--- url: 'https://www.corbado.com/blog/passkeys-incognito-mode' title: 'Do Passkeys Work in Incognito Mode?' description: 'Learn if and how passkeys / WebAuthn work in incognito or private browsing modes of Chrome, Safari, Edge, and Firefox.' lang: 'en' author: 'Vincent Delitz' date: '2024-07-22T13:30:44.233Z' lastModified: '2026-03-25T10:00:37.523Z' keywords: 'passkeys incognito mode, passkeys private mode, passkeys safari private mode, passkeys edge inprivate, passkeys firefox private mode, incognito mode, private mode' category: 'WebAuthn Know-How' --- # Do Passkeys Work in Incognito Mode? ## Key Facts - Passkeys work in incognito mode across most browsers and OS combinations. **Windows 10** with Chrome or Edge is the only exception, where platform authenticator creation fails in incognito. - From **Chrome 129**, the platform authenticator detection API returns true in incognito on Windows 10, but passkey creation still fails and users are directed toward hardware security keys instead. - **Cross-platform authenticators** like YubiKey work in Chrome and Edge incognito on Windows 10, even when Windows Hello platform authentication is unavailable. - On Windows 11 and Android, incognito mode triggers a **persistence warning** popup telling users their created passkey will be saved in the password manager beyond the private session. ## 1. Introduction More and more companies are implementing passkeys into their websites and apps. While doing so, many software developers and product managers question themselves **if passkeys work in in incognito or private browsing modes**, as this has major influence on the overall user experience. With this blog post, we try to answer the following questions: 1. **Do passkeys work in incognito / private browsing mode?** 2. **What is the behavior of passkey authentication in incognito / private mode in Chrome, Safari, Edge and Firefox?** This knowledge ensures a smooth user experience across different browsers and operating systems, positioning your application at the forefront of security and convenience. ## 2. Passkeys and Incognito Mode: An Overview Passkeys are essentially cryptographic keys used for authenticating users without the need for traditional passwords. They offer enhanced security by eliminating the risks associated with password theft and [phishing](https://www.corbado.com/glossary/phishing) attacks. Typically, passkeys are stored securely within the device, and their functionality remains consistent even in incognito or private modes for most operating systems apart from Windows 10 (see [below](#31-passkeys-on-windows-10-and-incognito-edge-inprivate-mode)), provided the device is passkey-ready. Incognito or private modes are commonly used to browse the internet without leaving a trace. This feature is valuable for users who prioritize privacy, and it's essential that authentication methods, such as passkeys, work seamlessly within these modes. In the history of WebAuthn development, however, there have been ongoing discussions and improvements as the behavior used to be quite confusing and inconsistent among operating systems and browser (see these old discussions and bug reports for reference [here](https://github.com/w3c/webauthn/issues/1465), [here](https://github.com/w3c/webauthn/issues/1174) and [here](https://issues.chromium.org/issues/40603881)). ## 3. Behavior of Passkeys in Different Browsers and Operating Systems Understanding the behavior of passkeys in various browsers and operating systems helps in ensuring compatibility and a smooth user experience. **Do passkeys work in incognito / private browsing mode?** | | **Windows 10** | **Windows 11** | **Android 14** | **iOS 17.5** | **macOS 14** | | ------- | -------------- | ---------------------- | -------------- | ------------ | ------------ | | Chrome | ❌ | ✅ (with extra screen) | ✅ | ✅ | ✅ | | Edge | ❌ | ✅ (with extra screen | ✅ | ✅ | ✅ | | Safari | n/a | n/a | n/a | ✅ | ✅ | | Firefox | ✅ | ✅ | ✅ | ✅ | ✅ | ### 3.1 Passkeys on Windows 10 and Chrome Incognito / Edge InPrivate Mode until Version 129 On Windows 10 (22H2), we discovered the only exception for passkeys not reliably working and got the two following screenshots when trying to use a [platform authenticator](https://www.corbado.com/glossary/platform-authenticator) (Windows Hello): ![passkeys windows 10 chrome incognito mode](https://www.corbado.com/website-assets/passkeys_windows_10_chrome_incognito_mode_48fb9e073e.png)_Chrome incognito mode passkey error message on Windows 10_ ![passkeys windows 10 edge inprivate mode](https://www.corbado.com/website-assets/passkeys_windows_10_edge_inprivate_mode_b36b8247c9.png)_Edge inPrivate mode passkey error message on Windows 10_ When we switched into the regular browsing mode, everything worked as expected, so the error message in the popup is misleading. Moreover, if we tried to use a cross-[platform authenticator](https://www.corbado.com/glossary/platform-authenticator) (e.g. hardware [security key](https://www.corbado.com/glossary/security-key), like [YubiKey](https://www.corbado.com/glossary/yubikey), or Cross-Device Authentication via [QR code](https://www.corbado.com/blog/qr-code-login-authentication) / Bluetooth) this worked. When digging further down into the issue and executing the following two commands in the browser console to determine if the [platform authenticator](https://www.corbado.com/glossary/platform-authenticator) (`PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()`) and [Conditional UI](https://www.corbado.com/glossary/conditional-ui) (`PublicKeyCredential.isConditionalMediationAvailable()`) was available, we made an interesting discovery: the first promise returned `false`, while the second one returned `true`, which didn’t make any sense, as platform [authenticators](https://www.corbado.com/glossary/authenticator) are required for [Conditional UI](https://www.corbado.com/glossary/conditional-ui) to work. ### 3.2 Passkeys on Windows 10 and Chrome Incognito / Edge InPrivate Mode (129+) Starting from Chrome 129 (and similarly in Edge, which is Chromium-based), `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` returns `true` even in Incognito / InPrivate mode on Windows 10. Previously, this was `false` in incognito. Despite now returning `true`, the platform authenticator remains unavailable for creating new passkeys, causing a broken user flow. Below is a table that shows the return values of `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` on Windows 10 in different Chrome/Edge versions and modes: | Browser/Version | Normal Mode (W10) | Incognito/Private Mode (W10) | Behavior in UI | | ------------------------- | ----------------- | ---------------------------- | ---------------------------------------------------------- | | Chrome ≤ 128 (pre-change) | true | false | No platform authenticator in Incognito | | Chrome ≥ 129 | true | **true** | Prompts for security key instead of platform authenticator | | Edge ≤ 128 (pre-change) | true | false | No platform authenticator in InPrivate | | Edge ≥ 129 | true | **true** | Prompts for security key instead of platform authenticator | **Observed Behavior:** - In Chrome/Edge Incognito on Windows 10, despite the promise returning `true`, the platform authenticator does not show up for [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices). - Users are instead prompted to add a [security key](https://www.corbado.com/glossary/security-key) (e.g., [YubiKey](https://www.corbado.com/glossary/yubikey)) - While [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) still work for [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices), this is not the expected flow when using platform [authenticators](https://www.corbado.com/glossary/authenticator) such as [Windows Hello](https://www.corbado.com/glossary/windows-hello). ![passkeys windows10 chrome incognito passkey create error](https://www.corbado.com/website-assets/passkeys_windows10_chrome_incognito_passkey_create_error_26dbb6deba.jpg) **Impact of Change:**\ This effectively breaks the flow for adding passkeys to the platform authenticator in Incognito/InPrivate mode. The adjustment in Chrome 129+ was primarily made to enable **login functionality** with passkeys in Incognito mode. Login flows use the same detection mechanism to check for passkey support (`PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()`), and this change ensures that logins can proceed smoothly. However, the unintended consequence is the broken experience for creating passkeys with the platform authenticator in private browsing modes. Further details about this change can be found in the [Chromium Source Code Review](https://chromium-review.googlesource.com/c/chromium/src/+/5791932) and the associated [issue tracker discussion](https://issues.chromium.org/issues/40918391). For websites aiming to provide optimal support for passkeys, detecting incognito mode is currently the only way to mitigate this issue. By identifying when a user is in Incognito/InPrivate mode on Windows 10 with Chrome/Edge, websites can preemptively avoid offering platform [authenticator](https://www.corbado.com/glossary/authenticator) options for [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices). ### 3.3 Passkeys on Windows 11 and Incognito / Edge InPrivate Mode When using [Windows Hello](https://www.corbado.com/glossary/windows-hello) as platform authenticator, a security pop-up appears during passkey creation in incognito mode (on Chrome) / inPrivate mode (on Edge), alerting users that the passkey will be stored and usable later in non-incognito mode (this behavior was tested on [Windows 11](https://www.corbado.com/blog/passkeys-windows-11) 22H2). Considering one of the use-cases of incognito mode, where a user wants to create an account without the trace of any information, this warning makes sense. ![passkeys windows 11 chrome incognito edge inprivate mode](https://www.corbado.com/website-assets/passkeys_windows_11_chrome_incognito_edge_inprivate_mode_71e06a9d1f.png) ### 3.4 Passkeys on Android and Chrome Incognito / Edge InPrivate Mode On [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android) and using the incognito mode (on Chrome) / inPrivate mode (on Edge), the behavior is similarly to [Windows 11](https://www.corbado.com/blog/passkeys-windows-11), as there is an informational popup shown that tells the user that the passkey will be saved in the [password manager](https://www.corbado.com/blog/passkeys-vs-password-managers) and anyone with access to the [password manager](https://www.corbado.com/blog/passkeys-vs-password-managers) will also have access to the passkey. ![passkeys android 14 chrome incognito edge inprivate mode](https://www.corbado.com/website-assets/passkeys_android_14_chrome_incognito_edge_inprivate_mode_c7f0cc5097.png) ## 4. Conclusion In summary, passkeys function reliably in incognito and private modes across major browsers and operating systems, with some specific exceptions on Windows 10 for creation of passkeys. By leveraging Corbado's solutions, developers can implement passkeys efficiently, and product managers can enhance user experiences without compromising on security. ## Frequently Asked Questions ### How do I handle passkey creation for users who are in Chrome or Edge incognito mode on Windows 10? Detecting incognito or InPrivate mode is currently the only mitigation available for this issue. By identifying when a user is browsing privately on Windows 10 with Chrome or Edge, websites can avoid offering platform authenticator options for passkey creation and prevent a broken user flow. ### What changed for passkeys in Chrome 129 incognito mode and why does it matter for my app? Chrome 129 changed how PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() behaves in incognito on Windows 10, switching the return value from false to true. The intent was to allow login flows to proceed smoothly, but passkey creation with Windows Hello still fails as an unintended side effect, incorrectly prompting users to add a hardware security key. ### Does Firefox private browsing mode support passkeys without any restrictions? Firefox supports passkeys in private mode across all tested platforms including Windows 10, Windows 11, Android, iOS 17.5 and macOS 14, with no exceptions noted in testing. Unlike Chrome and Edge on Windows 10, Firefox does not restrict platform authenticator availability in private browsing mode. ### Why does Chrome show a popup warning when I create a passkey in incognito mode on Android? On Android 14, Chrome and Edge display an informational popup in incognito mode because the created passkey is stored in the password manager and persists after the private session ends. The popup specifically notes that anyone with access to the password manager will also have access to the passkey.