Using Passkeys with Apple Watch: Simplify the user experience with passkeys on Apple Watch.
Robert
Created: November 3, 2022
Updated: April 30, 2025
Our mission is to make the Internet a safer place and passkeys provide a superior solution to achieve that. That's why we want to keep you updated with the latest industry insights here.
Apple is ushering the passwordless future with passkeys with macOS Ventura. In this article, we want to show how passkeys can be used on the Apple Watch as the latest device from the Apple cosmos, after they were previously available with Face ID and Touch ID on Mac, iPhone and iPad.
One of the many new features of macOS Ventura is that passkey logins are now available by using an Apple Watch. After the passwordless login with Touch ID or Face ID was already supported on Mac, iPhone and iPad, users can now create a passkey with yet another Apple device. This is possible for all passkey-supported websites on Safari as well as on Chrome.
Below, you'll find an instruction on how to set up the passkey login for your Apple Watch:
Even though macOS Ventura and newer Apple Watches work together to authenticate you in more places (like unlocking your Mac or the new Passwords app), Apple has a policy decision that prevents the Watch from counting as a “strong” user verification (UV) in certain contexts—specifically, when cryptographic keys are protected by the Secure Enclave. In these cases, Touch ID or a typed password is required, and macOS will not allow the Apple Watch alone to complete the final authentication.
When using passkeys with Safari (which stores them inside the Secure Enclave via iCloud Keychain), Apple’s framework is designed to ignore the Apple Watch for the final “user verification” step if Touch ID is unavailable (such as in clamshell mode). Instead, it forces you to enter your Mac password—even though the Watch can unlock your Mac in other scenarios. This is because Apple does not consider the Watch by itself a high‐enough level of security to release Secure Enclave–protected credentials.
In contrast, if you use passkeys stored by Google Password Manager or inside your Chrome
profile, they are generally kept outside Apple’s
Secure Enclave. That means Chrome can use the broader
.deviceOwnerAuthentication
policy in LocalAuthentication, which lets macOS determine
whether to prompt you for Touch ID, Apple Watch, or your password. As a result, Apple
Watch fallback often works in clamshell mode for Chrome‐based passkeys (since the system
allows it) while Safari’s Secure Enclave–based passkeys do
not.
You might wonder why the Watch can unlock your Mac session or the new Passwords app yet not finalize a passkey login in Safari. Apple considers the Mac session unlock and password manager unlock to be convenience features, whereas accessing Secure Enclave–protected keys (the actual cryptographic passkeys) requires stricter user verification. In practical terms, that means if you’re in clamshell mode and go to log in to a passkey‐enabled site in Safari, you’ll see a password prompt instead of being able to confirm on your Watch—even though you’re wearing it.
Below is a summary of how passkeys behave on a MacBook in clamshell mode, with different storage and authentication configurations:
Scenario | Stored In | Clamshell Apple Watch Fallback? | Why? |
---|---|---|---|
1. Safari & iCloud Keychain (Secure Enclave) | Secure Enclave | No – Password is required | Apple enforces a policy that the Watch alone is not a sufficient factor for unlocking Secure Enclave keys. |
2. Chrome & Google Password Manager (non‐Enclave) | Google/Chrome storage | Yes – Apple Watch can confirm | Passkeys not in Secure Enclave, so .deviceOwnerAuthentication can allow Apple Watch as fallback in macOS. |
3. OS‐Level Unlock (e.g., unlocking Mac session) | System authentication | Yes – Apple Watch auto‐unlock | Apple sees session unlock as a “convenience” factor, so watch unlock is sufficient (but not for Enclave keys). |
Since passkeys are enabled on all Apple devices, it's time to also make browsing on your website even safer and much more user-friendly by fully replacing passwords.
With Corbado's solution, we help to you easily integrate the new sign-in method. Check out our demo and discover how the passwordless future looks like.
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
Related Articles
Table of Contents