This article describes the actions required to update the credential in the Authenticator on your device so that you can log in again.
What’s the issue?
During application startup or authentication, the authenticator will attempt to verify the integrity of your credential. If the credential is found to be invalid due to missing certificates or missing keys, the application or browser will display a message like the following examples.
The following error may be displayed in the browser tab that is processing the authentication.
What’s the cause?
The following describes the likely causes for this issue.
1. The password was reset.
A password reset changes the login password and rotates the Keychain and Secure Enclave. This results in:
- Renaming the original Keychain and Secure Enclave and creating a new, empty Keychain and Secure Enclave linked to the reset password.
- The Platform Authenticator updating hourly, which can fail.
To resolve this issue, see Solution 1 below.
Note: A password reset is not the same thing as a password change. A password change occurs when you supply your old password and then create a new one.
Important behavior:
If the old password is used as part of the password reset, then the keychain stays intact and the user's passkey is preserved. This includes changing the password via System Settings and MDM forced password expiration.
If the old password is not used as part of the password reset, then the keychain is discarded along with the user's passkey. This includes forcing a change from another admin account or via macOS recovery.
2. The wrong password was entered and the operating system reset the password.
If you enter the wrong password on the login screen several times and have an Apple ID paired, the operating system will offer to reset the password for you.
To resolve this issue, see Solution 1 below.
3. A backup was restored to a new or different machine.
If you restore a backup to a new or different machine, Secure Enclave will not be migrated because it is linked to the machine's hardware.
To resolve this issue, see Solution 1 below.
4. Migration Assistant was used to move data.
If you used Migration Assistant to copy files and data to a new machine, Secure Enclave will not be migrated because it is linked to the machine's hardware.
To resolve this issue, see Solution 1 below.
If none of the causes above apply
If you did not reset your password or perform any of the actions described in causes 1–4 above, perform each step below in order until the passkey issue is resolved.
- Open Authenticator and press Command-R to refresh the app.
- Close and re-open Authenticator.
- Log out and log back into the machine.
- Restart the machine.
Solution
This solution applies only to the possible causes 1–4 outlined above.
You will need to update your existing credential so that its certificate is no longer missing.
Step 1: Remove the affected credential from your device.
Step 2: Migrate your credential from another device.
If the same credential is on another device and is working as expected, you can migrate the working credential back onto the affected device that has the missing certificate issue.
To migrate your working credential, follow the guides below based on your affected device: