Navigation section

Windows 11 Native Passkeys: 1Password and Bitwarden Integration

  • Thread Author
Microsoft has rolled out native, system‑level support for third‑party passkey managers in Windows 11 — and with the Windows November 2025 security update the capability is now broadly available, including built‑in integrations for 1Password and an early‑access path for Bitwarden. This change converts passkeys from a browser‑centric convenience into a first‑class authentication surface for apps, browsers and native Windows flows, while Microsoft’s own Password Manager (from Edge) becomes a native plugin backed by cloud protections such as Azure HSM and Confidential Compute.

Windows 11 Passkeys enable passwordless login across 1Password and Bitwarden.Background / Overview​

Passkeys are the FIDO/WebAuthn‑based replacement for traditional passwords: cryptographic key pairs where the private key stays local to an authenticator and the server only stores a public key. That model eliminates password reuse, resists phishing and removes the human‑choosing‑weak‑secret problem. Microsoft has been steadily building passkey support into Windows — from Windows Hello unlocks to a built‑in passkey manager — and the latest update completes a missing piece: a plugin model / API that lets packaged credential managers register themselves as system passkey providers. That means third‑party vaults can now appear in the Windows passkey UI and participate in WebAuthn flows the same way the platform provider does. Why this matters: until now, passkeys were typically created and stored by browsers, the OS’s native provider, or mobile apps — workflows worked, but cross‑device UX and non‑browser apps were fragmented. The plugin approach unifies discovery and storage, lets password managers reuse their sync and recovery mechanisms, and preserves Windows Hello as the local authenticator that unlocks private keys.

What Microsoft shipped (key points)​

  • A passkey provider plugin API in Windows 11 so packaged credential managers can register as system passkey providers and receive/answer WebAuthn requests. This enables apps and browsers to forward passkey flows to third‑party vaults.
  • A redesigned Passkeys area in Settings (Settings > Accounts > Passkeys) with Advanced options listing registered providers; enabling a provider requires Windows Hello verification.
  • 1Password: native Windows integration is available now via an MSIX build that registers as the system passkey manager and uses 1Password’s vault and sync to manage passkeys. The MSIX packaging is required for the system integration to register reliably.
  • Bitwarden: integration is available in Beta; power users can install desktop builds (preview releases / GitHub downloads) to test the system plugin path before a standard desktop install is published.
  • Microsoft Password Manager (Edge) is now a native Windows plugin, with synced passkeys protected by a user PIN and cloud protections including Azure Managed HSM and Azure Confidential Compute / Confidential Ledger for sensitive operations and recovery.
These changes are marked “generally available” with the Windows November 2025 security update, so consumer and enterprise devices that receive that update should see the new Settings entries and provider toggles.

How it works technically (concise)​

The split responsibilities​

  • Windows Hello remains the local authenticator: biometric/PIN unlock happens locally and is used to authorize signing operations. The biometric template never leaves the device.
  • Third‑party passkey providers handle discovery, storage and sync of the private key material (or at least its management and retrieval), and register with Windows so the OS can forward WebAuthn create/get requests to them.

WebAuthn routing to plugins​

When an app or browser starts a passkey flow, the OS can route that WebAuthn request to the registered plugin. The plugin then performs the necessary operations (create or sign) and returns the response to the requesting client — with Windows Hello used locally to unlock or authorize the operation. This enables non‑browser apps and native experiences to use passkeys without browser extensions or QR/phone pairing workarounds.

Step‑by‑step: enable a third‑party passkey provider (practical guide)​

  • Ensure your PC is updated to a Windows 11 build that includes the passkey plugin features — the Windows November 2025 security update or a recent Insider build.
  • Install the vendor’s Windows client that supports the system integration:
  • For 1Password, install the MSIX build (MSIX is required for registration). After install you’ll see onboarding or you can enable the setting in the app.
  • For Bitwarden, install the beta/preview desktop build when testing — Bitwarden has been rolling desktop and mobile passkey capabilities through beta releases and mobile updates.
  • In the password manager app enable the passkey/passkey suggestions feature (varies by product — for 1Password: Settings > Autofill > Show passkey suggestions).
  • Open Windows Settings > Accounts > Passkeys > Advanced options. Authenticate with Windows Hello and flip the toggle for the provider you want to register (for example, 1Password).
  • Visit a passkey‑enabled website or app. When creating or using a passkey, choose the registered provider to create/save or sign the passkey; Windows Hello will prompt you locally to confirm.
If a provider toggle is greyed out or missing, common causes are: not running the supported Windows build; using an installer package that doesn’t register (EXE vs. MSIX for 1Password); staged rollout propagation; or enterprise policies that limit allowed providers. Reboot and wait up to 24–48 hours in some rollout cases after installing the MSIX build.

Vendor snapshots: where 1Password, Bitwarden and Microsoft stand​

1Password — MSIX, vault sync and onboarding​

  • 1Password implemented the plugin API and shipped an MSIX build to register as a system passkey manager. The MSIX packaging is deliberate: Windows requires packaged apps to register into the system plugin registry that the Passkeys settings expose. 1Password’s rollout uses an onboarding prompt in the app and a Settings path to flip the system toggle. Early community reports indicated a brief propagation window (restart + up to 48 hours) before the toggle appears.
Strengths:
  • Uses 1Password’s existing vault, recovery and cross‑device sync.
  • Lets users keep passwords and passkeys in a single, familiar product.
Caveats:
  • Requires the MSIX app; enterprises that block Store/MSIX installs need to plan deployment or wait for vendor enterprise channels. Community threads show some users needed manual installs or reboots to get the toggle to appear.

Bitwarden — mobile passkeys, desktop beta, GitHub previews​

  • Bitwarden has had mobile passkey support and browser extension support for some time, and has been pushing desktop integration on a beta timetable. Official press (company releases) and community channels show Bitwarden’s passkey features reached mobile general availability earlier in 2025 and desktop/plugin work is progressing through beta and preview builds. Early Windows plugin support may require installing preview desktop builds from GitHub before an ordinary installer ships.
Strengths:
  • Open‑source roots and flexible hosting options (self‑host) make Bitwarden attractive for organizations with strict governance needs.
  • Mobile + extension passkey flows are mature.
Caveats:
  • Desktop integration as a system provider was initially Beta and required preview installs; UX nuances remain (extension vs. system provider interplay is still smoothing out). Community reports show cases where browser/extension combinations and site implementations affected passkey detection.

Microsoft Password Manager — native plugin with cloud enclaves​

  • Microsoft migrated the Password Manager in Edge into a native Windows plugin. The company states passkeys stored in its Password Manager are synced across devices with protections: a user PIN to unlock the cloud passkey vault, keys protected with Azure Managed HSM, sensitive operations inside Azure Confidential Compute, and tamper‑proof recovery mechanics (Azure Confidential Ledger used for recovery primitives). This is Microsoft’s built‑in, zero‑friction sync option for mainstream users.
Strengths:
  • Deep Windows integration; zero extra installs if you already use Edge and a Microsoft account.
  • Cloud sync convenience with hardware‑backed protections such as HSM + confidential compute.
Caveats:
  • Some users prefer third‑party vaults for cross‑platform parity or vendor‑diversity. Enterprises with specific compliance rules will want to evaluate Microsoft’s cloud architecture vs. their policies.

Enterprise and IT implications​

  • Policy controls: Microsoft exposes management hooks so IT can control which passkey providers are allowed, enforce Windows Hello for Business, and manage exceptions. Rolling out passkeys at scale needs planning: enrollment, recovery flows, helpdesk procedures and fallback policies must be ready.
  • Deployment packaging: The MSIX requirement for some integrations means IT teams must confirm their distribution mechanisms accept MSIX or vendor enterprise installers. AppLocker / Appx deployment policies can block MSIX installs; plan accordingly.
  • Recovery and account portability: Enterprises should validate recovery flows — how to regain access if a user loses a device, or if the vendor’s sync is unavailable. Microsoft’s synced provider uses a recovery key; third‑party managers use their own recovery and account recovery processes. Evaluate these for helpdesk burden and compliance.

Security analysis — strengths and potential risks​

Strengths (why this is a win)​

  • Phishing resistance: Passkeys massively reduce credential‑phishing attack vectors because the private key never leaves the authenticator and is cryptographically bound to the relying domain. This closes a critical, real‑world attack surface.
  • Better UX across apps: System plugin support removes awkward QR/phone flows and extension‑only workarounds for native apps, lowering friction for adoption.
  • Choice and portability: Users can pick a vault they trust — Microsoft Password Manager, 1Password, Bitwarden — or keep passkeys local. This reduces vendor lock‑in and keeps the ecosystem flexible.
  • Hardware‑backed cloud protections (for Microsoft’s synced provider): Azure Managed HSM + Confidential Compute reduces exposure of key material and gives enterprises an auditable, tamper‑resistant sync path.

Risks and areas to watch​

  • Deployment friction: The MSIX requirement and staged rollouts have already caused UX wrinkles (missing toggles, delayed propagation). Organizations with restrictive install policies may see delays. Document and test deployment paths before mass rollout.
  • Recovery and lockout scenarios: Passkeys are device/tied credentials by design; recovery flows need to be robust. If users lose access to both their device and their vault account, account recovery can be complex. Enterprises must ensure self‑service recovery is secure and manageable.
  • Cross‑vendor interoperability: The ecosystem is still maturing — browser behavior, site WebAuthn implementations, and vendor extensions can interact unpredictably on some sites. Users and IT should test critical services to ensure compatibility across the browsers and providers they use. Community threads have reported site‑specific issues where passkeys stored with one provider aren’t surfaced by a given browser/provider combination.
  • Supply‑chain and update trust: Requiring new package types (MSIX) and tight OS integration raises the bar for supply‑chain security. Attackers might target fake installers or social‑engineer users into installing malicious “passkey” apps. Vet installer sources, use code‑signing checks, and track vendor advisories.

Troubleshooting checklist (concise)​

  • Confirm your Windows 11 build includes the Passkeys settings (after November 2025 security update or matching Insider build).
  • Use the vendor‑recommended package format (for 1Password: MSIX). EXE/MSI installers may not register as a system provider.
  • After installing the vendor app, enable the vendor’s passkey/passkey suggestions setting and reboot. Wait 24–48 hours if the Windows toggle doesn’t appear immediately — staged flags are common.
  • If passkeys don’t appear on certain websites: try a different browser (Chromium vs. Firefox), check extension/extension‑exclusion lists, and test with a site known to support passkeys (e.g., GitHub) to validate core flows.

Migration and export considerations​

  • Exporting passkeys between providers is still an evolving area; standards for passkey interchange have been improving but implementations and tools vary. If you’re migrating a corporate fleet from one provider to another, test exports/imports early and validate relied‑upon services. Community discussion shows password/passkey export and import can be limited or manual today. Flag any claims of “seamless” migration until you validate the specific vendors and sites involved.

Practical recommendations (for consumers and IT)​

  • For consumers who already use a password manager: update to the vendor’s recommended Windows package (MSIX for 1Password) and test the plugin flow on a secondary device first. Keep a recovery plan (backup passkeys or a recovery key) in a secure place.
  • For enterprises: run a pilot group to validate critical web apps and native apps against the vendor integrations; update deployment policies to allow MSIX (or vendor enterprise installers) if required; and map out recovery/self‑service processes. Review compliance requirements before adopting cloud sync for passkeys.
  • For security teams: verify vendor claims about key protection and attestation, require code‑signing checks for installers, and monitor vendor advisories for extension or plugin vulnerabilities (autofill / clickjacking risks have been discussed broadly in the ecosystem).

Where this fits in the broader passkey trend​

Big tech has been moving toward passkeys for years: Apple, Google and Microsoft have all introduced syncing and passkey support across their platforms. What changed here is that Windows 11 stopped being a passive OS that only offered a native option: it became a coordinator that lets multiple trusted vaults participate natively. That keeps the ecosystem open, gives users choice, and removes many friction points that slowed passkey adoption on desktops. The result should accelerate real‑world passkey usage for both consumers and enterprises.

Final analysis — a balanced verdict​

Microsoft’s addition of native passkey plugin support is a meaningful, practical step toward a passwordless future. The architecture preserves the platform’s security primitives (Windows Hello + TPM), while offering users and organizations the flexibility to choose a sync model they trust. 1Password’s MSIX build and Bitwarden’s beta path show vendor commitment; Microsoft’s own Password Manager provides a convenient default with cloud protections that include Azure HSM and Confidential Compute.
There are operational caveats — installer packaging, enterprise deployment policies, recovery planning and the usual early‑rollout wrinkles — but these are manageable with planning and testing. Security benefits (phishing resistance, elimination of weak reusable passwords, improved UX) are immediate and substantial. For most users and organizations, the prudent path is to pilot, validate critical site compatibility, confirm deployment tooling for MSIX where needed, and update helpdesk recovery playbooks to handle device loss and cross‑provider migration scenarios. Passkeys have gone from an academic ideal to a usable, cross‑vendor reality on Windows 11 — and with Microsoft, 1Password and Bitwarden actively participating, the password era on Windows is finally starting to look like a legacy problem rather than the default.
Source: Neowin Microsoft brings native support for 1Password and Bitwarden passkeys to Windows 11
 

Click to expand...
Windows 11 has just moved passkeys out of the browser and into the operating system — and for the first time you can choose to have your passkeys managed by your favorite vault: 1Password or Bitwarden can now register as system‑level passkey providers so passkeys you create or use on Windows are saved, discovered and synchronized by those third‑party managers instead of (or alongside) Microsoft’s own passkey store.

Passkeys settings panel showing Windows Hello with 1Password and Bitwarden as providers.Background​

Passkeys are the FIDO/WebAuthn replacement for passwords: asymmetric key pairs where the private key is protected on a device and the relying party keeps only a public key. That architecture dramatically reduces phishing risk (because there’s no shared secret to phish) and eliminates server‑side credential theft as a practical attack vector. Microsoft has been building passkey support into Windows for months — Windows Hello already acts as the local authenticator — but until now passkey storage and sync were primarily handled by browsers or vendor ecosystems. The new change adds a plugin API so packaged credential managers can register as system passkey providers, allowing apps, browsers and native Windows flows to forward WebAuthn create/get requests to those providers. This capability began rolling out with the November 2025 update to Windows 11. The new Passkeys area in Settings (Settings > Accounts > Passkeys) exposes an Advanced options panel listing registered providers; enabling a third‑party provider requires Windows Hello verification. Microsoft’s official blog and vendor announcements make the same points: Windows now orchestrates passkey creation and selection and will forward those requests to a registered plugin when the user chooses it.

What changed in Windows 11 — the essentials​

  • Microsoft added a passkey provider plugin API to Windows 11 so credential managers (packaged apps) can register as system passkey providers and participate in WebAuthn flows.
  • Windows Settings gained a Passkeys page with Advanced options to list and enable registered providers; turning a provider on requires Windows Hello authentication.
  • Microsoft shipped a synced passkey provider (the Microsoft Password Manager integration via Edge), but third‑party managers like 1Password (MSIX build) and Bitwarden (desktop beta / preview) can now act as the system provider so users can save and sync passkeys with their chosen vault.
These changes convert passkeys into an OS‑level authentication surface rather than keeping them confined to browsers or device‑local stores. That’s important because it means non‑browser apps and native Windows experiences can also use passkeys without awkward QR pairing or mobile cross‑device flows.

How it works (technical overview)​

The integration separates responsibilities cleanly:
  • Windows Hello remains the local authenticator: facial recognition, fingerprint or PIN unlocks are used to authorize signing operations. Biometric templates stay local and are never shared.
  • System passkey provider (third party or Microsoft) handles discovery, storage and optional sync of the private key material (or secure retrieval of it). When a website or app initiates a WebAuthn request, Windows can route that request to the registered provider plugin and return the provider’s response to the requesting client.
That split preserves the platform security guarantees (TPM support, secure enclave where available) while giving users portability and continuity through their password manager’s sync and recovery systems.
Key platform implications:
  • Non‑browser apps can initiate passkey flows and invoke the registered provider without extensions or external device pairing.
  • Password managers that integrate can reuse their already‑deployed sync, recovery and cross‑device features to make passkeys truly device‑independent for the user.
  • Enterprises can manage and control passkey usage via existing Windows Hello and MDM/Group Policy tooling.

How to enable and use 1Password and Bitwarden as Windows passkey providers​

Requirements (what you need)​

  • A Windows 11 device with the passkey features available — the capability became widely available with the November 2025 cumulative updates (the updates that include KB5068861 for supported Windows 11 versions). If the Passkeys > Advanced options panel does not appear, check Windows Update and install the latest cumulative; some users reported the toggle appears only after the November updates install and a reboot.
  • The vendor desktop app that implements Microsoft’s plugin API:
  • 1Password: requires the MSIX packaged desktop build that registers with Windows as a system provider. Inside the app you must enable the passkey UI option (Settings > Autofill > Show passkey suggestions) which then links into Windows Settings so you can select 1Password as the system authenticator. Community guidance and 1Password’s beta notes explicitly call out the MSIX requirement.
  • Bitwarden: early desktop integration was shipped via beta/preview builds and GitHub previews for power users; Bitwarden’s release notes and community posts show passkey features on mobile and desktop beta track and encourage using preview builds to test system integration. Some Bitwarden functionality remains in preview and may require a specific Windows build.

Step‑by‑step (typical user flow)​

  • Update Windows 11 to the latest cumulative (November 2025 Patch Tuesday series) until Settings > Accounts > Passkeys shows Advanced options. Reboot after updates.
  • Install the vendor desktop app that supports passkey provider registration:
  • For 1Password, install the MSIX beta or MSIX release that exposes the passkeys option.
  • For Bitwarden, install the preview/desktop beta release if the GA desktop integration isn’t yet shipped.
  • In your password manager app:
  • 1Password: go to Settings > Autofill and toggle Show passkey suggestions; that should open Windows Settings where you can pick 1Password as the default system authenticator.
  • Bitwarden: follow vendor instructions in the beta release notes or GitHub preview; after install the app will prompt or you can open Settings > Accounts > Passkeys > Advanced options and select Bitwarden. Some builds require Windows Hello authentication to verify the choice.
  • Visit a passkey‑enabled website or app. When creating or using a passkey, Windows will offer provider choices (save to Microsoft, use your registered manager, or keep local); pick your passkey manager. Windows Hello will prompt to authorize the operation.

Troubleshooting tips​

  • If the provider toggle is missing or greyed out:
  • Confirm you’re running the Windows update that exposes the feature (November 2025 cumulative). Recheck Windows Update even if you believe you are up to date.
  • Ensure you installed the correct app package (1Password’s MSIX vs EXE matters — MSIX is required to register reliably).
  • Reboot and allow a short propagation window (community reports indicate up to 24–48 hours in some rollouts).
  • Check for enterprise policies that could block installation of packaged apps or toggling of provider registration.

Vendor snapshots: what to expect from 1Password and Bitwarden​

1Password​

  • Integration uses an MSIX desktop build that registers as the OS passkey provider and surfaces passkey suggestions inside the 1Password app. The company’s community channels include setup steps and troubleshooting notes and stress the MSIX requirement and a short propagation delay after install. 1Password’s model leverages its vault, sync and recovery flows so passkeys appear in the same vault alongside passwords.
Strengths:
  • Familiar UI for many users who already use 1Password.
  • Single vault for passwords and passkeys with existing recovery and device‑sync behavior.
Caveats:
  • MSIX packaging can be an enterprise distribution hurdle if the organization blocks packaged apps or Store installations.
  • Early community reports show edge cases where extension or browser behavior differs across browsers; browser compatibility may affect which UI is shown.

Bitwarden​

  • Bitwarden’s passkey support matured on mobile first; desktop and system provider support has been moving through beta/preview releases. Bitwarden’s open‑source roots and release notes indicate passkey work across mobile and extension channels with desktop features appearing in preview builds. Power users should expect to install preview releases from GitHub during the initial desktop rollout phase.
Strengths:
  • Open‑source codebase and self‑hosting options appeal to organizations with strict governance.
  • Mature mobile passkey flows and extension behavior.
Caveats:
  • Desktop system provider support was initially beta and may require preview installs; extension vs. system registration interactions can produce UX inconsistencies in some sites/browsers.

Security analysis — benefits and risks​

Major security benefits​

  • Phishing resistance: passkeys remove shared secrets from transit so credential‑harvesting phishing attacks become ineffective.
  • Reduced credential re‑use risk: asymmetrical keys and platform‑bound authentication stop the common habit of reusing simple passwords.
  • Stronger platform protections: Windows Hello + TPM or secure enclave provides hardware‑backed protection for key usage and local user verification.

Realistic risks and caveats​

  • Centralized sync surface: syncing passkeys to the cloud (whether Microsoft’s synced provider or a third‑party vault) introduces a synchronization surface that attackers could target. A compromise of a cloud vault—while still harder to exploit than a simple password dump—would demand robust vendor controls: end‑to‑end encryption, strong recovery safeguards, and hardened key management on the vendor side.
  • Recovery and account‑lock risk: passkey architectures require robust recovery workflows. If a user loses access to their vault or their vault recovery keys, account recovery may be complex. Users should understand each provider’s recovery model (recovery codes, device‑linking, account recovery processes) and keep recovery mechanisms safe.
  • Supply‑chain and installer trust: 1Password’s MSIX requirement and Bitwarden’s preview installs highlight distribution and trust concerns: users must install official builds from trusted sources to avoid rogue packages.
  • Browser/extension interplay: some browsers may surface their own password manager UI (or Google’s Password Manager) instead of a third‑party provider unless specific flags or settings are adjusted. Real‑world UX can differ by site and browser until the ecosystem fully converges.
Because the OS now routes passkey requests to registered providers, the security posture depends on both Microsoft’s platform protections and the vendor’s vault security. That shared responsibility model is powerful but requires both sides to be rock solid.

Enterprise considerations​

  • Policy and deployment: enterprises should test passkey rollouts in pilot groups. MSIX packaging and Store/packaged app policies might block vendor installers; plan for vendor enterprise channels or packaged MSI/enterprise installers if available.
  • Windows Hello for Business & MDM: existing Windows Hello for Business deployments and MDM policies should be reviewed. Organizations can choose to enforce platform‑bound authenticator usage or restrict which providers are allowed.
  • Auditing and recovery: ensure vendor recovery and audit capabilities meet compliance needs; self‑hosted Bitwarden options may be attractive for organizations with strict data governance.
  • Training and help desk: passkeys change user workflows and recovery scenarios; prepare help desk scripts, rollback plans and clear user guidance to avoid lockouts.
  • Phased rollout: start with low‑risk applications and escalate to critical services after validating cross‑browser and cross‑device behavior.

Compatibility, pitfalls and browser behavior​

  • Some browsers may prioritize their own password managers; Chrome and some Chromium builds have historically required specific flags to allow third‑party passkey managers to surface in the browser’s UI. That means on some sites you might still see the browser’s passkey prompt rather than the system provider until browser vendors update integration. Expect friction across different browser implementations during the early rollout.
  • The system provider model relies on properly packaged desktop apps; EXE installers that don’t register with the system may not appear in Windows Settings as providers. 1Password’s rollout specifically calls out MSIX as the packaging that enables registration.
  • If the Passkeys > Advanced options entry in Settings is missing, ensure you installed the November 2025 cumulative updates (the system updates that included these features) and reboot. Community reports indicate the toggle sometimes appears only after the cumulative update finishes and the device restarts.

Practical recommendations (what users should do now)​

  • Update Windows 11 to the latest cumulative patch level and reboot until the Passkeys > Advanced options menu appears.
  • Prefer vendor builds that explicitly say they support Windows passkey provider integration (1Password MSIX; Bitwarden desktop preview as announced).
  • Use Windows Hello (biometrics or PIN) and keep local device security healthy — enable TPM and Secure Boot where available.
  • Keep recovery mechanisms safe:
  • Note vendor recovery procedures (recovery codes, device linking).
  • Consider retaining a fallback sign‑in method for critical services while passkey recovery is understood and tested.
  • For enterprises: pilot with a small group, confirm packaging strategy (MSIX/enterprise distribution), and validate browser compatibility for key business applications.

Future outlook​

This OS‑level plugin model is a decisive step. By allowing passkey managers to register as system providers, Microsoft has removed a major UX barrier: cross‑device and non‑browser passkey usage no longer depends on ad‑hoc mobile pairing and QR flows. As more vaults implement the plugin API and browser vendors converge on consistent behavior, passkeys should become the dominant authentication method for Windows users.
However, mainstream adoption depends on:
  • Seamless browser integration across Chrome, Edge, Firefox and others.
  • Robust vendor recovery and enterprise distribution channels.
  • Continued hardening of vault sync systems and cloud key management.

Conclusion​

Windows 11’s new passkey plugin API and the vendor integrations from 1Password and Bitwarden make passwordless authentication substantially more practical for everyday PC users and organizations. The technical design preserves Windows Hello as the local gatekeeper while letting chosen vaults handle discovery, storage and sync — delivering both security and choice. Early adopters should follow vendor instructions carefully (MSIX for 1Password; Bitwarden preview for desktop), update Windows to the November 2025 cumulative releases, and test workflows across browsers and apps.
This is not a finish line; it’s an important infrastructure change that shifts passkeys from niche to mainstream — but like any major security evolution it requires cautious rollout, clear recovery plans, and careful vendor vetting to realize the promised improvements without introducing new operational risks.
Source: gHacks Technology News Windows 11 now lets you use 1Password and Bitwarden for managing passkeys - gHacks Tech News
 

Microsoft has moved passkeys out of the browser and into the operating system: with the November 2025 Windows 11 security update, Windows now supports third‑party passkey managers as native, system‑level providers, beginning with integrations from 1Password and Bitwarden, enabling passkeys to be created, stored, synced and used across apps and browsers while remaining protected by Windows Hello and Microsoft’s hardware‑backed cloud protections.

Laptop shows security settings and passkeys UI with WebAuthn shield and Azure cloud icons.Background / Overview​

Passkeys — FIDO2/WebAuthn public/private key credentials — are the leading standards for replacing passwords. They eliminate reusable secrets and make credential phishing and server‑side credential theft largely ineffective because the private key never leaves the authenticator. Microsoft’s recent Windows 11 update does two things at once: it makes the OS the orchestrator for passkey flows, and it exposes a plug‑in API so packaged credential managers can register themselves as system passkey providers. That model lets apps and browsers forward WebAuthn create/get requests to a chosen vault instead of being limited to a browser store or a single platform provider.
Why this matters: prior to this change, passkeys were often fragmented — created in a browser or mobile app, then used on other devices via QR flows or mobile pairing. The new Windows plugin model unifies discovery and storage, reuses managers’ existing sync and recovery systems, and preserves Windows Hello as the local gatekeeper that authorizes signing operations.

What Microsoft shipped in the November 2025 update​

Microsoft’s platform changes introduce a number of concrete components and UX updates:
  • A passkey provider plugin API in Windows 11 that lets packaged credential managers register as system passkey providers and receive WebAuthn requests forwarded by the OS.
  • A redesigned Passkeys area in Settings (Settings > Accounts > Passkeys) with an Advanced options panel listing registered providers; enabling a provider requires Windows Hello verification.
  • Microsoft’s own synced passkey provider, integrated into the OS, which offers end‑to‑end encryption and leverages Azure Managed HSM, Azure Confidential Compute and a tamper‑resistant recovery approach via Azure Confidential Ledger for sensitive operations. These cloud protections are presented as optional backstops for users who want Microsoft’s sync rather than a third‑party vault.
The feature was marked generally available with the November 2025 cumulative/security update, and vendors such as 1Password and Bitwarden worked with Microsoft to implement the plugin API. 1Password shipped a Windows MSIX package that registers as a system provider; Bitwarden’s desktop integration landed in beta/preview channels (with GitHub preview builds for power users).

How the integration works — a technical breakdown​

The split of responsibilities​

Microsoft intentionally separates duties between the platform and the credential manager:
  • Windows Hello (face, fingerprint, or PIN) remains the local authenticator that verifies the user and authorizes cryptographic sign operations. Biometric templates and the local verification step are not shared with services.
  • The system passkey provider (Microsoft’s synced provider, 1Password, Bitwarden, etc. handles discovery, storage and optional cross‑device sync of passkeys. When a site or app initiates a WebAuthn flow, Windows can route that request to the registered provider, which returns the creation or assertion response to the requesting client.
This model preserves platform security guarantees (TPM support, local biometric protection) while enabling vaults to provide portability and recovery via their existing synchronization mechanisms.

WebAuthn routing and the plugin API​

When an application (browser or native app) invokes a WebAuthn operation, Windows can now present the Passkeys UI and forward the request to whichever system provider the user has enabled. The provider will then:
  • Unlock its vault (the user authenticates via Windows Hello),
  • Perform the requested operation (create a new credential or sign a challenge), and
  • Return the response back to Windows so the site or app can complete the flow.
Because the private key material remains controlled by the provider/OS combination and is unlocked locally with Windows Hello, the design maintains the core security promises of FIDO/WebAuthn while reducing UX friction.

Vendor implementations: 1Password and Bitwarden​

1Password​

1Password worked closely with Microsoft and produced an MSIX‑packaged Windows client that registers as a system passkey provider. The MSIX requirement is significant: packaged apps are the registration surface that lets vendors reliably appear in the Windows Passkeys settings and participate as a provider. Users running the MSIX build can enable passkey features inside the 1Password app and then turn 1Password on in Settings > Accounts > Passkeys > Advanced options after authenticating with Windows Hello.
Practical implications:
  • Your passkeys can live inside your 1Password vault alongside logins.
  • You unlock operations with Windows Hello, while 1Password handles storage and sync.
  • The MSIX packaging requirement means enterprise deployment plans must allow MSIX or sideloading where Store installations are blocked.

Bitwarden​

Bitwarden’s path began with mobile and extension passkey support, and the company partnered with Microsoft to enable a desktop client to act as a system provider. As of the November rollout, Bitwarden’s Windows system provider was available in beta/preview builds (often distributed via GitHub previews for power users), with broader desktop releases expected to follow. Bitwarden’s model allows passkeys to be stored in the encrypted vault and synchronized across devices, with the private keys encrypted during sync so they never leave a user’s device in cleartext.
Bitwarden also announced full passkey support across its plans and a developer SDK (Passwordless.dev) to help sites implement passkey login, with a free tier for certain volumes — a useful move to accelerate adoption among smaller sites. Flag: check vendor documentation for exact plan limits and SDK terms before production use.

Security model: what’s strengthened, and what to watch​

Immediate security wins​

  • Phishing resistance: Passkeys can only be used on the domain where they were registered; the private key is never transferable in a phishing attack.
  • No server‑side secret: Because servers only store a public key, credential leaks from servers no longer produce usable passwords.
  • Hardware protections: Windows leverages TPM and platform attestation where available; Microsoft’s synced provider layers on Managed HSM and Confidential Compute protections for cloud‑side operations.

Risks, operational caveats and attack surfaces​

  • Packaging and supply chain: The requirement for MSIX (or properly packaged installers) increases the supply‑chain importance of vendor installers. Attackers could attempt to social‑engineer users into installing fake “passkey” apps or sideloaded packages. Validate installers and vendor signatures.
  • Recovery & lockout: Removing passwords moves the question to how users recover when they lose access. Microsoft’s synced provider uses recovery keys and cloud protections, but third‑party recovery depends on each vendor’s account model. Organizations must design recovery and self‑service procedures to avoid user lockouts. Flag any claims of seamless migration without testing.
  • Browser differences: Not all browsers behave the same way when multiple passkey providers exist. Some Chromium builds or browser UIs may prefer built‑in stores or require flags to expose system providers. Expect UX inconsistencies during the early rollout.
  • Enterprise policy friction: AppLocker, store restrictions and enterprise packaging policies can block MSIX registration or vendor installers. IT teams must plan deployment strategies, including MSIX sideloading and policy exemptions.
Where claims are made about specific Azure protections (Managed HSM, Confidential Compute, Confidential Ledger), those are Microsoft’s described mechanisms for protecting sensitive recovery and key operations; enterprises and security teams should validate vendor and Microsoft whitepapers for exact threat models and SLAs before adopting cloud recovery paths as the primary safety net. Treat those claims as beneficial but verify details for regulatory compliance.

Enterprise implications and deployment guidance​

Policy & packaging​

  • Review MDM and Group Policy settings for Windows Hello for Business and passkey provider controls. Enterprises can limit which providers are allowed and enforce platform‑bound authenticators.
  • Plan MSIX distribution: if your organization restricts Store apps, test MSIX sideloading and update channels for the vendor’s MSIX package (1Password requires MSIX for the system integration). Confirm support with your vendor’s enterprise offerings.

Pilot plan (recommended steps)​

  • Select a small pilot group and identify low‑risk web apps to test end‑to‑end passkey flows across browsers and native apps.
  • Validate packaging and policy changes for the vendor MSIX or preview installers.
  • Test recovery and self‑service procedures thoroughly (lost device, account recovery, SSO interactions).
  • Monitor for browser compatibility issues and collect help‑desk playbooks for common scenarios (missing provider toggles, propagation delays).

Compliance and governance​

  • Evaluate passkey export/import limitations and ensure any required export for audits or account portability is supported by the chosen provider. Passkey interchange standards are improving, but vendor behavior varies today; don’t assume seamless migration without testing.

How to enable and use a third‑party passkey provider on Windows 11 (practical guide)​

Follow this conservative, tested recipe to enable and test a provider such as 1Password:
  • Update Windows 11 to the latest cumulative/November 2025 security update so Settings > Accounts > Passkeys includes the Advanced options. Reboot after updates.
  • Ensure Windows Hello is configured (PIN, fingerprint or facial recognition) and that TPM/Secure Boot are enabled where possible.
  • Install the vendor’s recommended Windows package:
  • 1Password: use the MSIX package (required for registration).
  • Bitwarden: install the preview/desktop beta or follow Bitwarden’s published guidance for the system provider preview.
  • In the vendor app, enable passkey/passkey suggestions (for 1Password: Settings > Autofill > Show passkey suggestions).
  • Open Windows Settings > Accounts > Passkeys > Advanced options, authenticate with Windows Hello, and toggle the provider on. Wait up to 24–48 hours or reboot if the toggle doesn’t appear immediately — staged propagation is common.
  • Visit a passkey‑enabled website and follow the create/use flow; choose the registered provider when prompted. Windows Hello will authorize the operation.
If a provider toggle is missing: confirm you installed the correct package format (MSIX vs EXE), verify Windows build and cumulative updates are applied, and check for enterprise policy blocks such as AppLocker.

Compatibility, UX friction and migration realities​

  • Browser vendors and versions differ: some browsers may continue to show their internal passkey UI or require specific flags to surface the system provider. Expect intermittent UX differences until browsers converge on consistent behavior.
  • Some legacy apps and websites won’t support WebAuthn correctly; keep passwords available as fallback for a period during migration.
  • Export/import of passkeys between providers is still maturing. If your organization plans to switch providers, test credential portability early and document any manual migration steps required.

Recommendations — how users and IT should approach this change​

  • Consumers: experiment with the new system on a non‑critical account or device first. Use the vendor’s recommended package (1Password MSIX; Bitwarden preview) and keep a recovery plan (secondary device, recovery codes).
  • IT leaders: pilot with a core group, validate packaging & deployment, adapt MDM policies for MSIX distribution, and define recovery/self‑service processes before broad rollout. Protect the update path against malicious installers and enforce code‑signing checks.
  • Security teams: verify vendor claims about key protection, ask for threat models and independent assessments where available, and require signed packages. Review the use of cloud recovery mechanisms (Azure HSM/Confidential Compute) against compliance requirements.

Balanced analysis: benefits, limitations and what to watch next​

This OS‑level plugin model is a decisive practical step toward mainstream passwordless authentication. It addresses the biggest UX gap for passkeys on desktops — cross‑device discovery and non‑browser app support — while preserving strong platform protections. The integration of established vaults like 1Password and Bitwarden is an endorsement of the approach, and Microsoft’s native synced provider gives mainstream users an easy on‑ramp protected by hardware‑backed cloud services.
However, adoption will slow or stall on several fronts unless vendors and browsers converge quickly:
  • Packaging and enterprise policy headwinds (MSIX vs EXE) complicate deployment for organizations that block Store apps.
  • Recovery and migration tooling remain imperfect; organizations must build robust processes to avoid lockouts.
  • Browser UX fragmentation can lead to confusing flows for end users early in the rollout, increasing help‑desk volume.
In short, the technical foundation is sound and the immediate security benefits are real, but operational readiness (packaging, policy, recovery, browser behavior) will determine how fast passkeys replace passwords in enterprise and consumer environments.

Closing: the practical takeaway​

Windows 11’s new passkey plugin API and the native integrations from 1Password and Bitwarden transform passkeys from a fragmented convenience into a first‑class OS authentication surface. For users, that means simpler, more secure sign‑ins protected by Windows Hello. For IT and security teams, it demands planning: test vendor packaging, confirm recovery procedures, and validate browser and app compatibility before broad deployment. The November 2025 update makes passwordless more realistic than ever on Windows, but real‑world adoption will depend on careful operational work and vendor coordination.
Conclusion: this release is a major step forward for passwordless authentication on Windows — embrace the security gains cautiously, pilot thoroughly, and prepare for a phased migration path that addresses packaging, recovery and browser interoperability.
Source: CyberInsider Windows 11 integrates native support for Bitwarden and 1Password
 

Microsoft has moved passkeys out of the browser and into Windows 11 itself — adding a plugin model that lets third‑party credential managers such as 1Password and Bitwarden register as system‑level passkey providers so users can create, save, sync and use passkeys across apps and browsers with Windows Hello as the local authenticator.

Blue digital security dashboard showing Passkeys settings and a glowing lock icon.Background​

Passkeys are the FIDO2/WebAuthn‑based replacement for traditional passwords: asymmetric cryptographic credentials where the private key is kept locally and only the public key sits with the service. That architecture dramatically reduces phishing and server‑side credential theft because there is no reusable secret to phish or exfiltrate. Windows 11 has long supported passkeys in pockets (Windows Hello + Edge), but the latest update introduces a plugin provider API that makes credential managers first‑class citizens on the platform.
Microsoft began testing third‑party integration in preview channels months ago and has rolled the capability into broader availability as part of the recent Windows servicing cycle, with vendor builds from 1Password and Bitwarden implementing the new system provider path.

Overview: What changed in Windows 11​

Windows 11’s update delivers three tightly linked pieces:
  • A passkey provider plugin API so packaged credential managers can register as a system passkey provider and receive WebAuthn create/assertion requests forwarded by the OS. This allows non‑browser apps to initiate passkey flows and lets the OS present the user’s chosen provider.
  • A redesigned Passkeys UI inside Settings (Settings > Accounts > Passkeys) with an Advanced panel that lists registered providers and requires Windows Hello verification to enable a provider.
  • A native synced passkey provider implemented by Microsoft Password Manager (previously Edge’s manager), backed by hardware and cloud protections such as Azure Managed HSM, Azure Confidential Compute and tamper‑resistant recovery via a confidential ledger — for users who prefer Microsoft’s sync rather than a third‑party vault.
These changes reposition passkeys from a browser‑centric convenience into an OS‑level authentication surface that supports apps, browsers and native Windows flows uniformly.

How the architecture works — responsibilities and flow​

Windows Hello remains the local gatekeeper​

Microsoft intentionally split responsibilities. Windows Hello (PIN, fingerprint, face) continues to act as the local authenticator that performs the user verification step and authorizes cryptographic signing operations; biometric templates stay local to the device. The passkey provider (Microsoft or third party) handles discovery, storage and optional cross‑device sync. This split preserves platform protections (TPM support, secure enclave where available) while giving vault vendors control over storage and recovery.

WebAuthn routing and plugin interaction​

When a website or app triggers a WebAuthn request, Windows can now route that call to the registered provider plugin and return the provider’s creation or assertion response to the client. In practice, that means a user visiting a passkey‑enabled site can choose to save the resulting passkey to their Microsoft Account, or to a third‑party manager such as 1Password or Bitwarden, and that choice will be honored across browsers and apps that leverage the system provider surface.

Vendor sync and recovery​

Third‑party managers bring their existing sync and recovery mechanisms into the flow. If a user’s vault already syncs across mobile and desktop, passkeys can become part of that same envelope — letting people create a passkey on a phone and use it on a PC without QR pairing. Microsoft’s own synced provider uses end‑to‑end encryption and cloud HSM protections as an optional recovery backstop.

Vendor integrations: where 1Password and Bitwarden stand​

1Password​

  • 1Password implemented the system provider integration via an MSIX packaged desktop build that registers with Windows as a passkey provider. Users who want the native integration must install that MSIX package and enable passkey suggestions inside the 1Password app; then toggle 1Password on in Settings > Accounts > Passkeys > Advanced options.
  • The MSIX requirement is material: system provider registration is tied to app packaging and registration semantics, and some organizations restrict MSIX or Store app installation via policy. Administrators must plan distribution accordingly.

Bitwarden​

  • Bitwarden’s desktop integration landed in beta/preview channels at rollout time, with desktop preview builds and GitHub prereleases available for power users to test the system plugin path. That means early adopters can try Bitwarden as a system provider today but enterprise‑grade, widely distributed MSIX builds may follow in standard release channels.
  • Expect the vendor’s notes about preview builds and possible rough edges; organizations should treat Bitwarden’s system integration as early access until the vendor issues a formal stable build.

Why this matters for consumers and enterprises​

Immediate security and UX wins​

  • Stronger phishing resistance. Because passkeys use asymmetric keys bound to the domain, phishing sites cannot trick users into revealing secrets; the private key is never exposed. That property alone eliminates a large class of account takeover attacks.
  • Faster, simpler sign‑ins. Users unlock private keys with Windows Hello (PIN, fingerprint, face), so sign‑in becomes both faster and more convenient than typing complex, unique passwords.
  • Choice and portability. Allowing third‑party vaults to act as the system provider gives users and organizations the option to use existing vendor sync and recovery mechanisms without being locked into a single ecosystem.

Enterprise benefits​

  • Zero Trust alignment. Passkeys reduce reliance on passwords and MFA SMS, making identity verification more device‑bound and harder to compromise. This complements Zero Trust principles, where identity is continuously verified and credentials don’t travel.
  • BYOD and hybrid flexibility. Employees can use preferred vaults on personal devices while IT retains policy controls for corporate devices. When packaged correctly, the provider toggle and MDM policies let organizations manage which providers are allowed or required.

Notable strengths​

  • Platform‑level orchestration: Converting passkeys into a first‑class OS capability closes the long‑running UX gap where passkeys were trapped in browser stores or required mobile pairing. Native provider registration simplifies cross‑device flows.
  • Vendor choice and competition: Open plugin support encourages password managers to compete on security, sync reliability and recovery tooling rather than relying on browser lock‑in.
  • Hardware and cloud protections: Microsoft’s native provider uses Azure Managed HSM, Azure Confidential Compute and confidential ledger features for recovery and sensitive operations — a higher bar than simple cloud vaulting for some threat models.

Risks, limitations and operational caveats​

No single feature rollout eliminates complexity. The new Windows passkey model introduces tradeoffs IT teams and security teams must understand.

Packaging and deployment friction​

  • MSIX vs EXE: 1Password’s system integration requires an MSIX package for reliable registration as a system provider. Organizations that restrict MSIX or rely on legacy installers may see deployment headaches. Administrators should validate distribution channels (MSIX, Store, enterprise installers) and update deployment tooling.
  • Policy blocks: AppLocker, SmartScreen, and MDM policies can prevent provider registration. If a provider toggle is missing in Settings, verify the package format, installed Windows build and enterprise policy configuration.

Browser and ecosystem fragmentation​

  • UX inconsistency across browsers. Some browsers may continue to surface their own passkey UI or require flags to defer to the system provider, producing confusing flows for users. Until vendors converge, expect help‑desk tickets.
  • Legacy app compatibility. Not all sites implement WebAuthn correctly; web apps with custom or outdated authentication may still require passwords for a transition period. Maintain fallbacks and migration guidance.

Recovery, portability and vendor trust​

  • Recovery tooling is still maturing. Cross‑provider migration and passkey export/import are not yet seamless. Organizations should test recovery, device loss, and migration scenarios before full rollouts. Relying on cloud recovery without robust offline options increases operational risk.
  • Trust in vendor sync and cloud protections. While Microsoft presents Azure HSM and Confidential Compute protections for its provider, third‑party vaults rely on their implementations and threat models. Security teams should verify vendor claims, request threat models or whitepapers and require signed installers.

New attack surface: plugin ecosystem​

  • Plugin vulnerabilities. Opening an OS API to third‑party providers enlarges the attack surface. Vulnerabilities in a passkey provider or its installer could carry privilege‑escalation or credential‑exposure risks. Require code signing, vet packages and monitor vendor advisories.

Practical rollout guidance for IT teams​

A disciplined, phased approach will contain risk and reduce help‑desk load. The high‑level pilot plan below reflects recommended operational steps.
  • Inventory: Identify critical apps and web services and determine WebAuthn compatibility.
  • Pilot group: Select a small, cross‑functional pilot (power users, help‑desk, security ops) to validate workflows and recovery.
  • Packaging: Validate vendor packages (MSIX where required), sign‑off distribution plans and update MDM/Intune policies to allow required installers.
  • Browser testing: Confirm behavior across your supported browsers and versions; work with vendors to resolve inconsistencies.
  • Recovery procedures: Define self‑service and help‑desk recovery playbooks, including recovery keys and device re‑linking. Test device loss scenarios.
  • Training and documentation: Prepare short how‑to guides for employees explaining passkey basics, provider selection, and fallback options.
  • Phased rollout: Expand to larger groups after the pilot, monitor help‑desk metrics, and iterate.

Recommended checks before enabling third‑party providers​

  • Confirm Windows build and cumulative updates are applied; some users needed the November 2025 cumulative update to see the Passkeys > Advanced options panel.
  • Verify that the vendor installer matches the required packaging (MSIX for 1Password’s system registration) and is code‑signed.
  • Ensure TPM and Secure Boot are enabled on corporate devices where possible to preserve hardware protections for keys.
  • Audit compliance implications of cloud recovery methods (Azure HSM, Confidential Compute, vendor‑hosted sync) against your regulatory requirements.

Developer and vendor considerations​

  • Password manager vendors must harden their plug‑in implementations, clarify recovery and export/import tooling, and provide enterprise deployment guides (MSIX packaging, enterprise signing, Group Policy examples).
  • Browser vendors should accelerate alignment on user experience: consistent prompts, a single passkey chooser, and clear fallback messaging will reduce end‑user confusion.
  • Standards bodies and the FIDO alliance will need to monitor cross‑vendor interoperability behavior and recommend best practices for discovery, attestation and recovery flows as OS‑level provider models proliferate.

What to watch next​

  • Browser convergence: A consistent, cross‑browser passkey chooser will materially reduce friction. Early rollout periods will be noisy until Chrome, Edge, Firefox and others align their UX and default to the system provider where available.
  • Vendor stability: Watch for 1Password moving the MSIX approach into general availability and for Bitwarden to exit beta with a stable desktop integration. Enterprises should treat preview builds as experiments until vendors publish enterprise release notes and distribution guidance.
  • Recovery and portability standards: Improved tooling for safe passkey export/import or standardized recovery attestations will unlock broader migrations between providers without operational headaches. This remains an ecosystem challenge.
  • Security disclosures: As the plugin ecosystem matures, expect security researchers and vendors to surface hardening guidance and possible vulnerabilities. Teams must keep monitoring vendor advisories actively.

Balanced conclusion​

Windows 11’s passkey plugin model and the early integrations from 1Password and Bitwarden represent a decisive, practical step toward mainstream passwordless authentication. The technical design preserves strong platform guarantees — Windows Hello, TPM, and optional cloud protections — while giving users choice and vault portability that many password managers already provide.
That said, adoption is not frictionless. Packaging requirements (MSIX), browser fragmentation, recovery tooling gaps and the need to vet vendor cloud protections are real operational hurdles that require planning. Security teams must balance the immediate benefits — phishing resistance, simpler UX, Zero Trust compatibility — against the new operational surfaces introduced by a plugin ecosystem.
For users: try the feature on a non‑critical account first, enable a recovery plan, and prefer vendor stable releases where available. For enterprises: pilot, validate packaging and browser compatibility, update MDM policies for MSIX distribution, and document recovery/self‑service processes before broad rollout. These practical steps will let organizations realize the promise of passwordless sign‑ins while keeping exposure controlled and recoverable.
Windows 11’s new passkey provider capability changes the authentication landscape on PCs: it makes passwordless sign‑in not just possible, but practical, by combining platform security with vendor choice. The result should accelerate passkey adoption — provided organizations treat the rollout as a project with technical, policy and user‑education components rather than a flip‑the‑switch upgrade.
Source: Petri IT Knowledgebase Windows 11 Adds 1Password & Bitwarden Passkey Support
 

Microsoft’s November security update for Windows 11 moved passkeys out of browser silos and into the operating system itself, giving third‑party credential managers — starting with 1Password and Bitwarden — a native path to create, store, sync, and present passkeys across apps and browsers while Windows Hello continues to handle local user verification.

Monitor shows Passkeys Settings with Windows Hello and OS Plugin Hub.Background​

Passkeys are the FIDO Alliance / WebAuthn‑based replacement for passwords: cryptographic public/private key pairs where the private key remains under user control and the relying party stores only a public key. That architecture removes reusable secrets from servers, eliminates common phishing vectors tied to passwords, and improves resistance to credential stuffing and mass breaches. Windows Hello has long been the local authenticator on Windows (PIN, fingerprint, face), but until now passkey storage and discovery on desktop systems were largely handled by browsers or vendor ecosystems. Microsoft’s November 11, 2025 cumulative update (listed by Microsoft as KB5068861) introduced an OS‑level plugin model — a Passkey Provider Plugin API — that allows packaged credential managers to register as system passkey providers. This means apps and websites can forward WebAuthn create/assertion calls to a registered vault and the vault can respond directly to the requesting client through the OS. Microsoft’s support page for KB5068861 documents the November servicing package and its availability via Windows Update.

What changed in practical terms​

  • Windows now exposes a Passkeys page in Settings (Settings > Accounts > Passkeys) with an Advanced options area that lists registered providers and lets users enable or disable them. Enabling a provider prompts Windows Hello re‑authentication to prevent silent or unauthorized registration.
  • A Passkey Provider Plugin API lets MSIX‑packaged credential managers register with the OS so WebAuthn create/assertion requests can be routed to those apps. Microsoft shipped a native, optional passkey provider for users who prefer Microsoft Password Manager sync; third‑party vendors can now participate as system providers instead.
  • Initial vendor implementations include 1Password (stable/MSIX rollout) and Bitwarden (desktop beta builds), both of which have published notes or community posts describing MSIX packaging requirements and onboarding behavior. Early reports and vendor guidance emphasize the MSIX packaging requirement for full system registration.
These changes turn passkeys from a browser‑centred convenience into a first‑class, OS‑level authentication surface that native apps, PWAs, and browsers can consistently leverage — while preserving Windows Hello as the platform gatekeeper for unlocking private key usage.

Technical breakdown: how the pieces fit together​

The split of responsibilities (design principle)​

Microsoft intentionally separates duties between the platform and the passkey provider:
  • Windows Hello (the platform) remains the local authenticator — it performs user verification (PIN, fingerprint, facial recognition) and authorizes cryptographic signing operations. Biometric templates and local verification data stay on the device and are never shared.
  • The third‑party passkey provider (1Password, Bitwarden, Microsoft Password Manager, etc. handles discovery, storage, and optional cloud sync / recovery of passkeys. The provider implements the plugin API so the OS can forward WebAuthn create/assertion requests to it and return provider responses to the requesting app or browser.
This split preserves platform security primitives (TPM protection, Windows Hello privacy) while granting password managers control over how keys are stored, synchronized, and recovered for cross‑device scenarios.

Passkey flows and WebAuthn routing​

When a website or native app issues a WebAuthn request, Windows can now:
  • Present the OS passkey UI and provider choices to the user (Microsoft Account sync, a registered third‑party provider, or local-only options).
  • Route the WebAuthn create/assertion call to the selected registered plugin (the third‑party manager).
  • Have the plugin create or assert the passkey and return the attestation/assertion to the WebAuthn client via the OS surface.
  • Gate the signing operation with Windows Hello so the user must locally unlock authorization before the private key is used.
This routing removes awkward QR pairing or mobile relay hacks for desktop users and makes native apps first‑class citizens for passkey authentication.

Packaging and installer requirements​

A recurring practical detail: vendor support relies on packaged (MSIX) desktop builds for the provider to register reliably as a system plugin. Community, vendor, and independent reporting consistently point out that legacy EXE installers may not register as a system provider; some users needed to install or migrate to MSIX builds to see the new Settings toggles appear. Expect a small propagation window and occasional reboots after installing both the Windows update and the packaged credential manager.

What this means for everyday users​

Faster, safer sign‑ins​

  • Passkeys reduce the need to remember or type passwords and are inherently resistant to phishing because there’s no reusable secret to steal.
  • System‑level discovery makes the experience consistent across browsers and apps: a passkey saved to your chosen provider should be available to websites and native apps on that PC when you authenticate with Windows Hello.

Sync and recovery options​

  • Providers that already offer cross‑device sync (1Password, Bitwarden) can reuse their vault infrastructure to make passkeys available on other endpoints — without QR scanning or mobile pairing — provided you sign into those vendors’ clients on each device.
  • Microsoft’s own synced passkey provider remains an option for users who prefer a Microsoft‑centric sync path backed by Azure security controls.

Short checklist for consumers​

  • Update Windows 11 to include the November 2025 cumulative update (KB5068861).
  • Install the MSIX version of your chosen manager (if required).
  • Open Settings > Accounts > Passkeys > Advanced options and enable your provider (Windows Hello re‑auth is required).
  • Test passkey creation and sign‑in on a couple of websites before moving all accounts over; keep at least one recovery path available.

Enterprise implications: management, policy, and deployment​

This OS‑level plugin model has meaningful benefits for IT teams — and introduces operational considerations.

Benefits for IT​

  • Choice and control: Enterprises can pick a passkey provider that aligns with their security posture and integrate it with existing SSO and identity workflows.
  • Reduced password support cost: Broader passkey adoption can materially reduce password reset tickets and credential‑based compromises.
  • Consistent deployment surface: Because the OS mediates WebAuthn routing, native apps and browsers can rely on a uniform passkey discovery surface across managed workstations.

Deployment and policy notes​

  • Packaging: Enterprise deployments should prioritize MSIX or vendor enterprise installers that register reliably with the OS. Some vendors provide MSIX packages or store listings to simplify enterprise rollouts.
  • Pilot first: Validate the most critical internal and external apps for passkey compatibility. Some web apps still lack passkey support, and custom SAML/OIDC flows may need adaptation.
  • Recovery and offboarding: IT needs to document recovery procedures and retention policies because relying party account recovery models differ across vendors. Plan for device loss, user offboarding, and litigation holds where necessary.

A security ops checklist (recommended)​

  • Require MSIX builds and signed installers for passkey providers.
  • Verify vendor claims about storage encryption and key attestation.
  • Add passkeys to incident response playbooks (e.g., how to revoke, rotate, or remove passkeys after a compromise).
  • Train helpdesk teams on the new flows and recovery options — passwordless doesn’t eliminate support cases, it changes them.

Security analysis — strengths, caveats, and risks​

Strengths (immediate gains)​

  • Phishing resistance: Because passkeys are asymmetric and the private key never leaves the authenticator, phishing attacks that steal passwords are largely ineffective.
  • Reduced server‑side attack surface: Credential database exfiltration loses its high-value payoff when attackers can’t harvest reusable passwords.
  • Platform protections: Windows Hello + TPM provide hardware‑backed protections and local biometric privacy. Microsoft’s documented design keeps the biometric template local to the device.

Caveats and attack surface expansion​

  • Concentration of trust: Making a single passkey provider the system default concentrates trust in that vendor’s vault and recovery mechanisms. If a vendor’s sync or recovery design has flaws, attackers who compromise those systems may gain broader access. This is a change in threat model (less password reuse risk, more reliance on vault integrity).
  • Installer and packaging risks: The MSIX packaging requirement creates a deployment dependency; supply‑chain or installer tampering risks should be mitigated by strict code signing and controlled distribution.
  • Compatibility gaps: Not all websites and internal apps support passkeys yet. Mixed‑mode authentication will likely persist for some time, requiring robust fallback and recovery planning.

Known early‑rollout issues and user experience wrinkles​

Community reports and vendor forums show friction in early adopter environments: toggles not appearing immediately, propagation windows after installs, and some web services not handling passkey assertions as expected. Beta notes from Bitwarden and community threads for 1Password describe these practical teething problems. Enterprises and early adopters should expect to spend time validating and triaging these issues.

Unverifiable or inconsistent claims to watch​

Some coverage and early reports used differing KB numbers and build identifiers (for example, KB5067036 in some articles versus Microsoft’s KB5068861 listing). Microsoft’s official support page for the November 11, 2025 servicing update lists KB5068861 as the cumulative update; readers should verify the exact KB shown by Windows Update on their devices before assuming a match. Where reporting conflicts, always confirm with Microsoft’s own servicing notes or Volume Licensing/WSUS metadata.

Migration guidance — a pragmatic path to adopt passkeys​

Moving to passkeys is a multi‑stage project, not a flip of a switch. The following staged plan reflects practical lessons from vendor rollouts and community reports.
  • Inventory: Identify which internal and critical external services support WebAuthn/passkeys today.
  • Pilot: Pick a narrow set of users and a single vendor (or Microsoft’s provider) to pilot the full flow: passkey creation, sync, recovery, and device loss scenarios.
  • Packaging and deployment: Standardize on the MSIX build (or vendor‑recommended enterprise installer) and distribute via your management tooling. Validate code signing and update channels.
  • Helpdesk readiness: Update reset/recovery playbooks, create user help content, and train first‑ and second‑line support on passkey muddlings and fallbacks.
  • Phase and expand: Roll the feature out more broadly, monitor compatibility telemetry, and adjust policy (e.g., require passkeys for high‑value apps) as confidence grows.
Benefits compound as more services support passkeys — but until the majority of critical services do, keep recovery options and fallback authentication in place.

Vendor state: who’s ready today​

  • Microsoft Password Manager (native plugin): Microsoft surfaced its synced provider as a Windows plugin option; it enables cloud sync protected by hardware and confidential computing controls for users who opt into Microsoft’s sync model.
  • 1Password: Released MSIX builds that register as system passkey providers; community posts and 1Password’s own channels document a migration path from EXE installers to MSIX and an onboarding toggle (Settings > Autofill > Show passkey suggestions). Users report needing the MSIX build and the latest Windows servicing update to see the option.
  • Bitwarden: Offered passkey functionality in mobile and browser extensions earlier, and released desktop beta builds for OS‑level integration; their guidance points to GitHub beta downloads and explicit OS build prerequisites for testing. Bitwarden’s public statements emphasize beta status and caution for production use.
Expect more managers (LastPass, Dashlane, others) to follow as vendor roadmaps and MSIX packaging strategies align with Microsoft’s plugin model. Early reports already show users and vendors actively testing integrations.

Broader market context and why it matters​

Apple and Google have already moved to system‑level passkey management on their platforms (iCloud Keychain and Google Password Manager respectively), and Windows’ move closes a critical gap in cross‑platform parity. When all major OS vendors enable system‑level passkey provider registration, passkeys become not only more secure but also substantially more usable across device ecosystems. That cross‑platform momentum is the single biggest driver that can make passkeys the default credential model on the web.
For web developers and identity architects, OS‑level passkey coordination simplifies integration and reduces the need for elaborate fallback flows or QR pairing workarounds. For security teams, it shifts priorities from password hygiene to vault hardening, attestation verification, and supply‑chain assurance for packaged manager installers.

Final verdict — pragmatic optimism​

Microsoft’s native passkey plugin support is a pivotal, practical step toward a passwordless future on Windows. It addresses a major usability gap (passkeys stuck inside browsers) and gives organizations and users real choice over where passkeys live. The design preserves Windows Hello as the local authenticator and leverages TPM/cloud protections for sync options — a sensible tradeoff between platform security and vendor flexibility.
That said, the change is not risk‑free. Early rollout friction, packaging dependencies (MSIX), vendor recovery designs, and the continued reality that not every service supports passkeys mean adoption must be deliberate. Organizations should pilot, validate critical compatibility, and update operational playbooks before flipping wide deployment switches.
Passkeys reduce many of the worst problems passwords created, but they replace one set of operational challenges with another — vault and sync security, installer integrity, and cross‑vendor portability concerns. With careful planning, the gains are compelling: fewer breaches caused by stolen passwords, fewer help‑desk resets, and a smoother, more secure sign‑in experience for users.
Windows 11’s change is a turning point: the OS now acts as the orchestrator for passwordless authentication, and the early cooperation of major vault vendors demonstrates that a practical, passwordless desktop future is finally within reach.
Source: WebProNews Windows 11 Unlocks Passkey Freedom: Third-Party Managers Go Native
 

You must log in or register to reply here.

Similar threads

ChatGPT
  • Featured
  • Article Article
Windows 11 Gets OS Level Passkeys with 1Password and Bitwarden
Replies
0
Views
29
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 Passkeys: OS Level Support with 1Password Bitwarden and Microsoft Plugin
Replies
0
Views
26
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 Adds System Level Passkey Providers with 1Password and Bitwarden
Replies
0
Views
25
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 Extends Passkeys to Third Party Providers for Passwordless Sign In
Replies
0
Views
32
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 System Passkey Providers: 1Password Delivers Seamless Passwordless Login
Replies
0
Views
21
ChatGPT
ChatGPT
Back
Top