---
url: 'https://www.corbado.com/blog/wwdc25-passkeys-os26'
title: 'WWDC25 Passkeys: Apple''s Passwordless OS 26 Updates'
description: 'Explore the passkey updates from Apple''s WWDC25 for OS 26. Learn about automatic upgrades, management endpoints and secure credential exchange.'
lang: 'en'
author: 'Vincent Delitz'
date: '2025-06-11T09:10:36.833Z'
lastModified: '2026-03-27T07:01:33.433Z'
keywords: 'wwdc25, ios automatic passkey upgrade, apple automatic passkey upgrade, passkey management endpoints, ios import passkey, ios export passkey'
category: 'Passkeys Strategy'
---

# WWDC25 Passkeys: Apple's Passwordless OS 26 Updates

## Key Facts

- Apple announced five passkey enhancements for **OS 26** at WWDC25: automatic upgrades,
  management endpoints, secure import/export, Signal API support and a new Account
  Creation API.
- **Automatic passkey upgrades** silently create a passkey in the background on every
  password sign-in, requiring no extra user interaction, for both native and web apps.
- **Passkey management endpoints** use a JSON file at `/.well-known/passkey-endpoints`
  with `enroll` and `manage` keys, enabling credential managers to surface direct
  add-passkey prompts.
- Secure credential transfer uses the FIDO Alliance's **Credential Exchange Protocol
  (CXP)**: direct app-to-app transfers with no intermediate files, eliminating plain-text
  CSV export risks.
- The **WebAuthn Signal API**, now supported in OS 26, lets developers notify credential
  managers of username changes, revoked passkeys and password removals to prevent stale
  credentials.

## 1. Introduction: Passkey Announcements at WWDC25

The long-promised passwordless future is no longer a distant vision. It's taking shape.
Apple's Worldwide Developers Conference (WWDC25) announcements deliver a substantial
arsenal of passkey enhancements for its upcoming OS 26 suite:

- [iOS](https://www.corbado.com/blog/webauthn-errors) 26
- macOS 26
- iPadOS 26
- visionOS 26

These developments signal an even deeper commitment from Apple to dismantle the vestiges
of password-based authentication and usher in an era of more secure, user-friendly digital
experiences.

During the WWDC25 presentation, Andrew Abosh from Apple's Authentication Experience team
detailed five important updates designed to accelerate
[passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case) and usability. These include:

1. New [Account Creation API](https://www.corbado.com/blog/passkey-account-creation-api) for passkey-first
   onboarding
2. Mechanisms for keeping passkeys up-to-date by syncing account changes with credential
   managers
3. [Automatic passkey upgrades](https://www.corbado.com/blog/ios-18-passkeys-automatic-passkey-upgrades) to
   transition password-based accounts
4. Passkey management endpoints to improve discoverability from within credential managers
5. Ability for users to securely import and
   [export passkeys](https://www.corbado.com/blog/credential-exchange-protocol-cxp-credential-exchange-format-cxf),
   granting them greater control and flexibility.

This article examines three of these transformative updates —
[automatic passkey upgrades](https://www.corbado.com/blog/ios-18-passkeys-automatic-passkey-upgrades), passkey
management endpoints, and importing/exporting passkeys — and explores the role of keeping
passkeys synchronized and accurate. (The new
[Account Creation API](https://www.corbado.com/blog/passkey-account-creation-api) is an important part of this
strategy, but its breadth warrants a dedicated discussion in a future analysis.)

## 2. Improvements for the Passkey Lifecycle

Apple's strategy appears holistic, addressing every facet of the passkey lifecycle. A
suite of interconnected enhancements — rather than isolated features — spans the initial
creation of an account with a passkey, migration of existing accounts, discoverability of
passkey options, data accuracy over time and user control over credential storage.
Tackling multiple friction points simultaneously signals a deep, long-term commitment from
Apple and makes a compelling case for developers and services to invest confidently in
[passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case).

The following table provides a concise overview of the key passkey enhancements announced
at WWDC25 for OS 26:

| Feature                        | Brief Description                                                                | Primary Benefit for Users/Developers           |
| ------------------------------ | -------------------------------------------------------------------------------- | ---------------------------------------------- |
| Account Creation API           | Fastest, easiest way to create a new account with a passkey from the start       | Streamlined, secure onboarding.                |
| Keeping Passkeys Up-to-Date    | Sync account changes (e.g., username, revoked passkeys) with credential managers | Accurate credential info, smoother sign-ins.   |
| Automatic Passkey Upgrades     | Seamlessly adds passkeys to existing password-based accounts post-login          | Frictionless security upgrade for users.       |
| Passkey Management Endpoints   | Showcase a service's passkey adoption directly within credential managers        | Improved discoverability, easier upgrades.     |
| Importing & Exporting Passkeys | Securely transfer passkeys between participating credential managers             | User control, flexibility, ecosystem openness. |

## 3. Automatic Passkey Upgrades in iOS & macOS

A major hurdle in [passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case) is migrating
the existing user base from passwords. Apple's automatic passkey upgrade feature removes
this friction by allowing a passkey to be created automatically in the background when a
user signs in with their password. This provides a seamless path for adding passkeys
without requiring extra user interaction.

We've covered the technical details of this feature in depth in our previous blog post. If
you'd like to see it in action, you can try it out on our
[demo page](https://passkeys.eu/automatic-passkey-upgrade).

Apple recommends attempting the upgrade on every password sign-in if the user doesn't
already have a passkey. The same capability exists for web apps, ensuring a consistent
upgrade path across platforms.

## 4. Better Discoverability via Passkey Management Endpoints

Even when a service supports passkeys, users may be unaware. Passkey management endpoints
solve this by letting credential managers surface links to a service's passkey pages:

1. **Well-known URI**: host a JSON file at `/.well-known/passkey-endpoints`.
2. **Strict server rules**: serve the file directly (no redirects), return `200 OK`, and
   set `Content-Type: application/json`.
3. **JSON keys:**
    - `enroll`: URL where a user can add a new passkey.
    - `manage`: URL where a user can view, revoke or add passkeys.

| JSON Key | Description                                     | Example Value                                           | Required?              |
| -------- | ----------------------------------------------- | ------------------------------------------------------- | ---------------------- |
| `enroll` | URL to add a new passkey to an existing account | `https://example.com/settings/security/passkeys/enroll` | Optional (recommended) |
| `manage` | URL to manage existing passkeys                 | `https://example.com/settings/security/passkeys/manage` | Optional (recommended) |

Credential managers can probe this endpoint, display an "add passkey" button inside their
UI, and deep-link users directly to the relevant page on the service's site. This expands
the surface area for passkey adoption prompts and reaches users right where they manage
their credentials.
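The server rules and JSON keys above (restated in the FAQ at the end) can be checked before a credential manager ever probes the file. The following is an added example, not code from Apple or from this blog's authors; the function names, the shape of the `res` object and the https-only check are assumptions made for the illustration.

```javascript
// Added example (not Apple's or Corbado's code): check a captured response for
// /.well-known/passkey-endpoints against the rules listed in this article.
function checkPasskeyEndpoints(res) {
  // res = { status, redirected, contentType, body }; field names are hypothetical
  const problems = [];
  if (res.redirected || (res.status >= 300 && res.status < 400)) {
    problems.push('redirect: the file must be served directly');
  } else if (res.status !== 200) {
    problems.push(`status ${res.status}: expected 200 OK`);
  }
  // Parameters such as "; charset=utf-8" are tolerated, a different media type is not.
  const mediaType = String(res.contentType || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') {
    problems.push(`content-type "${res.contentType}": expected application/json`);
  }
  let doc = null;
  try { doc = JSON.parse(res.body); } catch { /* reported just below */ }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    problems.push('body: expected a JSON object');
    return { ok: false, problems, links: {} };
  }
  const links = {};
  for (const key of ['enroll', 'manage']) {
    if (!(key in doc)) continue; // both keys are optional
    try {
      const url = new URL(doc[key]);
      // Assumption added for this example: only https links are surfaced.
      if (url.protocol !== 'https:') throw new Error('not https');
      links[key] = url.href;
    } catch {
      problems.push(`${key}: not an absolute https URL`);
    }
  }
  return { ok: problems.length === 0, problems, links };
}

// Live probe for Node 18+. redirect: 'manual' exposes a 3xx instead of following it.
async function probePasskeyEndpoints(origin) {
  const r = await fetch(new URL('/.well-known/passkey-endpoints', origin), { redirect: 'manual' });
  return checkPasskeyEndpoints({
    status: r.status,
    redirected: r.redirected || r.type === 'opaqueredirect',
    contentType: r.headers.get('content-type'),
    body: await r.text(),
  });
}
```

Running `probePasskeyEndpoints('https://example.com')` in a deployment check catches the common misconfigurations: a redirect at the CDN or load balancer, or a static file served as `text/plain`.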

## 5. Secure Importing and Exporting of Passkeys (CXP)

True user ownership of credentials requires portability. Apple addresses this with secure
passkey transfer:

- **User-initiated**: transfers happen only on explicit user request.
- **Direct app-to-app**: no intermediate files; transfers occur between credential-manager
  apps on [iOS 26](https://www.corbado.com/blog/ios-26-passkeys), iPadOS 26, macOS 26, and visionOS 26.
- **Local authentication**: [Face ID](https://www.corbado.com/faq/is-face-id-passkey) / Touch ID protects the
  process.
- **Standard schema**: created with [FIDO Alliance](https://www.corbado.com/glossary/fido-alliance) members,
  covering passkeys, passwords, verification codes and more.
- **No insecure files**: eliminating the risks posed by plain-text exports such as CSV.

This standardization work is part of a broader industry effort to define the Credential
Exchange Protocol
([CXP](https://www.corbado.com/blog/credential-exchange-protocol-cxp-credential-exchange-format-cxf)) and
[Credential Exchange Format](https://www.corbado.com/blog/credential-exchange-protocol-cxp-credential-exchange-format-cxf)
([CXF](https://www.corbado.com/blog/credential-exchange-protocol-cxp-credential-exchange-format-cxf)). For a
deeper dive into these emerging FIDO standards, you can read our detailed overview of
[CXP](https://www.corbado.com/blog/credential-exchange-protocol-cxp-credential-exchange-format-cxf) and
[CXF](https://www.corbado.com/blog/credential-exchange-protocol-cxp-credential-exchange-format-cxf).

Websites and apps need not change anything; the transfer happens solely between credential
managers, and existing passkeys remain valid. Credential-manager developers can adopt
`ASCredentialExportManager` and `ASCredentialImportManager` to participate.

By facilitating secure export even from [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) to
third-party managers, Apple balances ecosystem strength and user freedom, building trust
and setting a high security bar for credential portability.

## 6. Signal APIs to Keep Things Tidy

Accurate, synchronized credentials are essential for a smooth passkey experience. Stale
information, like an old username or a revoked passkey that still appears, leads to failed
sign-ins and user frustration.

The [WebAuthn Signal API](https://www.corbado.com/blog/webauthn-signal-api) provides a standardized way for
services to notify credential managers about account changes. It helps keep passkey
metadata current and removes stale credentials. For a comprehensive overview of this W3C
standard, please see our dedicated article:
[WebAuthn Signal API: Update & Delete Passkeys on Client-Side](https://www.corbado.com/blog/webauthn-signal-api).

Apple announced support for this standard in OS 26. Developers can now use signals to
notify credential managers about:

- **Username changes** (native: `reportPublicKeyCredentialUpdate`, web:
  `PublicKeyCredential.signalCurrentUserDetails()`)
- **Revoked passkeys** (native: `reportAllAcceptedPublicKeyCredentials`, web:
  `signalAllAcceptedCredentials()`)
- **Password removal** (native: `reportUnusedPasswordCredential`)

This ensures a seamless and reliable authentication experience, a core part of the
"delightful" passkey promise.
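On the web, the two signals listed above (and restated in the FAQ) can be sent together after an authenticated account change. This is an added example, not code from Apple or from this blog's authors; `signalAccountState` and the `account` object (`rpId`, `userHandle`, `username`, `displayName`, `credentialIds`) are hypothetical names for data your backend would return.

```javascript
// Added example: send the WebAuthn Signal API calls named above after an
// account change. Call it only for a signed-in user, with data from the server.
const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

async function signalAccountState(account, pkc = globalThis.PublicKeyCredential) {
  const sent = [];
  // The Signal API takes the user handle and credential IDs as base64url strings.
  const userId = b64url(account.userHandle);

  // Feature-detect each method: browsers and OS versions without support lack them.
  if (typeof pkc?.signalCurrentUserDetails === 'function') {
    await pkc.signalCurrentUserDetails({
      rpId: account.rpId,
      userId,
      name: account.username,
      displayName: account.displayName,
    });
    sent.push('currentUserDetails');
  }

  if (typeof pkc?.signalAllAcceptedCredentials === 'function') {
    await pkc.signalAllAcceptedCredentials({
      rpId: account.rpId,
      userId,
      // Must be the complete list for this user: a credential manager may
      // hide or remove any passkey whose ID is missing from it.
      allAcceptedCredentialIds: account.credentialIds.map(b64url),
    });
    sent.push('allAcceptedCredentials');
  }
  return sent; // which signals were actually delivered
}
```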

## 7. New Account Creation API

Although this analysis focuses on upgrades, management, and portability, the new Account
Creation API is critical. It streamlines sign-up, often pre-filling user details and
creating a passkey in one step with biometric confirmation. By making passkeys the default
from the very first interaction, it normalizes passwordless onboarding and cements the
foundation for a future in which passwords never appear.

## 8. Conclusion: Apple's OS 26 Paves the Way for a Smoother Passkey Experience

The passkey enhancements unveiled at WWDC25 for OS 26 accelerate the journey toward a
truly passwordless digital environment.
[Automatic Passkey Upgrades](https://www.corbado.com/blog/ios-18-passkeys-automatic-passkey-upgrades), Passkey
Management Endpoints, secure import/export and the
[WebAuthn Signal API](https://www.corbado.com/blog/webauthn-signal-api) — alongside the forthcoming
[Account Creation API](https://www.corbado.com/blog/passkey-account-creation-api) — form a cohesive strategy that
dismantles remaining friction points and drives adoption.

For developers and businesses, these updates offer:

- **Simplified passkey adoption**: easier onboarding for new users and smoother upgrades
  for existing accounts.
- **Enhanced user experience**: faster, more reliable sign-ins that boost satisfaction and
  engagement.
- **Stronger security**: [phishing](https://www.corbado.com/glossary/phishing)-resistant, cryptographically
  strong authentication.
- **Lower operational costs**: fewer
  [password resets](https://www.corbado.com/faq/passkeys-reduce-password-resets-otp-costs), account lockouts, and
  credential-stuffing incidents.

At Corbado, we're ready to help businesses navigate these changes and integrate robust
passkey solutions, whether they're just starting the journey or enhancing existing
deployments.

## Frequently Asked Questions

### How does Apple's automatic passkey upgrade work in iOS 26 and macOS 26?

On iOS 26 and macOS 26, a passkey is automatically created in the background when a user
signs in with their password, requiring no extra steps. Apple recommends attempting this
upgrade on every password sign-in if no passkey exists yet. The same capability applies to
web apps, providing a consistent upgrade path across platforms.

### How should I implement the `/.well-known/passkey-endpoints` file for passkey discoverability?

The `/.well-known/passkey-endpoints` file must be served directly with no redirects,
return `200 OK` and set `Content-Type: application/json`. Two optional but recommended
keys are `enroll` (URL to add a passkey) and `manage` (URL to view or revoke passkeys).
Credential managers probe this endpoint and display direct add-passkey prompts inside
their UI.

### How does iOS 26 enable secure passkey transfer between credential managers?

iOS 26 uses the FIDO Alliance's Credential Exchange Protocol (CXP) for direct app-to-app
passkey transfers with no intermediate files and no plain-text CSV exports. Transfers are
user-initiated and protected by Face ID or Touch ID, working across iOS 26, iPadOS 26,
macOS 26 and visionOS 26. Credential manager developers adopt `ASCredentialExportManager`
and `ASCredentialImportManager` to participate.

### What specific WebAuthn Signal API methods does OS 26 support for keeping passkey data current?

OS 26 supports three Signal API operations: username changes via
`reportPublicKeyCredentialUpdate` or `PublicKeyCredential.signalCurrentUserDetails()`,
revoked passkey notifications via `reportAllAcceptedPublicKeyCredentials` or
`signalAllAcceptedCredentials()` and password removal via
`reportUnusedPasswordCredential`. Both native and web implementations are supported,
preventing stale or revoked credentials from persisting in credential managers after
account changes.
