Hands-On Windows 97 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show

0:00:00 - Paul Thurrott
Coming up next on Hands-On Windows, we're going to take a look at passkey support in your Microsoft account and whether you should enable it. Podcasts you love, from people you trust. This is TWiT. Hello everybody, and welcome back to Hands-On Windows.

I'm Paul Thurrott, and we have spoken in the past about such things as passkeys, right, this new passwordless security authentication feature for online accounts. We've talked about securing your Microsoft account, which is super important because, among other things, you use it to sign into your Windows 11 or Windows 10 PC. Microsoft added passkey management support in Windows 11 23H2, kind of a light interface, nothing dramatic, but it's there. Microsoft supports passwordless technologies in the Microsoft account, but interestingly, until fairly recently, it didn't support using a passkey to authenticate yourself against your Microsoft account. So recently, sometime in the past month, they've added that capability. Based on my initial analysis... "analysis" is a strong word, but based on my initial look at it, it appears to be incomplete and also incorrect as far as the passkey spec goes, and for that to make sense, I think we'll just have to take a look.

So, as you may recall, you manage your Microsoft account on the web. There's no real way to do this in Windows. There's a simple interface in Windows, but you really want to go to account.microsoft.com. You'll have to sign in. You'll have to authenticate as well. If you set this thing up with 2FA, two-factor authentication, like I recommend, probably through an authenticator app on your phone, right, you'll have to go through that, and then you need to go to the security dashboard. Now, yeah, I was going to say, depending on what happens here, you have to authenticate again as well. So I've set this up where I can authenticate using Windows Hello. On this PC, that's a PIN. This PC actually does support finger and facial recognition, but I just haven't set that up. Okay, so the security dashboard is starting to change. This is kind of interesting. So, depending on the PC and potentially the resolution, I guess it's normal, you get this kind of different interface.

The older interface is a set of four cubes or squares, but it's the same thing. You want to manage how you sign in, right, and this is that interface where it lists your password, and any secondary email addresses you use to sign in or verify against your Microsoft account. If you want to get a text message to get a code, you can set that up here. But there are other authentication types that are actually more secure, like the 2FA Microsoft Authenticator type choices, right, and so this particular account...

I don't really have a lot set up here. I think there's an interesting mix between having too much in here and too little. You do want to have options, but they should be options that you control. So, for example, it doesn't make sense to verify your Microsoft account against a work or school account necessarily, because you will eventually graduate, or perhaps lose your job and move on to a different job, and then you won't have access to that account and you won't be able to verify. So you want to make sure that anything that's in here, whether it's your phone number or an email address or whatever, is something that you control, that you will always have access to. So that's... we already talked about that in a previous episode, but every time I look at the screen I think about that sort of thing. I do have... I do not have, rather, a passwordless account set up. This is something Microsoft allows you to do with an MSA, where you literally remove the password from your account. That's a bridge too far for a lot of people. It is actually for me as well, but I do have two-step verification turned on. I strongly recommend it.

And that's that Microsoft Authenticator or other options, security keys and so forth, right. So this is the same interface as before. Nothing has really changed. But we want to add a passkey, right, so we can add a passkey here. So obviously you would click this: "add a new way to sign in or verify". And this is where the first bit of confusion comes in, because, as you can see, passkey is not one of the options. Right? If we were going to add a Microsoft Authenticator or other authenticator app, we would use this "use an app" choice. Email code... and that's actually the one you want for this, right, so it will... Actually, you could actually use this to authenticate with Windows Hello, which are those first three options, or a security key, which is a physical security key, which uses passkeys, as it turns out. But we don't have one of those here, so we'll click that. And this is the second bit of confusion, because you're asked where to save the passkey, and there are two options: your phone, basically your phone or an iPad, so an iPhone, iPad or Android device, or a security key. And this is what I meant up front when I said this is not the spec.

The point of a passkey is that it is a way to authenticate yourself without having to use a password, that is based on the device you're using currently, right, and what I mean by that is, when you authenticate yourself with a phone using Microsoft Authenticator or whatever, there are two devices involved, right. In that case, the second factor is this phone. With a passkey, the second factor is on your device, and it uses all of the security built into your device to make it okay. In other words, because we have a TPM, and because we sign in with a Microsoft account, and because we protect that Microsoft account with a Windows Hello something, PIN, facial recognition, fingerprint recognition, whatever, we've established this chain of trust. But that's not an option here. So it's going to create a passkey on a different device, which, like I said, just bypasses the entire point of passkeys. So I already have a problem with this, but let's do it anyway. So I'm not going to use a security key because, like I said, I don't have a security key here, but I do have a phone. So it's going to give me this QR code. Hopefully everyone watching this video is now signing into my Microsoft account with it, but I will use my pass... my phone, rather, and its camera to sign in. So it's connecting, and it's asked me if I want to create a passkey. So in this case, this is kind of interesting, because on my phone I have a third-party password manager that can save passkeys, and it overrides the phone's built-in ability to save passkeys, which makes those passkeys portable, which is not part of the passkey spec. You know, it kind of keeps going on and on.

Passkeys are complicated. Typically, if you didn't have something like this, it would save it directly to the phone. In this case, it's going to save it to my password manager, which honestly is okay. So I'm just going to say okay to that, and it checks my face. It uses, in this case it's an iPhone, so Face ID, and it says okay.

And then, back on the computer screen, it says that the passkey is saved. Click OK, and I'm going to be asked to name it. So it comes up "Dashlane". Dashlane is the name of the third-party password manager that I use. I'm just going to make this a little more explicit, so I know exactly where this thing is, although it doesn't really matter, right, because Dashlane is on my Android devices, it's on my Windows PCs, and the browsers, I should say. So technically, depending on the app or the website or whatever it is I'm using, I should be able to authenticate against this from any instance of Dashlane that I'm using. But I don't want to complicate this even further. And then, yes, okay, good.

So now we get back to the screen, and you can see it's been added here. We've got a passkey option so that I can sign in. Is there a good way to demo this? Not exactly, but I think the best way would be to go to an InPrivate window, and I could go to something like Outlook.com and then sign in with the same account. Because it's an InPrivate or incognito-type window, I will have to type all my stuff and... oops, what's going on here? Boom, Outlook.com. If I could type, I would be dangerous. So it's going against my authenticator app, because that's the default, right, and, honestly, this is still the best way to do passwordless in Windows, unfortunately. But I'm going to choose "other ways to sign in", right, and I have other ways. So "face, fingerprint, PIN or security key" will use Windows Hello on this computer, or a security key if that's what it was. I could request using the app, that's the authenticator app, or I could use a password.

So, basically, what I've just demonstrated is I created a passkey that I now cannot use, right, and it still asks me to do an authentication with the Microsoft Authenticator, because that's what happens sometimes. That's okay, I don't mind that, but I went through this process. In other words, Microsoft added support for passkeys. I created a passkey using their system, and then I tried to use that passkey, and their system does not support the passkey. So this is the Microsoft world, unfortunately. And I guess, you know, this is not completely useless.

The truth is, this will work differently on different devices. If I was signing into my Microsoft account on a mobile app on my iPhone, I don't want to promise you, but there's a good chance I would be able to use that passkey to authenticate myself. Of course, I have other things on my phone too, right, so it would probably default to that authenticator app. It's kind of hard to say, and that's the problem. So here we have passkeys that are very complex to begin with. They're hard to use. We have Microsoft not implementing it to the spec. We have Microsoft not supporting the most basic passkey feature, which is the point of passkeys, which is that you save it to the device that you are using. Passkeys are supposed to be device-specific. You're supposed to have one.

If I create a passkey on this computer, I should be creating it on this computer, but they don't even offer that as an option. So this is what I meant up front when I said, you know, they've done this thing. It's not complete, it's not ready. They shipped it out into the world. It's there if you want it. And, you know, depending on the types of devices you use, it might make sense, but I would say for most people it kind of doesn't. I mean, it's just sitting there doing nothing. It's probably not harmful in any way. It's safe, and Dashlane, and Dashlane I do trust. And they have a good system for portability of passkeys, which, you know, again, is not part of the spec, but whatever.

So I did this and I don't know why, and my recommendation for everyone watching this is to just hold off on this. The initial advice I had up front about how you would properly secure your Microsoft account still stands. You should have 2FA, like we have down here. You should have multiple ways to authenticate, but a passkey right now, if you're primarily using Windows? Not a great option, so, unfortunately... Well, I hope you found that useful, if only as a warning of what not to do. We'll have a new episode of Hands-On Windows every Thursday. You can learn more at twit.tv/how. Thank you so much for watching. Thank you, especially, to all of our Club TWiT members. We love you. We'll see you soon. Thank you.