
Enterprise Passkeys: Apple, Google & Microsoft's Offerings

Enterprises have specific requirements for passkeys and device management. Let's have a look at how Apple, Google & Microsoft are currently meeting those needs.

Lukas R.

Created: November 9, 2023

Updated: October 4, 2025


1. Introduction

Passkeys are gaining strong momentum, with many companies embracing them to offer their customers a seamless and secure authentication experience. However, the enterprise sector presents unique challenges: a mix of personal and managed devices all accessing sensitive corporate data. Where do the tech giants stand in deploying enterprise-grade passkey solutions? Let's analyze the current developments from Apple, Google, and Microsoft to get a clearer picture.

2. Enterprise Requirements for Passkeys

For individuals, passkeys already represent a huge improvement in usability and security. However, for enterprises to fully embrace passkey solutions, four critical functionalities must be offered:

  1. Syncing passkeys between different devices
  2. Recovering passkeys from lost devices
  3. Prevention of unauthorized passkey transfers
  4. Centralized management of passkeys and user accounts

3. Apple Passkeys for Enterprises

Managed Apple IDs have become more user-friendly by enabling iCloud Keychain support, which allows for device synchronization and recovery. In addition, passkeys can be synced through third-party password management apps such as 1Password and Bitwarden.

3.1 What's a Managed Apple ID?

Think of a Managed Apple ID as a corporate-controlled counterpart to a personal Apple ID, encompassing password resets and role-based admin rights.

3.2 Apple's Passkey Enterprise Features

Integrating managed Apple IDs with the iCloud Keychain in macOS Sonoma, iOS 17, and iPadOS 17 means that passkeys are synced across devices and can be recovered if those devices are misplaced. While convenient for users, enterprises might be concerned about passkeys syncing to devices outside their control. That is why Apple introduced a couple of optional settings and safety measures:

1. Non-transferability of Passkeys: Passkeys for managed Apple IDs cannot be shared, preventing unauthorized log-ins on non-approved devices.

2. Selective Synchronization Controls: Administrators can control which devices are allowed to sync passkeys, choosing between three levels:

  • Any Device (default): Employees can sign in with their managed Apple IDs on any device, syncing the passkeys to devices outside the company.
  • Managed Devices Only: This restricts synchronization to company-managed personal devices, catering to bring-your-own-device (BYOD) workplaces.
  • Supervised Devices Only: This highest security setting limits passkey synchronization strictly to company-owned and -supervised devices.

3. Mandatory Passkey Creation on Managed Devices: Next to limiting the synchronization, administrators can also require passkey creation on managed devices.

Apple has adapted to enterprise needs by introducing these features, facilitating secure and efficient passkey usage within organizational structures. It has also implemented features to provide trustworthy attestation. For detailed instructions on implementing these settings in your organization, please refer to Apple's release notes from WWDC23.


4. Google's Strategy for Enterprise Passkeys

Google, too, is a front-runner in advancing passkeys, especially in the consumer domain. Recent updates to Android and Chrome have unlocked Google Password Manager's ability to securely store, retrieve, and sync passkeys across devices using end-to-end encryption. Additionally, since Android 14, it's possible to use third-party credential managers, such as the password managers 1Password or Dashlane, to handle passkeys, offering alternatives to Google Password Manager.

With the arrival of Android 16, a major quality-of-life and security improvement addresses a long-standing problem: the "new phone problem." This version of Android introduces Restore Credentials, a feature specifically designed to make migrating all essential security information (including passkeys, app login tokens, and saved passwords) to a new device a seamless and secure experience. Prior to this, setting up a new Android device often required manually re-authenticating and setting up critical security elements for numerous apps, a process that was not only tedious but also created a significant point of user friction.

Restore Credentials streamlines this by securely backing up the cryptographic keys and tokens needed for these credentials to the user's Google account or a secure cloud service. When the user initiates setup on a new Android 16 device, this feature automatically and securely pulls the necessary data, allowing apps to function with all previous login state intact. This eliminates the need for users to remember and re-enter passwords or perform multi-factor authentication for dozens of services, ensuring a smooth transition and encouraging the continued use of stronger, non-password-based authentication methods like passkeys.

4.1 Google Workspace

Google's SaaS offering for businesses, Google Workspace, has integrated passkey capabilities, so organizations can let their users sign in with passkeys. Google Workspace passkey support has reached General Availability (GA) for its customers, and administrators now have expanded restriction controls, including the ability to audit enrollment and to restrict passkeys solely to physical security keys within the Google Admin console. It is also possible to allow users to skip password sign-in challenges and instead use a passkey that covers both first- and second-factor authentication.

Passkey Settings in Google Workspace's Admin Control

4.2 Android Enterprise

Google has since introduced more robust enterprise controls. Recent versions of Android (such as Android 16) now include features that give IT administrators granular control over credential providers within Work Profiles. This new Enterprise Credential Manager Policy allows IT to enforce corporate passkey policies, such as restricting users to specific third-party passkey providers or enforcing the use of Google Password Manager, finally addressing the need for fine-grained control in managed environments.

5. Microsoft's Enterprise Passkey Strategy

Microsoft rolled out passkeys for Microsoft Entra (formerly Azure AD) in 2024 and added support to its Authenticator app. Crucially, Microsoft wants to introduce a synced passkey provider for Windows. This new feature will allow Windows Hello passkeys to be securely synchronized across Windows 11 devices when the user is signed in with the same Microsoft account, eliminating the gap in device synchronization. Furthermore, building on the initial 2024 rollout, Microsoft wants to introduce Passkey Profiles in Entra ID (in public preview/release) in Q4 2025. This feature enables administrators to implement granular, group-based control over FIDO2/passkey configurations, allowing them to apply differentiated policies, such as restricting privileged user groups to only use hardware security keys.
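A relying party that runs its own WebAuthn server can apply the same kind of rule (hardware security keys only for privileged groups, synced passkeys allowed for everyone else) by inspecting the authenticator data returned at registration. The sketch below is an added example, not code from Microsoft, Google, or this article's author; the group names, policy table, AAGUID, and function names are hypothetical, and the sample input is constructed.

```python
import struct
import uuid

# Flag bits in WebAuthn authenticator data (byte 32).
FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x04, 0x08, 0x10, 0x40

# Hypothetical per-group policy; group names and the AAGUID are constructed.
HW_KEY_AAGUID = "00000000-0000-4000-8000-000000000001"
POLICIES = {
    "privileged": {"allow_synced": False, "aaguids": {HW_KEY_AAGUID}},
    "standard": {"allow_synced": True, "aaguids": None},
}

def parse_auth_data(auth_data: bytes) -> dict:
    """Layout: rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | ..."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    aaguid = None
    if flags & FLAG_AT:
        if len(auth_data) < 55:  # AAGUID (16) + credential ID length (2)
            raise ValueError("truncated attested credential data")
        aaguid = str(uuid.UUID(bytes=auth_data[37:53]))
    return {"uv": bool(flags & FLAG_UV), "be": bool(flags & FLAG_BE),
            "bs": bool(flags & FLAG_BS), "aaguid": aaguid}

def check_registration(group: str, auth_data: bytes) -> tuple:
    """Return (allowed, reason) for a new passkey under the group's policy.

    The AAGUID is only trustworthy once the attestation statement has been
    verified; that step is outside this example.
    """
    policy, info = POLICIES[group], parse_auth_data(auth_data)
    if not info["uv"]:
        return False, "user verification required"
    if info["bs"] and not info["be"]:
        return False, "invalid flags: backed up but not backup eligible"
    if info["be"] and not policy["allow_synced"]:
        return False, "synced passkey not allowed for this group"
    if policy["aaguids"] is not None and info["aaguid"] not in policy["aaguids"]:
        return False, "authenticator model not on allowlist"
    return True, "ok"

def build_sample(flags: int, aaguid: str) -> bytes:
    """Constructed sample: zeroed rpIdHash, dummy credential ID, no public key."""
    cred_id = b"\x01" * 16
    return (bytes(32) + bytes([flags]) + struct.pack(">I", 0)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id)
```

The backup-eligible (BE) flag is what separates a syncable passkey from a device-bound one, so the privileged policy rejects on BE rather than on the current backup state (BS).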


6. Conclusion for Passkeys in Enterprise Use Cases

Let's have a look at how the three tech giants meet the enterprise requirements for passkeys:

The landscape has rapidly improved since the initial rollouts. Apple retains its leading position with deeply integrated device management and comprehensive controls (Managed Apple IDs). However, Google and Microsoft have both recently implemented the critical administrative controls previously missing. Microsoft has introduced both Windows synchronization and granular, group-based controls in Entra ID. Google has added essential policy management for Android Work Profiles. This convergence means all three tech giants now offer solutions that address the four core enterprise requirements, making the choice for organizations based more on existing infrastructure alignment (e.g., Windows shop vs. Google Workspace shop) than on raw feature count.

We believe that passkeys will make the internet a safer place. Enterprises are a big part of this transformation, which is why we call for an implementation of enterprise passkeys. If you have any questions, feel free to reach out to us via our passkeys community or subscribe to our passkeys Substack.
