Paul Thurrott
Coming up next on Hands on Windows, we're going to take a look at some new passkey features for Windows 11 25H2.
Leo Laporte
Podcasts you love from people you trust. This is Twit.
Paul Thurrott
Hello, everybody, and welcome back to Hands on Windows. I'm Paul Thurrott, and this week I'm going to do the first of two episodes in a row about passkeys. Passkeys are a modern replacement for passwords. They are confusing. So the easiest way to think about this is they're basically a form of Multi Factor Authentication, or MFA or Two Factor Authentication. Some people call it Two Step Authentication. But they're more secure and more convenient than passwords. They can't be stolen, so they're phishing resistant. If some site is hacked and your password is leaked, doesn't matter if you need to have a passkey to get into that account. But the confusion, I think, is based on a lot of things. Passwords are insecure, but they're basic, right? We understand what it is. We have an account of some kind, usually an email address for an online account, and you have a password and it's some set of numbers and letters or whatever. It seems easy, but they're super, super insecure. So passkeys are confusing because they're basically pairs of cryptographic keys. That one exists on your device or up in the cloud, one exists somewhere else, and you don't own both of them. There's no way to put them together. They can't be stolen. Basically, it feels vague, but it's not really that bad. In fact, once you kind of get in the swing of this, you'll wonder why you aren't doing this everywhere. In fact, you should be doing it everywhere. So in this episode, what I want to do is focus just on the passkey functionality that's built into Windows 11, right? And so sometime in the past year, we would have done some episode about this because back in 2324 H2, Microsoft added basic passkey functionality to Windows, which you can see by going into the Settings app and then accounts, and then you'll see this passkey section, right? And so at the time, this was pretty much it.
If you log in with a Microsoft account or a Microsoft work or school account, you get this passkey right here, which is associated with that account. So in my case, this is a Microsoft account. There's no actually says delete. Oh, but you can't, because it will say you cannot do it. Right? Because this thing is required for you to sign into this PC. If you add other passkeys to the system, they will be listed here. We'll look at that in a moment. And you can delete those. That's about all you can do with those things. But the problem with this feature is that these passkeys are not portable. They're locked onto this one computer. So if you have another computer, you have a phone, you have an iPad or a tablet or whatever, you would have to create a new passkey on each one of those devices. Right. Microsoft calls this a device bound passkey. Okay. But if that doesn't bother you, you may want to do that. That's fine. So I'm going to run a browser that I don't usually use, which is getting excited to use a passkey immediately. So let me just close that and it will go to the Google Accounts website where it will actually before I. No, it's fine. This is fine. I just want to make sure I wasn't using some other form of passkey management. I got to be careful. This is why I'm using Chrome. So Chrome is configured right now not to do anything for passkey. So this will give you kind of the native experience. So once you're inside this Google account website, you can go into security and sign in, go down to passkeys and there will be. It wants a passkey for me to sign in, of course. So this is actually the, in many ways, till now, I would say the most common experience for passkeys. Not the security key part, but rather you have a phone and that phone has some password manager or passkey manager on it. And I can scan a QR code with my phone to log in. So I'm actually going to do that right now. So you're going to see there's a QR code.
So I bring up the phone, the camera, I took a picture like an idiot because I'm old. But now I will scan it and it will connect and then I say, yes, use the passkey and it lets me get into this more secure area of the Google Accounts website. Right. So now I want to create a new passkey, but this passkey is one I want to save on this device specifically. So when I click this, what I get is this Windows security dialog. It's got the name of the passkey in the account and it does say this will be saved to your Windows device, which is what I want in this case. So this is going to create a device bound passkey that only exists on this one computer. So I click this, I will have to do some form of Windows Hello authentication. Look at the camera and get through that little tedious. But we've created the passkey, okay. So I could look at that on this page, but I think the more important thing to do is go back and look at it in Windows so you can see that it was created on the computer itself and there it is. So again, there's not a lot you can do here. I can delete it. Okay. And the idea here is that going forward, if you were going to use this kind of passkey, which I don't necessarily recommend because it's locked to this one computer, you could use a different browser. Maybe you got logged out, you log into some other Google service. Whatever it is, it would just pass that thing through to you. We're going to look at that kind of experience in the next episode. But for now, I'm just going to get rid of that thing because I don't want it and I'm not going to use that kind of passkey. But it's not portable. So. To address the portability problem in 25H2, the latest version of Windows 11, Microsoft added two related features that make passkeys more portable. Native integration with the Microsoft Password Manager. That's part of Microsoft Edge, but it works on other devices as well through Edge, actually, and also third party password manager integration.
So instead of using this native experience, I could use a third party app, which in this case would be like 1Password or Bitwarden. Those are the two that are compatible today and then in the future there'll be more. So we're going to take a look at both of those. But first, here's a quick message.
Leo Laporte
This episode of Hands on Windows brought to you by ThreatLocker. We love ThreatLocker. Ransomware is killing businesses worldwide. You know that. But ThreatLocker is amazing. It can stop it before it starts. Recent analysis from ThreatLocker shows how one operation, just one of hundreds of ransomware operations. This one is Chi Lin. It surged in 2022. They had about 45 incidents. Last year, more than 800.
Paul Thurrott
Wow.
Leo Laporte
That's a 200% increase, right? If my math is right. ThreatLocker Zero Trust Platform takes a proactive deny by default approach to block every unauthorized action. That's, by the way, that's the key to the whole Zero Trust platform. Deny by default. If an action isn't authorized, if that user is not allowed to do that thing, it doesn't happen. Which means it protects you not only from known threats, but completely unknown threats. It stops lateral movement. It stops zero days because you haven't approved it, right? You didn't say yes. ThreatLocker's innovative ring fencing, that's what they call it, constrains tools and even remote management utilities. That means attackers just can't weaponize them. They don't get lateral movement, they can't get mass encryption. They are stopped cold. It really works in every industry, by the way. Macs and PCs, they get. You get 24/7 fabulous support from their US based support pros, engineers who really know what they're talking about. Let me give you some examples. Emirates Flight Catering, they use ThreatLocker. That's a global leader in the food industry. 13,000 employees. Big company. ThreatLocker gave full control of apps and endpoints, improved compliance and delivered seamless security with strong IT support. Listen to what the CISO of Emirates Flight Catering said about ThreatLocker. Quote, the capabilities, the support and the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate, but with ThreatLocker it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a CISO. That's the CISO for Emirates Flight Catering. But that's not the only company that uses it. Companies that can't afford to be shut down by ransomware like JetBlue, Heathrow Airport, they'd had problems in the past, they weren't going to let it happen again. The Indianapolis Colts, the Port of Vancouver, they all use ThreatLocker.
ThreatLocker consistently receives high honors in industry recognition, G2, high performer and best support for enterprise. Summer 2025 PeerSpot ranked number one in application control. GetApp's best functionality and features award in 2025. Visit threatlocker.com/twit, get a free 30 day trial. Learn more how ThreatLocker can help you mitigate unknown threats and ensure compliance. That's threatlocker.com/twit. Now one more thing to say. We're going to be going down to Zero Trust World, ThreatLocker's annual conference. It's March in Orlando. Steve Gibson and I are going to be doing a presentation. Richard Campbell's coming down. Paul, by the way, I'm trying to get Paul to come down. He hasn't said yet, but Richard Campbell's coming down. So he's gonna go down there doing some interviews but also he'll be doing Windows Weekly from down there and you could be there. We'd love to see you. For a limited time, use the code ztwit26 to save 200 off registration for Zero Trust World 2026. That's z ztw twit26 to save $200 and you get the full, you know, megillah. You get access to all the sessions, you get hands on hacking labs, you get meals, you get an after party. It's the most interactive hands on cybersecurity learning event of the year. March 4th through 6th, Orlando, Florida. Bring the kids, they can go to Disney World while you're learning and save some money when you register with the code. ZTW twit 26. ZTW twit 26. Thank you, ThreatLocker. Now back to Paul.
Paul Thurrott
Okay, so let's look at the Microsoft Password Manager. So this is Microsoft's portable passkeys solution. To access this you have to use Microsoft Edge of course, because that's what Microsoft does. So I don't typically use this myself for. Well maybe I think there are obvious reasons, maybe you're not sure, but if I go into the Microsoft Edge settings interface, I will have to turn this thing on. Right. So I'm going to use the Microsoft Password Manager when I say passwords and passkeys in this browser and there are additional settings related to this that you probably do want to turn on. The default here is fine. It's going to ask and then these things are not really related to passwords, passkeys. I'll leave those around. Hello, I will leave those alone but you might actually want to take a look at those if you're using Edge. It's worth going through this but I'm just doing this to kind of demonstrate how this works. So as before, I'll go to that same Google account website, why not? And same thing, secure. Oh, I'm in the wrong type of account. So let me get to my Gmail account. Not my workspace, account security and sign in and nope, not passwords. Paul, passkeys, same as before. It's going to verify me now in this case I actually have a third party password manager doing passkeys and so that's actually a little bit of a problem because I don't want to. I want to save a passkey somewhere else but I'm going to let that go through. Normally I would get that phone based experience like we saw before if you weren't using a third party password or passkey manager. But it's okay because when we go to create a passkey we're going to say yes and we could use another device. But I want to, yeah, it's going to go to this default but then we're going to get this choice. So this is what you would see normally if you didn't have a password, another password or passkey manager installed, right?
You're going to be able to do this through the Microsoft Password Manager, which is that thing built into Edge, right? That is portable or Windows Hello, which means a device bound passkey that is going to be specific to this computer. So I will actually just save it to there. It works like it did before. I already have a passkey saved, so I didn't save it. But that's the interface. So it's really just like the other thing. It's just that now when I use Edge on say my iPhone or my Android phone or whatever, I can configure that to be the autofill provider and it will work, right? And so that makes this passkey portable. That passkey is not locked to this computer. It's going to go up to the cloud and go wherever I am. And so that's actually pretty useful. The third party password manager integration is interesting. I'm going to talk about this a little bit more in the next episode about why maybe it's not as necessary as it seems, but you can install the desktop app for 1Password or Bitwarden today and then there'll be more in the future and it can integrate into Windows 11. So let me show you what that looks like. I've already installed that app. I've installed 1Password in this case. So if I go to that same interface from before, which is accounts and then passkeys, you'll see this advanced options. And I have the option to enable that app that I just installed. Right? So if I had multiple apps, you might see multiple apps here. It keeps wanting to do a PIN for some reason, but I will do a camera, facial recognition. And once this is enabled, there's a second option that becomes available but is disabled by default. Save passkeys to this Windows device. In this case, I would want to leave this off. The point of enabling this is that you're not going to save them to the local device, but this will give you the option to do that if you want it. I can't imagine why you would want that, but maybe you want the choice. So now this is enabled.
All right, so let me see. I will go. I think in this case I could probably use. I could probably use any browser. It shouldn't matter, right? Because this is at the system level, right? Because I have the 1Password app installed. I'm already here, but I will go back out. I'll just use the Google thing again because now we all understand how this site works. But now I'm going to go in here security and sign in passkeys and create a passkey. And now you can see it's the same dialog as before. But now it says this will be saved to 1Password. Right? Because I've integrated it with this passkey functionality in Windows. That is what I want. However, you can also click change and go through these other options if you want. Interestingly because I didn't enable that second option right in Advanced Options, what I'm not seeing here is that it would say Windows Hello, like save to this device. I've disabled the mic. Well, I'm not using Microsoft Edge, so I can't see the Microsoft Edge Microsoft Password Manager. So these are the only choices I get. Obviously what I do want to do is 1Password. Now I haven't really signed it, I'm not going to enter my password here. But typically what you would get is whatever UI that the app has. So in this case you're seeing that normally you would just sign in with Windows Hello, whatever, but I haven't, I just haven't configured that. It doesn't matter. But the point is you can save that passkey now to 1Password and now it's portable. 1Password is a third party password manager, has many additional features over what, you know, the Chrome Password Manager, the Microsoft Password Manager, whatever the in house, you know, kind of first party password managers have, there's a lot more going on there, so it's good for that. But it's also available everywhere and that means that you can bring up the 1Password app on your phone, install it as the autofill provider.
If you created a passkey in this computer, it will be available on all your other devices and vice versa. So that's the built in Windows 11 passkey functionality as of today. Right. I think the big thing that's going to change is you'll see more passkey providers come in over the course of this year. But I still feel really strongly that you should use a third party password passkey manager. And so in the next episode we're going to take a look at that. I'm going to show you how I manage passkeys and then you can see what it looks like to access an account online. Whether it's in an app or a website, it doesn't really matter using a passkey instead of a password. So we'll do that next time. Thank you so much for watching. We'll have a new episode next week as we always do on Thursday. You can learn more about Hands on Windows at twit.tv/how. Thank you so much for watching. Thank you especially to our Club TWiT members. We love you. If you're not a member, please check out the program at TWiT TV. Club TWiT. Thanks. I'll see you next week.
Leo Laporte
Hey everybody, it's Leo Laporte. Are you trying to keep up with the world of Microsoft? It's moving fast, but we have two of the best experts in the world, Paul Thurrott and Richard Campbell. They join me every Wednesday to talk about the latest from Microsoft on Windows Weekly. It's not a lot more than just Windows. I hope you'll listen to the show every Wednesday. Easy enough. Just subscribe on your favorite podcast client to Windows Weekly or visit our website at TWiT TV www. Microsoft's moving fast, but there's a way to stay ahead. That's Windows Weekly every Wednesday on Twitter.
Paul Thurrott
Sam.
Episode Theme:
Paul Thurrott dives deep into Windows 11 25H2's evolving support for passkeys—phishing-resistant, hardware-bound credentials intended to replace traditional passwords. This first of a two-part series addresses both conceptual confusion about passkeys and practical use within the Windows ecosystem, especially focusing on portability improvements and third-party manager integration.
Key Points:
Quote:
"Passkeys are confusing because they're basically pairs of cryptographic keys... But it's not really that bad. In fact, once you kind of get in the swing of this, you'll wonder why you aren't doing this everywhere."
(Paul Thurrott, 01:10)
Key Points:
Demonstration:
Paul walks through registering a passkey for a Google account using Chrome (with no password manager configured), including the familiar QR code flow to register credentials from a phone.
Notable Moment:
"I took a picture like an idiot because I’m old. But now I will scan it and it will connect..."
(Paul Thurrott, 04:09)
Key Advancements:
25H2 adds two big enhancements:
These improvements address the prior limitation by allowing passkeys to follow users between devices via authenticated accounts or third-party ecosystems.
Quote:
"In 25H2, the latest version of Windows 11, Microsoft added two related features that make passkeys more portable. Native integration with the Microsoft Password Manager... and also third party password manager integration."
(Paul Thurrott, 06:18)
Demonstration:
Quote:
"Now when I use Edge on… my iPhone or my Android phone… it will work. That makes this passkey portable. That passkey is not locked to this computer."
(Paul Thurrott, 12:15)
Key Details:
Demonstration:
Quote:
"The point is you can save that passkey now to 1Password and now it's portable. 1Password... has many additional features over what, you know, the Chrome Password Manager, the Microsoft Password Manager... But it's also available everywhere."
(Paul Thurrott, 16:20)
Summary:
Closing Statement:
"I still feel really strongly that you should use a third party password [or] passkey manager… In the next episode we're going to take a look at that."
(Paul Thurrott, 16:40)
"That makes this passkey portable. That passkey is not locked to this computer. It's going to go up to the cloud and go wherever I am."
– Paul Thurrott, 12:15
"You can save that passkey now to 1Password and now it's portable... it's also available everywhere and that means that you can bring up the 1Password app on your phone, install it as the autofill provider. If you created a passkey in this computer, it will be available on all your other devices and vice versa."
– Paul Thurrott, 16:20
Paul takes a practical, hands-on approach (“Hands-On Windows” truly earns its name) with live walkthroughs of passkey registration and honest, sometimes humorous, commentary (“I took a picture like an idiot… because I’m old”). The tone is approachable, informative, and focused on demystifying new security tech for everyday users.
If you’re looking to get started with passkeys on Windows 11 (especially 25H2), this episode is a valuable primer on what's new, how it works, and where to look for maximum flexibility. Catch the next episode for real-world usage demos and recommendations.
Feedback?
Reach out at twit.tv/how or join Club TWiT for more exclusive content!