How can passkeys be protected on machines that don’t have biometrics?

As an admin, I am wary of allowing passkeys now on services, knowing some Mac users might end up unknowingly set up passkeys in systems that offer a control mechanism like biometrics or even the account password. It just makes it easier for attackers.

Also, I don’t believe there’s an option for me to block passkeys on these systems via MDM, which IMO would be ideal. No biometrics should mean no passkeys access, or at least should have required the macOS account password to unlock access to them.

I provided this feedback to Apple, and I await to hear an explanation.

I hope, I am just missing some information. Otherwise, this is a glaring bug.

Well, if you want a little bit more step by step:

1. disable touchid
2. try to use your passkeys to login, or
3. create a new passkey in a service (like Gmail).

You will find that passkeys are still available to you, without asking you to type your Mac account password.

I found out that without enabling biometrics on a Mac, it's a similar thing with just passwords. It will make the password in the built-in password manager in macOS available without prompting to input the user's macOS account password.

Only when biometrics is enabled does it provide password as a fallback option to access the password or passkey.

I've been using MacBooks with TouchID for a long time, I failed to realize this.

The message I am getting is that if you don't care enough to have biometrics, Apple will offer access to credentials in a Mac with the lowest possible barrier.

I just described how I tested it. You can replicate it by removing touchid on your Mac.

it’s the same, whether disabling after generating the passkey, or never having had touchid.