Set up a passkey
A passkey is a credential stored on your device — backed by Touch ID, Face ID, Windows Hello, or a hardware security key — that counts as a second factor on your account. It satisfies the same multi-factor requirement as an authenticator-app code, and it's phishing-resistant: the browser binds it to your workspace address, so an attacker on a lookalike site can't reuse it.
You manage passkeys on the Two-factor authentication page in the My portal, alongside your authenticator-app setup. You can register several — one per device — and remove any of them at any time.
:::note Sign-in step Registering a passkey here records it as a valid second factor and clears your workspace's multi-factor requirement. At the sign-in screen itself, you currently complete the second step with a code from your authenticator app or a recovery code — see Two-factor authentication (TOTP). :::
:::note Before you begin
- You have a signed-in account on the workspace. No admin role is required.
- You're on a device with a passkey authenticator: a phone or laptop with biometrics, a password manager that stores passkeys, or a FIDO2 hardware key (for example, a YubiKey).
- You're using a current version of Chrome, Firefox, Safari, or Edge. A passkey lives on the authenticator that created it, so register from each device you want to hold one.
- Open the page from the left sidebar under My profile → Two-factor authentication,
or go to
/my/profile/two-factor. :::
Register a passkey
Each passkey is created in your browser and tied to the device or key in front of you. Give it a name you'll recognise later, then approve the prompt your device shows.
- Open Two-factor authentication in the My portal and scroll to the Passkeys (FIDO2 / WebAuthn) card.
- In Name this passkey, type a label that tells the device apart from your others.
- Select Register passkey. The button changes to Waiting for device… while the browser opens its passkey prompt.
- Complete the prompt on your device — touch the fingerprint sensor, approve Face ID or Windows Hello, or tap your hardware key.
When it succeeds, the page reloads and a green confirmation appears:
Passkey "<name>" registered. You can use it instead of (or alongside) your
authenticator app at sign-in. The new passkey is listed in the card, and the badge in
the card header updates to show how many you have registered.
| Field | Required | Default | Notes |
|---|---|---|---|
| Name this passkey | Yes | Empty | Free text, up to 100 characters. Use something device-specific, for example iPhone 15, Work MacBook, or My YubiKey. |
You can't register the same device twice. If a passkey from this device already exists on your account, the browser blocks the new registration — remove the old entry first, or register a different device.
A passkey and an authenticator app aren't mutually exclusive — either one satisfies your workspace's multi-factor requirement. Keep an authenticator app set up as well so you can always complete the second step at sign-in. See Two-factor authentication (TOTP).
What's stored against each passkey
Each registered passkey shows its name and a short activity line. The page never displays the underlying key material — only the human-readable details.
| Detail | Shown as | Notes |
|---|---|---|
| Name | The label you set | The device name you typed when registering. |
| Registered | A relative time | When you added the passkey, for example 3 days ago. |
| Last used | A relative time, or not used yet | Set the first time the passkey is used to verify you. |
Registering and removing a passkey are recorded in your workspace's activity log, so administrators have an audit trail of credential changes. The log captures the passkey's name — never its keys.
How a passkey satisfies multi-factor
A registered passkey counts as a second factor, exactly like a confirmed authenticator app. If your workspace requires multi-factor authentication, registering one passkey clears that requirement — you don't also have to set up an authenticator app.
At the sign-in screen, you complete the second step today with a code from your authenticator app or a one-time recovery code. See Two-factor authentication (TOTP) for that step.
A passkey is bound to the workspace address it was registered for. A passkey created for one workspace can't be used on a different workspace, even with the same email — register a separate passkey there.
Remove a passkey
Remove a passkey when you replace, lose, or stop trusting a device. Removing it here deletes the server-side record; it doesn't erase the credential stored on the device.
- Open Two-factor authentication and find the passkey in the Passkeys card.
- Select Remove next to it.
- Confirm the prompt: Remove this passkey? You can re-register from the same device any time.
The page reloads with a confirmation, and the entry disappears from the list.
If a passkey is your only second factor, removing your last passkey without a confirmed authenticator app may leave your account without multi-factor protection — and your workspace's security policy may then block sign-in until you re-enrol. Set up TOTP or register a replacement passkey before removing your last one. See Two-factor authentication (TOTP).
How passkeys are configured
These settings are fixed by the platform; you don't change them, but they explain what to expect from the prompt and which authenticators work.
| Setting | Value | What it means for you |
|---|---|---|
| Authenticator type | Platform or roaming | You choose at registration — a built-in biometric (Touch ID, Face ID, Windows Hello) or a cross-platform key (for example, a YubiKey). |
| Signature algorithms | ES256 and RS256 | The widely supported FIDO2 algorithms. Almost every modern authenticator works; a very old key that supports neither is rejected. |
| User verification | Preferred | The device asks for a biometric or PIN when it can, confirming it's you and not just possession of the device. |
| Prompt timeout | 90 seconds | The browser prompt stays open this long before it gives up. If it times out, select Register passkey again. |
| Scope | Your workspace address | The passkey is bound to your workspace subdomain at registration and can't be reused on another workspace. |
Troubleshooting
| Symptom | What to do |
|---|---|
| This browser does not support WebAuthn. Use Chrome, Firefox, Safari, or Edge. | Your browser can't run the passkey ceremony. Switch to a current version of a supported browser and try again. |
| Give this passkey a name first. | The Name this passkey field is empty. Enter a label, then select Register passkey. |
| The button stays on Waiting for device… | The device prompt is open or was dismissed. Complete the biometric or hardware-key prompt, or wait for the 90-second timeout and start over. |
| Passkey registration session expired. Start over. | More than a few minutes passed between starting and finishing. Reload the page and register again. |
| Passkey could not be verified. Try a different key or device. | The browser response didn't validate. Try a different authenticator, or register from another device. |
| Registration is blocked silently | A passkey from this device is already registered. Remove the existing entry, then register again. |