Passkeys are revolutionizing the way we think about authentication, offering a robust alternative to traditional passwords. Designed to be phishing-resistant, these credentials streamline the sign-in process, making it both quick and secure. With the introduction of Microsoft Password Manager, users can now save and synchronize their passkeys across all devices linked to their Microsoft accounts, enhancing accessibility and convenience.
By syncing passkeys, users can enjoy a seamless sign-in experience, allowing them to access their credentials from any device. This flexibility means that passkeys are no longer confined to a single device; they can be securely accessed across multiple platforms while still utilizing device-based authentication methods such as biometrics or PINs. However, achieving this level of convenience requires a meticulous approach to security, ensuring that roaming cryptographic credentials are protected throughout their lifecycle—from creation to synchronization and recovery.
Architecture overview
The architecture underpinning passkey syncing in Microsoft Password Manager is a sophisticated, layered design that prioritizes the secure management of roaming credentials. This system employs multiple independent protections across various domains, including computation (where sensitive operations occur), key management, storage, and device authorization.
At its core, the passkey syncing mechanism integrates:
- Confidential computing for executing sensitive passkey operations.
- Hardware-rooted key protection for safeguarding service-side encryption keys.
- Tamper-evident recovery storage to ensure secure activation and recovery.
- Encrypted synchronization across all registered devices.
These protective layers work in concert to secure passkeys during their creation, synchronization, and recovery phases. The backend service for passkeys operates within Confidential Containers on Azure Container Instances (ACI), utilizing Trusted Execution Environments to ensure the protected execution of sensitive workloads.
Confidential compute for passkey operations
All sensitive passkey operations—including credential creation, assertion, and recovery validation—are executed within Azure’s confidential computing environments, which are fortified by hardware isolation. This setup guarantees that:
- Cryptographic material is processed in protected memory.
- The host environment is unable to inspect sensitive cryptographic materials, such as passkeys and encryption keys, while they are in use.
- Only verified service code can access protected encryption keys.
This stringent control over where passkey materials can be decrypted and utilized ensures that sensitive cryptographic information remains secure within trusted execution boundaries, thereby enhancing operational integrity. User verification through platform authenticators, such as Windows Hello or device biometrics, further fortifies access to these operations, employing device-bound cryptographic keys for authorization.
Hardware-rooted key protection
The encryption keys that protect synced passkeys are secured using Azure Managed HSM. Access to these keys is governed by attestation-based secure key release mechanisms. Before any keys are released, the execution environment undergoes verification through Microsoft Azure Attestation, ensuring that key material is accessible only within trusted confidential workloads and is not exposed to non-confidential environments.
This approach establishes a hardware-rooted trust anchor for service-side encryption operations. Passkeys are encrypted prior to synchronization and managed within authorized, hardware-isolated environments.
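As an added illustration of the attestation-gated release policy described above (this is modelling code, not Azure Managed HSM's or Microsoft Azure Attestation's implementation), the following checks a set of attestation claims before a passkey-wrapping key leaves the vault. The claim names, the issuer URL, the TEE type string and the measurement hash are all assumed or constructed placeholders.

```python
"""Attestation-gated key release model (added example, not Microsoft's code).
All claim names and values are assumptions; the point is that the wrapping
key is handed out only when every policy check passes."""
import secrets
import time

# Assumed release policy: which attester, which TEE types, which service
# code measurement, and never a debug-enabled environment.
RELEASE_POLICY = {
    "issuer": "https://attestation.example.invalid",  # placeholder issuer
    "tee_types": {"sevsnpvm"},                        # assumed claim value
    "allowed_measurements": {"9f0c" * 16},            # constructed 64-hex digest
    "allow_debug": False,
}

# Constructed sample of claims as an attestation service might report them.
GOOD_CLAIMS = {
    "iss": "https://attestation.example.invalid",
    "exp": 4102444800,          # far-future expiry so the demo stays valid
    "tee_type": "sevsnpvm",
    "measurement": "9f0c" * 16,
    "debuggable": False,
}


class KeyReleaseDenied(Exception):
    """Raised when the environment does not satisfy the release policy."""


class WrappingKeyVault:
    """Holds the service-side passkey-wrapping key; releases it only to an
    environment whose attestation claims satisfy RELEASE_POLICY."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # stand-in for the HSM-held key

    def release(self, claims: dict, now=None) -> bytes:
        now = time.time() if now is None else now
        p = RELEASE_POLICY
        if claims.get("iss") != p["issuer"]:
            raise KeyReleaseDenied("untrusted attestation issuer")
        if claims.get("exp", 0) <= now:
            raise KeyReleaseDenied("attestation evidence expired")
        if claims.get("tee_type") not in p["tee_types"]:
            raise KeyReleaseDenied("workload is not in an approved TEE")
        if claims.get("measurement") not in p["allowed_measurements"]:
            raise KeyReleaseDenied("unrecognised service code measurement")
        # A missing debug claim is treated as debuggable (fail closed).
        if claims.get("debuggable", True) and not p["allow_debug"]:
            raise KeyReleaseDenied("debug-enabled environment")
        return self._key


def can_release(vault: WrappingKeyVault, claims: dict, now=None) -> bool:
    try:
        vault.release(claims, now)
        return True
    except KeyReleaseDenied:
        return False
```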
Secure registration and recovery
Microsoft Password Manager facilitates cross-device activation through a secure and auditable registration and recovery process. This process mandates authentication via a user-defined knowledge factor, such as a PIN, with all security measures enforced within confidential computing boundaries. Recovery operations are validated within this secure environment, ensuring strong integrity guarantees.
To prevent malicious brute-force attempts on the low-entropy PIN, the system imposes a fixed limit on consecutive incorrect attempts. Once this limit is reached, the system enters a lockout state, requiring a secure flow initiated from a trusted device for PIN reset, authenticated through the user’s Microsoft account. This design ensures that recovery mechanisms do not compromise the security of synced passkeys.
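The attempt limit and lockout behaviour described above, as an added model (not Microsoft's code): the PIN is stored only as a salted, slow hash, each wrong guess increments a counter, the guard locks after a fixed number of consecutive failures, and only a reset authorised from a trusted device clears the lock. The limit of 5 and the `from_trusted_device` flag are assumptions; the page gives no number and the real account check happens upstream.

```python
"""Recovery-PIN guard with a fixed failed-attempt limit and lockout
(added example, not Microsoft's code)."""
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5  # assumed; the page only says "a fixed limit"
PBKDF2_ITERATIONS = 200_000


def _derive(pin: str, salt: bytes) -> bytes:
    # Slow, salted derivation so the stored value is not a cheap PIN oracle.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class RecoveryPinGuard:
    """State that would live inside the confidential service boundary."""

    def __init__(self, pin: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._digest = _derive(pin, self._salt)
        self.failed_attempts = 0
        self.locked = False

    def verify(self, pin: str) -> bool:
        """True only if the PIN matches and the guard is not locked.
        A wrong guess increments the counter; a correct one resets it.
        Once the limit is reached every guess fails, even a correct one,
        until reset() is honoured."""
        if self.locked:
            return False
        if hmac.compare_digest(_derive(pin, self._salt), self._digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def reset(self, new_pin: str, from_trusted_device: bool) -> bool:
        """Install a new PIN and clear the lockout. Honoured only when the
        request originates from a trusted device authenticated to the
        account (modelled here as a flag supplied by that upstream check)."""
        if not from_trusted_device:
            return False
        self._salt = secrets.token_bytes(16)
        self._digest = _derive(new_pin, self._salt)
        self.failed_attempts = 0
        self.locked = False
        return True
```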
Building for the passwordless future
Passkeys signify a significant advancement in the realm of authentication. Within Microsoft Password Manager, we have crafted a synchronization system that harmonizes robust security measures with effortless cross-device usability. By integrating confidential computing, hardware-backed key protection, and device-bound authorization, Microsoft Password Manager offers a secure passkey roaming solution capable of withstanding contemporary threats. These protective layers are designed to function independently yet collectively safeguard passkeys throughout their entire lifecycle.
The introduction of synced passkeys marks a pivotal step in our journey toward a passwordless future, delivering the simplicity and security of phishing-resistant sign-ins to users. We look forward to expanding this journey with new capabilities and experiences on the horizon.