# MFA-Passkeys (FIDO2 / WebAuthn)

### Scope <a href="#scope" id="scope"></a>

This section explains how to use **Passkeys (FIDO2 / WebAuthn)** as a Multi-Factor Authentication (MFA) method, including:

* What passkeys are and how they work
* How to set up a passkey
* How passkey verification works during sign-in

> Passkeys are a **passwordless, phishing-resistant authentication method** that uses your device’s built-in security (biometrics or screen lock).

***

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

If you want the **highest level of account security with the simplest user experience**, passkeys are the recommended option.

Passkeys allow you to:

* Sign in using **biometrics** (Face ID, Touch ID, Windows Hello)
* Or your device **PIN / screen lock**
* Avoid typing one-time codes or passwords during verification

Passkeys are supported on:

* Modern browsers (Chrome, Safari, Edge, Firefox)
* iOS, Android, macOS, Windows devices

***

### Purpose <a href="#purpose" id="purpose"></a>

Passkeys provide **strong, phishing-resistant authentication** by:

* Eliminating shared secrets (no codes to steal)
* Binding authentication to a **specific device**
* Leveraging FIDO2 / WebAuthn standards

This significantly reduces risks from:

* Phishing attacks
* Credential reuse
* Man-in-the-middle attacks

***

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before setting up a passkey, make sure that:

* Your account is created and signed in
* **Multi-Factor Authentication (MFA)** is enabled
* Your device supports:
  * Biometrics (Face ID, Touch ID, fingerprint), or
  * Secure screen lock (PIN / pattern)
* You are using a supported browser

<figure><img src="/files/AlIHKONrNdKUMFST4cAW" alt=""><figcaption></figcaption></figure>

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

#### Step 1: Enable Multi-Factor Authentication <a href="#step-1-enable-multi-factor-authentication" id="step-1-enable-multi-factor-authentication"></a>

1. Go to **Account → Security**
2. Turn on **Multi-Factor Authentication**

<figure><img src="/files/cBqDTRYL93UKHFSh99wF" alt=""><figcaption></figcaption></figure>

> ⚠️ Email verification is automatically enabled when MFA is turned on.\
> Passkeys are added as an **additional verification method**.

***

#### Step 2: Set up passkey <a href="#step-2-set-up-passkey" id="step-2-set-up-passkey"></a>

1. Go to **Security → Multi-Factor Authentication**
2. Select **Passkey**
3. Click **Set up passkey**
4. Click **Create passkey**

<figure><img src="/files/vbbznDQ39J6QBpX87WGo" alt=""><figcaption></figcaption></figure>

***

#### Step 3: Verify your identity on device <a href="#step-3-verify-your-identity-on-device" id="step-3-verify-your-identity-on-device"></a>

1. Click **Continue**
2. Follow the on-screen instructions provided by your device:
   * Face ID / Touch ID
   * Device PIN or screen lock

<figure><img src="/files/Pi5FfhgGLSHrjfDNmOvK" alt=""><figcaption></figcaption></figure>

> 🔐 Your private key is securely stored on your device and never shared.

***

#### Step 4: Passkey created successfully <a href="#step-4-passkey-created-successfully" id="step-4-passkey-created-successfully"></a>

Once verified:

* Your passkey is registered
* MFA using passkey is now active

<figure><img src="/files/BKfLks4KM0beVcunKjW7" alt=""><figcaption></figcaption></figure>

***

### Sign-in flow with passkey <a href="#sign-in-flow-with-passkey" id="sign-in-flow-with-passkey"></a>

When signing in with passkey enabled:

1. Enter your **email and password**
2. Passkey is selected as the **default verification method**

<figure><img src="/files/thra961qiJc2JMbzVX8w" alt=""><figcaption></figcaption></figure>

* Click **Continue**
* Verify your identity using a registered passkey.

<figure><img src="/files/MC6uaN2CkIRnNyCdVcza" alt=""><figcaption></figcaption></figure>

* ✅ Sign-in completes automatically after successful verification.

***

### Security notes <a href="#security-notes" id="security-notes"></a>

* Passkeys are **phishing-resistant**
* No verification codes are generated or transmitted
* Private keys never leave your device
* Each passkey is bound to a specific device
* You can remove a passkey from **Security settings** at any time
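
Why a passkey response is useless on a look-alike site or when replayed: the sketch below shows the origin, challenge and RP ID binding checks that the WebAuthn standard has a server run on every sign-in response. It is an added example, not this product's code; `RP_ID`, `ORIGIN`, the function names and the sample data are assumptions constructed for illustration. Signature verification with the registered public key, which a real server must also perform, is left out.

```python
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.test"           # assumed relying-party ID (constructed)
ORIGIN = "https://login.example.test"  # assumed expected web origin (constructed)

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verify_binding(client_data_json, auth_data, expected_challenge, require_uv=True):
    """Return "ok", or the reason the sign-in response must be rejected."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"   # stale or replayed response
    if client.get("origin") != ORIGIN:
        return "origin mismatch"      # produced on a different site
    if len(auth_data) < 37:           # 32-byte hash + flags + 4-byte counter
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"    # credential scoped to another RP ID
    flags = auth_data[32]
    if not flags & 0x01:
        return "user not present"
    if require_uv and not flags & 0x04:
        return "user not verified"    # no biometric / PIN check was done
    return "ok"

def sample_assertion(origin, rp_id, challenge, flags=0x05):
    """Constructed stand-in for what the browser and authenticator return."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + bytes(4)
    return client_data, auth_data

def demo():
    challenge = secrets.token_bytes(32)  # fresh per sign-in attempt
    genuine = sample_assertion(ORIGIN, RP_ID, challenge)
    lookalike = sample_assertion("https://login.examp1e.test", "login.examp1e.test", challenge)
    stale = sample_assertion(ORIGIN, RP_ID, secrets.token_bytes(32))
    return [verify_binding(*a, challenge) for a in (genuine, lookalike, stale)]

if __name__ == "__main__":
    print(demo())
```
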

***

### Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

**Device lost or replaced?**

* Use Email MFA or Authenticator App (if enabled)
* Register a new passkey on your new device

**Passkey not available?**

* Ensure your browser and OS are up to date
* Make sure device lock or biometrics are enabled

***

### Summary <a href="#summary" id="summary"></a>

<table data-header-hidden><thead><tr><th width="374"></th><th></th></tr></thead><tbody><tr><td><strong>Item</strong></td><td><strong>Description</strong></td></tr><tr><td>MFA method</td><td>Passkeys (FIDO2 / WebAuthn)</td></tr><tr><td>Verification type</td><td>Biometrics / Device lock</td></tr><tr><td>Used during</td><td>Sign-in after password</td></tr><tr><td>Internet required</td><td>No (after initial setup)</td></tr><tr><td>Security level</td><td>Very high</td></tr><tr><td>Best for</td><td>Passwordless-like, high-security access</td></tr></tbody></table>


