Hands-On: Microsoft Account Passkey Support

In late 2023, I went down a weeks-long password security rabbit hole that resulted in a guide for properly securing your Microsoft account and a big set of updates to the Windows 11 Field Guide. But today, Microsoft finally completed the circle on Microsoft account security with the addition of passkey support. If this works correctly, you can use passkeys to more seamlessly authenticate yourself when signing in with your Microsoft account, on any device. But based on an initial examination, it may not be that simple.

As a refresher, passkeys are a modern passwordless solution for online account authentication. They’re vastly superior to passwords and can be more seamless and convenient than other two-factor authentication (2FA) systems like using an authenticator app or a security key. But passkeys also get a bad rap because they’re often poorly and inconsistently implemented, causing some to dismiss them as overly complicated. Also problematic, passkeys aren’t formally portable, meaning they’re specific to the device on which they’re created. (The FIDO Alliance is working on that as we speak.) And so platform makers, password manager makers, and others sometimes implement their own ways to move passkeys between devices, creating more inconsistencies and, worse, potential security problems. I use and recommend the Dashlane password manager, and its passwordless support for portable passkeys is particularly good.

Microsoft implemented passkey management in Windows 11 version 23H2, leading me to write two new chapters for the Windows 11 Field Guide, Secure Your Microsoft Account and Passkeys and Security Keys. But what Microsoft didn’t do was add passkey support to its Microsoft account. Instead, it uses other passwordless technologies like authenticator apps and security keys, along with various recovery methods, and it even lets you remove the password from your Microsoft account, a somewhat unnecessary step that probably scares most users.


On Windows, that’s not a big deal: We use Windows Hello PIN, facial recognition, and/or fingerprint recognition to authenticate ourselves without ever having to type a password. Indeed, I haven’t typed my Microsoft account password to sign in to Windows or otherwise authenticate my identity on that platform in several years. On mobile, we can achieve less seamless, but still passwordless, authentication using the Microsoft Authenticator app (or another compatible authenticator app). But as I wrote in Tip: Use Passkeys With Your Microsoft Account back in January, mobile devices all support passkeys, and you wouldn’t need to go through the authenticator machinations if Microsoft just supported passkeys in their online account for consumers.

Well, now it does.

The problem is that it supports passkeys in a way that I believe to be incorrect. That is, passkeys are device specific, so when you create one on your PC, Mac, or mobile device, it should authenticate you when you need to sign in to your Microsoft account anywhere on that device. On a phone, for example, a passkey should authenticate you in any web browser or in any app.

From what I can tell, that’s not how Microsoft account passkeys work. Instead, they are app-specific: If you create a passkey in Microsoft Edge on the Mac, for example, it can be used with a secure sign-in method (on the Mac, Touch ID or your password) to authenticate you on the web, but only in that app. If you need to sign in to that account in a different web browser, or in an app, the passkey you created in Edge can’t help.

(UPDATE: Looking over Microsoft’s light documentation for this functionality, I found a line that I think explains what I’m seeing: “Passkeys are supported on desktop and mobile browsers (mobile app support is coming soon).” So it’s possible that this will eventually work correctly. Why Microsoft would ship this in such an incomplete state is unclear. Yes, it’s Password Day. But still.)

You can overcome these limitations by using a password manager that supports passkey portability. Again, I use and recommend Dashlane, and passkey portability is a big part of that. When you use Dashlane on a PC, Mac, Chromebook, or mobile device and create a passkey, you save it to Dashlane by default instead of to the device on which it runs. That makes it portable, meaning that the passkey is now available on all of your devices (on which Dashlane is installed). And since I use Dashlane everywhere, my passkeys are all portable.

On my first pass through Microsoft account passkey creation, however, I bypassed Dashlane to see what the native experience was in Windows, the Mac, ChromeOS, iOS, iPadOS, and Android. And it’s mixed. Choosing a portable solution like Dashlane is the better choice. But with that said, here are my experiences on some of those platforms. (It got repetitive after a while.)

To create a passkey, open your favorite web browser (on the first pass, I used Microsoft Edge on the Mac) and navigate to the Security dashboard on the Microsoft account website. If you configured your account correctly as I previously documented, you will then authenticate your identity using the Microsoft Authenticator app on your phone. (I had hoped for the last time, but stay tuned.)

From there, click “Advanced security” to access the Additional security options page, which lists the sign-in and verification options you have configured for this account. (This is a great time to review those, by the way.) Click “Add a new way to sign in or verify.”

Click “Face, fingerprint, PIN, or verify.”

What you see there will vary by device, but also by which browser you’re using. With Microsoft Edge on the Mac, one of the options for storing the passkey includes “Your Microsoft Edge profile.” That option is interesting because it sounds like it might be portable. But when you click through, you find that it’s a standard passkey implementation in which the passkey is stored only on this device.

Create a passkey for your Microsoft account

But that language from the previous screen, “your Microsoft Edge profile,” maybe should have been a tip-off that it’s actually tied to just Microsoft Edge. (And then, just to the profile in which it was created, which makes sense.)

(When I tried this in Chrome on the Mac, the choices were different: I could save the passkey to my iCloud keychain, Pixel 8 Pro, Pixel Tablet, Galaxy S24 Ultra, or a different phone, tablet, or security key.)

When you click through this item, you need to authenticate on the device you’re using, a key part of the passkey security chain. On Windows, that means Windows Hello (PIN or better), but on Mac it means Touch ID or a password, so I used the former. And then you give the passkey a name. When finished, you’re dumped back on the Additional security options page, which now lists a “Use a passkey” option. You can remove it from there later if needed.

To test the first passkey that I created this way, I opened an Incognito window in Google Chrome and browsed to Outlook.com, so I could sign in with the same Microsoft account. But the passkey is inaccessible in Chrome: The passkey I created on the Mac using Edge is only available in Edge (and only on that Mac).


Microsoft passkey prompts only support phone-based authentication (by scanning a QR code, which I find ponderous) or a security key. Curious about this, I tried to do the same thing, but from Edge on my phone, but had the same issue: The passkey is tied to the Edge profile on that one device.

That is not ideal.

And, again, the results vary by platform and by browser. In Google Chrome on Windows 11, when I sign in to the Microsoft account website, I can authenticate using the passkey that Windows 11 automatically (and silently) stored in the PC’s TPM when I created that sign-in account. But if I try to create a passkey, it only lets me save it to a phone. That happens in Microsoft Edge as well.

When I signed in to the same site using Brave (which is not explicitly supported), I had to authenticate with my Microsoft Authenticator app on my phone. And then when I tried to create a new passkey, the same thing happened: My only option was to save it to a phone. Ugh.

And that’s just desktop. Mobile is similar in that it’s a mess, too, but it’s a different kind of mess. If I try to create a passkey on the Microsoft account website using Edge, Dashlane gets in the way—which is normally what I want, of course—but my other options for storing the passkey are the phone or a security key. And when I choose the phone route, I don’t get “this phone,” I get a QR code so I can scan it with another phone. Guys, seriously.

On my iPad, I disabled Dashlane and reconfigured the device to use the native iCloud Keychain password manager. But here, again, I had the same results: I created a passkey using Edge and then installed the Microsoft Outlook app and tried to sign in with the same Microsoft account. It had no understanding of a compatible passkey on the device. (Indeed, it required me to type my password and then authenticate with Microsoft Authenticator.)

For now, I will simply recommend that most people do as I advise in Tip: Properly Secure Your Microsoft Account. But I need to spend more time with this, and I will eventually need to update the book as well. Passkeys, like everything else related to account security, remain perplexing.



Thurrott © 2024 Thurrott LLC