Microsoft Edge Retires Master Password as Passkeys Hit 5 Billion
Microsoft's removal of Edge's master password after a disclosure fight exposes the uneven passwordless transition: 5 billion passkeys are in use, but enterprise adoption lags at 30%.
gizbot.com
On June 4, 2026, Microsoft retired the master password feature in its Edge browser, ending a decade-old defence that let users encrypt locally stored credentials behind a single additional passphrase. The change, first reported by MSN, shifts Edge to device-based authentication through Windows Hello and passkeys stored in the operating system's credential store. It is the kind of product decision that would normally merit a paragraph in a change log. It arrives, instead, at the end of a six-week disclosure fight that exposed a deeper fault line in how browser vendors think about credential security.
The sequence began on May 6, when Forbes reported that Microsoft had classified a password-security issue in Edge as working "by design." The flaw, detailed by Forbes security reporter Davey Winder, involved Edge loading cleartext passwords into browser process memory where they could be read by any local process with sufficient privilege. An attacker who had already gained code execution on a machine could extract every password Edge had stored, without needing the master password at all. Microsoft's initial response did not dispute the technical finding. The company declined to treat it as a security vulnerability.
Thirteen days later, on May 19, Microsoft reversed course. Winder reported the U-turn: Microsoft confirmed that a "defense-in-depth change" would ship to every supported version of Edge. The company did not reclassify the original finding as a vulnerability, and no CVE was issued. But the practical result was the same. The master password, already undermined by the cleartext-memory exposure, would be removed entirely. Its replacement would be the device's native unlock mechanism: a PIN, a fingerprint, a face. If an attacker could unlock the device, they could reach the passwords. If they could not, the browser offered no secondary gate.
"Microsoft has confirmed that a defense-in-depth change will come to every supported version of Edge." (Microsoft statement, as reported by Forbes, May 19, 2026)
The disclosure timeline is instructive not because it reveals anything unusual about Microsoft's vulnerability-handling process but because it lays bare a category problem that the industry has avoided naming directly. Browser password managers are not password managers. They were never designed to meet the threat model that a dedicated credential vault addresses: a compromised host. They exist to sync credentials across a user's own devices conveniently. Every major browser, Chrome and Firefox included, stores passwords in a format that a sufficiently privileged local process can read. The Edge episode was less a Microsoft failure than a concentrated instance of a systemic architecture choice that the entire passwordless transition is meant to render obsolete.
The transition has numbers behind it. On World Passkey Day, May 7, 2026, the FIDO Alliance released its State of Passkeys 2026 report, which found 90 percent consumer awareness of passkeys and 75 percent self-reported usage, with nearly half of respondents saying they use passkeys most of the time. The raw scale is striking: an estimated 5 billion passkeys are now in use worldwide, up from roughly 2 billion a year earlier. The technology has crossed from early adopter to majority behaviour in consumer markets faster than any authentication mechanism since the SMS one-time code.
The enterprise picture is different. The same FIDO Alliance report placed organisational adoption at 30 percent, a figure that has moved slowly over two years. The reasons are not mysterious. Deploying passkeys at scale requires changes to identity providers, directory services, device management policies, and account recovery workflows, each of which touches a team that can veto the project. A passkey is bound to a device or a platform account. When an employee leaves and their managed device is wiped, the passkeys on it are gone. That is the point. It is also the problem: account recovery for passkeys remains an unsolved operational question that every enterprise deployment must answer with bespoke policy.
The Next Web reported in March 2026 that 76 percent of organisations still rely on passwords as their primary authentication method, despite the accelerating availability of passkey infrastructure. The figure comes from a survey of IT decision-makers and captures something the FIDO Alliance's consumer numbers do not: the gap between what a platform supports and what an organisation deploys is measured in years, not quarters. A passkey created in a consumer Google account is technically the same primitive as one provisioned through Microsoft Entra ID. The policy, compliance, and recovery wrappers around them share almost nothing.
The WebAuthn standard that underpins passkeys is, at the protocol level, a genuine departure from the password model. A password is a shared secret transmitted to a server for verification; a passkey is an asymmetric key pair in which the private key never leaves the user's device. The server stores only a public key. Phishing, in the classical sense of credential harvesting through a lookalike login page, becomes irrelevant because there is no credential to harvest. The browser binds the authentication ceremony to the origin that requested it. An attacker who stands up a fake banking site cannot replay the resulting signature anywhere else.
What WebAuthn does not address is the pre-authentication attack surface. An attacker who can run code on the user's device can still access whatever the operating system exposes to a process running in the user's context, including unlocked credential stores. An attacker who can convince a user to approve a passkey ceremony on a malicious origin that passes a same-site check can still obtain a valid authentication assertion, though its utility is bounded by the scope of the assertion. These are not protocol failures. They are reminders that authentication security is bounded by endpoint security, and that no cryptographic primitive can compensate for a compromised host. The distinction between "an attacker could" and "an attacker did" matters here: the WebAuthn threat model assumes a clean endpoint, and the available incident data does not yet show passkey-specific exploitation at scale.
Microsoft's own trajectory reflects both the promise and the friction. In late April 2026, the company began rolling out Entra ID passkey support to unmanaged Windows devices, including personal and shared PCs, with full availability expected by mid-June. The expansion matters because it closes a gap that had kept passkeys confined to managed enterprise hardware. A contractor using a personal laptop can now authenticate to Entra ID-secured resources with a passkey stored in that device's TPM. The security properties are weaker than on a managed endpoint, but they are stronger than a password transmitted over the public internet. This is the kind of trade-off that enterprise identity teams spend quarters debating.
The credential-theft economy has adapted predictably. Stealer malware, the commodity infostealers sold on forums for a few hundred dollars a month, has added passkey-extraction modules incrementally over the past 18 months. The modules do not break the cryptography. They extract session tokens and, where the operating system permits, exported credential material from platform authenticators left in an unlocked state. An infostealer running on an unlocked Windows machine can harvest whatever the logged-in user can access. This is not a passkey vulnerability. It is the same attack that has worked against password stores, cookie jars, and session tokens for years, now applied to a new credential format. The countermeasure is the same as it has always been: endpoint detection, least-privilege access, and hardware-bound keys that resist software extraction.
The FIDO Alliance is looking beyond human authentication. On April 28, 2026, the consortium announced an initiative to develop standards for trusted AI agent interactions, extending its credential-exchange architecture to agentic systems that act on a user's behalf across services. The work is early, and no draft specification has been published. But the direction of travel is clear: if an AI agent is going to log into a user's bank, book their flights, and file their expenses, someone must define how that agent proves it is authorised and how its authority can be revoked. The credential primitives that FIDO has built for human authentication, asymmetric key pairs bound to an origin, are a natural starting point.
The Edge master password episode has a quiet postscript. Microsoft's documentation now directs users who want a secondary encryption layer for stored credentials to third-party password managers, which encrypt vaults with a key derived from a user-chosen passphrase before the ciphertext ever touches disk. NordVPN, which operates a password manager of its own, issued a press release on June 4 welcoming the Edge change and noting that dedicated credential managers had never relied on browser-based master-password schemes. The statement was self-serving. It was also correct. The function that Edge removed was a defence that a motivated local attacker could bypass. Removing it and replacing it with nothing but the device lock is less secure in one narrow sense, and more honest in every sense that matters.
The post-password landscape, as it stands in mid-2026, is best understood as two overlapping transitions moving at different speeds. The consumer transition, driven by Apple, Google, and Microsoft embedding passkey support into operating systems and browsers, is moving fast enough that a passwordless login is now a normal experience for most internet users in high-income markets. The enterprise transition is moving slowly because it is not really about authentication at all. It is about device trust, account recovery, vendor lock-in, and the organisational willingness to accept that a cryptographic key stored in a TPM is a stronger credential than a rotated password, even if it feels less controllable. The two transitions will converge. The date on which they do is not yet visible from the available data.