
Enterprise Passkeys: Apple, Google & Microsoft's Offerings

Enterprises have specific requirements for passkeys and device management. Let's have a look at how Apple, Google & Microsoft are currently meeting those needs.


Lukas R.

Created: November 9, 2023

Updated: October 22, 2024


Our mission is to make the Internet a safer place, and passkeys, the new login standard, provide a superior way to achieve that. That's why we want to keep you up to date on the latest developments in the industry.

1. Introduction

Passkeys are gaining strong momentum, with many companies embracing them to offer their customers a seamless and secure authentication experience. However, the enterprise sector presents unique challenges: a mix of personal and managed devices all accessing sensitive corporate data. Where do the tech giants stand in deploying enterprise-grade passkey solutions? Let's analyze the current developments from Apple, Google, and Microsoft to get a clearer picture.

2. Enterprise Requirements for Passkeys

For individuals, passkeys already represent a huge improvement in usability and security. However, for enterprises to fully embrace passkey solutions, four critical functionalities must be offered:

  1. Syncing passkeys between different devices
  2. Recovering passkeys from lost devices
  3. Prevention of unauthorized passkey transfers
  4. Centralized management of passkeys and user accounts

3. Apple Passkeys for Enterprises

Managed Apple IDs have become more user-friendly by enabling iCloud Keychain support, which allows for device synchronization and recovery.

3.1 What's a Managed Apple ID?

Think of a Managed Apple ID as a corporate-controlled counterpart to a personal Apple ID, encompassing password resets and role-based admin rights.

3.2 Apple's Passkey Enterprise Features

Integrating managed Apple IDs with the iCloud Keychain in macOS Sonoma, iOS 17, and iPadOS 17 means that passkeys are synced across devices and can be recovered if those devices are misplaced. While convenient for users, enterprises might be concerned about passkeys syncing to devices outside their control. That is why Apple introduced a couple of optional settings and safety measures:

1. Non-transferability of Passkeys: Passkeys for managed Apple IDs cannot be shared, preventing unauthorized log-ins on non-approved devices.

2. Selective Synchronization Controls: Administrators can control which devices are allowed to sync passkeys, choosing between three levels:

  • Any Device (default): Employees can sign in with their managed Apple IDs on any device, syncing the passkeys to devices outside the company.
  • Managed Devices Only: This restricts synchronization to company-managed personal devices, catering to bring-your-own-device (BYOD) workplaces.
  • Supervised Devices Only: This highest security setting limits passkey synchronization strictly to company-owned and -supervised devices.

3. Mandatory Passkey Creation on Managed Devices: Next to limiting the synchronization, administrators can also require passkey creation on managed devices.


Apple has adapted to enterprise needs by introducing these features, facilitating secure and efficient passkey usage within organizational structures. It has also implemented features to provide trustworthy attestation. For detailed instructions on implementing these settings in your organization, please refer to Apple's release notes from WWDC23.
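The sync restrictions above are set on the device-management side; a relying party can also see whether a passkey is syncable from the backup-eligible (BE) and backup-state (BS) flags in the WebAuthn authenticator data and apply its own policy. The following is an added example, not code from Apple or from this article; the RP ID, the sample byte strings and the function names are constructed for illustration, and the flags may only be trusted after the assertion signature has been verified.

```python
import hashlib
import struct

# Bits of the "flags" byte in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_BE = 0x08  # backup eligible: the credential can be synced
FLAG_BS = 0x10  # backup state: the credential is currently backed up


def parse_auth_data(raw: bytes):
    """Split the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    return struct.unpack(">32sBI", raw[:37])


def check_policy(raw: bytes, rp_id: str, allow_synced: bool):
    """Return (accepted, reason) for authenticator data whose signature
    has already been verified by the caller."""
    rp_id_hash, flags, _sign_count = parse_auth_data(raw)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rp_id_mismatch"
    if not flags & FLAG_UV:
        return False, "user_not_verified"
    # BS set without BE is an invalid combination and must be rejected.
    if flags & FLAG_BS and not flags & FLAG_BE:
        return False, "invalid_backup_flags"
    # Policy choice: treat any syncable credential as leaving managed devices.
    if flags & FLAG_BE and not allow_synced:
        return False, "synced_passkey_not_allowed"
    return True, "ok"


def build_sample(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample input: a minimal authenticator data header."""
    digest = hashlib.sha256(rp_id.encode()).digest()
    return digest + bytes([flags]) + struct.pack(">I", sign_count)


RP_ID = "login.example.com"  # placeholder relying party ID
DEVICE_BOUND = build_sample(RP_ID, FLAG_UP | FLAG_UV)
SYNCED = build_sample(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)

if __name__ == "__main__":
    for name, data in (("device-bound", DEVICE_BOUND), ("synced", SYNCED)):
        print(name, check_policy(data, RP_ID, allow_synced=False))
```
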


4. Google's Strategy for Enterprise Passkeys

Google, too, is a front-runner in advancing passkeys, especially in the consumer domain. Recent updates to Android and Chrome have unlocked Google Password Manager's ability to securely store, retrieve, and sync passkeys across devices using end-to-end encryption. Additionally, since Android 14, it's possible to use third-party credential managers, such as password managers like 1Password or Dashlane, to handle passkeys, offering alternatives to Google Password Manager.
But how do these enhancements translate to enterprise solutions?

4.1 Google Workspace

Google's SaaS offering for businesses, Google Workspace, has integrated passkey capabilities. This enables organizations to let their users sign in to the organization with passkeys.

Figure: Passkey Settings in Google Workspace's Admin Control

Administrators can now set passkeys as the primary sign-in method for their employees.

4.2 Android Enterprise

Google's management system for Android devices has yet to introduce specific passkey management features. Despite support for passkey synchronization via Google Password Manager in Android 14, Android Enterprise lacks the administrative customization options Apple offers.

Although Google has promoted passkey utilization for developers and individual users, its enterprise solutions are yet to offer the same level of administrative control provided by Apple, particularly in device management, where enterprises require granular control over passkey sync and usage. We expect Google to keep up with Apple via more updates in the near future.

5. Microsoft's Enterprise Passkey Strategy

Microsoft rolled out passkeys for Microsoft Entra ID (formerly known as Azure AD) in 2024. Moreover, Microsoft added passkey support to its Authenticator app. However, Windows Hello is still missing a synchronization feature between devices for single users as well as for organizations.

If you want to read more about why Microsoft is so slow with passkey adoption, check out this blog article.


6. Conclusion for Passkeys in Enterprise Use Cases

Let's have a look at how the three tech giants meet the enterprise requirements for passkeys:

Comparison of Requirements for Enterprise Passkeys: Apple meets all 4 requirements, Google only 2 and Microsoft none of them

Only Apple has implemented all four features for organizations, setting a standard for passkeys in enterprise solutions. Google is the runner-up, offering synchronization and recovery but falling short on enterprise-centric controls. Microsoft trails behind, with room for significant improvement.

We believe that passkeys will make the internet a safer place. Enterprises are a big part of this transformation, which is why we call for an implementation of enterprise passkeys. If you have any questions, feel free to reach out to us via our passkeys community or subscribe to our passkeys Substack.
