About Passkeys in AuthPoint

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

Passkey authentication is a newer, more secure way to sign in to applications and websites without the use of a password. This passwordless authentication method enables users to sign in with just biometrics, and makes the login process easier because there is no password to remember. Passkey authentication is also harder for attackers to exploit because there is no password to steal or to target through phishing.

For example, even with MFA enabled, an attacker could steal your password and then use a phishing attack to get you to approve a push notification or provide a one-time password. With a passkey, however, authentication generally requires your device and your biometrics, which cannot be stolen.

About Passkeys

A passkey is a digital credential that is stored on a device, such as a phone or laptop. The passkey replaces your password for authentication. Cryptography keeps the passkey secure.

You can create a passkey when you log in to supported applications and websites.

When you set up a passkey for a website, two different keys are created:

  • A public key that the website stores
  • A private key that your device stores

Passkeys are stored and managed by your device (iCloud Keychain, Google Password Manager, the Windows WebAuthn platform, and other OS-specific password management systems). You cannot use the AuthPoint mobile app for passkey enrollment or storage.

How Passkeys Work

When you log in to a website with a passkey, this is the high-level authentication flow:

  1. Navigate to an application or service that requires MFA.
    You are redirected to the AuthPoint SSO authentication page.
  2. Log in with your user name or email address.
  3. Select the passkey authentication option.
  4. AuthPoint sends a challenge to your device. The device with the passkey does not have to be the same device that you use to log in. For example, you might log in with your laptop but authenticate with a passkey on your phone.
  5. Your device confirms your identity with biometrics (or another method), then signs the challenge with the private key from your device.
  6. AuthPoint sends the challenge response to the application or service, which verifies the challenge signature with your public key and then logs you in.

How AuthPoint Supports Passkeys

AuthPoint supports passkey authentication for these resources:

  • OIDC resources
  • SAML resources
  • FireCloud resources
  • Microsoft Entra EAM

To allow users to authenticate with passkeys, you enable the option in your zero trust policies. The users for that policy then have the option to use passkeys to authenticate to the resources in that policy.

If you enable both passkey and MFA authentication methods for a policy, users choose which authentication method to use when they log in. You cannot require users to authenticate with both a passkey and MFA. This does not reduce the security of your protected resources. Passkeys are a standalone authentication method that satisfies the MFA requirement with something you have and something you are.

After you enable passkey authentication, when users authenticate to a supported resource, they receive a prompt to register a passkey. They can then use that passkey to authenticate to the protected resource for as long as their policy allows passkey authentication.

If the user does not have the device with their passkey, they can log in with a password and MFA, if their zero trust policy allows.

To use passkey authentication with FireCloud:

  • Make sure you configure your zero trust policies to use the FireCloud resource (this is a resource that AuthPoint creates automatically), not a SAML resource configured for FireCloud. Although SAML resources support passkey authentication, you must use the FireCloud resource type for FireCloud passkey authentication.
  • FireCloud users must have the connection manager for macOS v1.2.23.41 or higher, or the connection manager for Windows v1.3.9.898 or higher.

Related Topics

About the AuthPoint Mobile App

About Authentication