Passkeys provide a more secure and convenient method of signing in to websites and applications than passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and are released with the device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without any other sign-in challenge, which makes the authentication process faster, more secure, and more convenient.
You can create passkeys with Windows Hello for any application or website that supports them, and then use Windows Hello to sign in. Once a passkey is created and stored with Windows Hello, you can use your device's biometrics or PIN to sign in. Alternatively, you can use a companion device (phone or tablet) to sign in.
Note
Starting in Windows 11, version 22H2 with KB5030310, Windows provides a native experience for passkey management. However, passkeys can be used in all supported versions of Windows clients.
This article describes how to create and use passkeys on Windows devices.
How passkeys work
Microsoft is a founding member of the FIDO Alliance and has helped define passkeys and their native use within a platform authenticator such as Windows Hello. Passkeys are built on the FIDO industry security standard, which is adopted by all major platforms. Leading technology companies, including Microsoft, back passkeys as part of the FIDO Alliance, and a growing number of websites and apps support them.
The FIDO protocols rely on standard public/private key cryptography techniques to offer more secure authentication. When a user registers with an online service, their client device generates a new key pair. The private key is stored securely on the user's device, while the public key is registered with the service. To authenticate, the client device must prove that it possesses the private key by signing a challenge. The private keys can only be used after they're unlocked by the user using the Windows Hello unlock factor (biometrics or PIN).
FIDO protocols prioritize user privacy, as they're designed to prevent online services from sharing information or tracking users across different services. Additionally, any biometric information used in the authentication process remains on the user's device and isn't transmitted across the network or to the service.
Passkeys compared to passwords
Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys are easy to create, don't need to be remembered, and don't need to be safeguarded by the user. Additionally, passkeys are unique to each website or application, so they can't be reused across services. They're highly secure because the private key is only stored on the user's devices, and the service stores only the public key. Passkeys are designed so that attackers can't guess or obtain them, which makes them resistant to phishing attempts in which the attacker tries to trick the user into revealing the private key. The browser or operating system enforces that a passkey is only used with the service it was created for, rather than relying on the user to verify the site. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device.
Windows edition and licensing requirements
The following table lists the Windows editions that support passkeys:
| Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
|---|---|---|---|
| Yes | Yes | Yes | Yes |
Passkeys license entitlements are granted by the following licenses:
| Windows Pro/Pro Education/SE | Windows Enterprise E3 | Windows Enterprise E5 | Windows Education A3 | Windows Education A5 |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |
For more information about Windows licensing, see Windows licensing overview.
User experience
Users can follow the steps in the following topics to create, use, and manage their passkeys on Windows:
Passkeys in Bluetooth-restricted environments
For passkey cross-device authentication scenarios, both the Windows device and the mobile device must have Bluetooth enabled and connected to the Internet. This allows the user to authorize another device securely over Bluetooth without transferring or copying the passkey itself.
Some organizations restrict Bluetooth usage, which also prevents cross-device passkey authentication. In such cases, organizations can allow passkeys by permitting Bluetooth pairing exclusively with passkey-enabled FIDO2 authenticators.
To limit the use of Bluetooth to only passkey use cases, use the Bluetooth Policy CSP and the DeviceInstallation Policy CSP.
Device configuration
The following instructions provide details about how to configure your devices. Select the option that best suits your needs.
To configure devices with Microsoft Intune, you can use a custom policy with these settings:
| Setting | Value | Description |
|---|---|---|
| ./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowAdvertising | 0 | When set to 0, the device doesn't send out advertisements. |
| ./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode | 0 | When set to 0, other devices can't detect the device. |
| ./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowPrepairing | 0 | Prevents specific bundled Bluetooth peripherals from automatically pairing with the host device. |
| ./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowPromptedProximalConnections | 0 | Prevents users from using Swift Pair and other proximity-based scenarios. |
| ./Device/Vendor/MSFT/Policy/Config/Bluetooth/ServicesAllowedList | {0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB} | Sets the list of allowed Bluetooth services and profiles: the FIDO Alliance Universal Second Factor Authenticator service (0000FFFD-0000-1000-8000-00805F9B34FB) and the FIDO2 secure client-to-authenticator transport service (0000FFF9-0000-1000-8000-00805F9B34FB). For more information, see the FIDO CTAP 2.1 standard specification and the Bluetooth Assigned Numbers document. |
| ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs | `<enabled/><data id="DeviceInstall_IDs_Deny_Retroactive" value="true"/><data id="DeviceInstall_IDs_Deny_List" value="1BTH\MS_BTHPAN"/>` | Disables the existing Bluetooth Personal Area Network (PAN) network adapter and prevents installation of the Bluetooth Network Adapter, which could otherwise be used for network connectivity or tethering. |
Note
Once the settings are applied, if you try to pair a device via Bluetooth, it initially pairs and then immediately disconnects. The Bluetooth device is blocked from loading and isn't available in Settings or Device Manager.
Provide feedback
To provide feedback for passkeys, open Feedback Hub and use the category Security and Privacy > Passkey.