Microsoft's Syncable Passkeys: A Game-Changer for Passwordless Security
The Future of Login Credentials is Here!
Microsoft has finally delivered on its promise to support passkey syncing, and it's a game-changer for passwordless authentication. But here's where it gets controversial: this move goes beyond just keeping up with the latest security trends. It's a strategic shift that could redefine how we access our digital world.
For years, we've relied on passwords as our primary login method. But passwords are notoriously insecure, and the shift towards passkeys has been gaining momentum. Passkeys, considered a more secure and non-phishable login credential, have been around for some time, but their adoption has been hindered by technical challenges.
The global shift to passkeys has been a slow process due to the immaturity of supporting technologies in various operating systems and devices, as well as the identity management systems used by different services. However, Microsoft's recent move addresses one of the key barriers to passkey adoption.
Microsoft's Phased Rollout: A Big Step Forward
Microsoft's phased rollout of syncable passkeys began last week, starting with the ability to sync passkeys across Edge version 142 (or above) on Windows 10 devices and above. This initial phase is a significant step towards a passwordless future.
Previously, Windows users could create passkeys for apps and websites, but these passkeys were tied to unique hardware-based roots of trust, like the Trusted Platform Module (TPM) found in modern Windows systems. This meant that passkeys were device-bound and couldn't be synchronized across multiple devices.
Syncable vs. Device-Bound Passkeys
Syncable passkeys offer a more user-friendly experience. With syncable passkeys, users can create a single passkey for each service and reuse it across their various devices, including computers, smartphones, tablets, and gaming consoles. This eliminates the need to create multiple passkeys or store them on portable authenticators like Yubico Yubikeys or Google Titans.
In contrast, device-bound passkeys require users to either create multiple passkeys for each device or store them on a roaming authenticator, adding technical complexity and inconvenience.
The Role of Cloud Syncing
To free passkeys from these device-bound limitations, they must be created using a portable, software-based root of trust. Typically, these passkeys are synced through a cloud operated by the vendor of the credential management solution. For example, Apple's iCloud Keychain syncs passkeys across Apple devices, and Google's Chrome browser syncs passkeys through Google's cloud.
Apple, Google, and Microsoft are leading the charge in promoting passkeys, and there are also numerous password management solutions, like 1Password, BitWarden, and LastPass, that support passkey syncing through their clouds.
Microsoft's Holistic Approach
Microsoft's syncable passkey strategy goes beyond simply expanding the availability of syncable passkeys to Windows and Edge users. It takes the concept of a platform authenticator to a new level, offering an integrated service for passkey creation and usage.
Under Microsoft's approach, both web apps and native Windows applications can rely on the same underlying operating system components for passkey registration and authentication. This means that a passkey created through your Edge browser for LinkedIn will also be available for authentication through the native Windows application for LinkedIn, and vice versa.
This capability extends beyond specific relying parties. Users of other browsers, like Firefox, will also have access to this OS-provided service. For example, you could use Firefox to visit and authenticate to LinkedIn.com using the same passkey that's available through Windows to Edge and LinkedIn's native app.
According to Microsoft, this capability will be activated for Windows 11 users who have set up the password manager in Edge (known as "Microsoft Password Manager").
A Comprehensive Strategy
Microsoft's comprehensive syncable passkey strategy is a significant step forward in passwordless security. It not only expands the availability of syncable passkeys but also offers an integrated and holistic approach to passkey management. This strategy sets Microsoft apart from other credential management solutions, especially the free and built-in ones.
And this is the part most people miss: Microsoft's approach ensures that passkeys remain strongly protected not just at rest and during synchronization but also while in use within a secure enclave. This level of security is a game-changer and a testament to Microsoft's commitment to user privacy and data protection.
So, what do you think? Is Microsoft's syncable passkey strategy a step in the right direction? Will it encourage wider adoption of passwordless authentication? We'd love to hear your thoughts in the comments!
