While Apple and Google have rapidly embraced passkeys, Microsoft's Windows has is notably slower in its adoption. This article delves into the possible reasons.
Vincent
Created: September 30, 2023
Updated: June 3, 2024
When it comes to the adoption of synced, multi-device passkeys, Apple took the lead by rolling them out with iOS 16 in September 2022. Not long after, macOS followed suit, ensuring that every new Apple device was equipped and ready for synced passkey use. Google wasn't far behind, with Chrome and Android receiving an upgrade starting late 2022 to become passkey-ready.
In stark contrast, Windows has been more conservative. Even the latest Windows 11 version only supports single-device passkeys. This means passkeys aren't synced to a cloud account (e.g. to a Microsoft account), a significant limitation that hampers broader adoption of passkeys, especially among non- technical users who require a simple passkeys recovery. This is surprising, given that Microsoft, alongside Apple and Google, is one of the core members of the FIDO alliance. Moreover, the Windows security blog has a long history of pointing out all kinds of problems arising from password-based authentication and related phishing attacks on Microsoft accounts.
Historically, Microsoft has occasionally found itself trailing behind competitors like Google and Apple in the swift adoption of emerging technologies. There have been examples where they either lagged in embracing new trends or missed itentirely. Could the gradual uptake of passkeys be a reflection of this pattern?
According to the latest data, still most of Windows devices run with Windows 10. Windows 10 doesnt have the requirement to integrate a Trusted Platform Module (TPM), which is needed though for storing passkeys in general. With Windows 11, Microsoft requires the device to have a TPM, otherwise an update is not possible.
Windows caters to a vast and varied user base, from individual consumers to large enterprises. Rolling out a new feature like passkeys requires ensuring that it satisfies the needs and security requirements of all these users. This broad spectrum of users might necessitate a more cautious and phased approach which integrates existing, on-premise systems, together with Microsoft 365 Business accounts alongside private accounts.
Another plausible reason could be the vast array of hardware configurations that Microsoft has to support. Unlike Apple, which has a more controlled ecosystem, Windows is used by a diverse range of hardware manufacturers and devices. However, this argument loses some weight when we consider Google's Android, which successfully supports various smartphone manufacturers and has made most devices passkey-ready.
Another angle to consider is the dominance of Windows in the business world. Most desktop devices, despite the rising popularity of macOS, still run on Windows (especially enterprise devices). This widespread use in professional environments might make Microsoft more cautious in implementing changes. Additionally, features like Windows Hello aren't universally activated yet, unlike Apple's approach of nudging users towards Face ID / Touch ID and keychain functionalities.
The latest Windows 11 update from September 26, 2023, promises some advancements concerning passkeys. Users can work with a more user-friendly graphical interface for managing passkeys, eliminating the previous reliance on browser capabilities. However, the update still doesn't seem to address the issue of passkey synchronization (e.g. via a Microsoft account). For now, the only workaround for backing up a passkey on a Windows device is to utilize modern password managers like 1Password or Dashlane, which offer passkey sync features.
Besides that, the biggest problem still remains, as Windows 10 22H2 is planned to be the last feature version for Windows 10, but lacks the WebAuthn library version that is needed to offer at least Conditional UI (to offer the best passkeys UX via passkeys autofill), which could easily be backported according to Microsoft internal sources. That rises the question if there should be an out-of-band update for Windows 10 22H2 to enforce TPMs?
Despite the slow corporate movement, it's worth noting that many Microsoft employees are extremely strong advocates for the passkey movement and do fantastic work in the space, like supplying educative resources and insights on https://passkeys.dev. So, what's holding Microsoft back from a more aggressive push towards passkey integration?
The reasons could be multifaceted, ranging from strategic business decisions, concerns about user experience, or even technical challenges. As developers and product managers, it's crucial to stay informed and be prepared for when the shift eventually happens.
We'd love to hear your thoughts. Are there other reasons you believe contribute to Microsoft's cautious approach? When do you anticipate a more widespread adoption of passkeys in the Windows ecosystem? Join our passkeys community and participate in the discussion.
Table of Contents
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour
Start for free