Hands-On Windows 175: Passkeys in 25H2 – Detailed Episode Summary
Episode Theme:
Paul Thurrott dives deep into Windows 11 25H2's evolving support for passkeys—phishing-resistant, hardware-bound credentials intended to replace traditional passwords. This first of a two-part series addresses both conceptual confusion about passkeys and practical use within the Windows ecosystem, especially focusing on portability improvements and third-party manager integration.
Introduction to Passkeys (00:19–02:40)
Key Points:
- Passkeys are introduced as a major security upgrade—more secure and convenient than passwords, essentially acting as an advanced version of Multi-Factor Authentication (MFA).
- Passkeys are based on cryptographic key pairs—one held by your device/cloud, the other by the web service—meaning they cannot be "stolen" like passwords and are resistant to phishing.
- Paul acknowledges the confusion: many users find the technology abstract, but "once you kind of get in the swing of this, you'll wonder why you aren't doing this everywhere." (Paul Thurrott, 01:33)
Quote:
"Passkeys are confusing because they're basically pairs of cryptographic keys... But it's not really that bad. In fact, once you kind of get in the swing of this, you'll wonder why you aren't doing this everywhere."
(Paul Thurrott, 01:10)
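The key-pair sign-in described above, as an added example that is not part of the episode or this summary: a simplified JavaScript (Node.js) model of a WebAuthn-style passkey sign-in, showing why a response produced on a look-alike site, or replayed later, is rejected. The site names, function names and the reduced authenticator data are assumptions made for illustration.

```javascript
// Added example: simplified model of a passkey sign-in (not the full WebAuthn wire format).
const { generateKeyPairSync, sign, verify, randomBytes, createHash } = require("node:crypto");

const sha256 = (data) => createHash("sha256").update(data).digest();

// Registration: the authenticator creates a key pair scoped to one site (rpId).
// Only the public key goes to the web service; the private key stays with the authenticator.
function createPasskey(rpId) {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { rpId, publicKey, privateKey };
}

// Sign-in, client side: the browser records the origin it is really on, and the
// authenticator signs the site hash plus a hash of that client data.
function signIn(passkey, challenge, browserOrigin) {
  const clientData = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin: browserOrigin,
  }));
  const authData = sha256(passkey.rpId); // simplified: real authenticator data has more fields
  const signature = sign("sha256", Buffer.concat([authData, sha256(clientData)]), passkey.privateKey);
  return { clientData, authData, signature };
}

// Sign-in, server side: check type, challenge, origin and site hash, then the signature.
function verifySignIn(storedPublicKey, expected, response) {
  const cd = JSON.parse(response.clientData.toString());
  if (cd.type !== "webauthn.get") return "wrong-type";
  if (cd.challenge !== expected.challenge.toString("base64url")) return "wrong-challenge";
  if (cd.origin !== expected.origin) return "wrong-origin";
  if (!response.authData.equals(sha256(expected.rpId))) return "wrong-site";
  const signed = Buffer.concat([response.authData, sha256(response.clientData)]);
  return verify("sha256", signed, storedPublicKey, response.signature) ? "ok" : "bad-signature";
}

// Constructed scenario: example.com is the real site, examp1e.com a look-alike.
function demo() {
  const passkey = createPasskey("example.com");
  const expected = { rpId: "example.com", origin: "https://example.com", challenge: randomBytes(32) };
  const genuine = verifySignIn(passkey.publicKey, expected, signIn(passkey, expected.challenge, "https://example.com"));
  // A response produced on the look-alike origin carries that origin and is rejected.
  const relayed = verifySignIn(passkey.publicKey, expected, signIn(passkey, expected.challenge, "https://examp1e.com"));
  // A response captured earlier does not match a fresh challenge.
  const old = signIn(passkey, expected.challenge, "https://example.com");
  const replayed = verifySignIn(passkey.publicKey, { ...expected, challenge: randomBytes(32) }, old);
  return { genuine, relayed, replayed };
}

console.log(demo());
```

In a real browser the passkey for example.com would not even be offered on the look-alike domain; the server-side origin check modelled here is the second layer behind that.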
Passkeys Before 25H2 – Device-Bound Limitation (02:40–06:20)
Key Points:
- Windows 11's previous passkey support (released in 23H2/24H2) allowed users to create device-bound passkeys, but these were not portable—each device required its own registration.
- These passkeys appear in the Windows Settings app under Accounts > Passkeys.
- Microsoft calls these “device bound passkeys.” If your device is lost or you switch devices, you'd need to generate new keys for each.
- Deletion is possible, but you can’t delete required passkeys (like those tied to the main Windows login).
Demonstration:
Paul walks through registering a passkey for a Google account using Chrome (with no password manager configured), including the familiar QR code flow to register credentials from a phone.
Notable Moment:
"I took a picture like an idiot because I’m old. But now I will scan it and it will connect..."
(Paul Thurrott, 04:09)
- After creation, the new passkey is visible in the Windows account passport.
- The main drawback: "It's not portable. So... you'd have to create a new passkey on each one of those devices." (Paul Thurrott, 03:50)
What’s New in 25H2 – Portability & Integration (06:20–10:40)
Key Advancements:
- 25H2 adds two big enhancements:
  - Native integration with Microsoft Password Manager (in Microsoft Edge), allowing for cloud-stored, portable passkeys.
  - Third-party password manager integration (with support for 1Password, Bitwarden, others coming soon), making your passkeys available across devices and platforms.
- These improvements address the prior limitation by allowing passkeys to follow users between devices via authenticated accounts or third-party ecosystems.
Quote:
"In 25H2, the latest version of Windows 11, Microsoft added two related features that make passkeys more portable. Native integration with the Microsoft Password Manager... and also third party password manager integration."
(Paul Thurrott, 06:18)
Microsoft Password Manager Integration in Edge (10:40–13:30)
Demonstration:
- Paul demonstrates enabling Microsoft Password Manager within Edge (Settings > Passwords and passkeys), stressing the benefits of Edge as a cross-platform solution.
- When creating a passkey for a Google account, Edge gives the user a choice between saving with the Microsoft Password Manager (portable) or Windows Hello (device-bound).
Quote:
"Now when I use Edge on… my iPhone or my Android phone… it will work. That makes this passkey portable. That passkey is not locked to this computer."
(Paul Thurrott, 12:15)
Third-Party Password Manager Integration (13:30–16:55)
Key Details:
- 1Password and Bitwarden are presently supported; users can enable integration in Windows Settings > Accounts > Passkeys > Advanced Options.
- Once enabled, saving a passkey directs the user into the chosen third-party app's interface, and the saved credentials then sync across that manager's platforms.
- You can opt to save a key locally, but portability is the goal.
Demonstration:
- Paul walks through enabling 1Password and shows the creation of a passkey that's saved directly into 1Password instead of Windows or Edge.
- The 1Password app, set as autofill on all devices, ensures the key works anywhere (desktop, phone, etc.).
Quote:
"The point is you can save that passkey now to 1Password and now it's portable. 1Password... has many additional features over what, you know, the Chrome Password Manager, the Microsoft Password Manager... But it's also available everywhere."
(Paul Thurrott, 16:20)
Recap & Looking Forward (16:55–17:37)
Summary:
- Microsoft is rapidly expanding its passkey support, and Paul encourages users to consider third-party managers for the most robust, flexible experience.
- The next episode will feature hands-on tips for using passkeys in practice (websites/app sign-in flow).
Closing Statement:
"I still feel really strongly that you should use a third party password [or] passkey manager… In the next episode we're going to take a look at that."
(Paul Thurrott, 16:40)
Recommended Sections & Timestamps
- Introduction to Passkeys & Why They're Better: 00:19–02:40
- Device-Bound Passkeys in Windows 11 23H2/24H2: 02:40–06:20
- What's New in 25H2 for Passkeys: 06:20–10:40
- Microsoft Password Manager/Edge Integration: 10:40–13:30
- Third-Party Password Manager Setup: 13:30–16:55
- Recap and Next Steps: 16:55–17:37
Notable Quotes & Moments
- "Passkeys are confusing because they're basically pairs of cryptographic keys... But it's not really that bad. In fact, once you kind of get in the swing of this, you'll wonder why you aren't doing this everywhere."
  – Paul Thurrott, 01:10
- "I took a picture like an idiot because I’m old. But now I will scan it..."
  – Paul Thurrott, 04:09
- "In 25H2, the latest version of Windows 11, Microsoft added two related features that make passkeys more portable..."
  – Paul Thurrott, 06:18
- "That makes this passkey portable. That passkey is not locked to this computer. It's going to go up to the cloud and go wherever I am."
  – Paul Thurrott, 12:15
- "You can save that passkey now to 1Password and now it's portable... it's also available everywhere and that means that you can bring up the 1Password app on your phone, install it as the autofill provider. If you created a passkey in this computer, it will be available on all your other devices and vice versa."
  – Paul Thurrott, 16:20
Episode Flow & Engagement
Paul takes a practical, hands-on approach (“Hands-On Windows” truly earns its name) with live walkthroughs of passkey registration and honest, sometimes humorous, commentary (“I took a picture like an idiot… because I’m old”). The tone is approachable, informative, and focused on demystifying new security tech for everyday users.
For Listeners:
If you’re looking to get started with passkeys on Windows 11 (especially 25H2), this episode is a valuable primer on what's new, how it works, and where to look for maximum flexibility. Catch the next episode for real-world usage demos and recommendations.
Feedback?
Reach out at twit.tv/how or join Club TWiT for more exclusive content!