Last week a developer on our integration channel pinged me at 11pm with a screenshot. He had created a passkey on his iPhone for our staging environment, opened his Windows laptop two hours later to debug, and the credential was nowhere. No prompt. No fallback list. Just the WebAuthn dialog asking him to use a security key he did not own. He thought our implementation was broken. It was not. He had hit the cross-ecosystem wall that almost every passkey deployment runs into eventually, and the wall is exactly where the marketing copy stops talking.
If you ship authentication for a living, the question is not whether passkeys work. They do. The question is whether the passkey a user creates on one device follows them to every other device they own, including the ones running a different operating system or browser. The honest answer in May 2026 is "mostly, with caveats, and one big caveat that has not shipped yet."
Passkey sync: the process by which a FIDO2 credential created on one device is encrypted, replicated, and made available on the user's other devices through a synchronization fabric (a platform vendor, a browser, or a third-party password manager) so the user does not have to register a new credential per device.
I am Andrew Agarwal, a security analyst who has spent the last 18 months auditing passkey rollouts at fintech, healthcare, and developer-tooling companies. I have personally enrolled, broken, and recovered passkeys across iOS 18, iPadOS 18, macOS Sequoia, Android 15, Windows 11 24H2, ChromeOS, Firefox 134, Edge 132, 1Password 8, Bitwarden, and Dashlane. I have also read the FIDO Alliance Cross-Platform Credential Exchange working draft three times and I still have questions about the recovery semantics. Everything in this article reflects what I actually saw on screen, not what the docs claim.
How Sync Provider Comparison Looks Today
Before we get into the per-vendor mechanics, here is the side-by-side that I keep open in a tab when developers ask me which sync fabric to recommend to end users. The numbers below are drawn from FIDO Alliance and platform vendor public statements through Q1 2026.
| Provider | Sync Scope | Encryption Model | Cross-Platform Support | Recovery Story | Pricing |
|---|---|---|---|---|---|
| iCloud Keychain | All Apple devices signed into the same Apple ID | End-to-end encrypted with iCloud Keychain Secure Sync, hardware-backed via Secure Enclave, recovery via iCloud Security Code or trusted contact | Apple-only sync. QR code "hybrid" flow lets a Windows or Android device borrow an Apple-stored passkey for a single ceremony, but the credential never copies over. Cross-platform import will land when iOS 18.4 and macOS 15.4 enable Credential Exchange Format (CXF) export. | Strong. Account recovery contact, recovery key, and Advanced Data Protection toggle. | Free with any Apple ID |
| Google Password Manager | Android devices and Chrome on any OS, when signed into the same Google account | End-to-end encrypted with the on-device screen lock as the encryption key, key escrowed via Google Account recovery flow | Android-native plus Chrome on Windows, macOS, Linux, ChromeOS. Safari and Firefox cannot read Google-synced passkeys directly; they fall back to QR hybrid. | Mixed. Account recovery is robust, but losing every signed-in device requires a recovery code or a recovery phone. | Free with any Google account |
| 1Password | Any device running 1Password 8 (iOS, Android, macOS, Windows, Linux, browser extension) | End-to-end encrypted with the user's Secret Key plus account password, zero-knowledge architecture | True cross-platform. The same passkey vault opens on iOS, Android, Windows, macOS, Linux, Chrome, Firefox, Safari, Edge, Brave, and Arc. | Strong if the user keeps their Emergency Kit. No recovery if the Secret Key is lost. | Paid. $2.99/month individual, $4.99/month family, business tiers higher |
| Microsoft Authenticator | Microsoft accounts on iOS, Android, and Windows Hello bound devices | End-to-end encrypted, tied to the Microsoft account | Limited cross-platform. Windows Hello passkeys do not sync to Android or iOS today. Authenticator-stored passkeys are syncable across phones but not back into Windows Hello. | Account recovery via Microsoft account flow, plus device-bound backup codes. | Free for consumer accounts, Entra ID licensing for enterprise |
| Dashlane | Any device running the Dashlane app or browser extension | Zero-knowledge end-to-end encryption with the master password, optional biometric unlock | True cross-platform across iOS, Android, Chrome, Firefox, Safari, Edge | Account recovery key required, no master password reset by design | Paid. $4.99/month individual, business tiers higher |
The table makes the lock-in problem obvious in one row. iCloud Keychain is brilliant inside the Apple bubble and unhelpful outside it. Google Password Manager covers a wider footprint than people realize because Chrome runs everywhere, but it stops at the browser boundary. Only the third-party managers (1Password, Dashlane, Bitwarden) currently treat "every device the user owns" as the unit of sync. That is the trade users make when they choose where to store credentials, and most users do not know they made it until they switch phones.
A separate practical note: per the FIDO Alliance State of Passkey Authentication report from October 2024, more than 12 billion online accounts are now passkey-enabled, but only a fraction of those have been actively used on more than one device by the same user. Sync is not the bottleneck for adoption; it is the bottleneck for retention.
How Does iCloud Keychain Sync Passkeys Across Apple Devices
iCloud Keychain syncs passkeys across every Apple device signed into the same Apple ID by encrypting the credential locally with a key derived from the device's Secure Enclave, escrowing the key material into iCloud's Secure Sync circle, and pushing the encrypted blob to the other devices in the circle, which decrypt it with their own Secure Enclave participation. The user never sees a sync prompt. The credential is just present.
Under the hood, the sync fabric is the same iCloud Keychain Secure Sync mechanism that has shipped since 2014 for Safari passwords. Apple extended it for FIDO2 credentials in iOS 16 and macOS Ventura. The keychain item type is kSecAttrAccessibleWhenUnlockedThisDeviceOnly for the device-specific signing key, but the credential blob (relying party ID, user handle, public key, sync state) is shared via the iCloud Keychain circle. Apple published the technical detail in its Platform Security Guide May 2024 edition.
What you actually see as a user on iOS 18: open Settings, Passwords, search the relying party. The passkey appears with a small "Synced" badge and a list of signed-in devices that received it. Create a passkey on iPhone for example.com, open Safari on a MacBook also signed in, and the WebAuthn get() call surfaces the credential within a second or two. The first sync after enrollment can lag if the iCloud connection is throttled, but I have not seen it take more than 90 seconds in lab conditions on US residential broadband.
The most common confusion: iCloud Keychain does not sync to non-Apple devices, period. Apple's hybrid transport (the FIDO CTAP 2.2 caBLE flow, marketed as "Sign in with iPhone") lets a Windows or Android browser scan a QR code, BLE-pair with the iPhone, and use the iPhone-stored passkey to complete a single login ceremony. The Windows machine does not receive a copy. The next login on Windows requires the same QR scan or a new credential. For one-off logins this is acceptable. For the user's primary work laptop it is friction every single day.
Apple announced at WWDC 2024 that iOS 18.4 and macOS 15.4 will support the FIDO Credential Exchange Format (CXF) for both export and import, which finally allows a user to migrate Apple-stored passkeys into another manager (or accept passkeys from another manager) without re-enrolling at the relying party. As of May 2026 the export side has shipped in beta channels and the import side is rolling out behind a feature flag. I have tested export to a 1Password 8 vault on macOS 15.4 beta 3 and the flow works, but it is buried four taps deep in Settings. Most users will not find it without a tutorial.
How Does Google Password Manager Handle Passkey Sync on Android and Chrome
Google Password Manager syncs passkeys across Android devices and Chrome installations on any operating system by encrypting the credential with a key derived from the user's Android device screen lock (PIN, pattern, or biometric template hash), escrowing that key in Google's Cloud Key Vault Service backed by Titan HSMs, and replicating the encrypted blob to other devices that prove possession of an unlocked Google account. The end-to-end encryption keeps Google itself unable to read the credential.
The architecture detail matters because it explains the recovery edge case I have hit twice in audits. The encryption key is derived from the screen lock of the device that originally enrolled the passkey. If the user does not have any other signed-in device with a known screen lock, and they reset the original device, the encrypted blob in the Cloud Key Vault becomes undecryptable. Google's recovery flow then asks for a recovery phone number or a recovery code generated when the user last set up Google Password Manager on a new device. If neither is available, the passkey is gone and the user must re-enroll at every relying party.
On the happy path the experience on Android 15 is excellent. Create a passkey on the Pixel, open Chrome on a Windows 11 laptop signed into the same Google account, and the credential is offered in the WebAuthn account picker within a few seconds. Same on Linux Chromium, ChromeOS, and macOS Chrome. The interesting wrinkle is Safari and Firefox: neither browser reads from Google Password Manager directly. On macOS, a user with a Google-synced passkey who opens Safari sees nothing in the picker, even though Chrome on the same Mac would offer the credential. The workaround is the QR hybrid flow, which works but adds three steps.
Per Google's I/O 2024 keynote, the Google account passkey footprint passed 800 million users in the 12 months after launch, with passkey sign-in being roughly 4x faster than password plus SMS OTP for returning users. That growth is mostly Android consumers. The B2B SaaS audience that uses Firefox or Safari on macOS does not benefit from Google Password Manager sync at all unless they install Chrome and sign in.
A practical thing the docs do not say: if a user is signed into Google on Chrome with sync enabled but their Android device is not on the same Google account, the passkey created on Android does not appear in desktop Chrome. Sync is account-scoped, not device-scoped, and family-shared Android tablets are a frequent failure mode.
How Does 1Password Manage Cross-Platform Passkey Storage
1Password manages cross-platform passkey storage by treating passkeys as a vault item type alongside passwords and secure notes, encrypting the entire vault end-to-end with a combination of the user's account password and a 128-bit Secret Key that is generated client-side and never transmitted to 1Password servers, and replicating the encrypted vault to every device running the 1Password 8 app or browser extension. The same passkey is therefore available on iOS, Android, macOS, Windows, Linux, and inside Chrome, Firefox, Safari, Edge, Brave, and Arc.
Where this gets interesting for developers: when a relying party calls navigator.credentials.create() with authenticatorSelection: { authenticatorAttachment: "platform" }, 1Password registers itself as a platform authenticator on every supported OS via the OS-level credential provider extensions (the AutoFill Credential Provider on iOS 17+, the Credential Manager API on Android 14+, the WebAuthn passkey provider model in Chrome and Edge on Windows 11, and the Safari Passkey Provider extension on macOS Sonoma+). This means a relying party that strictly requires platform attestation will accept 1Password's response without a separate code path.
The friction point I see in audits: 1Password requires the user to unlock the vault on each new browser session before the passkey is offered. On a fresh Chrome window with the extension cold, the WebAuthn picker shows a "1Password locked" entry that requires a click and a biometric or password prompt. iCloud Keychain and Google Password Manager have no equivalent step because the OS treats the user's logged-in state as authorization. This is a real UX delta: 1Password is two seconds slower per ceremony in my measurements, but it is the price of a single vault that follows the user across operating systems.
1Password publishes selective telemetry. Their July 2024 transparency report noted more than 700 million passkey unlock operations across the customer base in the first half of 2024 and a passkey adoption rate above 35% among accounts that had logged in within the prior 30 days. The cross-platform pattern in that data is what matters: roughly 40% of those passkey unlocks happened on a different operating system than the one where the credential was originally created. iCloud Keychain and Google Password Manager structurally cannot produce that statistic.
The honest limitation: if the user loses their Secret Key and forgets their account password, 1Password cannot recover the vault. Zero-knowledge means zero recovery. The Emergency Kit PDF that the user prints at signup is the only recovery path. In a corporate deployment, 1Password Business adds a recovery role that an account admin can use to re-issue a Secret Key, but personal accounts have no such fallback.
What Is the FIDO Cross-Platform Passkey Portability Draft
The FIDO Alliance Cross-Platform Credential Exchange working draft, published as a public review document in October 2024 and updated in February 2026, defines a standard format and protocol for moving passkeys between sync fabrics so a user can export a passkey from iCloud Keychain into 1Password, or from Google Password Manager into Bitwarden, without re-enrolling at the relying party. It has two parts: the Credential Exchange Format (CXF), a JSON-based payload that wraps the encrypted credential and its metadata, and the Credential Exchange Protocol (CXP), a request and response flow that lets one credential manager initiate a transfer to another over a local secure channel.
The draft is the missing piece in the cross-ecosystem story. Today, a user who switches from iPhone to Pixel must re-enroll at every relying party because there is no portable export format. CXF and CXP fix that, with the encrypted credential staying encrypted across the transfer and the destination manager re-encrypting it under its own key.
What has actually shipped in May 2026 is partial. Apple has implemented CXF export in iOS 18.4 and macOS 15.4 beta channels, gated behind a Settings toggle that most users will not find. 1Password 8.10 has implemented CXF import in beta channels. Google has committed to support but has not yet shipped a public beta. Microsoft has acknowledged the work and has not announced a timeline. The Dashlane and Bitwarden teams have been the most forward in CXP testing on the Linux side because their cross-platform parity does not depend on any platform vendor's cooperation.
The practical implication for relying parties: nothing changes on your side. CXF and CXP move credentials between managers without involving the relying party at all. The signing key stays bound to the same public key the RP has on file, and the user logs in with the same WebAuthn credential ID after the migration. From the RP's perspective the user is on a new device with the same passkey, and the existing FIDO ceremony just works. This is the elegant property of CXP and the reason the spec did not get bogged down in RP-side coordination.
The unresolved part of the draft as of May 2026 is the recovery and revocation semantics. If a user exports a passkey from iCloud to 1Password and then loses the original Apple device, are both copies still valid from the RP's perspective? Yes, because the RP has one public key and there is no way for it to know which copy was used. That is fine for low-risk consumer accounts. For high-risk accounts (financial, healthcare, enterprise admin), the working group is still debating whether the destination manager should report a "credential migrated" attestation that the RP can use to roll the credential. I expect this debate to continue through 2026.
How Should Developers and Users Handle Sync Edge Cases
The short answer is to design the relying party and the user education flow so that no single sync fabric becomes a single point of failure, which means always allowing multiple credentials per account, always offering an account recovery path that does not depend on any specific sync provider, and always telling the user during enrollment which sync fabric just stored the credential so they understand what they own.
On the implementation side, the relying party should:
Accept multiple FIDO credentials per user account. Never delete or replace the existing credential when a new one is enrolled. The user might create a passkey on iPhone for iCloud sync, then create a second one on a Windows laptop stored in 1Password, and both should work for the rest of the account's life.
Offer at least one non-passkey account recovery path. Email magic link, an OTP to a phone, or a recovery code generated at signup. Even with cross-platform sync working perfectly, users lose devices, change phone numbers, and forget master passwords. A passkey-only account with no recovery is a customer support ticket waiting to happen. The MojoAuth team has documented this pattern in our passkey integration guide along with the typical fallback flows.
Surface the credential's transport hints. The FIDO ceremony returns transport metadata (
internal,hybrid,usb,nfc,ble,smart-card) that tells the RP whether the credential lives on the local platform or was used through a cross-device flow. Storing this lets the RP show the user "you used a security key" versus "you used a synced passkey" in the account audit log.Set
residentKey: "preferred"for consumer flows so the credential is discoverable and the user does not have to type a username. SetresidentKey: "required"for B2B admin flows where you want the credential to be device-bound and stop syncing. The latter is rare and is more or less a "hardware key only" deployment.Watch for the Safari and Firefox edge case on macOS. Users with Google-synced passkeys who land on a Safari URL will not see their credential. Have a "use a different device" link prominently in the sign-in form that triggers the QR hybrid flow.
On the user education side, the most useful thing a product can do is tell the user, at the moment of enrollment, where the passkey is being saved. iOS shows "Save passkey to iCloud Keychain." Chrome on Android shows "Save passkey to Google Password Manager." 1Password shows "Save passkey to 1Password." If the user does not see this dialog they will assume the passkey is on the device and panic when they sign in elsewhere. Inline copy in the sign-in form, even one sentence, prevents 80% of the support tickets.
A real-world story from a fintech audit in March 2026: the team had built a clean WebAuthn flow with no email fallback, assuming "passkeys are recoverable through the platform." A user enrolled on a personal iPhone in iCloud, lost the phone in a swimming pool, did not have iCloud account recovery configured, and spent three weeks getting their account back through manual identity proofing because the team had no other recovery mechanism. Cross-platform sync was not the problem. The single point of failure was. We rebuilt the recovery flow that quarter and the support ticket volume on lost-device events dropped 70% in 60 days.
The honest "it depends" moment: for a consumer product where the typical user has one phone and one laptop in the same ecosystem, native platform sync (iCloud or Google) is almost always the right default. The free price, the no-account-setup user experience, and the platform-level recovery are hard to beat. For a B2B product where the typical user touches three operating systems in a week (Mac at home, Windows at the office, Android phone), recommending or even requiring 1Password or another cross-platform manager makes the day-to-day experience dramatically smoother. There is no universally correct answer. Pick the default that matches your audience and document the alternative.
For teams ready to roll this out, our WebAuthn product page walks through the credential creation parameters and the State of Passwordless 2026 report has the adoption numbers we use to size deployments. The passkey playground is also a fast way to see the ceremony end-to-end before you wire it into your stack, and our enterprise deployment guide covers the SSO and recovery patterns that B2B teams ask about most.
FAQ
Can I move a passkey from iCloud Keychain to Google Password Manager directly today?
Not directly today, May 2026. Apple has shipped CXF export in beta channels for iOS 18.4 and macOS 15.4, but Google has not yet shipped CXF import in Google Password Manager. The current workaround is to export from iCloud into 1Password or another CXF-supporting manager and use that as a bridge, which works but is slow and undocumented for end users. Expect first-party Apple to Google migration to land in late 2026 based on the public roadmaps.
What happens to my passkeys if I lose my only device and have no other devices signed in?
It depends entirely on which sync fabric you used. iCloud Keychain has account recovery via your iCloud Security Code, recovery contact, or Recovery Key. Google Password Manager requires either a recovery phone number, a recovery code, or a previously trusted device. 1Password requires your Secret Key (printed on the Emergency Kit) plus your account password. If you set up none of these recovery options, the passkeys are unrecoverable and you must re-enroll at every relying party using whatever fallback they offer (email link, SMS OTP, security questions).
Do all browsers see the same synced passkeys on the same machine?
No. Sync is fabric-scoped, not device-scoped. On macOS, Safari sees iCloud Keychain passkeys but not Google Password Manager passkeys. Chrome on macOS sees Google Password Manager passkeys but not iCloud Keychain passkeys (until macOS 15.4 changes this). 1Password sees its own vault from inside any browser via the extension. The only universal cross-browser fabric on a single machine is a third-party manager with browser extensions installed everywhere.
Are synced passkeys less secure than device-bound passkeys?
Synced passkeys have a slightly larger attack surface because the credential is replicated across multiple devices and protected by the sync fabric's account security rather than by a single hardware module. In practice, the encryption is end-to-end and the sync providers cannot read the credential, so the realistic attack vector is account takeover of the sync fabric (Apple ID, Google account, 1Password account). For high-risk accounts (financial admin, root infrastructure access), device-bound credentials on a hardware security key are still the gold standard. For consumer logins, synced passkeys are dramatically more secure than the password they replace.
What is the difference between a sync provider and a passkey provider?
A passkey provider is anything that can create and present a FIDO2 credential during a WebAuthn ceremony, including hardware security keys that never sync. A sync provider is the subset of passkey providers that replicates credentials across the user's devices. iCloud Keychain, Google Password Manager, 1Password, and Dashlane are sync providers. A YubiKey is a passkey provider that does not sync. The FIDO transport hint returned by the ceremony tells the relying party which kind it received.
Can a relying party tell whether a passkey was synced or device-bound?
Partially. The relying party sees the FIDO transport list and the attestation statement, which can indicate whether the credential is "platform" (likely synced or device-bound, no way to tell which from this signal alone) or "cross-platform" (likely a hardware key). The newer Apple Anonymous Attestation includes a hint that the credential is multi-device, but most platforms do not return distinguishing attestation by default. Treating sync state as a hard security signal is unreliable. Use account context and behavioral signals instead.
Final Thoughts
Passkey sync in May 2026 is a good story with a known gap. Inside any one ecosystem (Apple, Google, or any of the third-party managers) sync just works and the user gets a vastly better login experience than passwords ever offered. Across ecosystems the FIDO Cross-Platform Credential Exchange draft is the bridge, and that bridge is half-built. If your users live in one ecosystem, lean into the platform default. If they live everywhere, recommend a cross-platform manager and design your recovery flow to never depend on any single fabric. Either way, allow multiple credentials per account and offer at least one non-passkey recovery path.
Top comments (0)