Why Is Windows So Slow with Passkey Adoption and Rollout?

The Landscape of Passkey Adoption

When it comes to the adoption of synced, multi-device passkeys, Apple took the lead by rolling them out with iOS 16 in September 2022. Not long after, macOS followed suit, ensuring that every new Apple device was equipped and ready for synced passkey use. Google wasn't far behind, with Chrome and Android receiving an upgrade starting late 2022 to become passkey-ready.

In stark contrast, Windows has been more conservative. Even the latest Windows 11 version only supports single-device passkeys. This means passkeys aren't synced to a cloud account (e.g. to a Microsoft account), a significant limitation that hampers broader adoption of passkeys, especially among non- technical users who require a simple passkeys recovery. This is surprising, given that Microsoft, alongside Apple and Google, is one of the core members of the FIDO alliance. Moreover, the Windows security blog has a long history of pointing out all kinds of problems arising from password-based authentication and related phishing attacks on Microsoft accounts.

Reasons for Windows Slow Passkey Adoption

Historically, Microsoft has occasionally found itself trailing behind competitors like Google and Apple in the swift adoption of emerging technologies. There have been examples where they either lagged in embracing new trends or missed itentirely. Could the gradual uptake of passkeys be a reflection of this pattern?

• Mobile Dominance: Microsoft was late to the smartphone game, allowing Android and iOS to establish dominance. Their Windows Phone platform, despite its merits, couldnt gain significant market share.
• Web Browsing: Internet Explorer, once the dominant web browser, lost its position due to slow updates and lack of modern features, paving the way for browsers like Chrome.
• Digital Assistants: While Cortana is a promising digital assistant, it couldnt match the popularity and integration of Apples Siri or Google Assistant.

1. Windows 10 not requiring a Trusted Platform Module

According to the latest data, still most of Windows devices run with Windows 10. Windows 10 doesnt have the requirement to integrate a Trusted Platform Module (TPM), which is needed though for storing passkeys in general. With Windows 11, Microsoft requires the device to have a TPM, otherwise an update is not possible.

2. Windows is used by Diverse User Base (Business and Consumers alike)

Windows caters to a vast and varied user base, from individual consumers to large enterprises. Rolling out a new feature like passkeys requires ensuring that it satisfies the needs and security requirements of all these users. This broad spectrum of users might necessitate a more cautious and phased approach which integrates existing, on-premise systems, together with Microsoft 365 Business accounts alongside private accounts.

3. Heterogenous Hardware Ecosystem

Another plausible reason could be the vast array of hardware configurations that Microsoft has to support. Unlike Apple, which has a more controlled ecosystem, Windows is used by a diverse range of hardware manufacturers and devices. However, this argument loses some weight when we consider Google's Android, which successfully supports various smartphone manufacturers and has made most devices passkey-ready.

4. Enterprise Concerns

Another angle to consider is the dominance of Windows in the business world. Most desktop devices, despite the rising popularity of macOS, still run on Windows (especially enterprise devices). This widespread use in professional environments might make Microsoft more cautious in implementing changes. Additionally, features like Windows Hello aren't universally activated yet, unlike Apple's approach of nudging users towards Face ID / Touch ID and keychain functionalities.

Windows 11 23H2: A Step Forward, But Is It Enough?

The latest Windows 11 update from September 26, 2023, promises some advancements concerning passkeys. Users can work with a more user-friendly graphical interface for managing passkeys, eliminating the previous reliance on browser capabilities. However, the update still doesn't seem to address the issue of passkey synchronization (e.g. via a Microsoft account). For now, the only workaround for backing up a passkey on a Windows device is to utilize modern password managers like 1Password or Dashlane, which offer passkey sync features.

Besides that, the biggest problem still remains, as Windows 10 22H2 is planned to be the last feature version for Windows 10, but lacks the WebAuthn library version that is needed to offer at least Conditional UI (to offer the best passkeys UX via passkeys autofill), which could easily be backported according to Microsoft internal sources. That rises the question if there should be an out-of-band update for Windows 10 22H2 to enforce TPMs?

The Road Ahead: When Will Windows Support all Passkey Features?

Despite the slow corporate movement, it's worth noting that many Microsoft employees are extremely strong advocates for the passkey movement and do fantastic work in the space, like supplying educative resources and insights on https://passkeys.dev. So, what's holding Microsoft back from a more aggressive push towards passkey integration?

The reasons could be multifaceted, ranging from strategic business decisions, concerns about user experience, or even technical challenges. As developers and product managers, it's crucial to stay informed and be prepared for when the shift eventually happens.

We'd love to hear your thoughts. Are there other reasons you believe contribute to Microsoft's cautious approach? When do you anticipate a more widespread adoption of passkeys in the Windows ecosystem? Join our passkeys community and participate in the discussion.