Tip: Use Passkeys With Your Microsoft Account

Windows 11 natively supports passkeys, a passwordless sign-in technology based on the FIDO2/WebAuthn industry standards that lets you sign in to your online accounts using Windows Hello. From a security standpoint, passkeys are at least as strong as an authenticator app, and because each passkey is bound to the site it was created for, they resist phishing in a way that one-time codes and approval prompts do not. They're also easier to use, and that rare combination of secure and convenient has already catapulted passkeys to a level of acceptance and usage that authenticator apps and hardware security keys never achieved.

Note: Be sure to configure your Microsoft account securely with two-step authentication and multiple alternate sign-in and security verification methods using the instructions I outline in a previous post. This write-up, like that one, is based on content I’ve created for new chapters of all-new content in the Windows 11 Field Guide, in this case one that covers passkeys and security keys.

2023 was notable for so many reasons, but one of the biggest shifts was the rapid spread of passkey support across popular online accounts from Amazon, Apple, Google, and many others. But despite doing more than any of these other companies to enable a passwordless world, Microsoft was curiously quiet when it came to passkeys this past year. Meanwhile, Google was widely acclaimed for making passkeys the default sign-in option for its online accounts this past October. This, despite the fact that Microsoft had allowed its customers to literally remove the password from their Microsoft accounts for over two years by that point.


But this is on Microsoft: Aside from briefly mentioning passkey management as one of the many new features in Windows 11 version 23H2, the software giant didn’t promote its support for this technology in any meaningful way this past year. Nor does Windows 11 really mention passkeys in any meaningful way when you access your Microsoft account, while Google, especially, makes a big deal about it when you access its accounts on the web. Instead, Microsoft seems content to let its users keep using the passwordless sign-in functionality provided most commonly by authenticator mobile apps.

But that’s not the full story.

As I wrote in The Secret Lives of Passkeys (Premium), Windows silently creates a passkey for your account when you sign in to Windows 11 with a Microsoft account or a Microsoft work or school account: Windows Hello generates a key pair, keeps the private key bound to your PC's Trusted Platform Module (TPM) security chip, and registers the public key with the account. And so the passkey for one of your most important online accounts is already there on the PC, and you can authorize its use online, in any web browser, using Windows Hello (PIN or biometric, whichever you have configured), the same secure method you already use to sign in to your Microsoft account (or work or school account) when you fire up the PC.

So that’s a lackluster tip, I guess: To create a passkey for your Microsoft account, just do nothing. It’s already there.

Of course, you still have to know how to use that passkey. And you may have other Microsoft accounts, and would like to create a passkey for those accounts on this PC too. And you use a phone: Can you create a passkey for your Microsoft account there? Should you? And if so, how?

First, a quick explainer.

What are passkeys?

At a high level, a passkey is another way to bypass the password associated with an online account, albeit one based on an industry standard (FIDO2/WebAuthn) with broad adoption from platform makers and service providers. Like authenticator apps, passkeys protect against password reuse, credential stuffing, and leaked password databases, because there is no shared secret for an attacker to steal. Unlike authenticator apps, passkeys also resist phishing: each passkey is bound to the site it was created for, so a look-alike site can't trigger it, and a sign-in attempt relayed through an attacker's page fails because the site's origin is part of what gets signed. And as with authenticator apps, passkeys rely on the security technologies we take for granted on modern devices: hardware-backed key storage (the TPM on a Windows PC) and secure sign-in methods like PINs and, ideally, biometrics like facial and fingerprint recognition.

There is one wrinkle: In Windows, each passkey you create is bound to the device on which it was created. (Apple and Google can sync passkeys between a user's devices; Windows currently does not.) That means you will have a different passkey for each supported online account on one PC, and a different passkey for each supported account on each of your other PCs and devices. This may seem complex, but in practice it works seamlessly after a one-time setup process. And unlike an authenticator app or security key, a passkey doesn't require you to have or use another device when you need to sign in.

Once you’ve stored a passkey on your PC (or Microsoft has done so for you with your Microsoft account), subsequent sign-ins, on the web or in apps, will be seamless. When you’re prompted by some online service to sign in for whatever reason, all you’re expected to know is the email address associated with the account. (And in most cases, that will be auto-filled by your browser, OS, or password manager anyway.) Then, instead of typing a password or dealing with an authenticator app on your phone, you authenticate yourself to Windows using a Windows Hello PIN or biometric method. Under the hood, the service sends a one-time challenge, and Windows Hello unlocks the passkey's private key so it can sign that challenge together with the site's origin; the service then checks the signature against the public key it stored when the passkey was set up. Nothing secret ever travels to the service, and a signature made for the wrong site or for a stale challenge simply doesn't verify, which is why the service can trust the result and grant you access.

Passkeys can also be implemented in Windows (and elsewhere) using security keys, as noted, or in certain password managers. What we’re discussing here is the native platform capability in Windows. What Windows 11 version 23H2 adds is passkey management capabilities (noted below). But there’s more work to do: The Microsoft account’s support for passkeys is not particularly obvious, and Windows 11 doesn’t (yet?) sync your passkeys through your Microsoft account, a capability that would make passkey usage (for all of your accounts) much more seamless. Today, you need to manually create a passkey for each account on each PC.

We’ll get there, I bet. But for now, I’ll keep this focused specifically on creating and using a passkey with your Microsoft account on a Windows 11-based PC. (This works nearly identically for Microsoft work or school accounts as well.)

Note: Windows has long supported authenticating online accounts using physical security keys like those made by Yubico, and these hardware fobs also support passkeys. Security keys have their place, but their complexity and cost make them non-starters for most individuals. Authenticator apps and passkeys are much more convenient. But no worries, I’m covering security keys in the book too.

Create a passkey for a Microsoft account

If you sign in to Windows 11 with a Microsoft account, you’re done: Microsoft already created a passkey for that account, and you can see it in the Settings app by navigating to Accounts > Passkeys. On this PC, there is just a single passkey, for the Microsoft account used to sign in to Windows 11.

If this is all you need, you can move on to the next section. But if you have other Microsoft accounts, you can create a passkey for each on this PC too. And you create a passkey for a Microsoft account the same way you create any other additional account sign-in or verification method, by navigating to the Additional security options page on the Microsoft account website, authenticating as prompted, and then clicking “Add a new way to sign in or verify.” (Note that this may be easier to do in a secondary web browser as handling multiple Microsoft accounts in a single browser can be problematic.)

In the “Select an additional way to verify or sign in” dialog that appears, click “Use your Windows PC.” The “Use Windows Hello to sign in to your account” page appears. Click “Next.” Windows 11 will display a prompt explaining that the sign-in data for your Microsoft account will be stored on this PC, allowing you to sign in to that account later using this credential. Click “OK.” Windows will then prompt you to authenticate using a Windows Hello PIN, facial recognition, or fingerprint recognition so that it can securely save the passkey on this PC. (This will vary according to which methods you’ve configured. Click “More choices” here to choose a different method than the one presented.)

Once you’ve authenticated using Windows Hello, Windows will store the account credential in TPM-protected storage on the PC. And the Microsoft account website will note that you can now use Windows Hello to sign in to this account in the future, instead of your password (or a phone-based verification method or whatever other methods you’ve configured).

Sign in to your Microsoft account on a PC using a passkey

To use the passkey to sign in to your Microsoft account, click “Other ways to sign in” when prompted in the future. (Note that you will not see this option at the Windows 11 lock screen: Windows already provides Windows Hello device-specific sign-in capabilities, and these methods are as seamless as they can be. I used an InPrivate browser window for these shots.)

This prompt will typically default to whatever authentication method you used most recently. But you can choose between different ways to authenticate yourself. Click “Sign in with Windows Hello or a security key” and then authenticate using whichever method you prefer that is available on that PC. (Windows Hello in this case.)

And that’s it: You’ve signed into your account securely and seamlessly, and without needing to fish your phone out of your pockets and deal with its on-screen prompts.

Manage passkeys in Windows 11 version 23H2

Passkey management is an interesting topic in part because many online accounts provide limited capabilities in this regard. But your Microsoft account is among the worst offenders: Once you create a passkey on a particular PC from the Microsoft account website, there’s no way to manage it from the web. It does not appear in the list of additional sign-in and verification methods alongside your password, email addresses, authenticator app, and other methods. Other companies, including Google, offer centralized passkey management on their online account management websites.

This matters less than it sounds. If your PC is lost or stolen, the passkey’s private key stays inside the TPM and can’t be exported or used without your Windows Hello PIN or biometric, and the TPM’s anti-hammering protection limits how many PIN guesses a thief gets. But it isn’t nothing: a credential you can’t see or revoke from the account side is still a credential you’d want to revoke after a theft, if only so you know it’s gone. I expect this to change in the future, if only because customers will expect to be able to remotely delete passkeys or in some way disconnect existing passkeys from the underlying service.

Until that happens, you can manage the passkeys on a PC using the Settings app in Windows 11 version 23H2 and newer, as noted above: Navigate to Accounts > Passkeys settings to see what’s available.

As expected, the capabilities are limited to deleting passkeys one at a time: Just click the “See more” (“…”) item next to a passkey and then “Delete passkey.” Note that these passkeys are system-wide: I created some of those using a different Windows 11 sign-in account. As long as I have admin privileges, I can delete any and all passkeys stored on that PC, except for the passkey associated with the account I’m currently using.

And that’s literally all you can do with this new Windows 11 version 23H2 feature.

What about mobile?

Because Microsoft doesn’t have its own mobile platform anymore, those with a Microsoft account (or work or school account) tend to approach their Android phones and tablets, iPhones, and iPads from the perspective of the apps they use there. That is, we sign in to this account when we need to configure it in a Microsoft app (Outlook, Microsoft 365, OneDrive, etc.) or a third-party app (Gmail, Google Calendar, etc.), using some form of password auto-fill (native or third-party), and then hopefully configure an authenticator app like Microsoft Authenticator to further protect our Microsoft account and other online accounts.

And that does appear to be Microsoft’s solution on mobile, as it does not support saving passkeys for Microsoft accounts (or Microsoft work or school accounts) on mobile. Instead, you’re expected to use Microsoft Authenticator, the idea being that it works similarly to a passkey since you can verify sign-in attempts using that app on the same device on which you’re making the sign-in attempt. That is, while an app on a phone is a bit inconvenient when you’re using a PC, it’s not at all inconvenient when you’re using that phone. So the benefit of a passkey would be minimal on that one device.

This is perhaps misguided. Like Windows 11, these mobile platforms (Android, iOS, and iPadOS) all support passkeys natively, each device type has secure key storage in a TPM-like security chip, and each supports secure PIN and biometric sign-in methods to protect those passkeys. A passkey also brings something an Authenticator approval prompt does not: because it is bound to the site’s origin, it can’t be tricked into approving a sign-in that a phishing page started. And you won’t typically use Authenticator on an Android tablet or iPad. Using a passkey on those devices would be convenient too.

Maybe someday.


Thurrott © 2024 Thurrott LLC