I am signing in to account.microsoft.com. I use Windows Hello:
I tap "Sign-in options", then "Face, fingerprint, PIN or security key (Use your device to sign in with a passkey)".
Clicking the "?" icon says: "It's easier and safer to sign in with passkeys. You can sign in using your face, fingerprint, PIN, or use another device like a phone or security key. No passwords, apps, or codes needed."
Currently, this does not work for me in Google Chrome, Mozilla Firefox, or even a Microsoft Edge InPrivate window. It accepts my Windows Hello authentication, but it then asks for second-step verification. The help text says this is incorrect.
If I use a non-private Microsoft Edge window, then it works correctly.
What is Edge (non-private) doing differently from all the other browsers?
If I instead use a passkey saved on my phone (Google Pixel 8a, Google Password Manager) to log in on my Windows PC, then it works correctly.
I try to rule out cookies by running tests in fresh Private Browsing sessions (i.e. after closing all other private browsing windows). To test the non-private versions of the browsers, I first made sure I was logged out, cleared all cookies and browser data, and restarted the browser.
Windows is signed in to my Microsoft Account, but Edge is not. My Microsoft Account has two-step verification turned on.
It also works correctly if I manually save a passkey on a Windows account that is not signed in to the same Microsoft account. (When you are signed in to the same Microsoft account, you cannot manually save a passkey using Windows Hello).
Edge (Windows) works correctly even if I configure it to use Tor via a SOCKS proxy, i.e. using a suspicious IP address in a different country from where I created the Microsoft account.
Windows & browser version numbers:
- Windows 11 Pro
- Windows version 23H2 / "OS build" 22631.5189 / "Windows Feature Experience Pack" 1000.22700.1077.0
- Edge 136.0.3240.50
- Chrome 135.0.7049.42
- Firefox 138.0.1
In the screenshot above, I simulated an account recovery scenario by "pausing" the Authenticator app on my phone. After telling Microsoft I could not use Authenticator or another second step, it said I would have to wait 30 days to "recover" my account.
Note the Microsoft support page for two-step verification says that 30-day recovery is not guaranteed. If you lose your second step, "[y]ou may even lose access to the account". And Microsoft never allows using a passkey as a second step after entering a password, or vice versa.
They "strongly recommend you have three pieces of security info associated with your account". A passkey is supposed to reliably qualify as at least one piece of security info.
Microsoft Account does say that Chrome is a supported browser for passkeys, although Firefox is not.
I'm curious what the technical details are here. A lot more people will be relying on passkeys now, because "new Microsoft accounts will now be 'passwordless by default.'". They won't be prompted to add a password as one of their pieces of security info, so they need more alternative details. It seems that passkeys can work as expected, but if you use Firefox (or Chrome) with Windows Hello, there's a secret trick you need to know.