Microsoft is making a bigger play for a passwordless future, and this time it is doing something a lot of regular Windows users will actually notice: Microsoft Password Manager can now save and sync passkeys across devices as long as you are signed in with the same Microsoft account. That means a passkey you create on one supported device does not have to stay stuck there anymore, which removes one of the biggest annoyances people have had with early passkey rollouts.
That matters because passkeys are supposed to be simpler than passwords, not another security feature that creates extra friction. Microsoft says passkeys are designed to replace passwords with strong, phishing-resistant credentials, and on Windows, they use local device unlock methods like biometrics or a PIN instead of asking you to remember yet another login. So instead of typing a password that can be stolen or tricked out of you, you are usually approving a sign-in with something tied to your device, like Windows Hello face unlock, fingerprint, or PIN.
The bigger shift here is convenience. In its earlier rollout, Microsoft said passkeys saved in Microsoft Password Manager could be synced across Windows desktop devices, stored in the user’s Microsoft account, and used after local authentication, such as fingerprint, facial recognition, or PIN. The new engineering update goes further by explaining how Microsoft is trying to make that roaming experience secure enough for everyday use without weakening the security benefits that made passkeys appealing in the first place.
That is the part many people miss when they hear the word “sync.” Syncing passwords already makes some users nervous, so syncing passkeys sounds even more sensitive. Microsoft’s answer is a layered security design that combines confidential computing for sensitive passkey operations, hardware-rooted protection for encryption keys, tamper-evident recovery storage, and encrypted synchronization across registered devices. According to Microsoft, sensitive tasks such as credential creation, assertion, and recovery validation run inside Azure confidential computing environments, where cryptographic material is processed in protected memory and only attested service code can access protected encryption keys.
In less technical terms, Microsoft is saying it built special guarded zones in the cloud for the parts that matter most. The company says the backend uses confidential containers on Azure Container Instances and relies on trusted execution environments so the host environment cannot inspect sensitive passkey material while it is being used. That will not mean much to the average person day to day, but it is an important clue about Microsoft’s pitch: this is not just “we uploaded your passkeys somewhere,” it is “we designed the system so even our own infrastructure has limited visibility into the secrets it is handling.”
There is also a second protection layer around the keys that guard those synced passkeys. Microsoft says the service uses Azure Managed HSM for service-side encryption keys, and those keys are only released after the execution environment is verified through Microsoft Azure Attestation. In effect, the system is supposed to release sensitive keys only to trusted confidential workloads, not to ordinary environments where the risk surface would be higher.

For users, the most visible part of this setup is the Microsoft Password Manager PIN. Microsoft said in its original rollout that when you save a passkey to Microsoft Password Manager for the first time, you set up a separate PIN to protect the vault, and that PIN is then used when unlocking passkeys on a new device. The company also said new-device unlocking has a maximum of 10 attempts, and its latest engineering post adds that recovery attempts are tracked with a retry counter and related metadata recorded in Azure Confidential Ledger to prevent rollback or counter tampering.
That recovery story is important because one weak recovery flow can ruin an otherwise strong security system. Microsoft says recovery and activation are validated inside confidential computing boundaries, and if the PIN attempt limit is exceeded, the system enters lockout and requires a secure reset flow started from a trusted device and authenticated through the user’s Microsoft account. That is a pretty clear sign the company knows synced credentials live or die on account recovery: people need a way back in, but attackers cannot be allowed to brute-force that same door.
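Why the retry counter has to sit in tamper-evident storage is easier to see in code. The Python example below is added here for illustration and is not Microsoft's code: it keeps a 10-attempt PIN counter in a hash-chained log and refuses to continue if the stored history has been rolled back. The names `PinGate`, `chain_head` and `trusted_head`, the PBKDF2 PIN check, and resetting the counter after a correct PIN are all assumptions.

```python
import hashlib, hmac, json, os

MAX_ATTEMPTS = 10          # limit the article cites for new-device unlocking
GENESIS = "0" * 64         # chain anchor (constructed value)

def _link(prev, body):
    # Each entry's hash covers the previous hash, so history cannot be edited or truncated silently.
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def chain_head(entries):
    """Recompute the chain over untrusted storage; return its head, or None if any link is broken."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {"seq": e["seq"], "failures": e["failures"], "locked": e["locked"]}
        if e["seq"] != i or e["hash"] != _link(prev, body):
            return None
        prev = e["hash"]
    return prev

class PinGate:
    """Hypothetical PIN check whose attempt counter lives in a hash-chained log."""
    def __init__(self, pin):
        self.salt = os.urandom(16)
        self.pin_hash = self._kdf(pin)
        self.entries = []            # untrusted storage an attacker might roll back
        self.trusted_head = GENESIS  # latest head, kept where the attacker cannot write

    def _kdf(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def _state(self):
        head = chain_head(self.entries)
        if head is None or not hmac.compare_digest(head, self.trusted_head):
            raise RuntimeError("attempt log rolled back or tampered with")
        return (self.entries[-1]["failures"], self.entries[-1]["locked"]) if self.entries else (0, False)

    def try_pin(self, pin):
        failures, locked = self._state()
        if locked:
            return "locked"          # lockout: only a separate reset flow can clear it
        ok = hmac.compare_digest(self._kdf(pin), self.pin_hash)
        failures = 0 if ok else failures + 1   # reset on success is an assumption
        body = {"seq": len(self.entries), "failures": failures, "locked": failures >= MAX_ATTEMPTS}
        self.trusted_head = _link(self.trusted_head, body)
        self.entries.append({**body, "hash": self.trusted_head})
        if ok:
            return "ok"
        return "locked" if body["locked"] else "denied"
```

Without the separately held head, an attacker who could restore an older copy of the counter would get a fresh set of guesses every time; with it, the truncated log no longer matches and the check fails closed.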
There is also a practical reason this update matters beyond Microsoft Edge itself. Microsoft previously said passkeys stored in Microsoft Password Manager were supported in Edge on Windows, with additional platform support planned for the future, and it also introduced a browser policy that lets organizations control whether users can save new passkeys in the built-in password manager. So this is not just a flashy consumer feature – it is increasingly being treated like a real platform capability that both individuals and IT admins are expected to manage.
Zooming out, this launch fits into Microsoft’s much wider passwordless push. Microsoft Entra release notes say synced passkeys are now supported as a generally available authentication method in Microsoft Entra ID, with support for passkeys stored in native and third-party passkey providers and policy controls for different passkey types. Even though that side is more enterprise-focused, it shows Microsoft is trying to normalize synced passkeys across both consumer and work environments instead of treating them like an experiment.
For readers, the takeaway is pretty simple: Microsoft is trying to make passkeys feel less like a one-device trick and more like a real replacement for passwords across your digital life. If the company gets the balance right, users get faster sign-ins and stronger phishing resistance without the old headache of recreating credentials every time they move to a new device. And that may be the real test of whether passkeys finally go mainstream – not whether they are more secure on paper, but whether they are easy enough that ordinary people will actually use them.
Passkeys, after all, only win when they stop feeling like security homework. Microsoft’s latest move suggests it understands that, and syncing through Microsoft Password Manager is its clearest attempt yet to turn passkeys from a promising idea into something Windows users can live with every day.
