Microsoft has released an update to its Windows 11 operating system that fulfills its promise of passwordless authentication using passkeys. The update, called Windows 11 version 23H2, was made available to Microsoft’s preview channel on Tuesday. It introduces the ability to generate passkeys through biometric authentication, a PIN, or third-party password managers instead of traditional passwords.
Passkeys are seen by experts as the most promising form of authentication for eliminating passwords and enhancing security. Unlike passwords, passkeys are linked to specific devices such as computers, tablets, and smartphones. This means that users no longer have to remember multiple usernames and passwords for different websites and online services. Passkeys cannot be stolen by attackers, and there are no multifactor authentication tokens for them to intercept. Access can only be granted with the unique cryptographic key, which is virtually impossible to guess.
To generate passkeys, users can utilize Windows Hello, Windows Hello for Business, or their smartphones. The passkeys are then securely stored on the device. To log in to a website or application, users can unlock the passkey with biometrics like facial recognition or fingerprint scanning, or by using a device-based PIN. Windows 11 also includes a passkeys management dashboard in the Settings app, making it easy to manage and organize passkeys.
The passkeys implemented in Windows 11 follow the FIDO Alliance specification, which is based on the World Wide Web Consortium’s (W3C) WebAuthn standard. The FIDO protocols rely on standard public/private key cryptography techniques. When a user registers with a service, a new key pair is generated. The private key is securely stored on the user’s device, while the public key is registered with the service. During authentication, the user’s device proves it has the private key, which can only be used after being unlocked by biometrics or a PIN.
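The registration and authentication steps described above, as an added Node.js example (not Microsoft's or the FIDO Alliance's code). It is a simplified model rather than the real WebAuthn API or message format, and the origins and all function names are constructed for illustration.

```javascript
// Simplified model of the FIDO flow. Real WebAuthn signs authenticatorData plus a
// hash of clientDataJSON and uses navigator.credentials; names here are hypothetical.
const nodeCrypto = require('node:crypto');
const RP_ORIGIN = 'https://example.test'; // constructed relying-party origin

// Registration: the device makes a new key pair; only the public key goes to the service.
function register() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey, pending: new Set() } };
}

// Service: issue a random, single-use challenge.
function issueChallenge(server) {
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  server.pending.add(challenge);
  return challenge;
}

// Device: sign only after the user has unlocked the key (biometrics or PIN).
function signAssertion(device, challenge, origin, userVerified) {
  if (!userVerified) return null;
  const clientData = JSON.stringify({ challenge, origin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Service: check the origin, consume the challenge, then verify the signature.
function verifyAssertion(server, assertion) {
  if (!assertion) return 'no-assertion';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (origin !== RP_ORIGIN) return 'wrong-origin';
  if (!server.pending.delete(challenge)) return 'replayed-or-unknown-challenge';
  const ok = nodeCrypto.verify('sha256', Buffer.from(assertion.clientData), server.publicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

function demo() {
  const { device, server } = register();
  const good = signAssertion(device, issueChallenge(server), RP_ORIGIN, true);
  const otherDevice = register().device; // a key pair the service never registered
  return {
    first: verifyAssertion(server, good),
    replay: verifyAssertion(server, good), // same assertion submitted a second time
    wrongOrigin: verifyAssertion(server, signAssertion(device, issueChallenge(server), 'https://other.example.invalid', true)),
    wrongKey: verifyAssertion(server, signAssertion(otherDevice, issueChallenge(server), RP_ORIGIN, true)),
    locked: verifyAssertion(server, signAssertion(device, issueChallenge(server), RP_ORIGIN, false)),
  };
}
console.log(demo());
```

The service only ever holds the public key, so the values it stores cannot be used to produce a valid assertion.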
Microsoft claims that passkeys on the new Windows 11 update are compatible with popular browsers such as Microsoft Edge, Google Chrome, and Firefox. The feature also works with websites and applications that support the WebAuthn standard, including Adobe, Amazon, DocuSign, GitHub, PayPal, Shopify, and Uber. Users can refer to 1Password’s comprehensive directory of services that support passkeys for more information.
Passkey support is not limited to Windows 11. Apple was the first to introduce passkey support in September 2022 for its iOS devices and Safari browser. Google also added passkey support to Android and Google Accounts. Apple expanded the capabilities of passkeys in its iOS 17 update, eliminating the need for passwords on supported sites and apps. It also added support for Apple Managed IDs, designed for organizations using Apple Business Manager or Apple School Manager.
For IT and security administrators, Microsoft is providing a new policy for Microsoft Entra ID (Azure AD)-joined machines that prevents password usage across the entire Windows experience. This policy removes the option to access company resources with just a username and password. Additionally, Microsoft is offering a feature called Config Refresh, which automatically resets the policy settings on Windows 11 devices to their configured state every 90 minutes (adjustable to 30 minutes). This feature is beneficial for companies looking to automate best security practices.
The introduction of passkeys in Windows 11 is seen as a significant step towards passwordless authentication becoming the standard. With major tech companies like Apple, Google, and Microsoft embracing passkeys, the shift towards eliminating passwords is gaining momentum. Passkeys not only enhance security but also provide a more convenient and user-friendly authentication method by eliminating the need to remember complex passwords for various services and websites.
