Microsoft Edge Drops Custom Primary Password, Forces Shift to Device Authentication
Microsoft removed the Custom Primary Password feature from its Edge browser on June 4, 2026, automatically migrating all opted-in users to device-based authentication.
The feature had allowed Edge users to set a browser-specific password — separate from their operating system login — to lock saved credentials before autofill could access them.
What Changes Now
Users who never enabled the feature will see no disruption, though Microsoft Password Manager settings will display a simplified layout.
Users who had the feature active will now need to authenticate through Windows Hello, macOS Touch ID, or their standard device sign-in password to view or autofill stored credentials.
Microsoft sent repeated in-product deprecation warnings over the preceding months before the June 4 cutoff.
Saved Passwords Remain Intact
The removal does not delete or alter any saved passwords or passkeys — it changes only the method used to unlock them.
Access to stored credentials is now tied directly to the operating system’s security infrastructure rather than a standalone browser password.
How to Confirm the New Setup
Users can verify their configuration by opening Edge and navigating to Settings > Passwords and autofill > Microsoft Password Manager, then selecting More settings.
From there, they should confirm the “Autofill passwords and passkeys” toggle is enabled and select the option to prompt for device sign-in credentials.
The Broader Shift
Microsoft’s move aligns Edge with a wider industry push toward passwordless, OS-level biometric security — a direction that major platform vendors including Apple and Google have pursued in recent years.
By anchoring credential access to Windows Hello or device biometrics, Microsoft Removes one independent authentication layer in exchange for tighter integration with hardware-level protections already built into modern devices.
Custom Primary Password launched as a niche but valued option for users who wanted a security boundary that existed entirely within the browser, independent of whatever method they used to log into their device.
