Learn how passkey-ready Windows 11 is and if it works without Windows Hello or a Microsoft account for passkey authentication.
Vincent
Created: October 21, 2024
Updated: October 22, 2024
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.
As passkeys become the prevalent form of authentication, developers and product managers are increasingly interested in how Windows 11 devices handle passkeys, especially when Windows Hello or a Microsoft account is not in use. Therefore, in this article, we will explore three key questions:
Understanding these configurations will give developers and product managers better insights into how passkeys behave in environments with different setups.
See this FAQ to understand better what Windows Hello is.
A Microsoft account is a single sign-in credential used to access various Microsoft services, such as Windows, Outlook, OneDrive, Office 365, and Xbox. By using a Microsoft account, users can synchronize their files, preferences, and settings across multiple devices and access cloud storage. This unification creates a seamless user experience, whether on a PC, smartphone, or tablet.
The integration of Microsoft accounts with Windows 11 improves the security and user experience. However, not all users prefer to use a Microsoft account and may choose to use a local account instead.
Windows Hello is a feature in Windows designed to enhance security by offering biometric authentication, such as facial recognition or fingerprint scanning, as well as PIN codes. Microsoft has been actively pushing users to adopt Windows Hello by integrating it with various security features and requiring it for certain functionalities.
Additionally, the use of Microsoft accounts is encouraged and for some Windows versions even required, as it allows users to sync settings, preferences, and apps across devices (passkeys will soon also be synced via Microsoft accounts, presumably as of Q1/2025 according to Microsoft-internal resources).
Let’s look at two interesting follow-on questions then:
There is limited specific data on how many Windows 11 users have a Microsoft account activated. However, Microsoft has shifted its focus to promoting passwordless security options, including passkeys, as the new standard of authentication. This conclusion is also backed by the following data that Microsoft recently published, which makes clear that the vast majority of users have Windows Hello activated:
Yes, it is possible to use Windows 11 without a Microsoft account, though Microsoft has made this process less straightforward over time. During the Windows 11 installation, users can opt for a local account by selecting "I don’t have internet" or "Skip for now" when prompted to connect to a network. This allows them to create a local user account instead of linking the device to a Microsoft account.
However, this method may not work on all versions of Windows 11, as some might force users to connect to the internet and create a Microsoft account. Additionally, users with local accounts may find that some services and apps are unavailable or limited in functionality.
To set up Windows 11 without a Microsoft account, look for the various tutorials you find on the Internet.
Yes, at the time of writing this article (October 2024), a local Windows 11 account can have Windows Hello activated. This means that users can still benefit from biometric authentication, such as facial recognition or fingerprint scanning, without needing a Microsoft account. In this setup, the passkeys would be device-bound.
However, it’s worth noting that in Q1 2025, Microsoft is expected to allow passkey syncing across devices, which could change how local accounts interact with passkeys.
Windows 10 handles Windows Hello and Microsoft accounts differently from Windows 11. One of the key differences is that Windows 10 does not require a Trusted Platform Module (TPM) to be installed. In case a hardware TPM is not available, Windows 10 emulates a TPM via software.
However, Microsoft has still been encouraging users to adopt both Windows Hello and Microsoft accounts on Windows 10. The push comes from a desire to improve security and convenience. Windows Hello offers enhanced protection against phishing attacks, and Microsoft accounts enable seamless syncing of settings, files, and services across devices.
First of all, Windows 11 has really good detection capabilities for passkey-readiness. By calling PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable(), you can determine with 100% certainty whether Windows Hello (the local authenticator) is active. Based on this information, fallback authentication can be used directly if Windows Hello is not available, which makes sure the UX is always great.
We ran tests using a local Windows 11 account, with Windows Hello turned off, and attempted to check the passkey-readiness of the device on state-of-passkeys.io.
When trying to use passkeys without Windows Hello enabled, a prompt appeared, requesting that Windows Hello should be activated to proceed with the passkey setup. This might indicate that, in some cases, Windows Hello is required to use passkeys, particularly for local platform authentication.
When testing for passkey-sync-readiness on State of Passkeys:
The popup above only occurs if fallbacks are not handled properly (e.g. in Corbado’s UI components, we fall back directly to email OTP when passkey-readiness is not given, thus avoiding user confusion).
As most users have Windows Hello activated anyway, only a tiny fraction of users should see this popup.
When clicking on Close, the final result was the following:
You might ask yourself why the device is not Passkey-ready but is Conditional-UI-ready. This is partly due to the definitions used by State of Passkeys: passkey-ready could also be described as Platform-Auth-Ready, which indicates whether a local platform authenticator is available. As Windows Hello is not activated, the local authenticator check is false. However, it’s possible to use cross-device authentication (via QR code and Bluetooth) as well as synced passkeys from Google Password Manager via Conditional UI. That’s why the device signals Conditional-UI-readiness.
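The two readiness signals discussed above, and the direct fallback they enable, can be combined in one check. This is an added example, not code from the original article or from Corbado's components; the flow names, the injectable `pkc` parameter and the two sample device objects are assumptions made for illustration.

```javascript
// Added example, not Corbado's code. Flow names below are hypothetical.
// `pkc` is injectable so the logic also runs outside a browser; in a page it
// defaults to the real PublicKeyCredential global.
async function detectPasskeyReadiness(pkc = globalThis.PublicKeyCredential) {
  const readiness = { webauthn: false, platformAuth: false, conditionalUi: false };
  if (!pkc) return readiness; // browser has no WebAuthn support at all
  readiness.webauthn = true;

  // Older browsers lack some probes, and a probe may reject: both count as "no".
  const probe = async (name) => {
    try {
      return typeof pkc[name] === "function" && (await pkc[name]()) === true;
    } catch {
      return false;
    }
  };
  readiness.platformAuth = await probe("isUserVerifyingPlatformAuthenticatorAvailable");
  readiness.conditionalUi = await probe("isConditionalMediationAvailable");
  return readiness;
}

// Decide what to show before any WebAuthn ceremony is started, so a device
// without Windows Hello never reaches the "set up Windows Hello" prompt.
function chooseLoginFlow(readiness) {
  return {
    // Only offer to create a platform passkey when the local authenticator is on.
    offerPlatformPasskey: readiness.platformAuth,
    // Autofill can still surface synced or cross-device passkeys.
    enablePasskeyAutofill: readiness.conditionalUi,
    // Hypothetical primary method shown in the login form.
    primary: readiness.platformAuth ? "passkey" : "email-otp",
  };
}

// Constructed stand-ins for the two device states tested in the article.
const HELLO_OFF = {
  isUserVerifyingPlatformAuthenticatorAvailable: async () => false,
  isConditionalMediationAvailable: async () => true,
};
const HELLO_ON = {
  isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
  isConditionalMediationAvailable: async () => true,
};
```

In a page, call `chooseLoginFlow(await detectPasskeyReadiness())` before rendering the login form; with Windows Hello off the result keeps passkey autofill enabled while showing the fallback method first.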
How the system then handles the user login flow depends a lot on the implementation. A default test on https://webauthn.io resulted in the following screenshot when Windows Hello was not activated:
This means that WebAuthn cross-device authentication (via QR codes and Bluetooth) was possible, as were hardware security keys, even without Windows Hello.
Other systems might directly fall back to their fallback login methods (e.g. password, email OTP) and avoid this popup.
When logging into a Google profile on Chrome, the Google Password Manager’s cross-platform sync feature comes into play (Google Password Manager behaves here like a third-party password manager such as 1Password or Dashlane). This allows users to log in with passkeys on a Windows 11 device without needing to activate Windows Hello or connect to a Microsoft account. An initial verification and a six-digit recovery code were required (sometimes it’s also the Android PIN pattern if an Android device is connected), but after that, the login process felt seamless – almost magical.
In Chrome, when logged in to your Google profile and you want to use the passkeys stored in Google Password Manager, the following popup appears initially. You then provide a six-digit recovery PIN.
This recovery PIN is also requested when you want to use or create a passkey later. So, let’s create a passkey in Google Password Manager:
Provide the recovery PIN.
If a passkey is successfully stored in Google Password Manager on Windows 11 without Windows Hello or an activated Microsoft account, you will see the following popup below the browser’s URL field.
After completing this verification and setting a six-digit recovery code for this device, you can log in with passkeys on a Windows 11 device without setting up Windows Hello or having a Microsoft account.
If you’re logged into your Google profile in Chrome on Windows 11, you now also have the option to save passkeys via Save another way. Then, the following options appear (Google Password Manager and Windows Hello).
However, when Windows Hello is not turned on and you click on this option, then the following popup comes again:
In summary, most Windows 11 users can seamlessly use passkeys as the vast majority of Windows 11 users have a Microsoft account and use Windows Hello. While Windows 11 is optimized for users with a Microsoft account and Windows Hello activated, it is still possible to use the operating system - and passkeys - without them. Let’s look at our questions from the beginning:
Developers and product managers should be aware that passkey behavior may vary depending on whether Windows Hello is enabled, and cross-device WebAuthn authentication may require additional steps. However, as passkeys and passwordless solutions continue to evolve, the options for integrating these features on devices with different setups will only expand.