A Preview of Windows 11's Passkeys Support

Back in May 2022, Microsoft promised support for passwordless authentication using passkeys in the Windows operating system by the end of 2023. Windows 11 version 23H2, which Microsoft released to its preview channel on Tuesday, delivers on that promise.

This update to Windows 11, set to become generally available by the end of 2023, introduces the ability to generate passkeys using biometric authentication, a PIN, or third-party password manager instead of passwords. The FIDO Alliance specification for creating digital private keys containing unique cryptographic credentials is based on the World Wide Web Consortium's (W3C) WebAuthn standard.

"Passkeys are the cross-platform future of secure sign-in management," wrote David Weston, Microsoft's vice president of enterprise and operating system security. "A passkey creates a unique, unguessable cryptographic credential that is securely stored on your device."

Hello to Passkeys

Experts view passkeys as the most promising form of authentication currently available for eliminating passwords and protecting accounts from attack. Because passkeys are linked to specific devices, such as computers, tablets, and smartphones, users don't have to memorize usernames and passwords for each website or online service. With passkeys, there are no passwords for attackers to steal or multifactor authentication tokens to intercept. Access can only be granted with the unique cryptographic key, which can't be guessed by an attacker. Passkeys can also be synced across devices within the same operating system, which simplifies the sign-in process.

Individuals can generate passkeys using Windows Hello, Windows Hello for Business, or a smartphone. The passkeys are then stored on the device. To log into a website or application, the person would "unlock" the passkey with biometrics, such as facial recognition or fingerprint scanning, or via a device-based PIN to gain access to the applications and websites. A passkeys management dashboard will be available in the Settings app, under Accounts >> Passkeys.

The FIDO protocols rely on standard public/private key cryptography techniques; when a user registers with a service, a new key pair is generated, Microsoft says. The private key is stored securely on the user's device, while the public key is registered with the service. During authentication, the user's device proves it has the private key, which can then be used after it has been unlocked by one of the biometrics or PIN-based methods.

Microsoft says passkeys on the new Windows 11 update work with popular browsers, including its own Edge, Google Chrome, and Firefox. This feature will work with other websites and applications that already support the WebAuthn public key authentication standard, including Adobe, Amazon, DocuSign, GitHub, PayPal, Shopify, and Uber. 1Password maintains a comprehensive directory of services that support passkeys.

Support Exists in iOS and macOS

Apple was the first to deliver passkey support in September 2022, with its release of iOS 16 for iPhones and iPads, followed by its Safari browser. Later that year, Google added passkeys to Android and, more recently, to Google Accounts.

Apple expanded the capabilities of passkeys in the release of iOS 17 on Sept. 18, 2023, adding support for Apple IDs, which eliminates the need to use a password on any site or app that is enabled for passkeys. Further, Apple has added support for Apple Managed IDs, created for organizations using Apple Business Manager or Apple School Manager.

Managed Apple IDs support iCloud Keychain in macOS Sonoma, iOS 17, and iPad OS 17, said Alex Sokolov, a software engineering manager who made the announcement at Apple's Worldwide Developers Conference in June.

"With Managed Apple IDs, your users get all the benefits of using passkeys on all their devices with iCloud Keychain, and you get to manage their accounts," he explained. "Passkeys stored in iCloud Keychain of Managed Apple IDs cannot be shared."

Managed Passkeys for IT

Microsoft is providing IT and security administrators with a new policy to prevent password usage across the entire Windows experience, including device unlocks and authentication attempts. A policy in Microsoft Entra ID (Azure AD)-joined machines eliminates the option to access company resources with just a username and password.

Microsoft will offer a feature, also available in preview mode for Windows Insiders, called Config Refresh, which allows Windows 11 devices to automatically reset every 90 minutes by default; it can be adjusted down to every 30 minutes. It is accessed via the policy configuration service provider (CSP), which covers hundreds of settings that were traditionally set with Group Policy. It does so through Mobile Device Management, like Microsoft Intune, and IT administrators can pause Config Refresh as needed, Weston added.

"This is a major win for companies looking to automate best security practices," says 1Password chief product officer Steve Won. "With tech giants such as Apple, Google, and now Microsoft embracing passwordless authentication, another domino has fallen in the shift toward passkeys becoming the standard."