Solved Inconsistent security behavior with Windows 11 and passkey handling


AshForeth

Recently, on a Windows 11 Pro 24H2 machine, I kept getting a technical error from Firefox version 145 whenever I attempted to use hardware 2FA. This happened with every account that uses a YubiKey as a 2FA (non-discoverable). This did not happen if I used Edge. This also did not happen with a different Windows Pro machine with identical Firefox and Windows versions.

After a lot of debugging, I discovered the issue to be a setting in Settings -> Privacy & Security -> Passkey. Under "Let Apps create and use Passkey", a new entry for the site for each app was added. If you toggle the setting for the site/app to off, you can't use hardware 2FA. No prompt to press the YubiKey will appear and it will just fail with an error. What is weird is that this entry only appears on one machine but not the other. There is no GUI to add or remove the entry. In addition, no entry shows up for Edge on the same machine blocking Firefox. Edge is exempt for some reason.

On the machine with the passkey issue, the passkey setting looks like this:
Screenshot 2025-11-13 214640.webp

On the other machine, this is what the passkey settings look like; as you can see, there are no entries.
Screenshot 2025-11-14 071135.webp

I am puzzled by this inconsistency across different machines and different apps on the same machine. Is there some sort of setting that controls this? Why isn't Edge listed here but Firefox is?
 
Windows Build/Version
24H2

My Computers

System One System Two

  • OS
    Windows 11 24H2
    Computer type
    Laptop
    Manufacturer/Model
    ASUS ProArt P16
    CPU
    AMD Ryzen AI 9 HX 370 Processor 2.0GHz
    Motherboard
    N/A
    Memory
    64 Gb
    Graphics Card(s)
    NVIDIA® GeForce RTX 4070 Laptop GPU
    Sound Card
    N/A
    Monitor(s) Displays
    N/A
    Screen Resolution
    3840 x 2400
  • Operating System
    Windows 11 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    AMD Ryzen 5 5600
    Motherboard
    MSI MS-7C56
    Memory
    32 Gb
    Graphics card(s)
    AMD RX6600
Are you on the same build versions? Same patches? These could introduce those discrepancies.
 

Yes, I am on the same Windows 11 Pro 24H2 version. There may be a difference in minor patch level. The main difference is that one computer is older and was upgraded from Windows 10. The other was purchased this year. The new machine is the one having the issue. The new machine has different default settings out of the box. For example, it doesn't let me log in using my password. Apparently this is because it was preset to use Windows Hello only, a setting I wasn't aware of and probably wasn't in Windows 10.

I am thinking that this has to do with some sort of security setting and not because of a different version.
 

My guess is that this may be a side effect of the new third party passkey manager that Windows is adding in 25H2.


Yes, I am using 24H2, but the option appears to be available in settings. Maybe an unintended bug?
 

OK, I have identified the factor. If you install Firefox from the website using the installer, you do not get a prompt to add the program to the setting to allow passkeys. If you install Firefox from the Microsoft Store, you get a prompt when you attempt to use the 2FA to add Firefox to the list of programs that need to be permitted to use the passkey. I am curious to know why MS Store apps are handled differently. I might try a different browser to test out if this is specific to Firefox or all browsers.
 

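Editor's added example (not part of any post in this thread): a PowerShell check that reports whether a machine has the Microsoft Store (MSIX) build of Firefox, the installer-based build, or both, and which copy is currently running, since the last post identifies the install source as the deciding factor. The `*Firefox*` package-name wildcard and the `Mozilla Firefox*` display-name pattern are assumptions about how the two builds register themselves.

```powershell
# Added example: classify Firefox installs as Store (MSIX) or installer-based (Win32).
# Assumption: the Store build registers an Appx package whose name contains "Firefox".
$results = @()

# 1. Packaged (Microsoft Store / MSIX) installs for the current user
Get-AppxPackage -Name '*Firefox*' | ForEach-Object {
    $results += [pscustomobject]@{
        Source   = 'Store (MSIX), installed'
        Version  = $_.Version
        Location = $_.InstallLocation
    }
}

# 2. Installer-based installs register under the classic Uninstall keys
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Mozilla Firefox*' } |
    ForEach-Object {
        $results += [pscustomobject]@{
            Source   = 'Installer (Win32), installed'
            Version  = $_.DisplayVersion
            Location = $_.InstallLocation
        }
    }

# 3. Which copy is actually running: packaged apps execute from ...\WindowsApps\
Get-Process -Name firefox -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Sort-Object -Property Path -Unique |
    ForEach-Object {
        $kind = if ($_.Path -like '*\WindowsApps\*') { 'Store (MSIX)' } else { 'Installer (Win32)' }
        $results += [pscustomobject]@{
            Source   = "$kind, running"
            Version  = $_.FileVersion
            Location = $_.Path
        }
    }

if ($results.Count -eq 0) { 'No Firefox install or process found.' }
else { $results | Format-Table -AutoSize -Wrap }
```

Running this on both machines and comparing the `Source` column shows whether the machine with per-app passkey entries is the one running the Store build.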
