ZDNET’s key takeaways
- Microsoft is making good on its promise to support passkey syncing.
- The rollout is starting with availability on Edge for Windows.
- A more holistic and industry-leading strategy appears to be in the works.
Whether you’re using websites or applications (collectively referred to by cybersecurity pros as “relying parties”) that require a login, you will eventually be asked to eliminate your password in favor of a passwordless passkey.
Under the guidance of the multi-vendor FIDO Alliance, the passkey standard — considered a non-phishable type of login credential — has been around for five years. However, the global shift to passkeys has been hindered by the immaturity of some supporting technologies in today’s operating systems and devices, as well as in the various identity management systems used by relying parties.
Also: I replaced my Microsoft account password with a passkey – and you should, too
Rollout begins with Edge on Windows 11
However, the rate of passkey adoption should receive a boost now that one of the barriers — the lack of a widely available Microsoft-offered means to sync passkeys across Windows devices and installations of its Edge web browser — is being removed. Microsoft’s phased rollout began last week.
According to Microsoft, the initial phase of the rollout has started with the ability to sync passkeys across installations of Edge version 142 (or above) running on Windows 10 devices and above.
Also: 10 passkey survival tips: Prepare for your passwordless future now
“We are targeting end of calendar year for [availability on Edge on] iOS,” a Microsoft spokesperson told ZDNET. That availability “will be subsequently followed [by Edge] on Android and macOS.” The company has not yet offered a timetable for support through Edge on Linux.
Previously, Windows users could create passkeys for apps and websites that supported them. However, those passkeys were cryptographically tied to a unique hardware-based root of trust such as the Trusted Platform Module (TPM) found in modern Windows-capable systems. TPMs are typically integrated into the silicon that’s surface-mounted onto a device’s motherboard. Once created, such “device-bound” passkeys are inextricably linked to the unique hardware-based root of trust used to create them and cannot be synchronized to other devices backed by a separate hardware-based root of trust.
Device-bound vs syncable passkeys
Syncable passkeys are considered to be more user-friendly than their device-bound counterparts. When users can sync their passkeys across their various devices (computers, smartphones, tablets, gaming consoles, etc.), they only need to create one passkey per relying party and can reuse that single passkey as a login credential for that relying party from any of their devices.
However, with device-bound passkeys of the sort that Microsoft primarily supported until now, there’s an increased technical burden on you to either create multiple passkeys (one per device) for each relying party or to store a single passkey on a roaming authenticator — a portable hardware-based root of trust like a Yubico YubiKey or a Google Titan that has to be connected to whichever device you’re logging in from at the time.
Also: I’m ditching passwords for passkeys for one reason – and it’s not what you think
For a passkey to be freed from these device-bound limitations, it must be created using a portable, software-based root of trust. Once a passkey is created in this manner, the typical approach is to sync it through a cloud operated by the vendor of the credential management solution. For example, passkeys whose origin starts with Apple’s iCloud Keychain are syncable to other Apple devices through Apple’s iCloud. The same goes for passkeys created with the password manager found in Google’s Chrome Web browser; they are synced through Google’s cloud to the user’s other copies of Chrome on other devices.
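The relying-party side of the device-bound vs. syncable distinction drawn above, as an added example that is not code from Microsoft or from this article: in WebAuthn, the authenticator data a relying party receives at registration and at every login carries two flag bits, BE (backup eligible) and BS (backup state), which tell the relying party whether a credential is device-bound or can be (and currently is) synced to other devices. The Python below parses the fixed header of authenticator data, rejects the combination the specification forbids (BS set without BE), and classifies the credential. The sample byte strings are constructed locally by the helper `make_auth_data`, which is assumed here for the demonstration, not captured from any real authenticator.

```python
import hashlib
import struct

# WebAuthn authenticator-data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: credential may be synced to other devices
FLAG_BS = 1 << 4  # backup state: credential is currently backed up / synced
FLAG_AT = 1 << 6  # attested credential data follows the header
FLAG_ED = 1 << 7  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the 37-byte fixed header of WebAuthn authenticator data.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
    Only the fixed header is needed to classify the credential; the optional
    attested-credential-data and extension blocks that may follow are ignored here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    # The spec forbids BS=1 when BE=0: a credential that is not eligible for
    # backup cannot claim to be backed up. Treat that as a malformed response.
    if bs and not be:
        raise ValueError("invalid flags: backup state set on a non-backup-eligible credential")
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": be,
        "backup_state": bs,
        "sign_count": sign_count,
    }


def classify_passkey(auth_data: bytes) -> str:
    """Return 'device-bound', 'syncable (not yet backed up)' or 'synced'."""
    info = parse_authenticator_data(auth_data)
    if not info["backup_eligible"]:
        return "device-bound"
    if info["backup_state"]:
        return "synced"
    return "syncable (not yet backed up)"


def make_auth_data(flags: int, sign_count: int = 0, rp_id: str = "example.com") -> bytes:
    """Build a minimal authenticator-data header for demonstration.

    Constructed sample, not output from a real authenticator (helper assumed for this example).
    """
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples. A device-bound credential (e.g. one tied to a TPM) reports BE=0;
# a credential held by a syncing credential manager reports BE=1 and, once uploaded, BS=1.
DEVICE_BOUND_SAMPLE = make_auth_data(FLAG_UP | FLAG_UV, sign_count=7)
SYNCED_SAMPLE = make_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)

if __name__ == "__main__":
    for label, sample in (("device-bound sample", DEVICE_BOUND_SAMPLE), ("synced sample", SYNCED_SAMPLE)):
        print(f"{label}: {classify_passkey(sample)}")
```

A relying party that wants to record whether each registered passkey is device-bound or syncable, or to notice when a previously device-bound credential is replaced by a synced one, can store these two flags alongside the credential ID; in the article's terms, the "Synced" choice in Edge's picker is the one expected to produce BE=1, and the local Windows Hello choice BE=0.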
Apple, Google, and Microsoft are members of the FIDO Alliance and are the three biggest global proponents of passkeys (officially known as FIDO2 credentials). There’s also a large cottage industry of password management solutions — including 1Password, Bitwarden, Dashlane, LastPass, and NordPass — many of which also support passkey syncing through their independently operated clouds. True to form, Microsoft relies on its cloud to facilitate syncing of passkeys (as well as other credentials such as user IDs and passwords).
Also: The best password managers: Expert tested
“Instead of being anchored to a specific TPM, the private key [associated with the passkey] is now protected within a secure, hardware-backed cloud enclave and encrypted using HSM (Hardware Security Module) keys,” the Microsoft spokesperson told ZDNET. “This ensures that passkeys remain strongly protected not just at rest and during synchronization, but also while in use within the secure enclave.”
Microsoft’s holistic approach
However, as passkey platform authenticators go, Microsoft’s syncable passkey strategy does more than expand the free and built-in availability of syncable passkey capability to the giant footprint of existing Windows and Edge users. It also takes the idea of a platform authenticator to an entirely new level for the industry. Although the full vision is being delivered in baby steps — starting with the shift of password support from Microsoft Authenticator to Edge this July — it will include key capabilities not found in other credential management solutions (especially the free and built-in ones).
The most significant and pleasantly surprising aspect of these is the holistic view that passkey creation and subsequent usage should be an integrated service offered to other applications by the operating system. Let’s say you depend on a relying party that offers its functionality through both a web app and a native Windows application. Under Microsoft’s approach, both Edge and the native Windows application can rely on the same underlying operating system components for the infusion of passkey registration and authentication capabilities.
Also: Microsoft Authenticator won’t manage your passwords anymore – or most passkeys
For example, let’s say you create — through your Edge browser — a syncable passkey for logging into LinkedIn. Once created, the same passkey will also be available to the native Windows application for LinkedIn. Or, vice versa. Through the native Windows application for LinkedIn, you should be able to register a passkey that’s subsequently available for authentication with LinkedIn through Edge.
This capability isn’t just for native Windows applications that are specific to a single relying party. According to Microsoft, users of other browsers, such as Firefox, will also have access to the OS-provided service. In a case like this, one could use Firefox to visit and authenticate to LinkedIn.com using the same passkey (for LinkedIn) that’s available through Windows to Edge, as well as LinkedIn’s native app for Windows.
According to Microsoft, this capability will be activated for Windows 11 users who have performed the one-time setup of the password manager in Edge (referred to by Microsoft as “Microsoft Password Manager”).
Also: What really happens during your ‘passwordless’ passkey login?
Finally, just because Microsoft is now bringing its comprehensive syncable passkey strategy to bear doesn’t mean it is eliminating support for the old device-bound passkeys.
“Whenever a user encounters a passkey creation [workflow] within Edge, they will be prompted with a ‘picker screen’ where users can choose between saving to Microsoft Password Manager (Synced) vs. storing it locally [as a device-bound passkey] via Windows Hello,” the Microsoft spokesperson told ZDNET. “Depending upon what users select, the appropriate next steps are invoked.” Within Windows, Windows Hello consists of several components that are a part of the larger Windows Security subsystem.
