Windows
Resources for passkeys in Microsoft Windows
Local Authenticator
External Authenticator
Windows Hello, the local platform authenticator in Windows 10 and 11, has the following capabilities:
The following is also possible in Windows 11 version 23H2 and newer:
The following is also possible in both Windows 10 and Windows 11 (earlier than 23H2):
navigator.credentials.get
when using the platform authenticator or a hardware security key. It is supplied during credential creation, or when using
FIDO Cross-Device Authentication for an authentication ceremony.
Starting in Windows 11 version 23H2, FIDO Cross-Device Authentication (CDA) is supported globally at the operating system level and available for all apps and browsers. Persistent linking is available between Android devices (authenticator) and Windows 11 23H2+. iOS and iPadOS do not support persistent linking.
In Windows versions prior to 11 23H2, including Windows 10, support for FIDO Cross-Device Authentication (CDA) is only available in Chrome and Edge. It is not available globally. Persistent linking is available between Android devices (authenticator) and Chrome and Edge (clients) on these versions. iOS and iPadOS do not support persistent linking.
When a user tries to interact with a passkey on Windows 11, an available screen unlock method is used for user verification via Windows Hello. Starting in Windows 11 22H2, users must set up Windows Hello with at least a device PIN. Setting up facial recognition or fingerprint recognition is optional.
Where these biometrics are not configured or available, both passkey creation and authentication fall back to asking for the Windows Hello PIN.
userVerification='required' and userVerification='preferred' are the same: Windows Hello asks for the device PIN for both passkey creation and authentication. Since user verification fails locally, the server only receives a successful response with the UV flag set to true.
PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns true.
Coming Soon
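An added example (not code from the original page): how a relying party could confirm the UV flag described above on the server rather than assuming it, since 'preferred' produces a verified response with Windows Hello but the WebAuthn specification does not guarantee that on every authenticator. The function names and sample bytes are constructed for illustration, and the check covers only the flags byte, not signature, challenge or rpIdHash validation.

```javascript
// Added example: relying-party check of the UV flag in WebAuthn authenticator data.
// Layout per the WebAuthn spec: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible
const FLAG_BS = 0x10; // backup state

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error('authenticatorData must be at least 37 bytes');
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount: view.getUint32(33, false), // false = big-endian
  };
}

// `requested` is the userVerification value the server placed in its request options.
function checkUserVerification(authData, requested) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: 'UP flag not set' };
  if (requested === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'UV required but UV flag not set' };
  }
  // With 'preferred', record what actually happened instead of assuming it.
  return { ok: true, userVerified: parsed.userVerified };
}

// Constructed sample input: zeroed rpIdHash, the given flags byte, signCount = 0.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

console.log(checkUserVerification(sampleAuthData(0x05), 'required'));  // UP + UV
console.log(checkUserVerification(sampleAuthData(0x01), 'required'));  // UP only
console.log(checkUserVerification(sampleAuthData(0x01), 'preferred')); // UP only
```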