Windows


Resources for passkeys in Microsoft Windows


Local Authenticator

(create and use passkeys from the local device)
 

External Authenticator

(create and use passkeys from another device)

Overview  

Windows Hello, the local platform authenticator in Windows 10 and 11, has the following capabilities:

  • creating and using device-bound passkeys on the local device
  • creating and using device-bound passkeys on a FIDO2 security key

The following is also possible in Windows 11 version 23H2 and newer:

  • using passkeys from iOS and iPadOS devices for signing into services in all browser and native apps using FIDO Cross-Device Authentication
  • using passkeys from Android devices for signing into services in all browser and native apps using FIDO Cross-Device Authentication

The following is also possible in both Windows 10 and Windows 11 (earlier than 23H2):

  • using passkeys from iOS and iPadOS devices in Chrome (108+) and Edge (108+) for signing in to web services using FIDO Cross-Device Authentication
  • using passkeys from Android devices in Chrome (108+) and Edge (108+) for signing in to web services using FIDO Cross-Device Authentication

Platform Notes  

Cross-Device Authentication  

Starting in Windows 11 version 23H2, FIDO Cross-Device Authentication (CDA) is supported globally at the operating system level and available for all apps and browsers. Persistent linking is available between Android devices (authenticator) and Windows 11 23H2+. iOS and iPadOS do not support persistent linking.

In Windows versions prior to 11 23H2, including Windows 10, support for FIDO Cross-Device Authentication (CDA) is only available in Chrome and Edge. It is not available globally. Persistent linking is available between Android devices (authenticator) and Chrome and Edge (clients) on these versions. iOS and iPadOS do not support persistent linking.

User Verification Behavior  

When a user tries to interact with a passkey on Windows 11, an available screen unlock method is used for user verification via Windows Hello. Starting in Windows 11 22H2, users must set up Windows Hello with at least a device PIN. Setting up facial recognition or fingerprint recognition is optional.

Where these biometrics are not configured or available, both passkey creation and authentication fall back to asking for the Windows Hello PIN.

Chrome 120+  

  • When biometrics are not configured on Windows, or not available on the device:
    • The behavior for userVerification='required' and userVerification='preferred' is the same: Windows Hello asks for the device PIN for both passkey creation and authentication. Since any user verification failure happens locally, the server only ever receives a successful response, with the UV flag set to true.
    • Calling PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns true.
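
Because the UV flag is the only evidence of user verification that reaches the server, a relying party that asks for userVerification='required' still has to check it in the authenticator data. The following is an added example, not code from passkeys.dev or Microsoft; the function names are hypothetical, the sample bytes are constructed, and it assumes the signature, challenge, origin and rpIdHash have already been verified.

```javascript
// Flag bits in byte 32 of WebAuthn authenticator data.
const FLAG_UP = 0x01; // User Present
const FLAG_UV = 0x04; // User Verified
const FLAG_BE = 0x08; // Backup Eligible (unset for device-bound passkeys)

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error('authenticatorData must be a Uint8Array of at least 37 bytes');
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    deviceBound: (flags & FLAG_BE) === 0,
    signCount: view.getUint32(33, false),
  };
}

// Enforce the relying party's policy on the server. Call this only after the
// rpIdHash, challenge, origin and signature have been verified; the flags are
// untrusted until then.
function checkUserVerification(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: 'UP flag not set', ...parsed };
  }
  if (policy === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'UV required but UV flag not set', ...parsed };
  }
  return { ok: true, reason: null, ...parsed };
}

// Constructed sample input: placeholder rpIdHash (0xAA bytes), given flags and counter.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37).fill(0xaa, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

// Windows Hello style response (UP and UV set) passes a 'required' policy.
console.log(checkUserVerification(sampleAuthData(FLAG_UP | FLAG_UV, 7), 'required'));
// A response with UP only is rejected under 'required'.
console.log(checkUserVerification(sampleAuthData(FLAG_UP, 1), 'required'));
```

With userVerification='preferred' the same UP-only response is accepted, so the server should record the returned userVerified value and decide whether the session needs step-up.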

Resources  

  • Support for passkeys in Windows (Microsoft)
Last Updated: Jan 29, 2025
This site is brought to you by members of the W3C WebAuthn Community Adoption Group and the FIDO Alliance.
CC BY-NC-ND 4.0 | Privacy Policy