JuliusPIV PSSO w/ Secure Enclave key is absolutely equivalent to Windows Hello for Business. In both cases the actual authentication being done to acquire tokens from the IDP uses public key/private key cryptography between the user on that particular device and the IDP. The only real difference between the two on Windows and macOS is that each OS handles the local user authentication in OS-specific ways:
- Windows
  - PIN (local memorized secret used to unbind private keys protected by the TPM) - always available as an option
  - Biometric - available depending on your hardware
- macOS
  - PIN/Passcode (local memorized secret used to unbind private keys protected by the Secure Enclave) - always available as an option
  - Biometric - available depending on your hardware and whether or not the FileVault disk is unlocked
Regardless of which OS you are using, there is typically still a password in Entra ID. Many customers are starting to scramble those passwords so they can no longer be used, or to block their use via Conditional Access authentication strengths policies. Platform SSO with Secure Enclave key is another tool in the toolbelt for organizations that want to reduce or eliminate their use of passwords in Entra ID.
We would recommend that organizations that use MDM-based password policies for their Macs begin to rethink the way they configure those password policies to align more with the policies they use for Windows Hello for Business PINs, iOS PINs, or Android PINs. This could mean 6-8 characters, no forced rotation schedule, and simplified complexity requirements. Due to the way macOS works, we would also recommend pairing this with MDM policies that use the device firewall to block remote management protocols like SSH, which of course are not a concern on iOS/Android/Windows.
Finally, we do not recommend using passwords or password sync unless you absolutely have to for security reasons, and we're trying to align on that across Microsoft, so in the future we'll try to make sure we show the Secure Enclave key experiences instead. Passwords are THE major attack vector in most environments, so we want to help customers move away from them.