
This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

You can view this article in the original Czech version.

FIDO passkeys part 2 - practical use of passkeys on Windows and Android

Edited 14.04.2024 09:30 | Petr Bouška - Samuraj
We'll look at the practicalities of creating and using passkeys to sign in to online services on Microsoft Windows and Google Android platforms, including Cross-Device Authentication. That is, using an internal authenticator (and local passkeys) or an external authenticator (and passkeys on another device), including the FIDO2 security key. We will try different web browsers. We will test on a Google account for which we will create passkeys on different devices.

Note: This article covers the practical use of passkeys for signing in to a cloud (online) service, typically through a web browser. We look at the Windows and Android platforms in terms of their support for creating, storing and using passkeys. It is not about signing in to Windows itself with a passkey, which is fundamentally not possible. The next part will cover personal Microsoft accounts and authentication in Entra ID (work or school account).


Introductory information on using passkeys

  • Passkeys are discoverable FIDO2 (WebAuthn) credentials used for FIDO authentication.
  • They replace passwords with a more secure and faster user verification option.
  • They are classified as phishing-resistant passwordless multi-factor authentication.
  • We can create them on devices with Windows, macOS, Android, iOS/iPadOS operating systems or on a FIDO2 security key.
  • Passkeys stored on devices with Android or iOS/iPadOS can be used for logging in on another device (Windows, Android, macOS, iOS/iPadOS, ChromeOS, Ubuntu with Edge or Chrome) using FIDO Cross-Device Authentication.
  • Passkeys can be synchronized within a platform (macOS and iOS/iPadOS or Android) using Apple ID (iCloud Keychain) or Google Account (Google Password Manager).
  • For user verification, a PIN or biometrics is used. This data is local and never leaves the device (it is not transmitted to the target service). It is used to access the private key, which is used to digitally sign data that is sent to the service and authenticates the user.

An older but nice official video shows passkeys in use: FIDO Multi-device Credentials in Action.

Note: We described detailed theoretical information about passkeys in the previous part. Here we will focus on practical use.

Testing in this article was performed on

Devices with operating systems

  • HP notebook and workstation with Windows 11 23H2
  • HP notebook with Windows 10 22H2
  • Xiaomi 13 phone with Android 14, HyperOS 1.0.3 overlay
  • Xiaomi Mi 10T phone with Android 12, MIUI Global 14.0.3 overlay

Web browsers on Windows

  • Microsoft Edge version 122
  • Google Chrome version 122
  • Mozilla Firefox version 124

Web browsers on Android

  • Google Chrome version 123
  • Mozilla Firefox version 124

FIDO2 security key

  • YubiKey 5 NFC
  • YubiKey Bio FIDO Edition

To work with passkeys, we need

  • an online service that supports passkeys
  • a client device from which we want to log in, with a browser and platform (OS) supporting passkeys
  • the client device must support either local passkeys (have an internal authenticator) or an external authenticator, i.e. a mobile device with FIDO Cross-Device Authentication or a hardware FIDO2 security key

Possible operations with passkeys

  • creating (registering) a passkey with an online service
    • on the current device (locally / internally)
    • on another device (remotely / externally) in proximity
  • logging in using a passkey
    • on the current device (locally / internally)
    • on another device (remotely / externally) in proximity

Various options (which we can also combine) for using a passkey with one service

  • we can have a separate passkey on each device and sign in with the local one
  • we can have a passkey on a FIDO2 security key and use it to log in on various devices
  • we can have a passkey on a mobile device (Android, iOS/iPadOS) and use it to log in on various devices
  • we can have a passkey stored with a platform account (Apple ID) in a cloud service (iCloud Keychain) and synchronized between devices, we log in using the same passkey on various devices

Supported devices in Windows

By default in Windows (but similarly available on Android), we can use either this (This device) or another device (Another device) for storing and logging in using a passkey.

Overall, we can choose one of the options (only those available to us are offered):

  • this Windows device (This Windows device) - passkeys are stored locally on the device (Windows Hello is used)
  • security key (Security key) - passkeys are stored on an external FIDO2 key
  • mobile device (iPhone, iPad or Android device) - passkeys are stored on a phone or tablet, we scan a QR code on it, a BLE connection is established, and we verify ourselves
  • linked device (Linked device) - identified by the device name, passkeys are stored on an Android phone or tablet that we have linked (mutually remembered)
Selecting a device with a passkey on Windows

Support in platforms and browsers

Note: This is only a brief overview; most of it is discussed in more detail throughout the article. Accurate information is not always easy to find. For example, Microsoft states that passkey support is present in supported versions of Windows 10 and 11. For Mozilla Firefox I did not find much, but current versions work. Behaviour in the browser also depends on the operating system version, and new options are still being added.

Support for creating and using passkeys is from the version of platform

  • Microsoft Windows 10 1903
  • Google Android 9
  • Apple macOS 13 Ventura
  • Apple iOS/iPadOS 16
  • Linux has no system-level support; Chrome and Firefox provide limited support, so we can use passkeys on a security key or on a mobile device

From the version of browser

  • Microsoft Edge 108
  • Google Chrome 108
  • Mozilla Firefox 122 (support on macOS, possibly older versions on Windows)
  • Apple Safari 16

Google Account

Google is one of the main members of the FIDO Alliance and has been supporting and promoting passkeys for some time. However, it's difficult to find documentation on certain details. For a Google Account, we can set up authentication using a passkey. And thus log in to various Google services using a passkey.

For testing the practical use of passkeys on various platforms, we will use a Google account. In general, it should not matter which service we use passkeys with; the process is always the same. The only difference is in the administration of the account at the given service.

For a Google Account, management is done in Google Account settings - Security, in the How you sign in to Google section, there is an item Passkeys and security keys.

On an Android phone, we can open the same thing via settings Settings - Google - Manage your Google Account - Security - Passkeys and security keys.

Google Account - Passkeys and security keys

Note: For general testing, we can use the demo Passkeys.io.

Google Android Platform

Passkey support

The Android operating system supports creating and using passkeys via an internal authenticator since version Android 9. In version Android 14, support for an external authenticator was added, so we can use a security key or another phone.

An Android device can also be used for signing in on another device using Cross-Device Authentication. A QR code is displayed on the other device and scanned with the Android device. On some platforms or browsers persistent linking can be set up, after which scanning a QR code is no longer necessary: natively on Windows 11 23H2, or in Chrome or Edge on older Windows 11, Windows 10 or macOS.

User verification

When accessing a passkey on an Android device, one of the available screen unlock methods is used for user verification. This can be a PIN, pattern or biometrics.

Activating a local passkey for Google Account on an Android device

If a Google account is logged in on an Android device, a passkey has already been automatically created on it. We just need to activate it by clicking on Use passkeys. If we add a new account, the option to simplify login using passkeys will be offered.

We can get to the settings via the website or

  • Settings - Google - Manage your Google Account - Security - Passkeys and security keys
Activating a local passkey for a Google Account on an Android device

Viewing passkeys stored on an Android device

I couldn't figure out how to view passkeys that exist on an Android phone. Certain advice about using Chrome didn't work for me. The info in the official Google documentation Manage passkeys seems nonsensical to me.

We can see passkeys for a Google account in the account management. If we have synchronized passkeys, we can see them in the Google Password Manager.

Microsoft Windows Platform

Passkey support

Windows 10 and 11 operating systems support creating and using passkeys via an internal authenticator (Windows Hello) or external authenticator (FIDO2 security key). Support is apparently from Windows 10 1903, when Windows Hello was certified as a FIDO2 authenticator.

To store passkeys on a Windows device, Windows Hello must be set up (active); otherwise the option to use this device is not offered. Ideally, a TPM chip is used to generate the key pair and to store and protect the private key. According to practical tests, we can create passkeys on a Windows device with active Windows Hello or Windows Hello for Business. Windows Hello can (typically) be activated even on a computer without a TPM chip, and even then we can use it for working with passkeys; the private key is then protected only in software rather than by hardware.

Browsers and applications use operating system features for working with passkeys. Chrome and Edge browsers from version 108 additionally support using FIDO Cross-Device Authentication, i.e., working with a passkey on iOS, iPadOS or Android devices.

From Windows 11 23H2, FIDO Cross-Device Authentication is natively supported in the system, so it works in all (common) browsers and system applications. Persistent linking is possible with an Android device (this is not supported for iOS, iPadOS).

In Windows 11 22H2 with KB5030310, support for native passkey management was added in Settings - Accounts - Passkeys.

Behavior in different versions

The options and process of logging in using a passkey depend on the operating system version and browser. When logging into a service in a browser, we choose whether to log in with a password or a passkey.

Signing in to a Google account: choosing the method

In Windows 11 23H2, when choosing a passkey, a system dialog Windows Security opens. Here, a selection of options available on the given device is offered. It can be this Windows device (if Windows Hello is active) or another device. Here, a security key, iPhone, iPad or Android device (a QR code is used) or a certain connected (saved) Android device (Bluetooth must be active) may be offered.

If we use persistent linking, the device is saved in the system. We can find it in the registry HKEY_USERS\S-1-5-20\Software\Microsoft\Cryptography\FIDO\(Account SID)\LinkedDevices.

On older versions of Windows, Firefox can use only what the system offers (via Windows Security), i.e. a passkey on a security key or in Windows Hello. Chrome and Edge offer the same system features under the option External security key or built-in sensor, but the browser itself additionally supports Cross-Device Authentication under the option A different device.

Passkey support in Chrome on Windows 10

If we use persistent linking, the device is saved in the browser. In Chrome, we can find it in Settings - Privacy and Security - Security - Manage Phones.

User verification

When accessing a passkey on a Windows device, one of the available user verification methods is used through Windows Hello. This can be a PIN or biometrics.

Creating a local passkey for Google Account on a Windows device

If Windows Hello is not set up on the computer, then in the Google account settings at the top of the Passkeys and security keys page, the following information is displayed

A passkey can't be created on this device 
Passkey on Windows without active Windows Hello

The help only contains information that we must have an up-to-date operating system (at least Windows 10), a screen lock, Bluetooth turned on (if we want to use a passkey on a phone) and a supported browser (at least Chrome 109, Edge 109, Safari 16).

Windows Hello is not mentioned there, but as soon as we set it up in Settings - Accounts - Sign-in options (at least a PIN), we can create a passkey.

Activating Windows Hello

Creating a local passkey for a Google Account on a Windows device 1
  • click on Create a passkey
  • to continue, we may need to verify ourselves (sign in to the account again), probably because the last sign-in was some time ago; then click Create a passkey again
  • then we unlock the authenticator (Windows Hello)
Creating a local passkey for a Google Account on a Windows device 2
  • the passkey is created
Creating a local passkey for a Google Account on a Windows device 3

The newly created passkey appears in the list of passkeys. We can test authentication using it.

Creating a local passkey for a Google Account on a Windows device 4

Note: Passkeys created automatically on an Android device are named after the device. When we create a passkey on a Windows device or a FIDO2 security key, it is named Windows Hello or FIDO2 security key respectively. With several devices of the same type only a number is appended and we cannot tell which device it belongs to, so it is good to rename it.

Viewing passkeys stored in Windows 11

In Windows 11 (at least 22H2) we can look at passkeys stored on this device.

  • Settings - Accounts - Passkeys
Viewing passkeys stored in Windows 11

Note: If we have Windows Hello for Business set up for logging in to a company Entra ID account, we will see a passkey for login.microsoft.com here. Similarly, this applies to a personal Microsoft account.

Creating an external passkey for Google Account on a Security Key

In Windows, we can issue a passkey on a connected security key (in a USB port, possibly also via NFC). In the Google account settings, at the end of the Passkeys and security keys page, there is a (second) + Create a passkey button.

Creating an external passkey for a Google Account on a Security Key 1

Using it opens a dialog where we can create a passkey on this device (Create a passkey) or on another one (Use another device).

Creating an external passkey for a Google Account on a Security Key 2
  • click on Use another device
  • a Windows Security dialog for setting up the security key appears; allow access and unlock the security key
Creating an external passkey for a Google Account on a Security Key 3

The passkey is issued and saved. Again, we can see it in the list of created passkeys.

Creating an external passkey for a Google Account on a Security Key 4

Viewing passkeys stored on a YubiKey

If we have a security key from Yubico, we can use their YubiKey Manager to manage and retrieve information about the key. However, the GUI application for Windows is quite limited. For many operations, we need to use the command-line application ykman.exe.

We can display (manage) Credentials stored on the YubiKey. These must be discoverable credentials (which passkeys should always be). The example shows a listing from a security key that is registered in Microsoft Entra ID and has a passkey issued for Google.

c:\Program Files\Yubico\YubiKey Manager>ykman fido credentials list
Enter your PIN:
Credential ID  RP ID                Username                Display name
d0fb5472...    login.microsoft.com  bouska@xxxx.cz          Bouška Petr
d9deb560...    google.com           bouska@gmail.com        bouska@gmail.com 

Creating an external passkey on an Android device

Added on 14.4.2024. Another test on Windows is creating a passkey on an Android phone (which connects via Bluetooth). For this test, we'll use an account on Passkeys.io. Issues I encountered with connecting a specific phone are described in the login chapter.

We choose Create a passkey. A Windows Security dialog appears (depending on the OS and browser), offering available options for creating a passkey (in this example, the computer has Windows Hello set up with PIN and fingerprint, and Bluetooth enabled). You may need to switch from the local device using Use another device. Then we select iPhone, iPad, or Android device.

On the phone, we scan the QR code in the camera app, where the code should be recognized, and clicking on the icon triggers the action. The phone and computer connect. We can save the device for future connections. We confirm creating the passkey and use the screen lock.

Creating an external passkey on an Android device 1
Creating an external passkey on an Android device 2
Creating an external passkey on an Android device 3
Creating an external passkey on an Android device 4

Interestingly, in this case, the passkey was created in Google Password Manager (which is also how it was named in passkeys.io) and thus as synchronized. When I created a passkey directly in the browser on the Android phone, it was saved unsynchronized on the device. This might be because the URL FIDO:/ is assigned to the Google Password Manager provider, whereas the browser uses a different API.

Logging in using passkeys

Local passkey on a Windows device

Logging in on Windows 10 or 11 using a passkey stored in Windows Hello on that computer. The process is the same in the current versions of Chrome, Edge, and Firefox.

Passkeys allow logging in without entering a username. Google doesn't support this when logging into their services, but it is possible with Microsoft, for example.

Signing in with a passkey to a Microsoft account without entering a user name

We enter or select the email address. If the default method is password, we click on Try another way and Use your passkey. In the Windows Security dialog, we authenticate (unlock Windows Hello using PIN or biometrics) and log in to the account.

Signing in to a Google account: choosing the method
Signing in with a local passkey on a Windows device 1

A method may be offered even when that authenticator holds no passkey for the given service. If we try to use it, we get an error.

Signing in with a local passkey on a Windows device 2

Local passkey on an Android device

Logging in on an Android device using a local passkey. The screenshot is from Firefox on Android 14, which supports all options. The process is the same as on Windows. We choose this device and use one of the screen unlock methods. Chrome is tied to the system account and in some attempts only offered me the passkey on the phone.

Signing in with a passkey on an Android device 1

Logging in on an Android device using an external passkey

Just a screenshot from Firefox on Android 14, where we can use Use a different phone or tablet (the process is the same as on Windows when logging in using a mobile phone) or security key.

Signing in with a passkey on an Android device 2

Logging in on a Windows device using an external passkey on a Security Key

Logging in on Windows 10 or 11 using a passkey stored on a FIDO2 security key. It works similarly to a local key. If we have a passkey in Windows Hello as well, we must choose Use another device. In the Windows Security dialog, we continue with Security key and authenticate (PIN + key touch or biometrics).

Signing in on a Windows device using an external passkey on a Security Key

Logging in on a Windows device using an external passkey on an Android device

Signing in on Windows 10 or 11 using a passkey stored on a mobile device (iPhone, iPad or Android device). We need Windows 11 23H2, or on an older OS Chrome or Edge 108+. Both the computer and the phone must have Bluetooth and must be able to establish a connection. They do not need to be paired; a temporary Bluetooth connection is made automatically.

On the Windows device, Bluetooth must be active (it must not be disabled, and we must not be signed in to the computer via RDP). Otherwise the option iPhone, iPad or Android device is not offered at all when signing in from the computer. On the Android device Bluetooth can be off; we will be prompted to turn it on.

External passkey on an Android device - problems with Xiaomi 13 phone

I had trouble getting this method, Cross-Device Authentication with an Android device, to work for a long time. I was looking for a problem with Bluetooth and tried different computers. But the problem turned out to be with the Xiaomi 13 phone, and I couldn't solve it. I tried several other Android devices (with Android 12 and 13), and this method worked everywhere. I found a discussion where people reported that it stopped working after upgrading to HyperOS.

The problem manifested as an error (on both the phone and computer) Something went wrong. After scanning the QR code, an offer to remember the device appeared, the connection started to establish, and the error immediately popped up.

Error connecting to the phone during FIDO Cross-Device Authentication

The second problem on Xiaomi 13 was that the standard Google Camera app (version 5.1 in the system) couldn't be used for scanning the QR code. The code was recognized, so the QR code icon was displayed, but after clicking, a dialog appeared saying it wanted to open the URL FIDO:/... and didn't know how. I found information that the Google Lens app could be used. That indeed worked; after hovering over the QR code, it displays a Use Passkey button and starts the authentication process.

External passkey on an Android device - login process

I got an old Xiaomi 10T phone working, and logging in worked fine on it. The Google Camera app (version 4.5 in the system) also works here.

When logging in, we choose iPhone, iPad, or Android device in the Windows Security dialog. A QR code is displayed, which we scan in the camera app on the phone.

Signing in on a Windows device using an external passkey on Android 1

The scanned code should trigger the system function for FIDO authentication. If we don't have Bluetooth turned on on the phone, a prompt will appear. The next question is whether we want to remember this device. If we use this, the device will be offered next time. We won't need to scan the QR code; the prompt will be sent directly to the phone (via the internet).

Signing in on a Windows device using an external passkey on Android 2

The computer displays information that the device is connected. On the phone, we need to authenticate (usually with biometrics), and login occurs.

Signing in on a Windows device using an external passkey on Android 3

If we remember the device, we can select it from the list during the next login (from the same computer). A notification is sent to the device via the internet, and a Bluetooth connection is established.

Signing in on a Windows device using an external passkey on Android 4

Remote Desktop - using passkeys on a remote desktop

Passkeys are tied to a specific device and we use them to log in on that device or another in its physical proximity. If we log in to a remote desktop of a computer, we can't use a passkey stored on that remote computer (in Windows Hello), on a security key connected to it, nor will a phone we have with us connect to it. But we can use passkeys that we have locally.

When connecting to a remote computer, certain newer versions of Remote Desktop Connection support redirecting WebAuthn (Windows Hello or security keys). Thanks to this, we can use passkeys stored on the local computer (Windows Hello) or on a security key connected to the local computer on the remote computer. At least on Windows 11, this works well and reliably.

Remote Desktop Connection: redirection of WebAuthn (passkey)

Synchronized or device-bound passkeys

According to the standard, passkeys can be bound to one authenticator, then they are called Device-bound passkeys. For example, a FIDO2 security key typically contains device-bound passkeys because its private key cannot leave it.

Or they can be synchronized between the user's devices using a cloud service; these are referred to as Synced passkeys. Synchronization is supposed to work only within a certain platform (not between different OSs). Relatively recently, it has become possible to store passkeys in a credential management app, which handles their availability on various devices.

Microsoft

According to information on the internet, Microsoft doesn't support passkey synchronization yet (they reportedly plan to).

Apple

Apple uses iCloud Keychain for passkey synchronization. According to various sources, including About the security of passkeys and Device Support, it is not possible to create Device-bound passkeys on macOS or iOS devices. The created passkey is stored in the iCloud Keychain and is automatically synchronized within the Apple ID. There seems to be an exception where it is possible to create a passkey on a FIDO2 security key which is not synchronized.

Google

Google uses Google Password Manager for passkey synchronization. Again, there are various sources indicating that standard passkeys created on an Android device are synchronized. It is possible to create non-discoverable credentials that are device-bound and therefore not synchronized. Can an RP still create device-bound credentials that aren't synchronized?, Passkey support on Android and Chrome.

Interesting information can be found in the article Security of Passkeys in the Google Password Manager. It states that a service may require the creation of a Device-bound passkey. The private key is generated in the device's Trusted Execution Environment (TEE), which provides hardware protection against exfiltration.

My experience is different so far. On each Android device, a new passkey for the Google account is automatically created. In the account settings, passkeys for each device can be seen. Even the test passkey for Passkeys.io does not synchronize and is not visible in the Google Password Manager.

Updated on 12.4.2024

I created a passkey for a Microsoft account from Windows using an external authenticator, which was an Android phone. This was done by scanning a QR code. It was automatically saved in the Google Password Manager and is synchronized across my Android devices.

I then tried to create another passkey for the Passkeys.io service. I did not do this directly on the Android device but remotely from Windows. Now the passkey was also created in the Google Password Manager.

This might be related to which component is called in the Android system when creating the passkey. When used locally in the browser, the system API is called. When scanning a QR code, the URL FIDO:/ is called, and a specific application (provider) is assigned to it in the system, probably the Google Password Manager by default. Some information can be found in the new Microsoft documentation Cross-device registration point 6.
