As part of the announcements made at Ignite 2024, Microsoft is bringing third-party passkey support to Windows 11.
Published: Nov 26, 2024
Microsoft has long been a member of the FIDO Alliance, a consortium of technology companies championing a passwordless future. The company is taking another step toward making passkeys the future by introducing API support in Windows 11 for third-party passkey providers.
In a November 22 blog post, Microsoft said it is releasing updates to its WebAuthn APIs that add a plugin authentication model for passkeys. This lets users choose a third-party provider, such as Bitwarden or 1Password, instead of the native Windows passkey provider. The decision to provide third-party passkey support in Windows 11 was first announced at the beginning of October 2024.
Passkeys are essentially public-private key pairs: the private key stays with the user's device or passkey provider, and the website holds only the public key, so users can sign in to websites and applications without a password or TOTP multifactor authenticator codes. Not everyone wants, or trusts, Microsoft to create and store their passkeys.
The new third-party passkey support gives users more choice. Microsoft also says that plugins will be able to use Windows Hello for user verification, so the sign-in experience stays seamless.
In its October blog post, Microsoft said:
“Microsoft is partnering closely with 1Password, Bitwarden and others on integrating this capability to provide users with seamless third-party passkey provider integration into Windows 11. You will be able to use the same passkey on Windows 11 that you’ve created on your mobile device, and together we can raise the bar on login security with passkeys.”
There will be an option to save new passkeys with Windows Hello and sync them so they can be accessed on other Windows devices. Microsoft also highlighted that synced passkeys are secured by end-to-end encryption and that passkeys are protected by the device's TPM (Trusted Platform Module).
Usernames and passwords are simple, and everyone understands them. But there's still a lot of confusion about how passkeys work.
The first advantage of passkeys over passwords is that they are inherently multifactor: you need the device that stores the passkey (something you have), and you must unlock it with a biometric gesture or PIN (something you are or something you know).
Secondly, passkeys are resistant to phishing. A passkey is bound at registration to the website's domain (the relying party ID), and the browser will only use it from a matching origin, so a look-alike site cannot ask for it. And because there is no secret to type, nothing reusable is ever sent to the site: the device signs a one-time challenge, and the private key never leaves it.
Despite all these advantages, why hasn't passkey adoption been better? Until now, passkey support at the operating system level on Windows has been restricted to the Windows passkey provider. That means you couldn't use a passkey held by Bitwarden, 1Password, or another third-party provider wherever Windows itself handles the passkey prompt, which includes most desktop apps. You can, however, use a third-party passkey provider to log in to websites through a browser extension.
That is about to change with a plugin model that allows message flows between Windows Hello and third-party passkey providers.
While it has long been possible to use a passkey stored on a mobile device to authenticate on another device, doing so requires Cross-Device Authentication (which includes a proximity check), a password manager, or a cloud syncing service such as iCloud Keychain.
Cross-Device Authentication works by scanning a QR code, presented for example by a website on a PC, with the mobile device's camera. The mobile device then sends a Bluetooth Low Energy advertisement that proves it is physically near the requesting device. An end-to-end encrypted connection is established over the Internet between the requesting device's browser and the mobile device, and the mobile device returns the signed assertion through it. The browser passes that assertion to the website, which verifies the signature with the public key it stored at registration.
The FIDO Alliance, whose members include Google, Microsoft, Apple, and many others, has proposed two new draft standards, the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF), that will make it possible to securely move passkeys between different providers, which should improve passkey adoption rates.