Next month, saved passwords will no longer be in Microsoft’s Authenticator app
139 comments
·June 30, 2025dontTREATonme
_Algernon_
The only way passkeys make sense is in terms of vendor lock in. If you stick with a single vendor (ie. Google or Apple) to manage them for you, it kinda works if you ignore edge cases (eg. how to recover if phone breaks).
So the motivation for why big tech wants them is clear. They've just not managed to make a compelling case for why anybody else should want them.
The only way pass keys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.
lucumo
> Until I needed to login on another device and then Dashlane saved that passkey too, but each passkey was tied to the specific device… only it wasn’t clear when I logged in which passkey I should choose, and chose the wrong one and it doesn’t work.
I'm not sure if that has changed since years ago (when you last tried), or that that is a Dashlane thing. In any case, that's not how it is now. I've stored them in 1Password. I can use them on any 1Password-enabled browser, and on my Android. They're slightly easier than password flows, and much easier than MFA flows.
> I’ll also add. I don’t have a good mental model for what a passkey is or how it works.
It's a public and private key-pair. You keep the private key, the server gets the public key on registration. When you login the server sends a challenge. "You" encrypt it with the private key and send it back. The server uses the public key to verify and boom, you're logged in.
AJRF
I have a degree in computer science, 10 years experience in some complicated fields and I can’t figure out PassKeys.
They are woefully designed and implemented, wish we just cut our losses with them and stopped pushing them.
Tuck them away in settings, not on the default login path.
kjuulh
I felt the same when implementing OpenID connect flows according to spec. It uses the browser in creative ways ;) Especially the device flow, absolutely insane complexity for what it is.
escapecharacter
CVS keeps pushing them for their pharmacy login. So annoying.
sydbarrett74
Agree. The UI/UX is atrocious at present. The concept has flaws, but IMO it substantively raises the floor security-wise.
jeroenhd
That's not a passkey problem, that's Dashlane being very weird about passkeys. There's no way that isn't a bug.
teekert
I think Proton Pass just stores one key for all devices? Not even sure! But it does work anywhere without the experience you had: I go to a website I have saved, it pops up, I click and am logged in.
Not sure if Proton does the device specific stuff under the hood (and hides it well), or if they are abusing the system by simply sharing the private key over all devices? (That is misuse right?)
I too, have no idea.
rafaelmn
I think your problem is Dashlane. I had to use it for one corporate gig an oh my god was it the worst password manager I used - UX and stability wise.
djvdq
I don't have this problem. I'm using passkey probably on only 1 website (github) but it's working without any issues on all my devices. Maybe it's a password manager issue? I'm a bitwarden user
qwertox
Well you have your passkey stored in Bitwarden, which may weaken its security, since it's a software-only solution.
The idea of passkeys is that they are supposed to be tied to a hardware device. And this leads to very odd situations, like Chrome asking Windows to authenticate, and Windows having to ask for the passkey on an Android phone.
I migrated to Bitwarden around 3 weeks ago and now Chrome is no longer asking Windows to authenticate, but Bitwarden. But then Bitwarden doesn't have the passkey, so it will offer to delegate to Windows, which will in turn reach to the Android phone, unless it's one which is stored in Windows.
This are the kind of problems which arise, and for a 75 year old senior who never dealt with all this crap, this is nothing but a huge annoyance, because they simply don't understand what's going on. It was easy with username and password.
What I liked the most was username+password and a Yubikey for OTP. And for what can't or no longer wants to deal with Yubikey, I've moved to app-based OTP. And now I'm starting to get forced to move to passkeys, which annoys me a bit because things are no longer so clear.
wasmitnetzen
Do you have a source for the hardware-tied design? Neither the specs[1] nor Wikipedia[2] say anything about Authenticators being hardware-only as far as I can see. The specs even specifically talk about Clients (ie browsers) storing passkeys.
[1]: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-aut...
[2]: https://en.wikipedia.org/wiki/WebAuthn#Reasons_for_its_desig...
jeroenhd
> The idea of passkeys is that they are supposed to be tied to a hardware device.
No, not really. That was more of a U2F/WebAuthn concept. Passkeys are intentionally permitted to be attached to accounts.
You can use hardware bound tokens as passkeys if you prefer, of course. However, that approach has led to a huge amount of people getting locked out of their accounts because they lost their Yubikey or reset their phone.
There are implementation improvements to be made, for sure, especially on Windows. However, that same 75 year old also won't know to look in Edge's password manager when Bitwarden says it can't find a password for a given website.
And let's be honest, that 75 year old won't be using Bitwarden or a password manager anyway, their password will be NameOfGrandkid2003 despite being told to pick a different one after the last time their account got taken over.
I wish I could use passkeys more often but when websites offer 2FA of any kind, it'll be through TOTP, and usually without providing any recovery codes either. TOTP and email+password aren't going away.
ExoticPearTree
Looks like a Dashlane problem from what you are describing.
Since I use a Mac, I will refer to my MacOS experience: Keychain and now Passwords will sync passkeys via iCloud to any other device. The end result is that you only have one passkey. Pretty seamless experience.
avhception
There is no way I will sync all of my credentials onto other peoples computers.
Trust issues aside, is there a way to get those passkeys out of there?
Suppose you want to switch from iCloud to whatever else, can you export and import those passkeys?
jeroenhd
I don't think iCloud has exports for secrets like that (and that's not just restricted to Passkeys).
Other tools do, though, like KeepassXC or any other password manager really.
N_Lens
Yeah I'm on Mac/iPhone as well and was scratching my head at the "multiple passkeys" comment.
jonathanlydall
For those who may not have read the article fully, Microsoft's existing traditional password management on mobile devices is not becoming unavailable, but is being moved from the Authenticator App to Microsoft Edge.
I had this warning show up in the iOS Authenticator app like last week or something and it guides you through changing your iOS settings to instead use Edge as a password manager. As Edge is my browser of choice on my Windows PC and I already had it installed on iOS, this was a very minor inconvenience for me.
It's worth mentioning that even though I almost exclusively use Safari as a web browser on my iOS device, when filling in passwords on websites it seamlessly allows you to use any iOS configured password manager including Edge.
It's definitely a little weird that you now require Edge to also be installed for essentially the same functionally and Microsoft might be doing it to try push people to install Edge.
RHSeeger
I have yet to see a compelling argument for passkeys that is strong enough to overpower it's negatives.
- I want to be able to share passwords for accounts with my family (some, but not all of them)
- I want to be able to load up my login information from whatever device I am currently working on; my phone, my home computer, my work computer, my wife's phone, etc
- I don't want to risk my phone breaking and losing access to all my accounts
Something like 1Password or Bitwarden fits all of that perfectly.
Avicebron
> see a compelling argument for passkeys
It's tied to vendor lock in. Which increases the ability of companies who develop certain technologies for the masses to increase the friction of interacting with things outside of the ecosystem. The argument is that if a user is unable to use an alternative, by hook or crook they will pay increasingly high subscriptions to access the services provided by that ecosystem. This increases a number on a spreadsheet, the only true compelling argument one could say
re
> It's tied to vendor lock in
If you're referring to the inability to transfer passkeys across systems, that should be improving soon.
https://blog.1password.com/fido-alliance-import-export-passk...
https://arstechnica.com/security/2025/06/apple-previews-new-...
ls612
As long as the passkey spec includes remote snitching (attestation) your keepass open source alternative will exist only because big tech allows it, and it will end when big tech demands it. The entire import/export standard is a red herring.
t_mann
You can do all of those using Passkeys in Keepass, eg though KeepassXC, including import/export. However, Keepass applications have already been flagged as non-compliant for this reason. What you also currently can't do afaik is use them on mobile.
darkwater
> I have yet to see a compelling argument for passkeys that is strong enough to overpower it's negatives.
> - I want to be able to share passwords for accounts with my family (some, but not all of them)
This, but for another reason. To all those "I can do this with Keepass/Bitwarden etc", how can you share your Netflix password with your parents 100 miles away to use it in their smart TV? You cannot and will never be able to do it. Yes, passkeys improve security in some contexts but also tighten the grip of service providers.
Freak_NL
Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.
I doubt streaming services are looking to make passkeys the only way to authenticate devices though. Too much competition, and too many valid use cases for use outside of a personal device.
jjani
> Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.
Like the millions of "terms of use" breached by the exact trillion dollar companies pushing for passkeys (Google, Microsoft) while training their AI models? Sounds like terms of use are entirely irrelevant in the first place.
darkwater
> Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.
Since when "you are not supposed to do it" works? :) Most videogames cannot be freely copied or modified/tampered with, according to their ToS; still, companies implement draconian DRMs/anticheat to block people from doing it anyway. This is the same situation.
porridgeraisin
> breach of their terms of use
I mean, it was an example. Replace it with an amazon account and the argument remains the same.
RataNova
Right now, passkeys feel like they solve Google's and Apple's problems more than users
vanviegen
I think a password manager like bitwarden still meets all of those criteria when it's managing passkeys for you.
thayne
But companies like Google, Microsoft, and Apple have a vested interest in making third party tools like bitwarden not work as well, or not at all on their platforms.
jeroenhd
Bitwarden works just as well on Android. In fact, it's even easier when it comes to managing multiple passkeys per domain. And yes, that includes CTAP2 logins ("scan a QR code with your phone to log in").
ChadNauseam
iOS and Android both have APIs for plugging in custom password managers into password entry fields in every app, and for using passkeys with those custom password managers. I use 1password on my iPhone and my Android and it integrates perfectly with both. I agree that those corporations have an interest in making those tools work poorly to stop you from leaving the platform, but they seem to have done the right thing and put some effort into allowing them to work well.
ashdksnndck
iOS third-party password manager integration has gotten better over the years. It went from nonexistent, to half-working but constantly pushing me to use iCloud passwords instead, to allowing third-party to be the default once I set it up and never mentioning iCloud passwords to me during normal use.
null
microflash
I do use Bitwarden to store passkeys and it works across devices just fine.
Ferret7446
> I want to be able to share passwords for accounts with my family
No you don't, you want to share access, and the only way you can do it with passwords is by sharing the password itself. With passkeys you can have each person register their own passkey.
blendergeek
I want to be able to share access without permission from Microsoft
Ferret7446
Huh? Microsoft doesn't own passkeys. I think you have a completely incorrect understanding of passkeys.
joeblubaugh
And people complain about Apple being paternalistic.
If you’re already saving passwords in an app, you’re being more secure than most users. A forced move to passkeys seems nuts when not all systems support them yet.
I’m also still concerned that passkeys seems more likely to fail the average user when they break or lose a device, compared to a decent password.
smolder
They used to complain about that 10 years ago, but apple was just ahead of it's time. Microsoft saw the light and is racing down that path. Soon enough, no computer without user-defeating secret logic and remote ownership will be allowed to interact with important networked applications. Linux users will either need a tainted linux variant or not have access to banking, streaming (already a problem), games, and so on.
hansvm
And still, the entire bank account is still vulnerable to a $15 silent borrowing of your phone number for a day, bypassing all normal protections. The system is only harder to access for the rightful owner.
krior
How would that attack work?
throwaway290
It is already required to buy an approved terminal to participate in society. This may seem a bit of joke in some countries but in many places it is absolutely real.
The next step in progress is to bake in functionality that can guarantee interested parties that it is you operating the terminal at all times.
jgerrish
You're probably right. We'll have enforced boot chains and attestation for devices if we want to take part in large parts of our economic system in the future. A ton of important systems like banking, safe and secure sex worker and entertainment sites for users and performers, government services like online taxes and car licensing and drivers testing* and children-safe sites.
Over twenty years ago, many of us warned about the dangers of increased and unaccountable intelligence service power. We saw what the Patriot Act would create.
We joined the EFF and the ACLU, or renewed our memberships. Organizations at the time that focused more on actual deep philosophical issues and how they relate to our political world.
Obviously the Patriot Act has saved lives. Terrorist events and neglected victims are tragic and VERY emotional.
But today, immigrants and others are spending their own lives protesting the actions of ICE. Their own very limited time on this planet.
I'm not here to judge Immigration and Customs Enforcement. I'll take flak for that among liberals. Again, I'm not judging ICE. In many cases they've been falsely accused where there was clear evidence they weren't at fault.
No, what bothers me is immigrants, who already have difficult lives, and Generation Z, who have less economic security themselves, are the ones marching in the streets.
Twenty years from now, who will be working extra unaccountable and unbillable hours protesting in the streets because the DRM and secure computing systems being pushed through today are abused?
Even if most of that abuse is a show, meant to divide citizens and law enforcement. There are people out there working for free for that show.
Who will work more in the future?
And like not judging ICE, I'm not judging the countries racing and battling to deploy secure computing environments. Knox and TrustZone and TPM and whatever new things await us in the future. There are reasons both for safety and economic security I dont judge.
And there are dark patterns around software supply chain weaknesses and online safety and incentives to accelerate those issues to push through security architectures.
Other countries are doing it. I hate the fucking game theory solutions that it encourages.
But what I'm worried is that in twenty years who will be working for free because our secure computing environments are found unfair?
And unfair can be many things. Governments push values, even when it's not explicit. When I'm using my integrated cyberdeck or implants or just ambient room device, what am I missing? What is being pushed into or out of my vision or awareness?
That's twenty years in the future, what's forty years in the future? I won't be here, but you bet your ass I'm worried. Because the people who I fucking care about now working their asses off for free are being blinded about the upcoming digital wreck, like they were in 2001.
* I believe myself here, that's key.
Groxx
Also next to impossible to write down to give to someone else.
This (or by phone) is how I've transferred: all family accounts, all small community accounts, some business accounts, many friend-shared accounts, and it's also how some people ensure accounts can be accessed if they die. It's not a small problem.
jrockway
Yeah, I think people will lose their passkeys a lot. I think companies are happy to provide another service ("passkey syncing") that you will pay for for life. Back In The Day you could be a freeloader by remembering your passwords like a nerd. No longer. The loophole is closed!
That said, passwords are actually so bad that anything would be an improvement over them. While a stealable passkey vault sync'd to your malware-infested Windows laptop is not ideal for security, it's sure better than typing your bank password into your favorite forum because you don't understand that website administrators can see your password when you type it on their site. (Not to mention phishing.)
RataNova
Until recovery and multi-device support are seamless across ecosystems, forcing this kind of shift just adds friction
sedatk
This is very bold because passkeys haven't been the smoothest ride so far. There are many inconsistencies in implementations among platforms. For example, many websites use passkeys as an alternative sign-in option, and let you keep your password login. So, you remain susceptible to phishing despite having a passkey on your account. Recovery flows are inconsistent too.
I applaud Microsoft because a big player had to go all-in into passwordless authentication. I'm sure it won't be painless, but it might push others to adopt the approach eventually.
grahameb
There's still a dearth of support in commonly used open source backend frameworks, too – and, at least after looking a bit the other day, I couldn't find much in the way of documentation on the standard flows. I was hindered a little in searching by SEO spam from various companies offering APIs to deal with users/passkeys for me as a service.
aniviacat
Bypassing SEO spam is the core use case of LLMs (with search function) for me. It's so nice to just get a (relatively) concise answer immediately.
umanwizard
Absolutely bonkers if true. The #2 thing you don’t want a password manager to do (after, of course, leaking your passwords) is deleting your passwords!
Hopefully this will entice people to switch to 1Password, but I’m pessimistic — it will most likely just convince people not to use password managers at all.
FinnKuhn
As I understood it from the announcement in the App itself the password will still be available but through the Edge App instead.
No idea who thought of this bad idea. Now I gotta move them all to Apple passwords or something else.
LeoPanthera
I hope they don't switch to 1Password, I switched away from it, after their new Electron app repeatedly failed to autofill passwords in Safari - a basic function.
Quarrel
While not quite switching to 1Password, the latest Win 11 build includes:
> We have partnered with 1Password to bring users a seamless plugin passkey provider integration in Windows 11.
after other details at least it does go to:
> If you are a credential manager developer, we invite you to integrate with Windows 11 to support customers in their passkey journey. To find out more about implementation detail, go to https://aka.ms/3P-Plugin-API.
The full info:
https://blogs.windows.com/windows-insider/2025/06/27/announc...
Brian_K_White
keepass ffs not 1password
execat
What's their end game here?
What is Microsoft gaining from their push to passkeys? They knew this was going to piss off a lot of people, but they went ahead with it anyway. That makes me believe there's something else at play.
My experience with passkeys has been worse that my Bitwarden password auto complete, so needless to stay I'm sticking with my regular passwords on my Bitwarden (I know Bitwarden has Passkeys support. I don't want to use it)
hakfoo
I suspect it's another step in the push to make the mobile device the centre of digital identity. (Yeah, it might support some standalone key devices, but nobody's giving Joe Sixpack a Yubikey)
The one with far more data gathering capability and generally less robust ability for the end user to assert control over it, and which is generally tied to a service contract that in many countries requires identity verification.
RataNova
Feels like they're betting big on being seen as a leader in "passwordless" security
ocdtrekkie
So in business Microsoft cloud land, not using Microsoft Authenticator specifically is basically impossible. You have to shut it off four different ways even if you have an alternative solution already configured.
I think centralizing control is absolutely the core play for them.
withinrafael
The simpler version is that Microsoft Authenticator--a mobile app that provides 2FA--is discontinuing its password autofill feature and the passwords stored/used with that will be wiped in August unless action is taken, as has been communicated for a while now.
More information: https://support.microsoft.com/en-us/account-billing/changes-...
TiredOfLife
"Your saved passwords (but not your generated password history) and addresses are securely synced to your Microsoft account, and you can continue to access them and enjoy seamless autofill functionality with Microsoft Edge"
djrj477dhsnv
If I can't export the private key to my own backup solution, I don't want it.
akho
Password managers sync passkeys just fine. If you use one of those, the benefit of passkeys is that some sites skip their SMS 2fa if you use a passkey. The downside is that you can only use them from your own devices, where you have the app/extension.
Analemma_
This response fundamentally misunderstands what passkeys are, and it feels like a cargo-cult copy-pasted answer for outrage points rather than one that is really considered. The whole point of passkeys is that they are a) one per device and b) stored on the device's secure enclave, where in theory you're never supposed to be able to export/exfiltrate them, only validate them.
recursive
What passkeys are isn't something that most people want.
I prefer passwords precisely because passkeys have achieved their design objectives. They are just not objectives that I share.
comex
No, passkey export is intended to be a thing and is becoming a thing. I'm not sure if Microsoft has implemented it yet but here is Apple's version:
https://mobileidworld.com/apple-introduces-cross-platform-pa...
freeone3000
Someone should tell Apple; they’ve been cloud-syncing passkeys for years.
AlotOfReading
And yet people still need to share authentications between different devices (or people) and back them up for recovery purposes. If you're expecting only what you're saying, you'll find yourself simultaneously disappointed at how low the uptake is in the real world and how many major implementations (e.g. Apple) have a vastly different security model.
WarOnPrivacy
> And yet people still need to share authentications between different devices (or people)
Absolutely. The problem with narrowly targeted security measures is they are a poor fit for nearly everything.
whatevaa
No, their point is that they are absurdly long and not phishable. Point b is not practical for mass uptake, as hardware devices get broken/lost/stolen all thr time. And no, only nerds will have multiple ones.
ChromaticPanic
If that means I lose access to my accounts if my device dies on me, then hard pass.
CamperBob2
Sounds like the sort of thing that will lock me out for any of a dozen different reasons.
subarctic
Ya really what you want is your passwords saved in an encrypted vault that you can copy from device to device for backup. If passkeys are really one per device and you have have 100 passkeys from 100 different services, and moving to a new device requires accessing each of those 100 services to create a new passkey for the new device, that sounds terrible
hulitu
> The whole point of passkeys is that they are a) one per device
Hm, so then i need one for my account and one for every device where i use this account
> and b) stored on the device's secure enclave, where in theory you're never supposed to be able to export/exfiltrate them, only validate them
i heard that the new "device's secure enclave" is the cloud.
charcircuit
One per device you want to authenticate with. So for example you can use your phone to do the authentication for many other devices you own.
rambambram
Wherever I work, IT departments expect me to install MS Authenticator on my own smartphone. To authenticate myself to MS so they can authenticate me to the organisation that already has seen my passport and my driver's license. No thanks...
simonw
I'm confused. Is this a Windows-exclusive thing? As an iPhone and Mac user is there anything I need to do?
There is an app in the iPhone App Store called "Microsoft Authenticator" - is that what this story is about or is there a Windows feature with a confusingly identical name?
munchler
Yes, they're talking about a mobile app used for two-factor authentication. It doesn't run on Windows (or Mac). If you don't have this app on your phone, you don't need to worry about it.
abawany
IME some MS shops enforce use of it for 2fa to access company resources like vpn and etc. - for eg, the only reason this app exists on my phone is so I can log into my employer's vpn.
WarOnPrivacy
I occasionally run into small biz employees running the mandated MS Authenticator (biz O365) on their personal devices. This makes me sad.
I'm trialing Winauth for some remote-only users. So far I'm happy with having the authenticator on Windows desktop.
adastra22
What is sad about that?
anotherhue
ehh... for just one well behaved app I think it's tolerable.
It's about where I draw the line though.
WarOnPrivacy
Most every bit of online exchange and O365 (+the ever-changing, ever-growing stack of MS policy/admin/security panels) is overkill for 10-20 users who need mail, Outlook, Word, Excel (no substitutions).
It's a massive hydra and it's most dependable output is onerous requirements. And the more of those we heap upon light duty users, the more reasonable it becomes to circumvent them.
In this scenario Winauth is how we placate the unreasonable overlord.
My first experience with passkeys was eBay. They implemented them 3-4 years ago, and my password manager, Dashlane picked up on it. They offered to save it and I wouldn’t have to enter a username or password. Great, seemed to work. Until I needed to login on another device and then Dashlane saved that passkey too, but each passkey was tied to the specific device… only it wasn’t clear when I logged in which passkey I should choose, and chose the wrong one and it doesn’t work. After having like 6 different passkeys for eBay I gave up. Now I always decline to use passkeys. They don’t work, idk who uses them but as a fairly tech savvy user, without a very complex setup (chrome, with Dashlane installed) if it’s not working for me it’s probably just not working.
I’ll also add. I don’t have a good mental model for what a passkey is or how it works. And again, like most users if I don’t really understand what’s going on I’m just not gonna bother with it. For all the complexity that it takes to implement secure login with a username and password, most of it is hidden from the user, with passkeys it feels like they’re shoving all the complexity front and center, but not explaining any of it.