From the Editor’s Desk: A Mind is a Terrible Thing


The current version of the Windows 11 Field Guide is over 1180 pages long. It’s too long, and it’s not even complete, in the sense that there are topics I never got to and new topics to cover with each passing season. So a goal for the 25H2 edition of this book is to make it more concise, more task- or action-oriented. More how-to with less superfluous writing.

This has proven difficult.

The problem is me. Which isn’t the same thing as me being at fault. This is no one’s fault. I just have this condition called ADHD. Sometimes it’s like a super power. And sometimes it just gets in the way. I can’t control it. But right now, it’s getting in the way. When I’m like this, I feel broken and lost.

This is how my brain works. Or doesn’t work, I guess.

A week ago, I set out to write a chapter on passkeys. Since I wrote about this for the book last year, Microsoft added third-party passkey support to Windows 11, so it felt like a meaningful update.

I can’t explain this, but I typically write new chapters for the 25H2 edition of the book without referring to anything I wrote previously. So that was my first mistake. But I plotted out a basic explanation of passkeys and then planned two main sections for the chapter, for the in-box passkey management functionality, which is limited, and what I initially called a third-party passkey integration. And then I started writing them.

I kept getting distracted.

The in-box passkey functionality is borderline pointless, as those passkeys are not portable, they’re what Microsoft calls device-bound passkeys, meaning they’re stuck on that one PC and can’t be used elsewhere. I feel very strongly that passkeys need to be portable, that’s what makes them universally useful, and that no one should use the in-box passkey functionality in Windows 11 for the most part. But I also need to document this functionality in the book, right? And hopefully do so in the shortest possible way.

The third-party passkey integration is more useful because you’re using a compatible password manager to store passkeys, and because those password managers are available elsewhere, on phones and tablets, other PCs, Macs, and elsewhere, the passkeys you store in them are portable. But the compatibility is limited to 1Password and Bitwarden right now. And, as it turns out, the Microsoft Password Manager (MPM) that’s built into Microsoft Edge.

I feel very strongly that no one should use the password manager built into an OS or web browser, and that everyone should use a third-party password manager instead. So that’s a problem, too. As is the fact that MPM is not technically a third-party password/passkey manager but is instead a Microsoft product. And so I needed a different term, as third-party was not going to cut it. So I started referring to these things as external passkey managers.

But I kept getting distracted.

As I wrote this new chapter, as I repeatedly created, accessed, and managed passkeys using these two methods, I kept having the same troubling thoughts. First, this is not how I use passkeys, and the more I experienced these things, the more strongly I felt that neither was how most people should use passkeys either. And that led me down a path in which I felt I had to cover the more common and, to my mind, more advisable ways to use passkeys in Windows 11.

The problem was that Windows 11 or whatever web browser would put up a QR code that you would scan with your phone and, in turn, open whatever password manager on the phone so that you could authenticate yourself there. Or, it would display a dialog in which the only choices for a passkey were a mobile device or a hardware security key.

I tried to work around this by explaining that most people install a password manager on their phones and use that for passwords and passkeys. That there were web browser extensions for those password managers that brought that functionality to whatever web browser you use with Windows 11. And that I recommended that most people do those things instead of using a device-bound or (my term) external password manager integrated with Windows 11. And that this chapter would simply focus on the passkey functionality that’s built into Windows 11.

Except, of course, that it wouldn’t. I just couldn’t stand it.

After spending part of two days working on the chapter, I gave up and started over. I created a new passkeys chapter that had a basic explanation of passkeys followed by five main sections, instead of two: Using your phone to authenticate with a passkey, using a web browser extension to authenticate with a passkey, using Windows 11 to authenticate with a device-bound passkey, using the Microsoft Password Manager to authenticate with a passkey, and using a third-party passkey manager to authenticate with a passkey.

This satisfied some broken part of my brain, but it also meant that the passkeys chapter would now be longer in an edition of the book in which I am striving for brevity. I forged ahead, regardless.

Most of those five main sections went on to have the same three sub-sections: Saving a passkey with that method, using a passkey with that method, and managing a passkey with that method. And that meant there was a lot of repetitive text, as each section was essentially the same information, but targeted at different ways to deal with passkeys.

Now that was distracting.

If you’re familiar with software coding and/or have read my WinUIpad or .NETpad articles, you are likely familiar with the term refactoring. This is where you rewrite a block of code with two goals in mind: To make it “better” in whatever ways (faster, more efficient) while not changing how it works at all. I had literally finished writing this passkeys chapter, it’s about 15 pages long in PDF form, and I realized that I could not publish it as is. I would need to refactor the chapter to remove the repeated content as much as possible.

Except, of course, that this is impossible. Instead, I would need to completely rewrite it again. For the third time.

Here’s the issue. You’re going to use passkeys in Windows 11. You’re going to use whatever method you prefer for saving, accessing, and managing passkeys, except for an important caveat: You’re really going to use at least two methods because that third-party password manager you are using, because you are not an idiot, is going to live on your phone and in your Windows 11-based web browser via its extension. And when Windows 11 prompts you to authenticate, it will sometimes throw up a QR code, in which case you will use your phone and whatever PIN and/or biometric functionality you have there. Or it will simply work with the web browser extension, in which case you will just use your PC (with Windows Hello).

And so the organization of this chapter has to be different. The basic explanation of passkeys can stay, of course. But then I need a section that explains each of the methods you can use with passkeys in Windows 11. Followed by sections for saving a passkey, accessing a passkey, and managing passkeys, each of which will hopefully just make sense no matter which passkey method you choose.

You may have taken note of the word “hopefully” there. I wrote that because I have not yet fully written this new version of the passkeys chapter. And I am not sure right now that what I describe in the previous paragraph will even work or make sense to readers. This is a complex topic and security is daunting to most people. I want to make it less daunting, but I also would like to describe all this with as few words as possible.

There’s more. There is always more.

Tied to this is another distraction that keeps gnawing at my brain and hurting my concentration. Security really is complex and daunting, and in writing a chapter on passkeys, I have to make assumptions about certain things. This is, after all, a form of multi-factor authentication (MFA), or two-factor authentication (2FA), or two-step authentication, or whatever you prefer. And it is part of a move towards a passwordless future. I need to explain those things somewhere. Not in the passkeys chapter, I guess. But that means another chapter.

How low can I go? If we’re going to talk about MFA/2FA and passwordless, then we’re also going to talk about accounts generally and about online accounts specifically. About other forms of MFA/2FA authentication, like authenticator apps and one-time passwords (OTPs). About securing a Microsoft account (MSA). About why passwords are insecure. And so on.

I have to make assumptions. I have to draw a line somewhere. But this is security, and security is important, and if I make an assumption that causes some reader to do something wrong that leads to some vulnerability or hack or whatever … well, that’s no bueno.

The distractions never end.

One assumption I make is that most readers will sign in to Windows 11 with an MSA. And when you do that, Windows 11 creates a special device-bound passkey for that account that enables single sign-on capabilities (passthrough authentication) with in-box apps and services like Edge, OneDrive, and the Microsoft Store. This special passkey cannot be managed in any way; you cannot delete it because it’s required by the system. But what if the reader signs in with a Microsoft Work or School account? Does that also create a similar special device-bound passkey?

When this thought hit my brain, I almost stopped functioning. I had to find out. I pulled out a laptop, signed in, and added my Microsoft Work or School account to the system (in Settings > Accounts > Other Users). Then I logged out so I could sign in with that account and … and nothing. It wasn’t available on the Lock screen. When I signed in using the original MSA, I saw why: That laptop was running Windows 11 Home, and that doesn’t support Work or School account sign-ins.

So I grabbed my Surface Laptop 7, which I had previously upgraded to Windows 11 Pro. Went through the same process. And had the same outcome: The Microsoft Work or School account was not available for me to sign in with. WTF. So I looked at winver and saw that it, too, was running Home. I had reset it at some point using Microsoft’s Surface Recovery media and so it blasted it back to Home. So I had to find the key I had used, reactivate it, reboot, and … yeah. Welcome to a typical day. Sometimes, it feels like this is all I do most days. A lot of stuff but with little forward progress.

This is a really long way of explaining that I set out to write a single chapter for a book a week ago and I still haven’t finished it. I still don’t have all the answers I need, and I’m still not happy with where this thing is at. The only thing I know for sure right now is that this can’t last. At some point, something will click, some synapse in my brain will connect, it always does, as that super power side of ADHD will finally take over, and all will be clear. I will find that path forward. I will finish that goddamn chapter.

But today is not that day.
