Article Details

Windows 11 22H2 adds a built-in passkey manager for Windows Hello. Today's Windows 11 update includes several security improvements, including a new passkeys management dashboard designed to help users go passwordless more easily and tools to reduce the attack surface. Passkeys are linked to specific devices (e.g., computers, tablets, or smartphones) and play a pivotal role in mitigating the threat of data breaches by offering robust defenses against phishing attacks, blocking threat actors from stealing credentials, and thwarting unauthorized access attempts. Compared to traditional passwords, passkeys are a more secure option as they remove the need to memorize passwords for each website or online service. Microsoft's passwordless push was prompted by the three-fold increase in phishing attacks targeting user credentials since last year, reaching over 4,000 incidents every second, according to Redmond's internal data. To fend off these attacks, the company is making it possible to generate passkeys using Windows Hello, enabling users to sign into their website or web app accounts with their faces, PINs, or fingerprints. Additionally, Windows 11 customers will also be able to use Bluetooth-paired mobile devices to complete sign-in processes. After the update, a passkeys management dashboard will be available in the Settings app from Accounts > Passkeys. "Windows 11 will make it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys," said David Weston, Microsoft VP for Enterprise and OS Security. "Passkeys are the cross-platform future of secure sign-in management. Microsoft and other technology leaders are promoting passkeys as part of the FIDO Alliance." The passkeys management dashboard was first introduced in June with the Windows 11 Preview Build 23486 release pushed to Insiders in the Dev Channel. Microsoft and Apple first confirmed their commitment to passkeys in May 2022, endorsing Web Authentication (WebAuthn) credentials. One year later, Google also announced it's rolling out support for passkeys for Google Accounts to allow users to sign in without entering a password or using 2-Step Verification (2SV). ​With today's Windows 11 update, Microsoft also provides IT teams with a new policy that can help block the use of passwords across all Azure AD (Entra) joined enterprise devices. Once enabled, the policy will prevent password usage across the entire Windows user experience, including device unlocks and all authentication attempts. "With this change, users can now navigate through their core authentication scenarios using strong, phish-resistant credentials like Windows Hello for Business or FIDO2 security keys," Weston said. "If ever necessary, users can leverage recovery mechanisms such as Windows Hello for Business PIN reset or Web sign-in. Another new feature, Config Refresh, will also allow security teams to ensure that all policies will be automatically reverted to a secure default state every 30 or 90 minutes, depending on the admins' choice—this is available today for Insiders and will soon roll out to all organizations. Customers can also use App Control for Business (formerly Windows Defender Application Control) to ensure that only trusted apps can run across business environments, automatically preventing unwanted or malicious code from launching. Today's Windows 22H2 update also offers more granular Firewall logging for domain, private, and public firewall profiles and a new capability to choose ICMP inbound and outbound rules.