WWDC25 Passkeys: Apple's Passwordless OS 26 Updates

The long-promised passwordless future is no longer a distant vision. It's taking shape. Apple's Worldwide Developers Conference (WWDC25) announcements deliver a substantial arsenal of passkey enhancements for its upcoming OS 26 suite:

• iOS 26
• macOS 26
• iPadOS 26
• visionOS 26

These developments signal an even deeper commitment from Apple to dismantle the vestiges of password-based authentication and usher in an era of more secure, user-friendly digital experiences.

During the WWDC25 presentation, Andrew Abosh from Apple's Authentication Experience team detailed five important updates designed to accelerate passkey adoption and usability. These include:

1. New Account Creation API for passkey-first onboarding
2. Mechanisms for keeping passkeys up-to-date by syncing account changes with credential managers
3. Automatic passkey upgrades to transition password-based accounts
4. Passkey management endpoints to improve discoverability from within credential managers
5. Ability for users to securely import and export passkeys, granting them greater control and flexibility.

This article examines three of these transformative updates — automatic passkey upgrades, passkey management endpoints, and importing/exporting passkeys — and explores the role of keeping passkeys synchronized and accurate. (The new Account Creation API is an important part of this strategy, but its breadth warrants a dedicated discussion in a future analysis.)

Apple's strategy appears holistic, addressing every facet of the passkey lifecycle. A suite of interconnected enhancements — rather than isolated features — spans the initial creation of an account with a passkey, migration of existing accounts, discoverability of passkey options, data accuracy over time and user control over credential storage. Tackling multiple friction points simultaneously signals a deep, long-term commitment from Apple and makes a compelling case for developers and services to invest confidently in passkey adoption.

The following table provides a concise overview of the key passkey enhancements announced at WWDC25 for OS 26:

A major hurdle in passkey adoption is migrating the existing user base from passwords. Apple's automatic passkey upgrade feature removes this friction by allowing a passkey to be created automatically in the background when a user signs in with their password. This provides a seamless path for adding passkeys without requiring extra user interaction.

We've covered the technical details of this feature in-depth in our previous blog post. If you'd like to see it in action, you can try it out on our demo page.

Apple recommends attempting the upgrade on every password sign-in if the user doesn't already have a passkey. The same capability exists for web apps, ensuring a consistent upgrade path across platforms.

Even when a service supports passkeys, users may be unaware. Passkey management endpoints solve this by letting credential managers surface links to a service's passkey pages:

1. Well-known URI: host a JSON file at /.well-known/passkey-endpoints.

2. Strict server rules: serve the file directly (no redirects), return 200 OK, and set Content-Type: application/json.

3. JSON keys:

   • enroll: URL where a user can add a new passkey.
   • manage: URL where a user can view, revoke or add passkeys.

Credential managers can probe this endpoint, display an "add passkey" button inside their UI, and deep-link users directly to the relevant page on the service's site. This expands the surface area for passkey adoption prompts and reaches users right where they manage their credentials.

True user ownership of credentials requires portability. Apple addresses this with secure passkey transfer:

• User-initiated: transfers happen only on explicit user request.
• Direct app-to-app: no intermediate files; transfers occur between credential-manager apps on iOS 26, iPadOS 26, macOS 26, and visionOS 26.
• Local authentication: Face ID / Touch ID protects the process.
• Standard schema: created with FIDO Alliance members, covering passkeys, passwords, verification codes and more.
• No insecure files: eliminating the risks posed by plain-text exports such as CSV.

This standardization work is part of a broader industry effort to define the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF). For a deeper dive into these emerging FIDO standards, you can read our detailed overview of CXP and CXF.

Websites and apps need not change anything; the transfer happens solely between credential managers, and existing passkeys remain valid. Credential-manager developers can adopt ASCredentialExportManager and ASCredentialImportManager to participate.

By facilitating secure export even from iCloud Keychain to third-party managers, Apple balances ecosystem strength and user freedom, building trust and setting a high security bar for credential portability.

Accurate, synchronized credentials are essential for a smooth passkey experience. Stale information, like an old username or a revoked passkey that still appears, leads to failed sign-ins and user frustration.

The WebAuthn Signal API provides a standardized way for services to notify credential managers about account changes. It helps keep passkey metadata current and removes stale credentials. For a comprehensive overview of this W3C standard, please see our dedicated article: WebAuthn Signal API: Update & Delete Passkeys on Client-Side.

Apple announced support for this standard in OS 26. Developers can now use signals to notify credential managers about:

• Username changes (native: reportPublicKeyCredentialUpdate, web: PublicKeyCredential.signalCurrentUserDetails())
• Revoked passkeys (native: reportAllAcceptedPublicKeyCredentials, web: signalAllAcceptedCredentials())
• Password removal (native: reportUnusedPasswordCredential)

This ensures a seamless and reliable authentication experience, a core part of the "delightful" passkey promise.

Although this analysis focuses on upgrades, management, and portability, the new Account Creation API is critical. It streamlines sign-up, often pre-filling user details and creating a passkey in one step with biometric confirmation. By making passkeys the default from the very first interaction, it normalizes passwordless onboarding and cements the foundation for a future in which passwords never appear.

The passkey enhancements unveiled at WWDC25 for OS 26 accelerate the journey toward a truly passwordless digital environment. Automatic Passkey Upgrades, Passkey Management Endpoints, secure import/export and the WebAuthn Signal API — alongside the forthcoming Account Creation API — form a cohesive strategy that dismantles remaining friction points and drives adoption.

For developers and businesses, these updates offer:

• Simplified passkey adoption: easier onboarding for new users and smoother upgrades for existing accounts.
• Enhanced user experience: faster, more reliable sign-ins that boost satisfaction and engagement.
• Stronger security: phishing-resistant, cryptographically strong authentication.
• Lower operational costs. fewer password resets, account lockouts, and credential-stuffing incidents.

At Corbado, we're ready to help businesses navigate these changes and integrate robust passkey solutions, whether they're just starting the journey or enhancing existing deployments.