Avoid password friction in Secure Enclave PSSO deployments

We are deploying Platform SSO using the Secure Enclave authentication method. However, users are still being prompted for their username and password during registration. This undermines our goal of going passwordless and is causing deployment friction with customers.

Once the Secure Enclave method is deployed and initialized, is there a way to suppress or skip this password dialog so users only authenticate via hardware/biometrics?

The password prompt during Secure Enclave PSSO registration is intentional by design — it's Apple's mechanism to verify the user's identity before binding the Secure Enclave key to their account. It's a one-time enrollment cost, not an ongoing authentication event.

That said, there are two ways to reduce friction:

First — pre-stage the registration silently via MDM before the user's first login. If you push the PSSO extension configuration via com.apple.extensiblesso payload with RegistrationToken pre-populated from your IdP, the password dialog can be pre-satisfied using SSO credentials the MDM already has. Check whether your IdP supports registration token pre-provisioning in their MDM integration.

Second — if you're on Entra ID, the Microsoft Enterprise SSO plugin handles the Secure Enclave binding silently for Entra-joined devices when Company Portal is installed and the device is already registered. The password step is bypassed because Company Portal already holds the device registration credential.

Suppressing the password prompt entirely without one of these flows isn't currently possible — it's a security boundary Apple has intentionally kept.

— Divya Ravi, Senior iOS Engineer
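As an added illustration (not taken from the answer above, from Apple, or from any IdP vendor), this is the shape of the com.apple.extensiblesso payload dictionary the first suggestion refers to, with the Secure Enclave method selected and the RegistrationToken slot an MDM would pre-populate. The extension identifier, team ID, URLs and token value are placeholders; the outer profile envelope (PayloadContent, PayloadUUID, etc.) is omitted.

```xml
<!-- Added example: one payload dictionary inside a configuration profile's PayloadContent array. -->
<dict>
    <key>PayloadType</key>
    <string>com.apple.extensiblesso</string>
    <key>PayloadIdentifier</key>
    <string>com.example.psso.payload</string>        <!-- placeholder -->
    <key>PayloadVersion</key>
    <integer>1</integer>

    <!-- The IdP's SSO extension and its signing team (placeholders; use your IdP's values). -->
    <key>ExtensionIdentifier</key>
    <string>com.example.idp.ssoextension</string>
    <key>TeamIdentifier</key>
    <string>EXAMPLETEAM</string>
    <key>Type</key>
    <string>Redirect</string>
    <key>URLs</key>
    <array>
        <string>https://login.example.com/</string>   <!-- placeholder IdP endpoint -->
    </array>

    <!-- Registration token supplied by the MDM so enrollment does not depend on the user
         typing credentials. Obtain this from the IdP's MDM integration; it is per-device. -->
    <key>RegistrationToken</key>
    <string>PLACEHOLDER_REGISTRATION_TOKEN_FROM_IDP</string>

    <key>PlatformSSO</key>
    <dict>
        <!-- Bind the user to a Secure Enclave-backed key instead of a synced password. -->
        <key>AuthenticationMethod</key>
        <string>UserSecureEnclaveKey</string>
        <!-- true lets the device key register once for all users on the Mac;
             leave false if each user must register their own device key. -->
        <key>UseSharedDeviceKeys</key>
        <true/>
    </dict>
</dict>
```

Before deploying, confirm with the IdP vendor that their extension actually consumes RegistrationToken; an extension that ignores it will still raise the password dialog at first registration.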

My understanding with Secure Enclave-backed Platform SSO is that it uses hardware-based tokens to authenticate to Identity Providers (Entra, Okta, etc.). In macOS, you are required to enter your password after reboot regardless of whether or not you have biometrics or allow Apple Watch to unlock your device.

Authentication methods have historically included three items:

  1. What you know (password/PIN)
  2. What you have (hardware tokens/cards)
  3. Who you are (biometrics)

I am aware that Apple has discussed the feature of Tap To Login, piggybacking off of hardware tokens. Unless this feature is implemented in future releases of macOS 27, I don't see passwordless authentication being available for a while.
