Microsoft has begun testing a significant upgrade to Edge that would allow the browser to sync passkeys across devices, signaling a major step toward a passwordless future. The latest Canary builds of Edge include experimental flags for "Passkey roaming" and "Passkey roaming management and settings," along with a new "Passwords and passkeys" sync option, indicating that Microsoft plans to make the browser a full-fledged passkey provider tied to your Microsoft account.

What's New in Edge Canary

In the Canary channel, Edge introduces two experimental flags that explicitly address passkey syncing. The Passkey roaming flag's description states that Edge would act "as a passkey provider" and sync saved passkeys across devices. This positions the browser not just as a conduit for Windows Hello but as an originator and manager of synced passkey material. A companion flag, Passkey roaming management and settings, exposes a dedicated management UI, giving users granular control over synced passkeys.

When these flags are enabled, a new entry appears under Profiles > Sync: Passwords and passkeys, with the description "Stored securely and made available on all your devices. Review security settings to help make your Microsoft account even more secure." This is the first time passkeys have been listed alongside traditional passwords in Edge's sync controls, marking a shift in how Microsoft packages credential management within the browser.

How This Fits with Windows 11's Passkey Overhaul

These Edge experiments don't exist in a vacuum. Microsoft is concurrently redesigning the Windows Hello experience in Windows 11 to support cloud syncing of passkeys and integration with third-party providers like 1Password and Bitwarden. A new API will allow third-party password managers to plug directly into the Windows 11 authentication flow, enabling users to access their mobile passkeys on a PC without QR codes or workarounds.

The Edge Canary flags signal an additional layer: while Windows Hello handles OS-level authenticator management, Edge aims to become a passkey provider in its own right, syncing credentials via Microsoft Account sync. This dual approach—platform-wide passkey support in Windows and browser-specific syncing in Edge—could offer users a seamless, cross-device experience whether they're authenticating on a website, in an app, or across different operating systems.

The Security Trade-offs of Synced Passkeys

Passkeys are built on WebAuthn and FIDO2 standards, replacing passwords with cryptographic key pairs. The private key stays on a device (or in a credential manager), and authentication requires a local factor like biometrics or a PIN. This inherently resists phishing because there's no reusable secret to steal. Syncing passkeys via the cloud introduces new considerations.

Strengths

  • Anti-phishing remains intact: The key pair is bound to a specific origin and unlocked locally, so even synced keys can't be phished.
  • Hardware-backed protection: On Windows, Windows Hello combined with a TPM provides strong local key protection. If Edge's roaming relies on encryption tied to a TPM or secure vault on each device, local security remains robust.

Risks

  • Increased attack surface: By design, synced keys must be transferable—encrypted and stored in the cloud—which creates a larger target than strictly device-bound keys. The mitigation is end-to-end encryption where only the user's devices can decrypt the keys, but Microsoft must clearly document this architecture.
  • Account compromise stakes rise: If passkeys are synced through a Microsoft Account, an attacker who compromises that account could potentially misuse passkeys or authorize new devices. Strong multi-factor authentication (MFA) and recovery protections become critical.
  • Enterprise implications: Organizations that enforce attestation (requiring proof that a key is hardware-backed) may find synced passkeys complicating compliance. Administrators will need new policies to manage attestation enforcement, revocation, and auditing.

Edge vs. Chrome vs. Apple: The Battle for Passkey Roaming

Microsoft is entering a race where competitors already have mature offerings.

  • Google Chrome syncs passkeys through Google Password Manager, using end-to-end encryption and offering PIN-protected flows for moving credentials across platforms. Trust is anchored in Google account security.
  • Apple iCloud Keychain provides seamless passkey sync across Apple devices, with keys end-to-end encrypted and tied to the Apple ID, but remains locked to Apple's ecosystem.
  • Microsoft Edge now aims to offer a comparable experience tied to Microsoft Account sync. The unique challenge is bridging Windows' strong OS-level authenticators with Edge's cross-platform ambitions. If successful, users could have passkey portability across Windows, Mac, Linux, and mobile devices where Edge is signed in.

What This Means for Users and IT Administrators

For Enthusiasts Testing Canary

  • Canary builds are unstable; test with a secondary profile or machine.
  • If the flags are available, enable them to see the "Passwords and passkeys" sync option, but avoid using critical accounts until recovery flows are clarified.
  • Observe how passkeys are backed up and whether recovery codes or device backups are created.

For Everyday Users

  • Protect your Microsoft Account with strong MFA, ideally a hardware security key. If passkey sync is tied to that account, it becomes the anchor for all synced credentials.
  • Maintain backup sign-in methods on important accounts before removing passwords or modifying recovery settings.

For Enterprise Administrators

  • Audit identity governance: if your organization requires attested, hardware-bound keys, validate how synced passkeys interact with conditional access and attestation policies.
  • Plan pilots and incident-response procedures for lost or deprovisioned devices that hold synced passkeys.
  • Anticipate new Intune or Entra ID policies to manage passkey lifecycle and revocation.

Unanswered Technical Questions

Several critical details remain unclear from the Canary flags:

  • Key wrapping and storage: Where are the encrypted private keys stored, and how are wrapping keys managed? Does the TPM play a role in protecting the sync encryption keys, or does it rely solely on Microsoft Account credentials?
  • Attestation semantics: For enterprise uses that require hardware-backed attestation, will Edge's roaming preserve the ability to prove a key was generated in a secure enclave, or will synced keys degrade to software-level protections?
  • Recovery and revocation: Users need clear, auditable processes for recovering access if a device is lost and for revoking synced keys if an account is compromised. Current Canary builds don't yet expose these flows.

The Road Ahead

Microsoft's passkey strategy is unfolding on multiple fronts: the Windows 11 Hello redesign with third-party API support, and now Edge's own passkey provider capabilities. These Canary experiments are a strong signal that passkeys are moving from specialized developer tools to mainstream browser UX.

If the flags survive into Dev and Beta channels, and documentation emerges detailing the cryptographic model and recovery procedures, it will mark a major milestone for passwordless authentication on Windows. For now, Edge Canary testers have a unique preview of a future where passwords could become a relic, replaced by synced, phishing-resistant credentials managed directly in the browser.