
ZDNET Highlights
- Microsoft is keeping its promise to support passkey syncing.
- The rollout is starting with availability on Edge for Windows.
- It appears that a more holistic and industry-leading strategy is in the works
If you’re using websites or applications (collectively referred to by cybersecurity professionals as “relying parties”) that require a login, you’ll eventually be asked to eliminate your password in favor of a passwordless passkey.
Under the multi-vendor guidance of the FIDO Alliance, the passkey standard – considered a non-phishable type of login credential – has been around for about five years. However, the global shift toward passkeys has been hindered by the immaturity of some supporting technologies in today’s operating systems and devices, as well as the different identity management systems used by relying parties.
Rollout begins with Edge on Windows 11
However, the passkey adoption rate should get a boost now that one of the barriers – the lack of a widely available Microsoft-proposed means to sync passkeys across Windows devices and installations of its Edge web browser – is being removed. Microsoft’s phased rollout began last week.
According to Microsoft, the initial phase of the rollout has begun with the ability to sync passkeys across installations of Edge version 142 (or above) on devices running Windows 10 and above.
“We are targeting the end of the calendar year for (availability on Edge) for iOS,” a Microsoft spokesperson told ZDNET. That availability “will be followed later (by Edge) on Android and macOS.” The company has not yet offered any timetable for support through Edge on Linux.
Previously, Windows users could create passkeys for apps and websites that supported them. However, those passkeys were cryptographically linked to a unique hardware-based trust root, such as the Trusted Platform Module (TPM) found in modern Windows-enabled systems. TPMs are typically integrated into silicon that is surface mounted on the device’s motherboard. Once created, such “device-bound” passkeys are inextricably linked to the unique hardware-based root of trust used to create them and cannot be synchronized with other devices supported by a different hardware-based root of trust.
Device-bound vs. syncable passkey
Syncable passkeys are considered more user-friendly than their device-bound counterparts. When users can sync their passkeys across their different devices (computers, smartphones, tablets, gaming consoles, etc.), they only need to create one passkey per relying party, and they can reuse that single passkey as the login credential for that relying party from any of their devices.
However, with the type of device-bound passkeys that Microsoft has primarily supported so far, you have an increased technical burden of either creating multiple passkeys for each relying party (one per device) or storing a single passkey on a roaming authenticator – a portable hardware-based trust root like a Yubico YubiKey or Google Titan key that has to be connected to whatever device you’re logged in to at the time.
To free a passkey from these device-bound limitations, it must be created using a portable, software-based trust root. Once a passkey is created in this manner, the common approach is to sync it via a cloud operated by the vendor of the credential management solution. For example, passkeys that originate from Apple’s iCloud Keychain are synced with other Apple devices through Apple’s iCloud. The same applies to passkeys created with the password manager found in Google’s Chrome web browser; they are synced with other copies of Chrome on the user’s other devices through Google’s cloud.
Apple, Google, and Microsoft are members of the FIDO Alliance and are the three largest global proponents of passkeys (officially known as FIDO2 credentials). There is also a large cottage industry of password management solutions – including 1Password, Bitwarden, Dashlane, LastPass, and NordPass – many of which also support passkey syncing through their independently operated clouds. Likewise, Microsoft relies on its own cloud to facilitate syncing of passkeys (as well as other credentials like user IDs and passwords).
“Instead of being tied to a specific TPM, the private key (associated with the passkey) is now protected within a secure, hardware-backed cloud enclave and encrypted using an HSM (Hardware Security Module) key,” a Microsoft spokesperson told ZDNET. “This ensures that passkeys remain strongly protected not only at rest and during synchronization, but also during use within the secure enclave.”
Microsoft’s holistic approach
However, as passkey platform authenticators go, Microsoft’s syncable passkey strategy does more than extend free, built-in syncable passkey capability to a huge footprint of existing Windows and Edge users. This platform takes the idea of authenticators to a whole new level for the industry. Although the full approach is being delivered in small steps – starting with the shift of password support from Microsoft Authenticator to Edge this July – it will include key capabilities not found in other credential management solutions (especially free and built-in ones).
The most important and pleasantly surprising aspect of these is the overall view that passkey creation and subsequent use should be an integrated service offered by the operating system to other applications. Let’s say you rely on a relying party that provides its functionality through both a web app and a native Windows application. Under Microsoft’s approach, both Edge and native Windows applications can rely on the same underlying operating system components to include passkey registration and authentication capabilities.
For example, let’s say you create a syncable passkey to log in to LinkedIn through your Edge browser. Once created, the same passkey will be available to the native Windows application for LinkedIn as well, or vice versa: through the native Windows application for LinkedIn, you should be able to register a passkey that is later available for authentication with LinkedIn through Edge.
This capability is not exclusive to native Windows applications that are specific to a single relying party. According to Microsoft, users of other browsers like Firefox will also have access to the OS-provided service. In such a case, one can use Firefox to visit and authenticate to LinkedIn.com using the same passkey (for LinkedIn) that is available from Windows to Edge, as well as use LinkedIn’s native app for Windows.
According to Microsoft, this capability will be activated for Windows 11 users who have performed one-time setup of a password manager in Edge (referred to by Microsoft as “Microsoft Password Manager”).
Finally, just because Microsoft is now rolling out its broader syncable passkey strategy doesn’t mean it’s ending support for the older device-bound passkeys.
“Whenever a user encounters a passkey creation (workflow) within Edge, they will be prompted with a ‘picker screen’ where users can choose between saving it to Microsoft Password Manager (sync) and storing it locally (as a device-bound passkey) via Windows Hello,” a Microsoft spokesperson told ZDNET. “Based on what the user selects, appropriate next steps are implemented.” Within Windows, Windows Hello includes several components that are part of the larger Windows Security subsystem.

