The Secret Lives of Passkeys (Premium)

While 2023 was the year of AI hype, it was also the year in which passkeys were broadly adopted by online services and users alike. This technology is finally making the post-password world a reality, and that's true no matter which platforms and ecosystems you prefer and use. It's the democratization of the passwordless dream.

I love that. But for us here in the Microsoft sphere, there's also a paradox inherent to passkeys. On the one hand, no company has done more to implement passwordless technologies at scale than Microsoft---it first allowed Microsoft account (MSA) holder to remove the password from their accounts over two years ago, for example. But on the other, Microsoft has been curiously silent this past year or so while Amazon, Google, and the rest of Big Tech tripped over themselves and each other, promoting their adoption of passkeys incessantly.

By comparison, Microsoft was as quiet as the proverbial church mouse. It mentioned passkey management support in Windows 11 version 23H2 in passing, preferring to market that release's unpolished Copilot functionality above all else. And then GitHub, which many don't even associate with Microsoft, made its passkey implementation generally available around the same time. But that was about it, and you'd be forgiven for not noticing either milestone.

But passkeys have been on my radar all year. And as I started organizing the 23H2-related updates I'd be making to the Windows 11 Field Guide, I decided early on that they would include a new chapter about passkeys, knowing full well that writing such a thing would require a lot of work, experimentation, and new writing. And that's exactly what happened. To paraphrase J.R.R. Tolkien, who famously noted that the tale grew in the telling, the writing, um, grew in the writing. Which is an awkward way to communicate that one thing led to another, and I suddenly found myself writing several thousand additional words more than expected. This is a big topic, and it seemed that every time I made a conceptual breakthrough, there was more to explore and then more to explain.

But I think I can bring this home for you in a way you will enjoy, assuming you're a long-time Microsoft follower. Because as it turns out, Microsoft began the work that led to passwordless generally and passkeys specifically well over two decades ago when it announced that it was working on the awkwardly-named Next Generation Secure Computing Base (NGSCB) as a hybrid hardware and software implementation of its Trustworthy Computing ideals. Among this system's many security advances was the notion of securely authenticating our digital identities---what we today call online accounts---using something we know (a password or PIN), something we have (a smartcard or phone), and something about us (a fingerprint or eye).

NGSCB led to the creation and standardization of the Trusted Platform Module (TPM) security chip and the many hardware-based security innovat...