Product and Support News

AuthPoint Passkeys for SAML: Now Available

Passkeys for SAML in AuthPoint is now generally available. You can now enable FIDO2 passkey authentication for SAML resources where AuthPoint acts as the SAML Identity Provider.

What's new

AuthPoint now supports FIDO2 passkeys as an authentication method for SAML-configured resources, extending the passkey support released earlier this year for OIDC. A single passkey enrollment now covers both protocols:

  • WatchGuard FireCloud (Internet Access and Total Access)
  • Microsoft Entra ID via External MFA
  • OIDC-connected applications
  • SAML-configured resources (new in this release)

One enrollment, both protocols. Users who already registered a passkey for OIDC access do not need to register again. The same passkey works across OIDC and SAML resources managed by AuthPoint, with no re-enrollment required.

Authentication is performed using device biometrics (Face ID, Touch ID, Windows Hello) or a device PIN to unlock the passkey, which then completes the cryptographic handshake with the application. The private key stays on the user’s device and is never transmitted; AuthPoint stores and verifies the public key. This design makes passkey authentication phishing-resistant by default, meeting phishing-resistant MFA requirements found in common compliance frameworks and cyber insurance policies.

Users do not need the AuthPoint mobile app to use passkeys.

What you need to know

Passkey availability is controlled per SAML resource through Zero Trust Policies in WatchGuard Cloud, using the same policy model already applied to OIDC resources. You can enable passkeys for specific SAML applications, roll out access gradually, or restrict passkey use to high-security resources while keeping other authentication options available elsewhere.

OIDC and SAML sessions remain separate. A user who authenticates with a passkey on an OIDC resource will be asked to authenticate again when accessing a SAML resource in the same browsing session.

Passkey authentication satisfies MFA requirements on its own: the combination of device possession and biometric or PIN verification is treated as a complete authentication by AuthPoint.

Passkey private keys are managed by the user’s device platform (Apple iCloud Keychain, Google Password Manager, or Windows WebAuthn) or by hardware security keys such as YubiKey.

Licensing

Passkeys for SAML are included with both AuthPoint MFA and AuthPoint Total Identity Security licenses at no additional cost.

Getting started

To enable passkey authentication for a SAML resource, open the Zero Trust Policy assigned to that resource in WatchGuard Cloud and add Passkey as an allowed authentication method. Refer to the AuthPoint release notes and the AuthPoint Help Center for detailed configuration steps. For questions, contact your WatchGuard Account Manager or use standard support channels.

Posted by: Authentication