Microsoft has enabled native support for third-party passkey managers on Windows 11, starting with 1Password and Bitwarden, through a new passkey API released in the November 2025 security update.
Microsoft announced that Windows 11 now supports third-party passkey management applications following the development of a new passkey API. The feature launched with the November 2025 security update and currently supports 1Password and Bitwarden as the first third-party managers. The Windows security team collaborated with these third-party providers to develop the API that enables this functionality. Additionally, Microsoft integrated its own Password Manager from Microsoft Edge into Windows as a plugin, giving users the option to choose their preferred passkey manager. Passkeys follow FIDO2/WebAuthn standards and use private-public key cryptography for authentication. When users register on a passkey-enabled site or app, Windows generates a key pair with the private key securely stored on the chosen manager. Authentication requires Windows Hello verification using PIN or biometric authentication.
Passkey technology works by generating a private-public key pair during registration. The private key remains securely stored in the user's chosen manager: Microsoft Password Manager, 1Password, or Bitwarden. When logging into a passkey-enabled site or app, Windows receives an authentication challenge and prompts the user to verify their identity through Windows Hello. This verification is protected by PIN and biometric authentication. Microsoft Edge introduced passkey saving and syncing with Microsoft Password Manager earlier in November 2025, in version 142 and later, for Windows 10 and above. Bitwarden has supported passkey storage since November 2023 and introduced "Log in with Passkeys" in January 2024.
According to Microsoft, the following security benefits apply to this development: passkey creation, authentication, and management are protected by Windows Hello; syncing is available across Windows devices when signed into Edge with the same Microsoft account; syncing is protected by the manager PIN and a cloud enclave; Azure Managed Hardware Security Modules (HSMs) safeguard encryption keys; sensitive operations run in Azure Confidential Compute; and recovery uses Azure Confidential Ledger.
Bitwarden announced the Windows 11 integration via an update to its original feature launch announcement, noting that its system-level integration with the OS is currently in beta, meaning there may be functional limitations or potential instability until sufficient broad-scale testing and bug fixing has been done.
Passkeys are a secure authentication mechanism that follows the FIDO2/WebAuthn standards. They utilize private-public key cryptography for local challenge signing and server-side verification, rather than traditional passwords. The system is considered superior to passwords due to its portability, higher convenience for users, and immunity to phishing attacks. Unlike passwords that can be stolen or guessed, passkeys rely on cryptographic proof stored locally on the user's device, making them resistant to common attack vectors like phishing and credential stuffing.
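The challenge signing and server-side verification described above can be sketched as follows. This is an added example, not code from Microsoft, 1Password or Bitwarden: the authenticator and browser are simulated with Node.js's built-in crypto module, and the relying party name, origins and helper function names are assumptions made for the demonstration. It shows which checks cause a relying party to reject an assertion produced for a different origin, a replayed assertion, and a tampered one.

```javascript
// Added example: relying-party checks on a WebAuthn-style assertion (Node.js built-ins only).
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Assumed relying party for the demo (constructed values, not from the article).
const RP_ID = 'example.com';
const RP_ORIGIN = 'https://example.com';

// Registration: the key pair is created client-side; the server keeps only the public key.
const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Simulated browser + authenticator: the browser records the origin it actually sees,
// and the signature covers authenticatorData || SHA-256(clientDataJSON).
function signAssertion(challenge, originSeenByBrowser, rpIdSeenByBrowser) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: originSeenByBrowser,
  }));
  // authenticatorData layout: rpIdHash (32 bytes) | flags (0x05 = UP|UV) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpIdSeenByBrowser), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signature = sign('sha256', Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server-side verification: every check must pass before the login is accepted.
function verifyAssertion(assertion, expectedChallenge) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (clientData.origin !== RP_ORIGIN) return 'origin mismatch';
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((assertion.authenticatorData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Four cases: genuine login, assertion made on another origin, replay, tampered data.
function demo() {
  const challenge = randomBytes(32);
  const genuine = signAssertion(challenge, RP_ORIGIN, RP_ID);
  const lookalike = signAssertion(challenge, 'https://example-login.test', 'example-login.test');
  const tampered = { ...genuine, authenticatorData: Buffer.from(genuine.authenticatorData) };
  tampered.authenticatorData[36] ^= 1; // flip a bit in the signed counter
  return [verifyAssertion(genuine, challenge), verifyAssertion(lookalike, challenge), verifyAssertion(genuine, randomBytes(32)), verifyAssertion(tampered, challenge)];
}
console.log(demo());
```

A production relying party would also decode the stored COSE public key and compare the signature counter against the last value seen, which this sketch leaves out.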
This development matters for eliminating password-based authentication vulnerabilities in enterprise and healthcare environments. By allowing users to choose between Microsoft's native solution and trusted third-party managers like 1Password and Bitwarden, organizations gain flexibility in implementing passwordless authentication while maintaining their existing security infrastructure and workflows. For healthcare organizations handling sensitive patient data, passkeys' immunity to phishing attacks addresses one of the most common breach vectors. The integration with Windows Hello's biometric and PIN protection adds a security layer that aligns with HIPAA's requirements for secure authentication methods, potentially reducing the risk of unauthorized access to protected health information.
Organizations should begin evaluating passkey implementation as part of their security strategy, especially as Microsoft continues pushing passwordless authentication adoption. While Bitwarden's beta status indicates the technology is still maturing, the foundation for more secure, phishing-resistant authentication is now built into Windows 11 at the system level.
Yes, centralized management is possible through existing Windows and third-party enterprise admin tools.
Yes, local authentication can work offline, but syncing requires an internet connection.
Yes, some managers support passkey export and import, but compatibility varies.
No, Windows Hello functions the same regardless of the selected passkey manager.
Yes, cross-device authentication is possible depending on the manager's syncing ecosystem.