Reply to Meet passkeys
Thx for the fast reply. If I have some users with iPhones and some users with Android phones, how do the Android users access the iCloud? There must be something in the browser like a credential reference that correlates to the user's private key in the iCloud, right? Are credentials device specific, like in FIDO's WebAuthn? How are credentials securely provisioned, initially? How are keys provisioned on new devices? Is there a link to the collection of technical documents? I am looking for a flow chart. There is not a lot about passkeys here: Learn more about Apple ID security and iCloud Keychain security in the Platform Security Guide https://support.apple.com/en-us/HT213305 Thx again for your help!
Topic: Privacy & Security SubTopic: General Tags:
Jun ’22
Reply to Meet passkeys
After reading, About the security of passkeys, I am confused. The article states, "iCloud Keychain is end-to-end encrypted with strong cryptographic keys not known to Apple..." How does Apple access and utilize the private key for signature purposes?
Topic: Privacy & Security SubTopic: General Tags:
Jun ’22
Reply to Meet passkeys
OK. After reading, Escrow security for iCloud Keychain, I think I have a better understanding. The iCloud Keychain is offline storage of the user's security data and is only used to restore the user's private keys on his/her devices. "To recover a keychain, users must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After this is done, users must enter their iCloud security code." The HSM cluster verifies the data the user entered and then returns the escrow record, which is the iCloud Keychain data. "Next, the device uses the iCloud security code to unwrap the random keys used to encrypt the user’s keychain. With that key, the keychain—retrieved from iCloud key-value storage and CloudKit—is decrypted and restored onto the device."
Topic: Privacy & Security SubTopic: General Tags:
Jun ’22