Passkey (possibly Noob) question.

Question

Passkey (possibly Noob) question.

Justin Thompson 0

OK, apologies for what may be a noob questions.. But I just went to log in to my Virgin Media account.. and (I assume) because of link with O2 now it was a nightmare.. it insisted I set up a whole new security profile.. One of the options was for a Passkey... I didnt go for that option as it said the Passkey would be set up on my device (My Main Win 11 PC, using Edge).. My rationale was "if this is set up on my device.. thats great when I use this device, but what about if I miles from home and want to log in via my brothers PC... or my phone?

The FAQ says... "To link your devices together for cross device authentication, you must scan a QR code that's generated on the device where you want to sign in. During this process, a proximity check takes place to ensure that the passkey is only being used for authentication on a link device that's nearby. With this technology, you can rest assured that your passkey can't be used by a remote attacker to gain access from far away." SO how will a QR code work when I on my Brothers PC? I cant scan it... and even if I could, I am miles away and so would fail the "proximity check"?

i.e. I just have my ID and Password... and my Phone.. (so this is why I went for the "send me a code" option) But how SHOULD it work?

P.S. I value my privacy.. so I dont allow Windows to track my location... I dont allow it to share my browser profile across devices...

2 answers

Your answer

Answer 1

Rob Koch 25,465 Volunteer Moderator

If you think through what you've just stated logically, you'll find that if you'd just allowed the site to set up the passkey on the local Windows 11 PC for convenience (for example, if your phone wasn't handy or working for whatever reason atm), then you could have later also set up the passkey capability on your smartphone and used the QR code from your alredy registered PC to create the same exact passkey (actually private key( on your phone as well, giving you the best of both worlds using the PC for access at home without requiring the phone, and then the smartphone when needing to access the same website from any other device with which the phone's Bluetooth could confirm that you're locate close-by when attempting to use its private key to validate your identity.

That's the beauty of the passkey system, since it makes this combination of events possible, which also has the advantage of creating an inherent backup of the passkey on multiple devices to ensure that losing one of those devices doesn't also lose the only copy of the passkey.

Fortunately, you should still be able to create this same situation in reverse by using the camera on your laptop to read a QR code from the phone in order to move the passkey in the opposite direction, assuming the laptop has a camera that supports reading QR codes.

Here's an article that describes how passkeys work from the FIDO Alliance, which created and supports the standards it's built on, and includes many industry players like Microsoft, Apple, Google and others who are of course required in order for passkeys to work across these multiple platforms and websites.

How Passkeys Work | Passkey Central

And here's a paragraph from that article titled; 'Passkeys are private by design', that shows why they don't themselves allow tracking you, though most like Google who commonly do this have other ways that circumvent this using things like fingerprinting or simply the fact that most people don't choose to disable location tracking on their phones for other reasons.

"A unique passkey is created for each domain and account. So there is no way for multiple online services to collaborate to track the user. The device unlock (using biometric or PIN) stays local. The online service only sees public keys and signatures from the user's device. For a person to use the private key, the password manager uses an API provided by the operating system to directly leverage the familiar, and private-by-design, device unlock that device operating systems have already been shipping for many years now."

Rob

Justin Thompson 0 Reputation points

2025-07-15T20:21:04.63+00:00

Thanks... but you make some big assumptions (or do I missunderstand?) .
In your first paragraph, you assume I have the forethought to transfer the passkey to my phone from my Win 11 PC? most people wont...
So the realistic scenario is that I am at my brothers... on his desktop PC... or on my phone in his house and I just need log in...
I know the password... but without the passkey.. I am stuffed? the QR code presented to me is no good, I could scan on my phone (not on his desktop PC)... but thats no use? (or do I missunderstand?) ..
You seem to be assuming that I have the forethought to distribute the passkey to all my devices... and while I might.,.. its not the sort of thing 99% of users will think about (my wife for instance would struggle with just setting up in first place... let alone thinking "I better get this set up on my phone.. in case I need it when away from home"...
So I repeat... what am I missing here... please explain how my scenario would play out... i.e. I am at my brothers house.. many miles from home... and I need access.
I have password... my phone.. and the URL to get to the login for my account, thats all.
Rob Koch 25,465 Reputation points Volunteer Moderator

2025-07-15T21:49:53.5933333+00:00

Yes Justin, you're just as confused as most others without a technical background, which is why Microsoft is working frantically in order to create the systems necessary to enable the typical consumer to use these more easily.

An example of this is the coming ability to sync these passkeys between Windows 11 devices, which I just read today also allows for support of certain 3rd-party authenticator apps that could be used for mobile operation and thus kept automatically synced as well.

Here's a short description of this coming feature displayed in the Windows Insider Preview sections of the document link I'm providing below.

"There are two types of passkeys: synced passkeys and device-bound passkeys.

Synced passkeys can synchronize between your devices via a cloud service. For example, you can use your Microsoft account to keep your passkeys synchronized across your Windows devices when signed in with the same Microsoft account. Alternatively, if you install a third-party passkey manager, you can sync passkeys wherever the manager is installed

Device-bound passkeys are created on a device and cannot leave it"

Passkeys overview - Microsoft Support

The problem at the moment is that unlike those like me who read about these passkeys and that document I linked earlier as much as 3 years ago, that's not something the typical consumer will ever do. So, the confusion for such a relatively complex and invisible private key based security is really not surprising and something that Microsoft should have anticipated.

Unfortunately, as usual, they did their initial testing with people similar to me who could instantly understand how these invisible objects worked and visualize them, since engineering and developer types are typically able to visualize such things that probably 70-90% of the population aren't. They've had a rough awakening to that fact as a result and are now scrambling to fill in the significant gaps in the operation of the entire system to make it easier to use and understand for the consumer.

Rob
Rob Koch 25,465 Reputation points Volunteer Moderator

2025-07-15T21:59:51.58+00:00

BTW, Justin. Forgot to mention that whether your password and possibly other 2FA options like a TOTP passcode still continues to work for a particular 3rd-party website along with the passkey when that's available, depends on the policies of that website.

Microsoft is pushing passkeys to the extent they're trying to get people to drop their passwords entirely, but many others are taking a slower approach for exactly the sorts of reasons you mentioned, since it will take some time both for people to become familiar with passkeys, as well as for Microsoft and the other major names like Apple and Google to improve their interfaces enough to make them decently acceptable to most average users.

Rob
Justin Thompson 0 Reputation points

2025-07-15T23:27:20.26+00:00

Thanks again... apart from your attempts to belittle me (My history in IT was a lot to do with looking after user experience and not allowing "tech experts" to baffle them with bullshit)... it appears you have been unable to clearly articulate how my scenario would be successful and tried to distract me with "they working to do X,Y,Z".
I already said I dont allow my browser to sync... and track me..
SO yes.. it appears to be a solution focused on Mobile centric, not unreasonable... but they need to be crystal clear on that and highlight shortcomings if you not using it in that way.
And yes.. on the face of it I MUCH prefer the "use the Authenticator" solution, yes, it relies on you having your mobile with you, but it seems much more intuitive... as long as you have your Phone with you, you have access to the code (with no need for internet connectivity to get the code, even if you need it to authenticate the code)..

So thanks again for your input.. I will be happy to hear further from you... or others who don't want to obfuscate and actually answer the question.

All the best :)
Rob Koch 25,465 Reputation points Volunteer Moderator

2025-07-16T21:04:56.7766667+00:00

Not trying to belittle Justin since I had no idea of your background, just explain something that's difficult for me to fully visualize at present myself, since with Windows 10 there's no complete local authenticator option possible and that also means little ability to trouble-shoot issues with the otherwise invisible passkeys.

Though in theory Microsoft might be able to track you via the passkey sync abilities they're currently adding, that's not the intent and instead it's being created to remove the need to manually move the private key(s) between devices using QR codes that's currently the only supported way provided by the FIDO2 spec itself.

The primary reason I provided you with that sync information though was to indicate that it's apparently those 3rd-party authenticators that Microsoft intends to support for sync with Windows Hello, since that's where the passkey information is actually handled by Windows 10/11 with the private keys themselves stored encrypted within the TPM, so the browser(s) you're using only access these via services provided via Windows Hello.

Due to your background, I'll provide the more technical documentation that would likely only confuse the typical consumer.

What Is FIDO2? | Microsoft Security

I'm dropping you into the Microsoft Implementation section of this next document so you can see how passkey operation relates to Windows Hello, rather than the browsers that might be using its services.

WebAuthn APIs | Microsoft Learn

Microsoft has always tried to manage information such as Windows Defender security data and similar in ways that completely anonymize and isolate the actual user information and preserve privacy unless the user himself agrees to, for example, submit a sample that might include personal information. While the methods used within the browser itself may differ due to more user visibility and control, as well as different expectations for privacy when using public websites.

I've done extensive configuration on both Windows/Edge and Android/Chrome in order to provide whatever specific privacy limitations those particular combinations allow.

Personally, I won't be worrying about Microsoft using passkeys to track me, but then I've understood that you inherently need to trust your operating system vendor not to do these things, which is why I stay Microsoft centric rather than Google, who's well known to abuse that position to track and collect data. I've only seen the relatively obvious abuse of data for personal targeting when using Microsoft's MSN based products which I've disabled for that reason, while if I choose to browse with Google apps on that platform, I see the obvious signs of personal targeting even with all of the supposed browser tracking or collection abilities disabled.

Rob
Rob Koch 25,465 Reputation points Volunteer Moderator

2025-07-16T21:14:30.03+00:00

Again, forgot a primary concern regarding the use of only a single smartphone-based authenticator product for passkeys, or really any 2FA option such as TOTP code generators, since that leads to the potential loss of access if that single device were to fail or be stolen, which if you browse these forums is a now a common occurrence.

The built-in syncing that Micrsoft, Google and others are providing on their own platforms is really to resolve this inherent issue along with making the use of passkeys easier for the average user.

Answer 2

Ron Barker 980

Hi Justin, yes I had problems with the new security sign in procedure. Your concerns would be better put on Welcome to the Virgin Media Community Forum.

Share via

Passkey (possibly Noob) question.

2 answers

Your answer