Microsoft has begun rolling Windows 11 into a more flexible, passwordless future by adding native support for third‑party passkey providers — notably 1Password and Bitwarden — so those services can act as system-level passkey managers alongside Windows Hello and Microsoft’s own synced passkey option.
Background: what Microsoft changed and why it matters
Passkeys are the FIDO/WebAuthn‑based replacement for traditional passwords: asymmetric keypairs where the private key is kept on a device and unlocked via a local authenticator (biometrics or PIN) while the public key is stored on the service. That model blocks credential re-use and phishing in ways passwords never could, and Microsoft’s updates put passkeys at the center of the Windows 11 authentication story. At its core, Microsoft introduced three linked changes to Windows 11:
- A plugin model / API that lets third‑party credential managers register as a system passkey provider, letting apps and websites forward WebAuthn flows to them.
- A redesigned Windows Hello UX that surfaces passkey creation, saving and selection with clearer user prompts and choices (save to Microsoft Account, use a third‑party manager, or keep local).
- A Microsoft synced passkey provider option for users who prefer to store and sync passkeys to their Microsoft Account, protected by end‑to‑end encryption and TPM safeguards.
These changes move Windows 11 from merely supporting passkeys in some apps and browsers to orchestrating passkeys across apps, browsers and third‑party vaults — a practical move toward mainstream passwordless authentication.
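The phishing resistance described above comes from checks the service (the relying party) runs on every sign-in, whichever provider holds the passkey. The following is an added example, not code from Microsoft, 1Password or Bitwarden: it parses the WebAuthn authenticator data and client data, enforces the origin, RP ID and challenge binding, and reads the backup flags that show whether a passkey is device-bound or synced. The host names and sample assertions are constructed, and signature verification is left out to keep the example to the standard library.

```python
import base64, hashlib, json, struct

# Authenticator data flag bits defined by W3C WebAuthn (Level 3)
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10  # presence, verification, backup eligible/state

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(auth_data: bytes, client_data_json: bytes, *,
                    rp_id: str, origin: str, challenge: bytes) -> dict:
    """Relying-party binding checks for a sign-in assertion.
    Verifying the signature over auth_data || SHA-256(client_data_json)
    with the stored public key is a separate, required step not shown."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not an authentication assertion")
    if client.get("challenge") != b64url(challenge):
        raise ValueError("challenge mismatch")
    if client.get("origin") != origin:  # origin is written by the client, not the page
        raise ValueError(f"origin mismatch: {client.get('origin')!r}")
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & UP or not flags & UV:
        raise ValueError("user presence/verification flag missing")
    if flags & BS and not flags & BE:
        raise ValueError("backup state set without backup eligibility")
    return {"synced_capable": bool(flags & BE),
            "currently_backed_up": bool(flags & BS),
            "sign_count": sign_count}

def make_sample(rp_id: str, origin: str, challenge: bytes, flags: int, sign_count: int = 0):
    """Build a constructed assertion for the demo (not a captured one)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
    client = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return auth_data, json.dumps(client).encode()

if __name__ == "__main__":
    ch = bytes(range(32))  # constructed challenge
    site = dict(rp_id="example.test", origin="https://example.test", challenge=ch)
    synced = make_sample("example.test", "https://example.test", ch, UP | UV | BE | BS)
    print("synced passkey:", check_assertion(*synced, **site))
    lookalike = make_sample("example-phish.test", "https://example-phish.test", ch, UP | UV)
    try:
        check_assertion(*lookalike, **site)
    except ValueError as err:
        print("rejected:", err)
```

A relying party that records the two backup flags at registration and sign-in can apply different policy to synced and device-bound passkeys.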
How the plugin model works (technical overview)
WebAuthn routing to plugins
Windows 11 extends the WebAuthn flow so messages can be forwarded to a registered plugin — the third‑party credential manager — and responses can be returned to the WebAuthn client application. This lets a service request a passkey and have the registered password manager handle creation, storage or authentication without the browser being the only path.
Split responsibilities: Windows Hello vs. provider
Microsoft designed the integration as a division of responsibilities:
- Windows Hello: remains the local authenticator — it unlocks private keys with biometrics or PIN and performs the local signing operation.
- Third‑party provider (1Password, Bitwarden, etc.): handles discovery, storage and optional sync of passkeys across devices if the provider supports it.
Keeping Windows Hello as the local gatekeeper retains the benefits of platform security (TPM, local biometric templates that never leave the device) while giving users choice over where passkeys are stored and how they are synchronized.
Microsoft’s synced passkey provider
For users who prefer a single vendor experience, Microsoft also added a native "synced passkey provider" that links passkeys to a Microsoft Account with end‑to‑end encryption and TPM protections. This is an optional path — third‑party managers can be used instead — but it closes the convenience gap for people who live primarily inside the Microsoft ecosystem.
What 1Password and Bitwarden are delivering
1Password: system passkey manager in Windows 11
1Password implemented the Windows passkey plugin API in its Windows desktop app and has been testing MSIX builds that register the app as a system passkey provider. Users running the MSIX version can enable passkey features inside 1Password and then turn on the provider toggle in Windows Settings so 1Password appears as a system-level option. Early public beta feedback and community notes confirm an MSIX requirement for the system integration and a short delay (24–48 hours) after enabling before Windows surfaces the API on some Insider/dev builds. Key practical points reported by 1Password and users:
- The MSIX packaging of 1Password is used to enable system integration; the traditional EXE installer may not register as the system provider.
- After installing the MSIX build users may need to restart and wait a short propagation window for Windows to enable the passkey API in the system.
- 1Password’s integration is intended to let users create, save and sync passkeys using the 1Password vault while continuing to unlock private keys with Windows Hello.
Bitwarden: mobile-first passkeys and desktop integration plans
Bitwarden has added robust passkey capabilities on mobile and in browser extensions, and the company’s public materials show a clear roadmap for being a first‑class passkey provider across platforms. Bitwarden’s announcement of mobile passkey support and the availability of passkey storage for self‑hosted servers illustrates readiness to function as a synchronized passkey vault that could integrate via Microsoft’s plugin API. Community forum threads also show Bitwarden actively tracking Microsoft’s plugin doc and testing integration scenarios.
How to enable and use a third‑party passkey provider on Windows 11
The exact menu names and flows can vary slightly by build and rollout timing, but the general steps are:
- Ensure you have an up‑to‑date Windows 11 build that includes the passkey plugin features (Insider previews received the first test builds; stable rollout timing may vary).
- Install the third‑party manager’s Windows app that supports the system integration (for 1Password this is the MSIX build; Bitwarden’s current path may require its extension or a future desktop update).
- In the password manager app enable the passkeys/passkey suggestions feature (varies by product).
- Open Windows Settings > Accounts > Passkeys > Advanced options and toggle on the provider you want to use as a plugin credential manager. Windows will ask you to confirm your identity with Windows Hello.
- When visiting a site that supports passkeys you will be offered a choice in the Windows Hello flow to save or use the passkey with your selected provider (or with the Microsoft synced provider).
If a user experiences the provider toggle greyed out or missing, common causes are: not running the MSIX build (for 1Password), being on a Windows build that hasn’t yet received the feature, or a short propagation window after enabling the API where the system needs a restart. Community threads and vendor notes recommend reinstalling the MSIX package and rebooting, and waiting up to 24–48 hours for the system feature to appear.
Strengths and practical benefits
- Stronger phishing resistance: Passkeys eliminate passwords and therefore the primary vector for credential phishing and reuse. Using passkeys with Windows Hello retains strong biometric/PIN authentication while avoiding transmitted shared secrets.
- Choice and portability: The plugin model prevents vendor lock‑in by letting users choose a trusted vault (1Password, Bitwarden, etc.) or Microsoft’s synced provider without sacrificing the native Windows Hello UX.
- App and non‑browser support: System integration means non‑browser apps and native Windows experiences can leverage passkeys directly, removing the need for mobile pairing QR flows or awkward extension workarounds.
- Enterprise controls: Microsoft exposed management hooks and policies so IT teams can control rollout, enforce Windows Hello for Business, or manage exceptions — making passkeys viable for larger organizations.
These benefits collectively lower friction for a large swath of users and create a more coherent passwordless experience across devices and apps.
Risks, limitations, and operational caveats
Sync and recovery trade-offs
Any sync system requires recovery and account recovery mechanisms. Microsoft’s synced passkey provider uses end‑to‑end encryption and TPM protections, but syncing also expands the attack surface compared with strictly local keys. Users should understand recovery keys, backup procedures and how their provider handles escrow or recovery. Where vendors rely on cloud sync the security model depends heavily on correct implementation of zero‑knowledge encryption and recovery flows.
Users should not assume identical protection across vendors.
Dependency on Windows Hello and device hardware
Windows Hello remains the local unlock mechanism; it is anchored to a device and its biometric/PIN methods. While the private key never leaves the device, users who switch to non‑Windows devices or lack a TPM may face friction. Enterprises with mixed endpoints must plan for fallback or cross‑platform passkey migration strategies.
Rollout fragmentation and user confusion
Passkey features are rolling through Insider channels before general availability. Early adopter reports show toggles greyed out and MSIX packaging issues for 1Password during the beta phase. This creates a fragmented experience where some users on similar Windows versions see different behavior depending on update cadence and vendor packaging. Clear communication and vendor documentation are essential to reduce end‑user confusion.
Vendor packaging requirements (MSIX, store listings)
Some integrations require specific packaging (1Password’s MSIX path is a prominent example). Organizations with strict software deployment pipelines must account for installer differences and potential coexistence of EXE and MSIX instances that can lead to duplicate installs or registration issues. Vendors have recommended uninstalling older EXE instances prior to MSIX migration to avoid conflicts.
Interoperability with non‑Windows environments
While WebAuthn is cross‑platform, system‑level integrations rely on OS support. A passkey created and managed by a third‑party vault on mobile may be usable on Windows via plugin routing, but full parity (features, recovery behavior) across iOS, Android, macOS and Windows depends on each vendor’s cross‑platform implementation and the browser’s WebAuthn support. Testing and migration planning are important for users who frequently move between ecosystems.
Enterprise considerations: policies, rollout, and training
For IT teams, passkeys change the identity lifecycle and the support model:
- Administrators should assess MDM and Intune policy options to control passkey behaviors, including whether to allow the Microsoft synced provider or third‑party integrations. Group Policy and CSPs can be used to enforce passwordless-only experiences where required, but planning recovery and exceptions is crucial.
- Windows Hello for Business remains an important building block for corporate deployments; organizations need to decide whether to use certificate‑backed or key‑based Hello for Business on domain‑joined devices. This choice impacts how passkeys and device keys interact with enterprise identity and SSO scenarios.
- Training and staged rollouts are essential. Passkeys will confuse some users initially — training should focus on recovery keys, device enrollment, and where to find passkey management settings (Settings > Accounts > Passkeys).
Enterprises will also need to test third‑party provider behaviors (sync timing, provisioning, MFA methods) before a broad rollout. The vendor packaging differences and update cadence add another layer of operational work for IT.
Real‑world observations from early adopters and community threads
Community posts and vendor forums reveal common patterns in the early rollout:
- Users who installed the MSIX 1Password build reported initial hiccups (greyed‑out toggles, multiple installs) but also successful activation once the MSIX install and Windows feature synced. Vendors recommended reboots and uninstalling older EXE instances if duplicates appear.
- Bitwarden’s public materials and forum threads show strong mobile passkey support and an active roadmap for desktop integration, indicating it can function as a solid third‑party option for users who already trust Bitwarden’s sync model.
- Windows Insider and tech press coverage highlight that the Windows passkey UX aims to simplify saving choices and reduce surprises by prompting explicitly how and where to store passkeys. Early screenshots show a clear dialog offering Microsoft account sync, a third‑party provider, or local storage.
These real‑world notes underline that while the architecture is sound, the user experience depends on timely vendor packaging and clear communication.
Practical recommendations for Windows 11 users and admins
- If you are a consumer who already uses a password manager: wait for the vendor’s official MSIX/stable update and read its setup guide. Back up your vault and confirm recovery options before making any switch.
- If you are an IT admin planning a rollout: pilot with a small group, validate third‑party provider behaviors, document recovery and support flows, and prepare MDM policies for controlled deployment. Test device combos (with and without TPM) and develop fallback policies.
- For security teams: evaluate the vendor’s encryption and recovery model. Zero‑knowledge end‑to‑end encryption is ideal, but verify how the provider handles lost‑device recovery and how Microsoft’s synced provider implements recovery keys and escrow.
The bigger picture: is this the end of passwords?
The combination of platform support, vendor integration and clearer UX marks a turning point: passkeys are moving from an experimental feature to a user‑facing, practical authentication model on Windows 11. Microsoft’s plugin approach reduces friction and increases choice — two barriers that previously slowed passkey adoption.
However, complete replacement of passwords will take time. Technical interoperability, vendor packaging issues, legacy systems, and the human factor (training, recovery behavior) remain real constraints. The likelihood that passwords vanish overnight is low; instead, expect gradual adoption with passkeys becoming the primary method for consumer and enterprise scenarios over the coming years.
Conclusion
Microsoft’s native support for third‑party passkey providers such as 1Password and Bitwarden in Windows 11 is a substantive, practical step toward mainstream passwordless authentication. The plugin API, enhanced Windows Hello UX, and a Microsoft synced provider collectively deliver stronger phishing resistance, choice for users, and better integration for apps and native experiences. Early adopter reports and vendor notes show some teething problems — packaging, propagation delays and rollout fragmentation — but those are predictable for a feature of this complexity.
For power users and IT teams, the immediate priority is careful piloting: validate vendor packaging (MSIX for 1Password), confirm recovery paths, and educate users about how passkeys work. For everyone else, the change means fewer passwords to remember and a clearer, more secure sign‑in experience when the feature lands on their device.
Source: Neowin
Microsoft brings native support for 1Password and Bitwarden passkeys to Windows 11