19 hours ago
13
For most of this year, Microsoft has been warning users that they will no longer be able to use its Authenticator mobile application for user ID and password management. As reported by CNET on July 29, 2025, "In June, the company stopped letting users add passwords to Authenticator…. And starting Aug. 1, you'll no longer be able to use saved passwords."
Also: How passkeys work: The complete guide to your inevitable passwordless future
To me, the dire warnings of this pending doomsday-like deadline are reminiscent of the run-up to January 1, 2000 -- the so-called "Y2K problem" -- when it was anticipated that computers everywhere would experience a meltdown because their programmers never considered the possibility that their software would still be in use in the 21st century.
The great passkey migration
But most of this reporting overlooks the bigger shift that's underway across Microsoft's identity management portfolio and, in many cases, is missing key details about the future roles of Microsoft Authenticator and the Microsoft Edge browser when it comes to another colossal shift that's currently in progress: the world's transition from passwords to passkey.
A passkey is unequivocally a safer credential than a password when it comes to logging into websites and apps. Passkeys cannot be guessed, the same passkey cannot be reused across different websites and apps, and you cannot be tricked into divulging your passkeys to malicious actors through techniques such as phishing, smishing, squishing, and malvertising. Even if you're strengthening user IDs and passwords with additional factors of authentication, passkeys are a better and more secure alternative.
Also: I replaced my Microsoft account password with a passkey - and you should, too
In fact, of the major technology vendors that are encouraging end-users to switch to passkeys, no vendor is pushing users to transition as hard as Microsoft is. But, at the same time that Microsoft is aggressively campaigning for that transition, we are still waiting for Microsoft to offer the comprehensive credential management capabilities that are necessary to support that future.
Managing passwords after Authenticator
For users who managed their user IDs and passwords with Authenticator and want to stay with Microsoft-based solutions to manage their user IDs and passwords, their only option is to export their passwords from Microsoft Authenticator to Microsoft's Edge web browser. Once users do this, Edge will not only take over the role of managing those user IDs and passwords, it will also handle the auto-provisioning of those credentials (a.k.a. autofill) at the time of login and the synchronization of those credentials to the user's other copies of Edge.
In addition to Windows, Edge is available on MacOS, iOS, Android, and Linux. Given Edge's cross-platform reach when compared to that of Microsoft Authenticator (iOS and Android), it makes more sense for Edge to handle credential management and autofill.
This approach, where Microsoft is facilitating credential management through the browser instead of a mobile application closely resembles the way Google is handling credential management and autofill through its Chrome browser. Both browsers are based on Chromium and offer users some basic password management capabilities, and both rely on a central cloud to handle credential synchronization to the same browser on other devices.
The problem with non-syncable passkeys
But, at the time this article was published, whereas Chrome's password management capabilities will auto-provision and synchronize credentials of both types (passwords and passkeys) to a user's other installations of Chrome, Edge can only synchronize passwords. According to a Microsoft spokesperson who was interviewed for this story, "passkeys created for services like PayPal and eBay are stored as device-bound credentials in Windows and can be accessed via Windows Settings > Accounts > Passkeys. These are not stored or synced in Edge."
In other words, Edge for Windows is capable of handling and auto-provisioning passkeys during a login, but not the other versions of Edge. I confirmed this by trying to use Edge for Android to register a passkey for eBay. A lot happens behind the scenes when you register a passkey for the first time, and I explain the process in How Passkeys Work: Let's Start the Registration Process.
Also: 10 passkey survival tips: Prepare for your passwordless future now
Whereas an eBay passkey registration option exists when using Edge for Windows, no such option was available to me on Edge for Android. In addition to that limitation, the eBay passkey that I was able to establish on Edge for Windows could not be synchronized to my copy of Edge for Android. This confirmed the spokesperson's statement about passkeys being "stored as device-bound credentials in Windows." Device-bound passkeys are also referred to as "non-syncable passkeys." They are tied to the device that was used to create them and cannot be synchronized to another device. As it turns out, the passkey that I established through Edge running on my copy of Windows 11 was bound via Windows Hello to the Trusted Platform Module (TPM) in my HP Notebook.
This raises the question of where, across Microsoft's portfolio, users might be able to find support for syncable passkeys since they are by far the most convenient form of passkey to use for the websites and apps that support them. After all, the company is already supporting syncable user IDs and passwords through Edge. The last thing most users want to do is manage multiple device-bound passkeys for each website and app they use. Better to just have one, just like a password.
Your passkey management options now
This is where the confusion sets in. Across most of the articles that reported on the elimination of user ID and password support in Microsoft Authenticator, the authors also noted that Authenticator would continue to support passkeys and that the user could continue to rely on Authenticator to authenticate (login) with those passkeys (see my explanation of what really happens during your 'passwordless' passkey login). It's not surprising that most of the articles said this. After all, Microsoft's own post about the changes to Authenticator very clearly states, "Authenticator will continue to support passkeys. If you have set up Passkeys for your Microsoft Account, ensure that Authenticator remains enabled as your Passkey Provider. Disabling Authenticator will disable your passkeys."
This certainly piqued my interest. On the surface, it was strangely starting to look like Microsoft was moving all user ID and password management to Edge while at the same time fracturing passkey management across Microsoft Authenticator and Edge for Windows instead of moving full support for both syncable passwords and syncable passkeys to Edge (which is exactly how Chrome does it). So I went back to Microsoft to make sure that I understood things correctly. I apparently didn't.
Also: Passkeys won't be ready for primetime until Google and other companies fix this
"Authenticator will always continue to support device-bound passkeys for Entra accounts," a Microsoft spokesperson told me. "You'll always be able to create one of those today and in the future." There's a lot to unpack there. Not only are Authenticator-managed passkeys also device-bound passkeys (in other words, they cannot be synchronized), the passkey support found in Authenticator is for users of Microsoft Entra ID, Microsoft's cloud-based identity management solution (formerly known as Azure Active Directory) for businesses. In other words, the passkey support found in Microsoft Authenticator is not for those of us in the general user population who just want to manage their credentials. And it still lacks any synchronization capabilities.
In a nutshell, for those of us in the general user population who want to manage and use passkeys in addition to user IDs and passwords, Microsoft offers one option: Edge on Windows. Additionally, neither Edge for Windows nor Microsoft Authenticator (for Entra ID users) offers passkey synchronization. The only type of passkeys that Microsoft currently supports are device-bound (non-syncable) passkeys. This is obviously not ideal, and knowing some of the folks at Microsoft, I'm sure they would agree (especially given how hard the company is selling the idea of passkeys right now).
My conclusion as I try to take a 30,000-foot view of this situation is that when it comes to all of the different Microsoft technologies that play a role in credential management -- Windows, Windows Hello, Authenticator, Edge, Microsoft Wallet, Entra ID, passkeys, etc. -- the company has a lot of different pieces on the chessboard. Moving them all into the ideal position to support the secure credential management future it is selling is easier said than done.
Also: What really happens during your 'passwordless' passkey login?
In the same way that a chess player (and opponent) always think and anticipate a few moves ahead, it's hard not to see that at some point, sooner or later (probably sooner), Microsoft will support syncable passkeys across all its versions of Edge just like it does now with user IDs and passwords (and just like Chrome does). That is the only logical outcome given its strongly worded messages to migrate passwords from Authenticator to Edge.
But until that final chess move happens, users have options in the other credential management companies, including Google and all the third-party password managers (1Password, BitWarden, Dashlane, LastPass, NordPass, etc.) that support syncable passkeys and passwords in a single solution.
Stay ahead of security news with Tech Today, delivered to your inbox every morning.
English (US) ·