Microsoft Brings Passkey Support to Windows 11
Microsoft, long a proponent of doing away with passwords for authentication, is now supporting passkeys in the latest update to the Windows 11 operating system.
The IT giant last year joined Google, Apple, and the FIDO Alliance – launched a decade ago to develop authentication standards other than passwords – in vowing to support the use of passkeys on their platforms. For Windows 11, that support was announced this week.
“With the integration of Passkeys, Windows 11, with Windows Hello, will make it even more difficult for hackers to steal your passwords,” Yusuf Mehdi, corporate vice president and consumer chief marketing officer for Microsoft, wrote in a blog post. “Passkeys are the cross-platform future of secure sign-in management and eliminate the need for passwords.”
Passkeys essentially let users sign into apps and websites by using the PIN on their device or biometric information – like a fingerprint or face scan – rather than usernames and passwords, which are more prone to phishing and other scams.
For Windows 11 users, passkeys will work on a range of browsers, including Edge, Chrome, and Firefox, and with any applications or websites that support them, according to Microsoft. Once a user creates a passkey and stores it in Windows Hello, they can use it to sign in directly, or sign in with a companion device – like a phone or tablet – the company wrote in a support document.
Passkeys are based on a security standard developed by FIDO.
“The FIDO protocols rely on standard public/private key cryptography techniques to offer more secure authentication,” according to the support document. “When a user registers with an online service, their client device generates a new key pair. The private key is stored securely on the user’s device, while the public key is registered with the service.”
In order to authenticate, “the client device must prove that it possesses the private key by signing a challenge. The private keys can only be used after they’re unlocked by the user using the Windows Hello unlock factor (biometrics or PIN).”
A passkey creates a unique and unguessable credential and allows you to sign in using your face, fingerprint or device PIN. Passkeys on Windows 11 will work on multiple browsers including Edge, Chrome, Firefox and others, according to Microsoft.
Passkey Support is Growing
Microsoft already supported passkeys for Office 365 and Xbox users and is part of a growing list of companies – including Google, Apple, X (formerly Twitter), PayPal, and Microsoft-owned LinkedIn – that make passkeys available for their sites. Microsoft-owned GitHub introduced passkeys for their account holders earlier this month.
Google in May announced that users could use passkeys for their personal Google accounts as an alternative to passwords and multi-factor authentication (MFA). Arnar Birgisson and Diana K Smetters, of Google's Identity Ecosystems and Google Account Security and Safety teams, at the time touted the security and convenience that passkeys provide.
“Using passwords puts a lot of responsibility on users,” they wrote. “Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV [two-step verification] (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like ‘SIM swaps’ for SMS verification. Passkeys help address all these issues.”
Google late last year began supporting passkeys for Chrome on Android, Windows, and macOS, and Apple supports passkeys in its iOS 16 and macOS Ventura operating systems.
Passwords Aren’t Going Away Soon
Passkeys are relatively new, and passwords aren’t disappearing anytime soon, even as they continue to be a growing security risk. With more business being done online, bad actors are increasingly targeting credentials as a way into corporate networks. Verizon last year said that in 2021, 82% of security breaches were due to stolen credentials.
Another problem is that people have a lot of passwords to keep track of. Password manager vendor NordPass said in a report earlier this year that the average person has about 100 passwords to remember, a 25% jump over previous years.
Given all those passwords, a tendency is to use easy-to-remember passwords or reuse the same ones for multiple accounts. NordPass last year found that the most common password was “password,” and that it took less than a second for it to be cracked. Others in the top 10 included “123456” (also less than a second to crack), “guest” (10 seconds), and “qwerty” (less than a second).
Meanwhile, security analytics firm SpyCloud last year found a 70% password reuse rate among users exposed in data breaches in 2021 and that among employees of Fortune 1000 companies, the reuse rate was 64%.
The vendor noted the high number of accounts the average person needs to manage – adding that the number grows by 25% a year – and wrote that the “unwieldiness has left credential security in a pitiful state. People often use passwords that are too easy to guess, making them susceptible to brute force or credential stuffing attacks, or they use the same passwords across multiple accounts, or worse – both.”
Password managers can help, giving users a single place to store passwords and an easier way to change them. However, even these can be hacked, exposing all of a user’s passwords in one attack.
Security.org in a report this month found that while 34% of people (or about 79 million people) use password managers – up from 21% last year – they continue to reuse passwords. In the report, the product security research company found that 28% of people use the master password for their password manager as the password for other accounts.