Passkeys (25H2)

Passkeys are a simpler and more secure alternative to the passwords we use with our online accounts.

Windows 11 includes native support for passkeys but they’re limited to being device-bound, meaning they can be used only on the PC on which they were created. And so Windows 11 version 25H2 now lets you integrate this system with third-party passkey providers that make your passkeys portable so they can be used on all your devices.

❓ Why passkeys?

The passwords we use with our online accounts are insecure. They are easily guessed, can be stolen or leaked in a data breach, and most people reuse the same passwords across multiple accounts, opening us up to further hacks.

To combat these problems, we can use a password manager to manage our passwords and create unique, complex passwords for each online account. And security organizations and online account platform makers have collaborated on adding additional layers of identity verification to online accounts, including multi-factor authentication (MFA) technologies like one-time passwords (OTPs) and Authenticator apps.

✅ Tip: The most common MFA methods are often described as two-factor authentication (2FA) or two-step verification. For our purposes, these terms are interchangeable.

These techniques are all useful and effective. But to more fully secure online accounts, we need to eliminate passwords entirely. And so the same industry players have collaborated to create passkeys as a simpler and more secure alternative to passwords. Unlike passwords, passkeys are phishing resistant and impervious to data breaches. And they require the use of the PIN or biometric authentication method you configured on your PC or other device.

Passkeys are also broadly adopted across the industry. Online account makers are adding support for passkeys at a rapid clip and most password managers can now be used to manage passkeys too.

✅ Tip: For this reason, I will use the terms passkey manager and password manager interchangeably in this chapter.

The advantages are obvious. From a convenience perspective, passkeys can help you can achieve a passwordless experience today when you sign in to online accounts or have to verify your identity. But the end game is to reduce and then remove our reliance on passwords across all our online accounts.

✅ Tip: Few online account platforms let you create a passwordless account today or remove an existing password. One notable exception is your Microsoft account (MSA): Once you set up the correct alternative identity verification methods for your MSA, you can optionally delete the password.

? Types of passkeys

Passkeys can be saved to a phone, PC, or other device. Or they can be saved to a password manager (or other passkey manager) and used on multiple devices.

Passkeys stored only on a single device are called device-bound passkeys.

Passkeys stored in a password/passkey manager are portable passkeys because you can access the underlying service (and the passkeys it stores) on any device.

?️ Windows 11 and passkeys

Microsoft supports passkeys in its online accounts, including the Microsoft account (MSA) and Microsoft Work or School account (MWSA).

Windows 11 version 23H2 added basic support for device-bound passkeys that are managed in the Settings app and protected by Windows Hello PIN and whichever biometric authentication methods (facial or fingerprint recognition) your PC provides.

? Windows 11 version 25H5 includes a plug-in system so that you can bypass the in-box passkey functionality and use an external, portable passkey manager instead. This external passkey manager is also protected by Windows Hello.

As of this writing, compatible passkey managers include the Microsoft Password Manager (which is integrated with the Microsoft Edge web browser), 1Password, and Bitwarden.

? My advice. I feel strongly that you should use a third-party passkey manager, and there’s no reason to worry about integrating with Windows 11 as all good password managers provide web browser extensions and native Windows apps. In addition to the 1Password and Bitwarden, both of which are excellent, I recommend (and use) Proton Pass for passkey (and password and identity) management.

? My advice. You will also install this password manager on your phone and, if desired, an iPad or other tablet too. On these mobile devices, the password manager works as a password autofill and passkey provider in apps and on the web. In Windows 11, a web browser extension is usually enough, but you can optionally install the password manager’s desktop app, too. But I just stick with the browser extension on my PCs.

⚙️ Defaults

There isn’t much to passkey management in Windows 11, but you can find what’s available in the Settings app by navigating to Accounts > Passkeys.

If you sign in to Windows 11 using a Microsoft account (MSA) or Microsoft Work or School account (MWSA), the system creates a device-bound passkey for that account that provides single sign-on (SSO) capabilities (sometimes called passthrough authentication) for Microsoft Edge, Microsoft Store, OneDrive, and other in-box apps that use that type of account. This is obviously convenient, but it’s also secure because Windows 11 confirms your identity using Windows Hello.

✅ Tip: You can’t delete this passkey because it’s required by the system. If you create other device-bound passkeys as described later in this chapter, you can delete those passkeys here if desired.

The Advanced options choice opens a separate page in Settings that’s only useful when you install a third-party passkey manager that integrates with Windows 11’s passkey functionality. Otherwise, there’s only a single option, and it’s grayed out (and thus unavailable).

If you install a compatible third-party passkey manager, it will be listed here. And the “Save passkeys to this Windows device” option will be made available but configured to Off by default.

⚒️ Choose a passkey manager and configure Windows 11 and your web browser correctly

There are several ways in which you can authenticate your identity with a passkey in Windows 11:

• Your phone, using the passkey manager app installed and configured on that device
• An extension for whichever web browser(s) you use
• Windows 11’s native, in-box support for device-bound passkeys
• A desktop app for a compatible third-party passkey manager that integrates with Windows 11

If you are using the Microsoft Password Manager in Microsoft Edge or a third-party password/passkey manager with any web browser, you will configure that to work with Windows 11, your phone, and perhaps other devices.

If you are using a third-party passkey manager, as I recommend, it will be installed on your phone and you should install its extension in whichever web browser you use. You can also optionally install its desktop app in Windows 11 and, if it’s compatible, configure it for use by the system in the Settings app.

Use your phone and a web browser extension

The most common scenario for using passkeys across your phone and PC is to install the app for your passkey manager (typically a password manager) on your phone and install the extension for your passkey manager in the web browser(s) you use in Windows 11.

To find the correct interface on Android, iPhone, or iPad, open the Settings app and search for autofill. Then, be sure to disable any other password and passkey autofill providers.

In your web browser in Windows 11, after installing the extension and signing in to it, open the browser settings interface and locate the passwords and autofill interface. Then, do the following:

• Disable the web browser’s built-in password manager. In Microsoft Edge, you can find this in Edge settings > Passwords and autofill > Microsoft Password Manager.
• Disable any options related to the browser and passwords and passkeys. In Microsoft Edge, navigate to Edge settings > Passwords and autofill > Microsoft Password Manager > More settings and uncheck “Ask to save passwords and passkeys” and “Autofill passwords and passkeys.”

Use the native Windows 11 passkey management

While it is unlikely that you will use only the native Windows 11 passkey functionality, you can do so. You will only need to configure your web browser to not ask to save passwords and passkeys and autofill passwords and passkeys, as described in the previous section.

Use the Microsoft Password Manager

To use the Microsoft Password Manager for passkeys in Windows 11, you have to also use the Microsoft Edge web browser. Then, just make sure that the following options are enabled in Microsoft Edge settings:

• “Ask to save passwords and passkeys” in Passwords and autofill > Microsoft Password Manager
• “Ask to save passwords and passkeys,” “Autofill passwords and passkeys” in Passwords and autofill > Microsoft Password Manager > More settings

Integrate a third-party passkey manager with Windows 11

To use a compatible third-party password manager that can integrate with Windows 11, install 1Password or Bitwarden and sign in.

Then, open the Windows 11 Settings app and navigate to Accounts > Passkeys > Advanced options. Locate the passkey manager you wish to use under Passkey managers and configure it to On.

Also, make sure that the option “Save passkeys to this Windows device” remains configured to Off.

Next, open the web browser you use in Windows 11 and disable any password and passkey-related functionality as described earlier in the chapter.

? Save a passkey

The experience you see when you save a passkey for an online account using a web browser in Windows 11 will vary according to which passkey management systems are currently configured on that PC.

But the outcome will be consistent. Unless you changed the configuration, all these choices will prompt you to authenticate yourself using Windows Hello. And when you do so, the passkey will be saved to the method you chose.

Available methods can include:

1. Save a passkey to a third-party passkey manager with a browser extension

If you installed a browser extension for a third-party passkey manager, it will override all other choices and appear first. The UI you see here will vary by extension, but here is what it looks like using Proton Pass.

✅ Tip: You can close the passkey manager’s UI to view other options as noted below.

2. Save a passkey to a browser-based passkey manager

If you didn’t install a browser extension (or you canceled/closed that UI when it appeared) and your web browser’s password manager is enabled, you will typically see a dialog with two choices, for the browser-based password manager (Microsoft Password Manager in Edge, Google Password Manager in Chrome, and so on) and Windows Hello, meaning the native, in-box device-bound passkey manager. Here is the experience in Google Chrome.

To save the passkey to your browser-based password manager, select that option. What you see next will vary by browser, but the process is straightforward.

3. Save a passkey to a third-party password manager integrated with Windows 11

If you didn’t install a browser extension, disabled the browser’s password manager, and installed and enabled a third-party password manager that integrates with Windows 11, a Windows Security dialog titled “Save your passkey” will appear with the text “This will be saved to [Passkey manager name].”

✅ Tip: If there are other options, you can click “Change” to switch to a different passkey manager, including, interesting, one that is installed on your phone.

4. Save a passkey to the native Windows 11 device-bound passkey manager

If you didn’t install a browser extension and disabled the browser’s password manager, a Windows Security dialog titled “Save your passkey” will appear with the text “This will be saved to your Windows device.”

✅ Tip: If there are other options, you can click “Change” to switch to a different passkey manager.

? Sign in to a website using a passkey

The benefits of passkeys are apparent when you need to sign in to an online account on the web. Though there are differences in how online accounts handle this, this experience will be seamless and convenient, no matter how you manage passkeys.

Sign in to a website using a passkey saved on your phone

If the site you’re signing in to knows you’ve previously saved a passkey to a phone-based passkey manager, or if your configured passkey manager doesn’t contain a passkey for the site, it will display a “Sign in with a passkey” dialog displaying a QR code.

You then scan the code using your phone’s camera and use the PIN or biometric authentication method you configured on that device to prove your identity and continue.

Sign in to a website using a web browser extension

While this will vary by extension and service, you will typically see a dialog from your passkey manager extension asking you to verify which passkey to use.

To sign in, just select the correct (or only) entry.

Sign in to a website using a device-bound passkey in Windows 11

If your system is configured to use a device-bound passkey, you will be prompted to authenticate with Windows Hello when you sign in using a passkey.

Sign in using a third-party passkey manager

If you have configured a third-party passkey manager extension in your web browser, you will be prompted with a “Sign in with a passkey” dialog and then will authenticate with Windows Hello.

? Manage a passkey

Passkey management is minimal, regardless of which passkey solutions you use.

If you use the native device-bound passkey system in Windows 11, you will see your saved passkeys in the Settings app at Accounts > Passkeys as noted earlier in this chapter. Each passkey has a “More options” (“…”) link that offers a single option,  “Delete passkey.” That’s it.