How to use Passkeys on your Apple Watch

Apple is ushering the passwordless future with passkeys with macOS Ventura. In this article, we want to show how passkeys can be used on the Apple Watch as the latest device from the Apple cosmos, after they were previously available with Face ID and Touch ID on Mac, iPhone and iPad.

One of the many new features of macOS Ventura is that passkey logins are now available by using an Apple Watch. After the passwordless login with Touch ID or Face ID was already supported on Mac, iPhone and iPad, users can now create a passkey with yet another Apple device. This is possible for all passkey-supported websites on Safari as well as on Chrome.

Below, you'll find an instruction on how to set up the passkey login for your Apple Watch:

1. Go to System Settings on your Mac
2. Check under General if you already installed macOS Ventura
3. Proceed to Touch ID & Password (wear your Apple watch on your wrist)

4. Go to https://passkeys.eu and click on Sign up
5. Create a new account

6. Check the notification on your Apple watch

7. Double-Click on the side button of your Apple Watch
8. Signed In

Even though macOS Ventura and newer Apple Watches work together to authenticate you in more places (like unlocking your Mac or the new Passwords app), Apple has a policy decision that prevents the Watch from counting as a “strong” user verification (UV) in certain contexts—specifically, when cryptographic keys are protected by the Secure Enclave. In these cases, Touch ID or a typed password is required, and macOS will not allow the Apple Watch alone to complete the final authentication.

When using passkeys with Safari (which stores them inside the Secure Enclave via iCloud Keychain), Apple’s framework is designed to ignore the Apple Watch for the final “user verification” step if Touch ID is unavailable (such as in clamshell mode). Instead, it forces you to enter your Mac password—even though the Watch can unlock your Mac in other scenarios. This is because Apple does not consider the Watch by itself a high‐enough level of security to release Secure Enclave–protected credentials.

In contrast, if you use passkeys stored by Google Password Manager or inside your Chrome profile, they are generally kept outside Apple’s Secure Enclave. That means Chrome can use the broader .deviceOwnerAuthentication policy in LocalAuthentication, which lets macOS determine whether to prompt you for Touch ID, Apple Watch, or your password. As a result, Apple Watch fallback often works in clamshell mode for Chrome‐based passkeys (since the system allows it) while Safari’s Secure Enclave–based passkeys do not.

You might wonder why the Watch can unlock your Mac session or the new Passwords app yet not finalize a passkey login in Safari. Apple considers the Mac session unlock and password manager unlock to be convenience features, whereas accessing Secure Enclave–protected keys (the actual cryptographic passkeys) requires stricter user verification. In practical terms, that means if you’re in clamshell mode and go to log in to a passkey‐enabled site in Safari, you’ll see a password prompt instead of being able to confirm on your Watch—even though you’re wearing it.

Below is a summary of how passkeys behave on a MacBook in clamshell mode, with different storage and authentication configurations:

Since passkeys are enabled on all Apple devices, it's time to also make browsing on your website even safer and much more user-friendly by fully replacing passwords.

With Corbado's solution, we help to you easily integrate the new sign-in method. Check out our demo and discover how the passwordless future looks like.