When I read the report about a hacking group called ByteToBreach claiming access to systems tied to Sweden’s BankID e-government platform, my first thought wasn’t “wow, hackers.” It was, “this is what happens when identity gets centralized, outsourced, and treated like a convenience feature.”
In plain terms, the attacker claimed a source code leak, grabbing things like source code, configuration files, and staff related data including personnummer, plus materials connected to electronic signing and identity verification. CGI (the vendor in the story) disputed the scope and said the incident involved limited test servers, not live systems. Sweden’s government also confirmed there was a leak, and the incident response team (CERT-SE) is investigating.
That push and pull matters, because the bigger lesson doesn’t depend on who wins the PR argument. The lesson is simple: biometrics don’t belong in government sized databases, or in contractor ecosystems that eventually feed them.
If a password leaks, I change it. If my face or fingerprints leak, I’m stuck with them.
This Story Really Tells Me About Digital Trust
Here’s the 8th grade version of what I took from the CGI Sweden story on digital identity. A big contractor that supports government digital services allegedly got hit, and data that helps run those services may have been exposed. Some sources describe it as e-government platform source code and related documentation. CGI says it was limited and isolated. Sweden says it’s real enough to investigate.
That’s not a niche problem. It’s the most normal kind of problem we have now: supply chain risk.
“Supply chain” in security doesn’t mean trucks and warehouses. It means trusted helpers. A vendor builds the platform. Another vendor hosts it. A third vendor manages logins and identity verification. A fourth handles electronic signatures. If one helper gets compromised, everyone downstream can feel it.
Reporting around this incident highlights the concern that even “just” source code and configs can be a roadmap for attackers later. If you want context on what was reportedly involved and how Sweden responded publicly, this summary is a decent starting point: Sweden probes reported leak of e-government platform source code.
And since BankID sits in the same neighborhood of digital trust governed by the eIDAS regulation, people naturally asked the scary question: “Was BankID breached?” Several writeups stress that BankID itself wasn’t directly attacked. Still, the ecosystem around identity matters because attackers don’t always punch the front door. They look for a side door.
Even If BankID Wasn’t Breached, The Ecosystem Still Got Weaker
A modern digital identity system is like a theme park wristband. You tap it at the gate, the ride, the snack bar, and the locker. That’s convenient for fraud prevention, until someone figures out how the wristbands are made, validated, or reset.
Even if the “main system” stays intact, leaked source code and configuration details can help attackers in three practical ways:
First, they can study how the platform is supposed to work, then look for mistakes that weren’t obvious before. Second, they can craft scams that sound real because they know the internal language, the file names, and the workflow for services like remote onboarding. Third, they can hunt for similar systems that were deployed with the same settings, because reuse happens everywhere.
Biometrics Aren’t Like Passwords, Once They Leak, You’re Stuck With Them
When people say “biometrics,” they usually mean biometric verification with face scans, fingerprints, and sometimes iris scans. The pitch is always the same: it’s quick, it’s easy, and it’s “more secure.”
Sometimes it is more secure, but only in a narrow sense. A fingerprint is harder to guess than “Password123.” That’s true. The trade is that your fingerprint is also not replaceable.
I’m fine using biometrics on my own device when they stay on my device, especially with multi-factor authentication. That’s one reason passkeys are interesting. With passkeys, your face or fingerprint acts as an unlock button for a cryptographic key stored locally. That’s very different from sending a reusable biometric token into a large system like Estonia e-ID. I broke that down in my post on passwordless passkeys using biometrics, and it’s a distinction I wish more policies made clearer, particularly for identity verification.
A national ID system that trends toward face matching raises the stakes. It turns “proof of you” into “a permanent identifier that might get copied, stolen, or repurposed.”
A password is a coat you can change. A biometric identifier is your skin. Treat them differently.
Why I Don’t Want My Biometrics Stored Or Normalized By Any Government Entity
I’m not anti-ID. I travel. I show my ID. I’m not trying to make an officer’s job harder.
My line is simpler: I don’t want my face to become the default ticket to move through public life via identity verification at checkpoints. Once we normalize digital identity programs like that, it spreads. It spreads because it’s “efficient,” because a vendor already has the cameras, because budgets are easier than policy debates, and because most people don’t want to argue at a checkpoint.
The problem is that government digital identity programs using biometrics tend to attract four forces that don’t care about my preferences:
Permanence. Biometrics don’t rotate like passwords, so any breach exposing personally identifiable information has a long tail.
Purpose creep. A system built “just for travel” starts showing up in other places, like mobile driver’s license apps. That’s not a conspiracy, it’s how budgets get justified.
Contractor sprawl. Even if the government writes good rules, it still relies on vendors, subcontractors, and integration partners. The Sweden story with agencies like Bolagsverket and Skatteverket is a reminder that the weakest link might not be the agency itself.
Chilling effects. When facial recognition with liveness detection becomes automatic, people change how they behave. It’s subtle, but real.
I also don’t accept “trust us” as a security plan. Agencies can promise deletion timelines and narrow use cases. Policies can also change. Leadership changes. Laws change. Contractors change. Meanwhile, the database keeps existing.
“Temporary” Programs Have a Habit of Becoming Permanent
The most common pattern I see is the “optional first” rollout.
It starts at a handful of locations. Then it expands. Then the signage gets vague. Then the staff gets trained to keep the line moving, not to explain choices. After a while, opting out feels like you’re asking for a favor.
Some traveler advocacy groups say that’s already happening with TSA airport face scans, mainly because people aren’t clearly told they can refuse. The Algorithmic Justice League has been collecting traveler experiences and pushing the message that you still have a choice. Their campaign page is here: You can opt out of TSA face scans.
Centralized Identity Plus Biometrics Raises the Stakes for Everyone
A single login for many services sounds great until you picture failure modes.
If identity is used for banking, benefits, healthcare portals, travel, and document signing, then one breach is no longer “just” one breach. It’s the key ring.
That’s also why vendor incidents bother me more than one-off hacks. When contractors build shared plumbing for many agencies, the blast radius grows. Even if the leaked system is “just a test environment,” people reuse patterns, code, and settings. Attackers know that.
So when I hear “it’s only for convenience,” I translate it to, “we’re building a reusable mechanism to identify you everywhere.” Convenience is real, but so is the risk.
I Opt Out at Airports and Customs, and You Can Too (In the US)
This is the section I wish someone had handed me years ago.
When a camera shows up at the TSA checkpoint and an agent gestures for me to look at it for facial recognition, I opt out. I do it politely. I do it every time. I do it even when I’m tired, because practice is the whole point.
Here’s what I’m trying to avoid: a world where facial recognition becomes the default, and opting out becomes suspicious behavior. I’d rather make opting out normal while it’s still allowed and relatively easy. This keeps me away from biometric verification altogether.
I also plan extra time. TSA manual lanes can take longer during rush periods. That’s not a punishment, it’s just reality when most people flow through the automated path, complete with liveness checks and QR code scanning for phone-based boarding passes.
And while this post focuses on the US, the principle travels well: you don’t have to hand over more identity data than the situation requires. An ID check is one thing. A reusable biometric record is another.
One extra travel tip while we’re here: airports are a perfect place for digital scams too. If you’re killing time on public Wi-Fi, read my guide on captive portal attacks on airport Wi-Fi. Identity and connectivity risks love the same crowded spaces.
What I Say, Word for Word, When They Ask for a Face Scan
I keep it short. I don’t debate. I don’t explain my politics. I just state a preference.
Here are the exact phrases I use:
“I’d like to opt out of biometric screening, please.”
“I prefer a manual ID check.”
If the agent asks “why,” I don’t take the bait. I just repeat the request. In most cases, the TSA process shifts to the standard manual identity verification, my physical ID, my boarding pass if needed, and the officer looking at my face like we’ve done for decades.
If They Pressure Me, Here’s How I Hold the Line Without Escalating
Pressure usually looks like speed, not threats. The line is moving, the agent sounds annoyed, and you feel like you’re holding everyone up. That’s the moment most people comply.
When that happens, I do three things:
I slow my voice down and stay calm. Tension feeds tension.
I repeat the same sentence. Short and boring wins: “I’d like to opt out and do a manual check.”
If needed, I ask for a supervisor. I keep it neutral: “Can you call a supervisor to help me with the TSA opt-out process?”
I don’t argue about facial recognition accuracy, bias, or policy at the podium. That’s not the time. The point is to complete travel and keep your boundary.
Opting out isn’t about causing a scene. It’s about refusing to make biometric collection the default.
The UK’s 2025 Digital ID Push Shows Resistance Works, and Opting Out Is a Form of It
People sometimes tell me, “It’s inevitable.” I don’t buy that.
A good counterexample is the UK’s 2025 digital identity push that heated up in 2025. The plan connected to GOV.UK services and the One Login program, and it triggered a familiar set of concerns: privacy, security, governance driven by KYC AML compliance, and what “optional” would really mean in practice.
The key point for me is this: public skepticism slowed things down. It forced consultation. It made officials explain limits instead of rushing a mandate.
As of March 2026, the UK government is still publishing consultation materials about digital identity, which signals this hasn’t become a simple, settled rollout focused on identity verification to make public services work for citizens. You can see that framing in their own words here: Making public services work with your digital identity.
### When Enough People Say “No,” Mandatory Plans Turn Into “Optional” Ones
Public pressure doesn’t always kill a proposal. Sometimes it reshapes it.
That reshaping matters. It can mean longer timelines, tighter rules on beneficial ownership and governance, clearer opt-outs, or stronger oversight. It can also mean a change in messaging, because the “we’re doing this for fraud prevention and to fight identity theft” pitch often lands badly. Governments then pivot to “convenience,” like digital wallets or initiatives such as Secure Start, because convenience is easier to sell.
In other words, resistance works even when you don’t get a dramatic headline, much like the challenges seen in large-scale biometric ID systems such as India’s Aadhaar program.
Opting out at airports is the same kind of resistance, just quieter. Every opt-out is a signal that people want an alternative lane that respects privacy.
My Goal Isn’t to Avoid ID Checks, It’s to Avoid Permanent Biometric Tracking
I want to be crystal clear: I’m not trying to evade identity checks. I’m trying to avoid turning my face into a reusable key that gets scanned, logged, stored, or shared beyond the moment.
The Sweden incident claim (and CGI’s response) is a reminder that even wealthy countries with mature infrastructure still deal with leaks and vendor risk. When those systems include biometric identifiers, the cost of failure isn’t just high. It’s personal.
So I draw a line where it counts: I’ll prove who I am, but I won’t help normalize biometric collection as the default.
Conclusion
The CGI Sweden leak claim involving BankID and e-government services is a warning about how messy digital identity ecosystems get when vendors, code, and electronic signature workflows stack up. Add biometrics to that mix, and every breach becomes harder to recover from, because you can’t replace your face like a password.
In the US, opting out of airport face scans is a real choice many travelers still have, so I use it. Next time you fly, try it politely, plan a little extra time, and tell one other person they can opt out too. If enough of us keep choosing privacy, “scan first” won’t quietly become the new normal.
These phishing scams use fake pop-ups that are getting better at acting like your computer is screaming for help. One minute you’re reading the news, the next you’re staring at a “virus detected” pop-up warning that feels way too real.
Here’s the bottom line: fake security alerts are built to rush you. They want a click, a call, or a payment before you slow down and think. In this guide, I’ll show you the tells I look for on Windows and macOS, plus what I do the moment one shows up (without turning it into a bigger mess).
What Fake Security Alerts Are Really Trying to Do
A legit security alert helps you make a safe choice. A scam alert tries to make the choice for you, right now, while you’re stressed, using scare tactics.
Most fake security alerts fall into a few buckets:
Browser pop-ups, such as fake antivirus alerts, that pretend to be Microsoft, Apple, or “your antivirus.”
Push notifications you accidentally allowed from a sketchy website.
Email or SMS warnings claiming your account was hacked or billed.
“Cleaner” apps that show scary results, then demand payment to “fix” them.
In March 2026, I’m still seeing the classic tech support pop-up scam where a page claims your PC is infected with scary-sounding malware names, then shows a phone number and tries to keep you trapped in the tab. Some even fake a “command prompt” style scan to look official. Guardio has a clear breakdown of the pattern and safe next steps in their write-up on the tech support pop-up scam warning signs.
These scams rely on social engineering, the psychological manipulation that powers such traps. If you want a simple definition to share with a parent or a coworker, Savi Security’s glossary entry on what a fake alert is nails the idea: it’s fear as a user interface.
A real alert gives you options. A fake warning gives you urgency.
Common Signs of Fake Antivirus Alerts on Windows
Windows is the most impersonated target, mostly because the “Microsoft support” storyline still works on a lot of people.
Here’s what makes me label a Windows warning as fake warnings fast:
First, it’s inside the browser. The page may go full-screen with a system scan animation, flash, beep, or block right-click. That’s theater. Microsoft Defender does not need a random webpage to do its job.
Next, I watch for the “call now” move. Any pop-up that includes a tech support number for “Windows Support” is almost always a scam.
Also, the language gives it away. Scam alerts love phrases like “your computer is blocked” or “network breach detected,” plus countdown timers. Real Windows security messages tend to be calmer, and they don’t threaten you like a movie villain.
Finally, pay attention to what it asks you to do. A scam often pushes one of these actions:
Call a number.
Download a “security tool.”
Allow notifications.
Pay to remove threats.
If you want a deeper scam-adjacent example, fake alerts often show up on hostile Wi-Fi too, when a bad network injects junk pages from malicious websites or redirects through suspicious links. That overlaps with the same instincts I use to spot fake Wi-Fi login pages when I’m traveling.
Red Flags on macOS That I Don’t Ignore
Mac users get hit with fake security alerts too, just packaged differently. These fake antivirus alerts usually pretend your Mac has a “virus infection” and your “Apple security” subscription is expiring, then it pushes you to call or pay.
Here are the macOS tells I rely on:
A big one is the wrong app source. If the pop-up warnings appear in Safari or Chrome, it’s not a macOS system alert. It’s a website doing impressions.
Another clue is the “virus found” notification that wants money fast. macOS does have built-in protections, but it doesn’t pop up and demand $5.99 to save you.
I also look for weird wording and generic branding. Scam pages mix “Apple,” “iCloud,” and “MacOS” in ways Apple never does. They aim to steal your personal information and may also claim your “IP has been hacked,” which is a phrase that sounds technical but means nothing useful.
If you want to see how common this panic is, there’s a very real thread on the Apple forums where a user asks about recognising fake virus notifications on a MacBook. The details change, but the emotion stays the same: fear, urgency, and a payment prompt.
What I Do Right Away When a Fake Alert Pops Up
Panic makes people click. My goal is to break the spell and get back in control.
Here’s my routine, in order, because order matters:
Don’t click inside the alert. Not “OK,” not “Cancel,” not the phone number.
Force-close the browser/app. On Windows, I use Task Manager. On macOS, I use Force Quit.
Reopen the browser while holding safe habits. If the same tab tries to restore, I refuse it. I start a fresh session instead.
Check for notification permission abuse. If a site can send notifications, I remove it right away in browser settings, and I verify that the pop-up blocker is enabled.
Run a real scan. On Windows, I use security software like Microsoft Defender. On macOS, I check Applications and browser extensions for anything I didn’t install.
If the alert wants you to call someone, it’s almost never real support. It’s a trap door.
If I Already Clicked or Called, I Switch to Damage Control
If you clicked a download, entered personal information like a password, or called the number, don’t spiral. Act like you spilled something on the keyboard: stop the spread, then clean up.
If you gave remote access (ScreenConnect, AnyDesk, TeamViewer, “Quick Assist”), disconnect from the internet first. Then remove the remote tool, reboot, and change passwords from a different device you trust.
If money or financial information got involved, treat it like fraud, because it is. The next steps overlap with my general advice on how to avoid online money scams, including calling your bank and disputing charges fast.
Security Hero also documents how these pop-ups work and why calling is where the real damage starts in their guide on tech support scams.
How I Prevent Fake Security Alerts From Coming Back
Once you’ve seen one scam pop-up, you start noticing how often the web tries to “ask permission” for stuff it doesn’t need.
I start with browser housekeeping through smart browser settings. I clear suspicious site data, remove extensions I don’t recognize, stay on top of software updates, and shut down notification permissions for anything that isn’t a site I trust.
Next, I make my logins harder to steal. A lot of these scams don’t need malware at all; they just target credential theft and account hijacking, which can lead to full identity theft. That’s why I’m a fan of passkeys, because they’re tough to use on look-alike sites, and I follow up with multi-factor authentication plus email authentication for extra protection. If you want the practical version, I put it all in my guide to phishing-resistant passkeys explained.
Finally, I teach one simple rule at home: if a screen claims “call now” or “pay now,” you stop and ask a human you trust. Scammers hate speed bumps. Even a 30-second pause ruins their plan. These habits build lasting digital safety.
Conclusion
Fake pop-ups work because they feel urgent, not because they’re smart. When I spot fake security alerts, I focus on the source (browser vs system), the ask (call, pay, download), and the tone (threats and timers) typical of fake warnings. If you take one habit from this, make it this: close the app safely and verify using real tools, not the scary window in front of you. The next time your screen “yells,” you’ll know how to tell if it’s a real smoke alarm or a phishing scams sound effect.
OpenClaw (formerly Clawbot and Moltbot) keeps popping up in my DMs. Friends, family, parents in my neighborhood, and security folks I work with all ask the same thing: “Is it safe to run an AI assistant that can actually do stuff?” Here’s my honest take on OpenClaw security and secure deployment: OpenClaw is impressive because it is an autonomous AI agent that turns a chat message into real actions. But anything that can touch files, browsers, and commands deserves grown-up security. “Convenience is great until it becomes an open door”.
So in this post, I’m going to share how I test OpenClaw in a way that keeps it off the public internet. I’m also going to explain why I personally like Twingate for this, because it lets me keep ports closed while still getting secure remote access.
What OpenClaw Is Great At, And Why That Also Makes It Risky
OpenClaw is a self-hosted AI agent. In plain English, that means it’s a “do-er,” not just a “talker.” You chat with it in an app, and it can run skills that perform real tasks, like updating files, calling APIs, or automating a browser session.
When I say “agent,” I mean software that can take a goal, plan steps, and then act. When I say “skills,” I mean plug-in abilities you enable, like file access or shell commands. If you want a deeper, plain-language rundown of what agents are and why they matter, I wrote AI Agents Explained for 2025 Workflows.
That power is also the risk, especially when considering OpenClaw security and secure deployment.
If OpenClaw can run tools, then a bad prompt, a poisoned skill, or a stolen key can turn “helpful assistant” into “tiny intern with admin access and no fear.” The most common threats aren’t sci-fi. They’re the same boring problems we’ve always had, just with better automation and added runtime risk:
Prompt injection: Trick the agent into ignoring your rules and doing something unsafe via untrusted input.
Prompt injection through authentication bypass: An attacker crafts input to override safeguards and access restricted actions.
Stolen API keys: If someone gets your model tokens, they can burn money or pull data.
Unvetted skills: A skill can be buggy, over-permissioned, or flat-out malicious, enabling remote code execution or data exfiltration.
Accidental exposure: One port-forward, one rushed firewall rule, and you have exposed instances vulnerable on the internet.
My rule: treat OpenClaw like shadow AI that can touch real systems in your home network, because it can. Testing safely beats being fearless.
The Two Ways People Get Burned: Public Exposure And Over-Permissioned Tools
Most “I got wrecked” stories fall into two buckets.
First, public exposure. Someone opens an inbound port for convenience. Maybe it’s SSH, a dashboard, or the OpenClaw gateway itself. The thought process is always the same: “It’s just for a day.” Then life happens, the port stays open, and scanners find it.
Second, over-permissioned tools. People enable the scary skills because they’re fun. Shell access, full disk read and write, browser control, and broad network reach. Then they install a skill they didn’t review, or they paste something into chat that the agent interprets in a surprising way.
Here’s the cause and effect in one sentence: the internet will eventually talk to your agent, and your agent will eventually do what it’s allowed to do.
If you want to see how the broader community is thinking about hardening, I’ve skimmed a few guides, and the most practical one I’ve seen is OpenClaw hardening steps. I don’t agree with every choice, but the defensive mindset is right.
My “Safe Sandbox” Setup For Playing With OpenClaw
When I test OpenClaw (or, for that matter, any new tool), I focus on security and secure deployment. I build in a sandbox mode that assumes something will go wrong. Not because I’m pessimistic, but because it’s cheaper than cleaning up later.
My baseline looks like this:
I run OpenClaw on a spare machine, a VM, or a container. I keep it away from my personal laptop files, family photos, password vault exports, and work credentials. “If I wouldn’t hand it to a stranger at a coffee shop, I don’t mount it into the agent environment”. This setup works well for ecosystem components like OpenClaw.
Next, I keep the OpenClaw gateway bound to localhost. That’s a big one. Localhost means it only listens to itself, not your whole network, and definitely not the internet. If a service must be reachable, I want it reachable through an access layer, not by opening a port and hoping for the best.
I also keep persistent memory and logs locally while I’m learning. I don’t push agent logs into random cloud dashboards on day one. Logs can contain prompts, tokens, filenames, and other “oops” data you did not mean to share.
Containment First: VM Or Container, Limited File Access, And No “God Mode” Accounts
Containment is me asking, “If OpenClaw gets tricked, what’s the blast radius?”
So I start with virtual machine isolation or a container and a dedicated non-admin user. I avoid running anything as root unless I have a clear reason. For file access, I prefer narrow mounts. If the agent needs a folder, it gets one folder, not my whole home directory.
I also keep risky tools disabled at first. Shell execution, shell commands, broad file search, and browser automation are powerful, but they’re also easy to misuse. I turn them on only when I need them, and I turn them back off when I’m done testing that feature.
Gotcha: the “cool demo” permissions are almost never the “safe default” permissions.
Credential Hygiene: API Keys, Tokens, And Skill Review Without Paranoia
Secrets are where most lab setups get sloppy.
I don’t hardcode API keys, SSH keys, or OAuth credentials in plain-text files next to the app. Instead, I use environment variables, or a secrets manager if the setup warrants it. I also keep separate keys for lab vs production. That way, if my test box gets popped, the attacker doesn’t inherit my real-world access.
Rotation matters too. If I’ve been experimenting for a week and sharing screenshots, I assume a key might have leaked. Then I rotate it and move on.
Skills get a quick review with the Skill Scanner (https://clawned.io/), especially those pulled from ClawHub. I’m not doing a full code audit every time, but I do skim for obvious red flags: surprise network calls, broad file permissions, and anything that shells out without guardrails. Info-stealers love config folders, so I treat that directory like it’s sensitive.
For a more “setup-focused” angle (especially if you’re still learning the moving parts), this OpenClaw setup guide is useful background reading.
How I Secure Remote Access With Twingate, So I Don’t Need Public Ports Or A VPN
At some point, you’ll want to use OpenClaw when you’re not at home. That’s where people get tempted to punch a hole in the firewall.
I don’t do that!
Instead, I use Twingate (https://www.twingate.com/) as my preferred way to reach internal resources without exposing them, ensuring OpenClaw security and secure deployment. The core idea is simple: authenticate and authorize every connection, and keep the private service private. From my perspective, the big win is no inbound firewall rules. The connector makes outbound connections, providing network isolation so I’m not publishing a new target to the world.
This is also why I don’t start with a traditional VPN like ExpressVPN for this use case. VPNs can be fine, but they often feel like giving someone a wristband for the whole venue. For a more general comparison, I’ve got thoughts on that in best VPNs for secure remote access, but my OpenClaw stance is tighter access, smaller blast radius.
The Simple Mental Model:Localhost Gateway, Outbound Connector, And Policy-Based Access
I think about it like a locked door with a guest list.
OpenClaw stays on localhost with gateway binding (for example, 127.0.0.1:18789, but use whatever your OpenClaw config sets.) A Twingate Connector sits inside my network and phones out. My devices use the Twingate Client, and I only allow access to the specific resource and port I choose, leveraging this gateway binding for secure localhost exposure.
In Twingate terms, I’m working with a few building blocks:
Connector: The piece that lives in my network and creates outbound connectivity.
Client: The app on my phone or laptop that proves it’s me.
Resources: The internal things I want to reach, like the OpenClaw gateway that implements the Model Context Protocol for agent communication.
Policies: The guest list, which says who can access what, and under what conditions.
Because nothing has to listen on the public internet, scanning bots can’t even knock.
The Policies I Use: Groups, MFA For Anything Serious, And Logging I Actually Review
Policies are where the safety really shows up.
I assign access by group instead of building one-off exceptions, effectively creating an allow-list. For anything tied to sensitive data, I require MFA. If OpenClaw is allowed to touch even mildly important systems, MFA is non-negotiable. Even with this setup, remote access doesn’t solve issues with untrusted input.
Then I turn on logging and actually look at it. I’m not staring at dashboards all day, but I do check for weird access patterns, like odd hours, unknown devices, or repeated connection attempts that don’t match my habits. I also monitor Connector health, because availability signals can double as security signals. If the Connector flaps, I want to know why.
If I’m going to run an AI agent, I want receipts!
Conclusion
OpenClaw is a powerful autonomous AI agent, which is why I treat it as a tool that can interact with real systems. My three guardrails stay the same: isolate the environment, minimize permissions and credentials to prevent risks like credential dumping, and avoid public exposure by using Zero Trust access (Twingate is my go-to for that).
This guide on OpenClaw security and secure deployment emphasizes starting small, keeping risky skills off at first, and proving your setup is safe before you expand it. If you’re running OpenClaw already, I’d love to hear what you’re using it for, and what part you want to lock down next.
If passwords feel like house keys you’ve copied a hundred times and tossed into a dozen junk drawers, you’re not imagining it. Passwords get reused, guessed, phished, and leaked, then we all get stuck playing the reset game at 2 a.m.
That’s why passwordless passkeys are such a big deal, marking the transition to a modern login standard. They let me sign in using my device (and biometric authentication with my face, finger, or PIN) instead of typing a secret string that can be stolen. Better yet, passkeys are now a first-class login option for Google, Apple, and Microsoft accounts as of March 2026.
In this post, I’ll explain what passkeys are, how they work, and what setup really looks like across the big three. I’ll also cover the parts that can surprise you, like recovery and shared devices.
What Passwordless Passkeys Are and Why They Beat Passwords
A passkey is a login credential built on public-key cryptography from the FIDO Alliance (often described under the FIDO2 and WebAuthn standards). That sounds intense, but the day-to-day experience is simple: you choose a passkey at sign-in, your device asks for Face ID, Touch ID, fingerprint, or a device PIN, then you’re in.
Here’s the key idea: a passkey can’t be “typed” into a fake site. With passwords, a phishing page just needs to look convincing long enough for you to hand over the goods. With passkeys, the sign-in is tied to the real site’s domain, so the fake page can’t trick your device into completing the login the same way, making passkeys phishing resistant.
Also, your biometric data isn’t getting shipped off to Google or Apple or Microsoft. Your face or fingerprint is just the “unlock button” for a cryptographic key stored on your device. The site never receives your fingerprint. It receives proof that your device has the right key.
So why are passkeys showing up everywhere now? Because they reduce two ugly problems at once:
Phishing gets much harder because there’s no password to steal and replay.
Credential leaks hurt less because servers store public keys, not reusable secrets (passkeys also thwart credential stuffing attacks that automate mass logins with stolen credentials).
Passwords aren’t dead yet, but passkeys are finally practical for normal people, not just security nerds.
How Passkeys Work When I Tap “Sign In” (No Math Required)
When I create a passkey for an account, my device generates a pair of keys:
A public key that the service can store.
A private key that stays on my device (or in my device’s synced credential manager).
During login, the site sends a challenge. My device signs it using the private key, after I complete user verification to unlock that key with Face ID, Touch ID, a fingerprint scan, or by entering my screen lock PIN. This is asymmetric cryptography at work. The site checks the signature with the public key it already has. If it matches, I’m authenticated.
That’s it. No shared secrets. Nothing reusable for an attacker to copy-paste later.
I explain it to families like this: a password is like telling the bouncer a phrase. A passkey is like showing up with a tamper-proof badge that only works at the right door, in the right building. A scammer can copy your phrase. That same scammer can’t copy your badge from across the street.
One more detail that matters: passkeys often sync. That’s why they feel “magical” after you set them up on one device. Apple syncs them through iCloud Keychain (now surfaced in the Passwords app). Google syncs them through Google Password Manager. Microsoft can store and use them through Windows Hello and the Microsoft Authenticator app, depending on platform and account type.
If you remember one thing, make it this: passkeys protect you from the “I typed my password into a perfect fake” problem, because the login is bound to the real site.
Passkeys on Google, Apple, and Microsoft Accounts (What Setup Looks Like in 2026)
The good news is that Google, Apple, and Microsoft all support passkeys broadly now. The “gotcha” is that each one stores and syncs them a bit differently, so the experience depends on what devices you actually use.
Before I get into each provider, this is the basic flow I see most often:
I sign in normally once (or confirm it’s me).
The account prompts me to create a passkey.
My device asks for Face ID, Touch ID, fingerprint, or device PIN.
Next time, I pick passkey and confirm with biometrics.
Google Passkeys (Google Account and Gmail)
As of early 2026, Google passkeys work on Android 9+, ChromeOS 109+, and on Apple devices when you use Chrome. They save to Google Password Manager, which can sync across your signed-in devices.
In practice, I’ll create a passkey from my Google account security settings or when Google prompts me during sign-in. After that, the login is usually: enter my email address, then approve with my phone’s fingerprint or face unlock. On laptops, it often hands off to my phone or uses a local method if supported.
Where Google shines is friction. If you’re already living inside Android and Chrome, passkeys can feel like the default fast path.
Where people trip up is mixed-device life. If your day is “Windows laptop at work, iPhone at home,” you’ll still get passkeys working (with a QR code for cross-device sign-in on non-Android hardware), but you may see more QR handoffs and device prompts.
Apple supports passkeys on iOS 16+ and macOS Ventura+. They’re stored in Apple’s credential system and show up in the Passwords app, syncing through iCloud Keychain (end-to-end encrypted, assuming you use it).
For most people, Apple makes passkeys feel invisible. I’ll be on Safari, I’ll tap “Continue with passkey,” Face ID pops, and I’m done. On Mac, Touch ID and the system login prompt handle it.
The best part is consistency. The same Face ID you already trust for unlock and Apple Pay becomes the approval for sign-in. That’s comforting for parents and non-technical users because it feels familiar.
The main limitation is the same one Apple always has: you’ll get the smoothest ride inside the Apple ecosystem. If you bounce between Apple hardware and non-Apple devices, you can still use passkeys, but the handoff steps matter more.
Microsoft Passkeys (Microsoft Account, Windows Hello, Authenticator)
Microsoft supports passkeys on Windows 10+ (and Windows 11), plus mobile support through Microsoft Authenticator on iOS 17+ and Android 14+ in common setups. On Windows, Windows Hello becomes the star of the show (face, fingerprint, or PIN).
In real life, this means I can sign into my Microsoft account and approve with Windows Hello, without ever typing a password again on that device. On mobile, I may create and use these digital credentials through Authenticator, which is also handy when I’m signing into Microsoft services on another device.
Microsoft’s world has two flavors: personal Microsoft accounts and work or school accounts tied to Microsoft Entra ID. FIDO2-based passkeys are showing up in both, but your organization can set rules. If you’re a security pro reading this, that policy angle is where your rollout plan lives or dies.
If you want a quick comparison mindset for whether passkeys replace passwords outright or sit beside them for a while, this guide on passkeys vs passwords and what changes summarizes the tradeoffs clearly.
The Stuff People Don’t Tell You: Account Recovery, Backups, and Shared Devices
Passkeys feel like magic right up until the day you lose your phone, break your laptop, or need to sign in on a borrowed device. Then you find out whether you planned the account recovery “what if” part.
Here’s how I keep it sane.
First, I treat passkeys as the primary login, not the only login. Most services still keep passwords as a fallback, and that’s fine. It’s like having a spare key in a lockbox. I just don’t want that spare key to be my daily routine.
Second, I keep strong account recovery options. That usually means up-to-date recovery email and phone, plus more than one trusted device where possible. For high-security accounts, device-bound passkeys or physical security keys add an extra layer since they don’t sync across devices. If you only have one device that can approve logins, you’ve built a single point of failure.
Third, I think hard about shared devices. A family iPad, a classroom Mac, a lab PC, these can get messy because the passkey is protected by whoever can unlock the device. If your kid knows the tablet PIN, they may also be able to authenticate you in some contexts. That’s not always a disaster, but it’s something to decide on purpose.
This is also where classic multi-factor authentication guidance still matters. Passkeys reduce phishing risk, but I still want layered protection for important accounts, especially when recovery paths get involved. If you need a refresher, I’ve got a straight talk version of two-factor authentication basics that explains why extra factors still help.
One more “real world” warning: public Wi-Fi login pages are a favorite trap for credential theft. If a hotel portal ever asks for your Google, Apple, or Microsoft password, I treat that as a giant red flag. Passkeys help here because you’re less likely to type anything secret into a fake page, but you still need to recognize the setup. My deeper breakdown on spotting fake Wi-Fi login pages is worth a quick read if you travel.
Passkeys reduce risk, but recovery settings decide how bad a bad day becomes.
How I Recommend Switching to Passkeys Without Breaking Your Life
I like passkeys, and I’m using them more every month as part of the broader shift to passwordless authentication. Still, I don’t treat this like a switch I flip once and forget. I treat it like upgrading the locks on my house while I’m still living in it.
My practical approach looks like this:
I start with my most abused accounts: email and cloud identity. That’s Google, Apple ID, and Microsoft. Those accounts often reset everything else, so they deserve the strongest login with passkeys.
Next, I set passkeys on at least two devices when I can, using CTAP so they communicate securely to complete a login. For example, phone plus laptop, or phone plus tablet. That way, a lost phone isn’t an automatic crisis.
After that, I clean up my password habits instead of pretending passwords are gone. A password manager still matters for the many sites that don’t support passkeys yet. Also, I keep unique passwords for the services that remain password-based.
Finally, I keep 2FA enabled where it makes sense, especially on social accounts that get targeted for takeovers. If you want a quick walk-through for the apps families actually use, this guide to set up 2FA on social media is a solid weekend project.
For the “are we really near the end of passwords?” angle, I like this perspective on the rise of passwordless authentication in 2026. It matches my take: passkeys are the direction, but the transition to passwordless authentication is uneven.
Conclusion
Passwords had a long run, but passwordless passkeys are the first replacement that feels both safer and easier. Google, Apple, and Microsoft now support them widely, so you can use face recognition, a fingerprint sensor, or device PIN to sign in without handing attackers something reusable. My advice is simple: enable passkeys for your core accounts, set up recovery like you mean it, and keep a password manager for the rest. If you do that, you’ll spend a lot less time resetting logins, and a lot more time actually using your tech.
Is Now The Time to Move From Windows to Linux After KB5074109?
2 weeks ago, my PC started acting like a moody toaster. I didn’t think it would turn into a whole operating system crisis. Then the Windows 11 update KB5074109 landed (released January 13, 2026), and suddenly “normal computer stuff” became a rotating cast of boot failures, apps freezing, and sleep mode doing its best impression of a coma.
I’m not new to troubleshooting, but even I hit that point where you stare at the screen and think, why is the thing I pay time and attention to the one demanding more of both? If you’re tired of Windows on Windows 10 or 11, you’re not alone, and if you’ve been side-eyeing a switch from Windows to Linux, that’s not a weird impulse anymore in 2026. It’s a reasonable question.
I’m focusing on Nobara and Pop!_OS because they’re friendly Linux distributions for normal humans but serious enough for gamers and power users who want to embrace open-source software. And if you want the messy, real timeline, receipts, and all, my full journey is in this shared chat: my Linux switch journal. Here, I’m going to summarize the key steps and lessons without assuming you speak fluent terminal.
What KB5074109 Broke, And Why It’s Making Me Rethink My Relationship with Windows
An update gone wrong can turn a normal work setup into a recovery-mode afternoon, created with AI.
KB5074109 wasn’t “just another Patch Tuesday” for a lot of people. The problem wasn’t only that things broke; it was that the breakage hit basics: booting, stability, and everyday apps. Microsoft did ship out-of-band fixes after the fact for some symptoms (more on that below), but the main damage was trust. When an update can brick the start of your day, you stop treating system updates like routine maintenance and start treating them like Russian roulette with your calendar.
From what I’ve seen in reports and user threads, KB5074109 issues have been persistent on certain Windows 11 builds and configurations, often in environments where a prior update had already left the system in a fragile state. If you want a quick, readable overview of the boot failures tied to this update, NotebookCheck’s summary is a solid starting point: KB5074109 boot failure reports.
Here’s the thing that matters for families and for work: forced updates plus a big blast radius equals risk. When a patch can take out email, cloud files, or booting, the cost isn’t “tech annoyance.” It’s missed school assignments, missed meetings, and a weekend eaten by recovery screens.
The Real-World Problems People Faced After Installing It
The stories were painfully consistent and, honestly, too relatable.
Some people hit boot failures with black screens and errors like “UNMOUNTABLE_BOOT_VOLUME.” That’s not a “reboot and try again” kind of day. That’s a “find another computer and start making a recovery USB” kind of day.
Others ran into Outlook problems, especially with POP and PST files. A common flavor was Outlook freezing or crashing when dealing with mail storage, and it got worse when cloud storage entered the chat. Picture this: Outlook locks up while saving an attachment to OneDrive, and now your “quick email” becomes a troubleshooting session. Windows Latest tracked a pile of these symptoms in one place, including Outlook and freeze issues: KB5074109 reported problems.
Then there were the oddball-but-real issues: Notepad or Snipping Tool refusing to launch, sleep mode failing (S3 sleep issues on some older systems), restart loops, Task Manager acting weird, and even reports of hardware compatibility problems with legacy drivers (like older modem drivers) breaking.
And yes, I saw reports of NVIDIA users hitting black screens. If that’s your world, Pureinfotech documented a set of symptoms and workarounds worth skimming: NVIDIA black screen fix notes.
What I Learned: It’s Not Just One Bad Patch, It’s The Lack of Control
Even when Microsoft fixes a chunk of it, the core lesson sticks: with this proprietary software, I don’t control the timing, and I don’t control the risk. That’s the part that wears people down.
Sure, there are mitigation steps. Uninstall the update, use System Restore, boot into Windows Recovery Environment (WinRE), roll back, pause updates, and repeat. Microsoft’s own user threads show how common “black screen after update” has become as a category of pain: Microsoft Q&A on KB5074109 black screens.
But ask a non-tech parent to do that while the family laptop won’t boot, and you’ll see why this is stressful. It’s not that people can’t learn (even if Windows errors feel more daunting than typing commands in a Linux terminal); it’s that they shouldn’t have to learn disaster recovery because they clicked “Restart now.”
This whole mess also re-lit the privacy conversation for me. When you’re already frustrated, it’s hard to ignore how much telemetry and account tie-in is baked into the experience. I wrote more about that angle here: Microsoft update privacy concerns.
How I’m Deciding If Linux Is Right for Me (And How You Can Decide Too)
My goal isn’t to “switch operating systems.” My goal is to stop wasting time on chaos I didn’t choose. So I built a simple decision framework I can actually live with, and you can steal it.
First, I’m getting honest about what I truly need, versus what I’m just used to. If the only reason I keep Windows is muscle memory, that’s not a good reason. If the reason is a must-have app for work, that’s a very good reason.
Second, I’m measuring my tolerance for troubleshooting. Linux in 2026 is dramatically easier than it used to be, but it’s still not magical. If you want something that behaves like a locked-down appliance, you can test a Linux distribution in VirtualBox first, but you’ll still need a little curiosity.
Third, I’m looking at hardware support like it’s a deal negotiation, especially since the hardware requirements for Wi-Fi, Bluetooth, sleep/wake, GPU drivers, multi-monitor setups, and printers are where “perfect on paper” becomes “why is this button greyed out?”
Finally, I’m weighing security and privacy goals. Not in a tinfoil hat way. In a “who’s in charge of my device” way.
My Deal Breakers: Apps, Files, And Workflows I Can’t Lose
I started with an inventory. Not a fancy spreadsheet, just a real list of what I open every week. You can quickly get one by using this command line command from a PowerShell prompt:
I then fed all of the text files that these commands created into Claude (you could use ChatGPT if you want), which told me which drivers or apps would be an issue.
For many people, the big rocks are Microsoft Office and Outlook. If your life lives inside Outlook desktop with PST/OST files, you need to test carefully. The Office web apps in Microsoft 365 help a lot, and LibreOffice provides a solid local alternative for managing documents. Many work portals are browser-first now, which makes switching easier than it was a few years ago.
I also checked my “adulting apps”: password manager, VPN, backup tool, printer/scanner utilities, and anything tied to school or work identity logins. On the password side, I’m a fan of keeping it simple and consistent across devices, and a password manager is non-negotiable for me. If you need a push on that, here’s why I treat it as basic hygiene: why a password manager is essential.
The file format question matters too. DOCX is usually fine. Photos are usually fine. PST files can be… spicy. CloudSync services, like OneDrive or Dropbox, also change the risk. If your plan is “I’ll move later,” you’ll end up moving during a crisis. Testing is the calm way.
Gaming and Creator Stuff: Where Linux Is Great Now, And Where It Still Hurts
Linuxux gaming is legit now, mostly because Steam’s Proton makes a lot of Windows games run well. But I’m not going to sugarcoat the pain points.
Anti-cheat can still block some titles, and certain launchers can be stubborn. VR support can be hit or miss depending on your hardware and the games you play. Streaming setups can be great (OBS is strong on Linux), but you’ll want to validate capture devices, audio routing, and GPU encoding.
My rule is simple: test your top 5 games and your top 3 creator tools before you commit. If you don’t test, you’re not “switching,” you’re gambling.
Security, Privacy, And Family Use: The Quiet Reasons Linux Is Getting Popular
Linux doesn’t make you invincible. You still need updates, strong passwords, and backups. You can still install something sketchy and ruin your day.
But Linux does change the default relationship. I get more control over when updates happen, what gets installed, and how noisy the system is. Less nagging. Fewer ads baked into the OS experience. Fewer “helpful suggestions” that feel like sales.
For families, that control can be a relief. A kid just needs a stable machine for school, video, and maybe Minecraft. A parent needs an email and a browser that doesn’t implode after an update. Linux can do that.
A home setup where Linux can serve both work and play without constant interruptions, created with AI.
Also, if you’re migrating partly for security, don’t forget the basics still matter across any OS: secure browsing, safe downloads, and encrypted connections when you’re on public Wi-Fi. If you want my practical take, here are the advantages of VPN for privacy.
Nobara vs Pop!_OS: How I’m Starting My Journey
Two popular Linux choices side-by-side, one tuned for gaming and one tuned for daily work, created with AI.
I’m treating Nobara and Pop!_OS like two different vehicles. One is a sporty hatchback that’s fun right away. The other is a reliable SUV that starts every morning and doesn’t make my life exciting.
Both are free. Both can be tested from a USB drive without installing. Both are modern enough that you don’t need to be a Linux historian to use them.
The biggest difference, in plain English, is this: Nobara tries to get you gaming faster out of the box, Pop!_OS tries to be a calm, clean daily system that still plays games. Much of this comes down to their desktop environment choices, which affect the visual and functional feel of the system.
Why I’m Looking at Nobara First
Nobarara is Fedora-based and tuned for gaming and streaming. The whole pitch is “less setup, more playing.” That means codecs and tweaks are commonly included, so you aren’t hunting for basic stuff after installation. It often pairs this with KDE Plasma for a gaming-centric interface that suits tinkerers.
The tradeoff is speed. Faster-moving updates can mean you get newer features sooner, but you might also see more surprises than you’d want on a machine you rely on for work deadlines.
If you’re the type who updates drivers on day one and enjoys tinkering, Nobara makes a lot of sense. If your main goal is “I want Steam and my controller to work today,” it’s appealing. For users with older hardware seeking efficiency, options like Xfce exist across Linux distros, but Nobara shines on modern gaming rigs.
If you want the official voice behind the project, their documentation is worth a skim before you commit: Nobara new user guidelines.
Why Pop!_OS Feels Like The Safer Daily Driver
Pop!_OS is Ubuntu-based and built by System76, and it feels like it was designed by people who want your computer to stop bothering you. The UI is clean, the workflow is friendly with its GNOME base, and it’s especially popular on laptops because it tends to behave well with power management and everyday hardware. Users can easily find and install apps via the Software Manager.
Pop!_OS also offers an NVIDIA-friendly path, which matters if you’ve ever been trapped in driver drama. I’m not promising perfection, but I like stacking the odds in my favor. Those seeking a classic Windows-like feel might look to Linux Mint and its Cinnamon desktop instead.
My personal bias is simple: I want my main machine boring and reliable. I don’t want to “babysit” it. So Pop!_OS is my front-runner for the system I use for writing, admin tasks, browsers, and normal life, with gaming as a bonus.
My Low-Risk Migration Plan: Try Linux Without Nuking Your Windows Life
Testing Linux from a USB drive before installing helps keep the process calm and reversible, created with AI.
If Linux curiosity feels like standing at the edge of a pool, my plan is the shallow end first. No drama, no “wipe the drive and pray,” and no weekend-long rebuild unless I’m sure.
I’m also assuming something important: if Windows just burned you with a bad update, your risk tolerance is low. That’s normal. So my migration plan is designed to keep Windows intact until Linux proves itself in my real routine.
There are a couple of gotchas to keep in mind as you plan. Device encryption and BitLocker can complicate resizing partitions. Secure Boot in your UEFI firmware can block some setups depending on BIOS settings. None of this is a deal-breaker, it just means you should go slow and read the prompts instead of clicking through on autopilot.
Step 1: Test Drive on a USB and Check Your Hardware Basics
A live USB is exactly what it sounds like: you boot Linux from a bootable USB drive and try it without installing. It’s the closest thing to a risk-free test. Download the ISO file for your chosen distro, then use Rufus to create the bootable USB drive.
In my first 15 minutes, I check the stuff that ruins daily life if it doesn’t work: Wi-Fi, Bluetooth, audio, mic, webcam, trackpad gestures, sleep and wake, external monitor, and basic printing.
If you game, add GPU sanity checks. Make sure the refresh rate is right, make sure the resolution isn’t weird, and make sure performance isn’t obviously broken. I’m not benchmarking; I’m just looking for red flags.
Step 2: Dual Boot vs Full Install, And Why I’m Not Rushing It
Dual boot means you keep Windows and install Linux alongside it. When you start the PC, you choose which one to run. It’s a safety net, and it’s great for testing during the installation process.
The downside is complexity. You’re managing partitions, boot menus, and two operating systems that both think they deserve the front seat. If you’re not careful, you can make recovery harder, not easier.
A full install is simpler once you’re ready. One system, one update flow, one set of backups. Clean and calm.
My personal rule: I keep Windows until I’ve had two normal weeks on Linux. Not “two exciting weeks.” Two boring weeks where I can work, browse, game a bit, and sleep with the laptop without surprises.
Step 3: Rebuild My Daily Apps the Linux Way (Without Fighting the OS)
The fastest way to hate Linux is trying to treat it exactly like Windows. The better approach is to use the package manager, install trusted packages, and stop hunting random installers on the web.
My realistic app stack looks like this: Office web for certain tasks, LibreOffice for local docs, Thunderbird if I want a desktop mail client, Steam for games, and OBS for recording and streaming.
This is also where I tighten my “don’t download sketchy stuff” rule. Linux malware exists, and bad habits are still bad habits. If you need a reminder of how ugly random downloads can get, especially in the “free software” corners of the internet, here’s my warning label: dangers of using pirated software.
Backups matter more than any OS choice. I want at least one external drive backup plus cloud sync for the stuff that changes often. If an update breaks something, I want the fix to be “restore and move on,” not “rebuild my life from memory.”
Conclusion
KB5074109 didn’t make Windows perfect; it just made Windows feel less predictable than I’m willing to accept. If you’re frustrated with update chaos or privacy nags, or you’ve got older hardware that still deserves a second life, Linux is worth serious consideration right now. If you’re a gamer who’s willing to test your favorites first, or you want more control over your own device, it’s an especially good time to experiment.
If you have must-have Windows-only apps, a locked-down work laptop, or zero bandwidth for troubleshooting, waiting is the smart move. My recommendation is simple: read my Linux switch journal if you’re ready to switch from Windows to Linux, then try a live USB test of your preferred Linux distribution (like Linux Mint for beginners who might find the other options too complex) this weekend and decide based on evidence, not hype.
Microsoft has been pushing harder to connect Windows and Microsoft 365 to its cloud storage services. The latest Windows 11 setup makes that extra obvious, because OneDrive Backup can switch on by default during a clean install, which is why many want to turn off OneDrive backup in Windows 11 right away.
That surprise from the Out of the Box Experience has led to a lot of angry posts online. I get it. If you expect your files in the usual folders and they suddenly aren’t there, it feels like something got taken.
The good news is this: your files usually aren’t gone. They’ve been moved, then synced to OneDrive. And Microsoft quietly improved the “turn it off” process, so getting your files back into local folders is less painful than it used to be.
Where My Files Went (And Why It Looks Worse Than It Is)
When I’m saving locally, my default folders live under my user profile, like:
c:Usersyour_nameDocuments folder
With OneDrive Backup on, the “real” working folders shift to something like:
C:\Users\your_name\OneDrive\Documents
The files still exist on the PC, and the sync process uploads them to OneDrive online. That’s the whole point of the backup.
The confusion comes from what Windows leaves behind. The original Local folders can still appear in File Explorer, but they may be empty. So I click Documents out of habit, and it looks like everything vanished.
It didn’t. The folder target changed.
Why Microsoft Is Doing This (The Helpful Reason And The Annoying One)
There’s a practical upside in Windows 11. Files that only live on a laptop are easy to lose. Theft happens. Drives fail. Ransomware hits. Cloud backup can save people from a bad day turning into a disaster.
There’s also the part that makes people roll their eyes. Pushing files into OneDrive pushes people toward paid storage. If you only get 5GB free, it doesn’t take long to hit the limit with cloud-only files.
From a security angle, this is where the debate gets real. Privacy matters, and so does choice. Some people don’t want personal data tied to their Microsoft account, leaving their device, and that’s valid.
I’ll say it plainly because it’s the heart of the frustration: Control and trust are the core issues. If I don’t want cloud backup, I should be able to say no, and I should be able to undo it without a scavenger hunt.
How OneDrive Backup Works Now When I Turn It Off
Microsoft changed something important recently. In the past, if I disabled OneDrive Backup, Windows would stop syncing and backing up, but my files often stayed stuck in the OneDrive folder. That meant I had to manually move everything back into my local profile folders.
Now, when I turn off OneDrive Backup in OneDrive settings, Windows can offer an option to move files back to local folders as part of the process. It’s still not as clear as it should be, but it’s better.
What follows assumes I’m on Windows 11 (newer releases), signed in with a personal Microsoft account, and OneDrive Backup is currently enabled.
How I Undo OneDrive Backup And Put Files Back In Local Folders
Step 1: Open The Backup Settings
I look for the OneDrive icon in the Taskbar‘s Notification area, right-click the OneDrive icon, then select Help and Settings and the Settings menu. From there, I go to the Sync and backup area and open Manage backup.
I can also open File Explorer, find my OneDrive (Personal) entry in the left pane, right-click it, go to OneDrive, then Settings, and open Manage backup from the Sync and backup section.
On some Windows 11 builds, I get there via Settings>Accounts>Windows Backup, then a button like Manage sync settings.
Either way, I end up on the Manage backup screen showing the folders that are being backed up. I pause here and check which folders are marked as backed up before changing anything.
Step 2: Turn Off Backup For Each Folder
In the manage backup screen, I use the toggle switch to turn off backup for the Documents folder first (then the Pictures folder, then the Desktop folder, if they’re on). Windows will prompt me with choices.
I pick the option that stops backup and lets me choose where files should live, then I choose Only on my PC.
I repeat that for each folder until they all show as not backed up.
One weird behavior I’ve seen is that a folder can flip back to “Ready to back up,” and the switch turns itself back on. If that happens, I close out instead of saving changes, because saving can re-enable backup.
Step 3: Check My Local User Folders
Next, I open File Explorer and type %userprofile% in the address bar. That brings me to my local profile folders.
I open Documents, Pictures, and Desktop and confirm my files are actually there. This matters because I don’t want to delete anything until I know the local copies look right.
Step 4, Confirm The OneDrive Versions Are Empty (Or Move Anything Left Behind)
I open a second File Explorer window and type %userprofile%OneDrive. I also quickly check the Account tab to verify connectivity.
I look inside the OneDrive versions of Documents, Pictures, and Desktop. If those folders are empty, great.
If I still see files there, I manually move them back. I copy them out of the OneDrive folder and paste them into the matching local folder under %userprofile%.
After I confirm everything is back where I want it, I can delete the now-empty duplicate folders inside OneDrive.
How to Stop The “Start Backup” Prompts In File Explorer
Even after I decide I don’t want OneDrive Backup, Windows may keep nudging me with the Start backup message. In File Explorer, I might see a Start backup button when I’m viewing folders like Documents, Pictures, Desktop, Music, or Videos.
I don’t click it!
If I want the nag to go away, I right-click that Start backup button and choose Stop backup from the menu. I may need to do it in each folder where Windows shows the prompt.
How I Turn Off Microsoft 365 Saving New Files To The Cloud
If I’m using a Microsoft 365 build that defaults new Word files to OneDrive, I change it in the app settings.
Inside Word, I go to Options, then I open the Save section. There’s a checkbox like “Create new files in the cloud automatically.” I cleared that checkbox.
Once I do, the option to save to a local location becomes available, and I set my default save location to local folders.
My Bottom Line
OneDrive Backup doesn’t usually delete your files, but the folder move is easy to miss, and that’s what causes the panic. If you want local storage only, you can turn off OneDrive backup in Windows 11 and, in newer Windows 11 versions, but some Windows update in the future might also move your files back for you. 😉
For those who want to completely avoid the service, advanced options include using “Unlink this PC” as a secondary method of disconnection or “Uninstall OneDrive” as a permanent solution. Professional users needing strict control can turn to the “Group Policy Editor” to “Prevent the usage of OneDrive,” while a quick “Stop backup” provides final advice for immediate relief.
My rule: treat OpenClaw like shadow AI that can touch real systems in your home network, because it can. Testing safely beats being fearless.
Photo by 
An update gone wrong can turn a normal work setup into a recovery-mode afternoon, created with AI.
A home setup where Linux can serve both work and play without constant interruptions, created with AI.
Two popular Linux choices side-by-side, one tuned for gaming and one tuned for daily work, created with AI.
Testing Linux from a USB drive before installing helps keep the process calm and reversible, created with AI.