Microsoft has expanded Windows 11's passwordless authentication capabilities by introducing native support for third-party passkey managers, starting with Bitwarden and 1Password.
The new feature, now generally available through the November 2025 security update, allows users to create, store, and use passkeys with their preferred credential manager across apps and browsers.
The update marks a significant step toward a passwordless future, with Microsoft building an API that enables packaged credential providers to integrate directly into Windows. This integration enables passkey managers to operate as native components in the OS, unlocking deeper system-level capabilities such as Windows Hello-based authentication and seamless sync across devices.
The collaboration was developed in close partnership between Microsoft's Windows Security team and passkey providers. Travis Hogan, Product Manager at 1Password, highlighted the joint effort in building the plugin API, noting 1Password's role as the first external manager to integrate natively with Windows 11. Similarly, Bitwarden worked with Microsoft to enable its desktop application to act as a system-level passkey provider, currently available in beta for users who install it via GitHub.
Bitwarden's implementation allows users to store and retrieve passkeys from their encrypted vault, whether in-browser or through standalone Windows apps. The integration supports bidirectional syncing, meaning users can create passkeys on Windows and access them on mobile, or vice versa, without needing a browser extension. These passkeys remain encrypted during sync, ensuring private keys never leave the user's device during authentication.
Windows 11 users can now select their passkey manager during the credential setup process. Supported managers, such as Microsoft's own Password Manager, 1Password, and Bitwarden, are offered as plugin providers and protected by Windows Hello, including facial recognition, fingerprint, or PIN. Passkey operations, such as creation and login, are secured by Azure-based hardware-backed protections, including Managed Hardware Security Modules (HSMs), Azure Confidential Compute, and tamper-proof recovery via Azure Confidential Ledger.
This enhancement aligns with Microsoft's broader goal of reducing reliance on passwords, which remain one of the weakest links in account security. Passkeys use asymmetric cryptography based on the FIDO2 and WebAuthn standards, offering several advantages over traditional passwords:
- They are resistant to phishing, as passkeys can only be used on the domain where they were registered.
- They are immune to typical credential leaks, as the private key never leaves the device.
- They are easier to use, requiring no memorization or typing.
Bitwarden, which offers a free and open-source password manager, has also announced full passkey support across all its plans. Users can now create passkeys via the web extension or mobile apps, and store them in the vault for synchronization across devices. Developers can integrate Bitwarden's Passwordless.dev SDK to add passkey login to their websites at no cost for up to 10,000 users.
Leave a Reply