Passkeys
A passkey is a cryptographic key stored on your device - your laptop, phone, or a hardware security key. Instead of typing a password and waiting for a code, you authenticate using your device’s built-in method: fingerprint, face recognition, or PIN.
Passkeys implement the WebAuthn standard (also called FIDO2). They are phishing-resistant because the key is bound to the specific website it was created for. A passkey created for auth.example.com will never work on auth-example.com.
Registering a passkey
You must be logged in to register a passkey (use password + OTP for your first login).
- Go to /register/passkey.
- Give the passkey a name so you can identify it later (for example, “MacBook” or “iPhone”).
- Click Register passkey. Your browser will ask you to use your fingerprint, face, or device PIN.
- Done.
You can register multiple passkeys - one per device is typical.
Logging in with a passkey
Go to /login/passkey and click Use passkey. Your browser will prompt you to choose a passkey and authenticate with your device.
Passkey login counts as both factors - you do not need to complete OTP or TOTP after a successful passkey authentication.
Requirements
Passkeys require JavaScript. The login and registration pages load a small JavaScript file (/static/js/passkey.js) to handle the WebAuthn API calls. No external scripts are loaded.
Your browser must support WebAuthn. All modern browsers (Chrome, Firefox, Safari, Edge) and most recent mobile browsers support it.
Multiple passkeys
You can register as many passkeys as you want. This is encouraged - register one on each device you regularly use. If one device is lost, the others still work.
Admins can see which passkeys are registered for a user at /admin/users/:id. Individual passkeys can also be revoked from there.