On June 22, 2023, Microsoft released the implementation of the passkey function in the Insider Preview (Dev channel) of Windows 11.
This time, let's see how the passkey function was implemented on Windows. Please understand that it may be difficult to understand because it includes a little technical content.
I will omit how to install the Insider Preview version of Windows 11. Insider Preview has multiple channels (Dev, Beta, etc.), but this time the passkey function is added to the Dev channel.
Since this is an experimental build, I recommend using an environment where there is no problem even if it breaks, and do not install it on the PC you usually use.
In addition, in my environment, the passkey-related implementation was not found immediately after the change to the Dev channel. I was going through trial and error, thinking that there might be a reason such as the hardware conditions not being met. After a few days without any clues, I rebooted the machine for other works and it popped up. I recommend that you wait patiently.
From here, I will proceed with the experiment while quoting the information from the Windows Insider Blog presented at the beginning. For the experiment, I will use "WebAuthn.io" that I have used before.
"WebAuthn.io"
Let's read the Windows Insider Blog.
■ Registration and use of passkey
Enroll and use passkey to sign into apps and websites
It was written as you can now do new things, but in fact, this itself was available in the current Windows 11 and even Windows 10. As I wrote in my previous blog (What are Passkeys? (Part 1)), the word "passkey" in a broad sense refers to the existing technology "WebAuthn", which itself has been implemented in previous versions of Windows. Once again, it seems that they are saying this with the implication that "We also support passkeys.".
However, in this blog, there is also a description of the past that has not been implemented in Windows until now. That is the point below.
Sign in using passkeys saved on your phone
This is the "Hybrid authentication" introduced in the previous blog. As I mentioned in the previous blog post, this was already implemented in Google Chrome, and it was also implemented in Edge, which uses Chrome's browser engine (Chromium). However, the new thing is that this part was implemented in the OS instead of the browser this time.
I think some people may have a hard time understanding what it means to have a passkey implemented in the OS. Windows has a mechanism called "Windows Hello", which comprehensively handles various authentications such as Windows logon or WEB authentication. Hybrid authentication was implemented this time in the Windows Hello part. By implementing Hybrid authentication in Windows Hello, it will be possible to use Hybrid authentication in applications that use Windows Hello, in addition to WEB authentication. I think this is technically an important point.
I'm going to explain the changes in the screen on the WEB, but I need another explanation for that. Let me explain the "Special Instructions" section a little further on the Windows Insider Blog.
On Microsoft Edge or Google Chrome, if you see the browser’s passkey UI, choose “Windows Hello or external security key” to get the Windows native experience. Try Google Chrome Canary for the latest experience there. As Microsoft Edge is Chromium-based, experiences in Chrome Canary will roll up into Microsoft Edge as well over time.
"Browser's passkey UI(*)" is the screen that was displayed when using WebAuthn until now.
(*)UI: User Interface. It is a mechanism for interacting with the user, but in the case of applications, it often refers to the display parts of the screen, appearance, operation method, operability, etc.
As I wrote a note in the image, in the case of Windows Chrome, when you click "Windows Hello..." Windows Hello is called and for Hybrid authentication, the Hybrid authentication screen implemented by the browser is displayed. Until now, Windows Hello has not implemented Hybrid authentication, so the browser-side program is in charge of that. And since this selection screen is implemented in the browser, it will not change even if Insider Preview is introduced. The need to try the Canary build of Chrome to try out the latest UI seems to be necessary to skip this selection screen and call Windows Hello directly.
 |  |
The screen movement used to be like this, and the UI was not very user-friendly.
Choose Windows Hello authentication or Hybrid authentication. (For Hybrid authentication, go directly to the Hybrid authentication screen of the browser).
For Windows Hello authentication, select the type of authenticator (PIN, fingerprint, face, security key).
The latest Windows 11 Insider Preview version and Chrome Canary are as follows.
The Windows Hello internal authenticator (PIN) screen appears, and the authentication of other devices is the item "Use another device". In the experimental environment, the device has no fingerprint or face authentication, so the screen looks like this, but if it has, fingerprint and face will probably be displayed on this screen. Click "Use another device" to move to the following screen.
"KYV46" is the model name of my smartphone, and it has already been connected once with Hybrid authentication. The next item "iPhone..." is Hybrid authentication using a QR code, and the "Security key" is authentication by a FIDO device. The last "This Windows device" seems to return to the first screen. From these situations, it seems that the first screen probably uses Windows Hello's internal authenticator, and the next screen allows you to use Hybrid authentication and FIDO security keys. Regarding the first screen (internal authenticator) and the next screen ( external authenticator), the last used screen is remembered, and when the Windows Hello screen opens next time, the screen used at last time will open.
Looking at it this way, from the engineer's point of view, the content is that Hybrid authentication has been incorporated into Windows Hello, but from the user's point of view, the UI for passkey authentication on Windows has been organized.
■ Passkey management
Next, let's take a look at the following parts of the Windows Insider Blog:
Manage passkeys saved to your Windows device
The latest version of iOS and Android have made it possible to manage passkeys, but in Windows, there has been no equivalent until now. Passkeys were only stored internally and could not be checked or deleted. It seems that a screen to check and delete them has been implemented.
An item called "Passkey settings" has been added to the Windows Accounts settings screen.
The setting screen is relatively simple, with a search box and a list of registered passkeys. Each passkey item is a domain name and a user name, and there seems to be no further information. I would appreciate it if there was a registration date and last use date and time.
If you click "..." on the right side of the passkey, only the item "Delete Passkey" will be displayed. Unlike passwords, it is not rewritten, so it is simple, but the fact that the menu is open format may increase the number of items in the future.
If you try to delete it, you will be warned that "You won't be able to sign in anymore".
If you try to delete it, you will be prompted to enter the password for the Windows account you are logged on to. In addition, I was able to select a PIN from "Others", so it seems that fingerprint/face authentication of Windows Hello is probably possible.
That's about all you can do with this setting screen. Since it is still an Insider Preview version, it seems that there may be more things that can be done with feedback, etc.
■ About Multi-device FIDO Credential
In the previous blog (What are Passkeys? (Part 2)), I also explained passkeys in the narrow sense, Multi-device FIDO Credentials (MDC). So far, there is no description of MDC implementation in the contents of the Windows Insider Blog, and since the expression "this device" was often seen on the screens, it seems that MDC is not implemented at this time. However, like Apple and Google, Microsoft also has a Microsoft account, so MDC using that account may be implemented in the future. I would like to share on the blog, etc. if there is information on how to proceed in the future.
(*) Currently, Multi-device FIDO Credentials have been unified under the name "synced passkeys". And credentials on devices will also be standardized under the name"device-bound passkeys". From now on, we will use these unified names in our blogs.
■ Summary
This time, we sent you a preview version of the Windows passkey implementation. It's still an Insider Preview Dev channel, so it may take a little longer to incorporate it into the actual product built, but it feels like the three major OS vendors have finally completed their passkey implementations. We hope that we can contribute to the popularization of this, as passkey support on the service provider side is also processing.
We provide a service called YubiOn FIDO2 Server for service providers who want to incorporate passkey authentication into their services. If you are interested, please feel free to contact us.
■ Reference link
[Experimental site]
WebAuthn.io
[Microsoft public information]
Announcing Windows 11 Insider Preview Build 23486 | Windows Insider Blog
[SoftGiken link]
YubiOn FIDO2 Server