Passkeys and Security Keys

The passwords we use to protect our online accounts are insecure and easily compromised. For this reason, Microsoft has been working with industry partners for decades to create and standardize new ways to reduce our reliance on passwords and improve the security of our accounts and the private data they contain. The ultimate goal is to eliminate passwords all-together: In this passwordless world, we can authenticate--prove who we are--using methods that are more secure and easier than typing a password.

This isn't just a theory: Depending on which online accounts and devices you use, you can go passwordless right now. That's because these more modern account security methods have been broadly implemented, not just by Microsoft, but also by Amazon, Apple, Google, and most other companies that provide online accounts, software platforms, app developers, and devices like PCs, phones, and tablets.

For its part, Microsoft has added support for two-step verification to its Microsoft accounts for consumers and Microsoft work or school accounts for businesses and other organizations, and it even allows users to remove the passwords from these accounts.

On PCs, Microsoft lets customers use these accounts to securely sign in to Windows 11 with Windows Hello PIN (personal information number) and biometric sign-in capabilities. And when the back-end security protections in the online accounts and the front-end authentication protections in Windows are used together, passwordless isn't just possible, it's more secure and more convenient.

The key to this magic is a new passwordless authentication technology called passkeys. Passkeys solve all the problems with passwords, and because they are the simplest-possible form of two-step verification, they're even easier to use than smartphone-based authenticator apps, and passkey usage has not surprisingly expanded dramatically in recent years.

To support this change, Microsoft has added passkey support to its online accounts and to Windows 11. On PCs, passkeys are stored in the encrypted storage inside the Trusted Platform Module (TPM) security chip in your PC, and you can seamlessly and securely sign in to any online accounts that support passkeys on the web or in apps using Windows Hello PIN or biometric authentication. Windows 11 version 23H2 even includes a new passkey management interface too.

Additionally, Microsoft has long supported a related technology, security keys, that now makes passkeys more portable--meaning you can use them directly on multiple PCs and other devices rather than saving a unique passkey for each account on each PC you use--at the expense of making them also more difficult to use. We don't recommend security keys for most readers, but you may be forced to use one by your workplace or educational institution.

Confused? It's not you: Security is a difficult topic with a lot of jargon, and it's important to get this right. But this will all make more sense as we st...