> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/user-guide/account-management/account-security/multi-factor-authentication-optional/mfa-passkeys-fido2-webauthn.md).

# MFA-Passkeys (FIDO2 / WebAuthn)

### Scope <a href="#scope" id="scope"></a>

This section explains how to use **Passkeys (FIDO2 / WebAuthn)** as a Multi-Factor Authentication (MFA) method, including:

* What passkeys are and how they work
* How to set up a passkey
* How passkey verification works during sign-in

> Passkeys are a **passwordless, phishing-resistant authentication method** that uses your device’s built-in security (biometrics or screen lock).

***

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

If you want the **highest level of account security with the simplest user experience**, passkeys are the recommended option.

Passkeys allow you to:

* Sign in using **biometrics** (Face ID, Touch ID, Windows Hello)
* Or your device **PIN / screen lock**
* Avoid typing one-time codes or passwords during verification

Passkeys are supported on:

* Modern browsers (Chrome, Safari, Edge, Firefox)
* iOS, Android, macOS, Windows devices

***

### Purpose <a href="#purpose" id="purpose"></a>

Passkeys provide **strong, phishing-resistant authentication** by:

* Eliminating shared secrets (no codes to steal)
* Binding authentication to a **specific device**
* Leveraging FIDO2 / WebAuthn standards

This significantly reduces risks from:

* Phishing attacks
* Credential reuse
* Man-in-the-middle attacks

***

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before setting up a passkey, make sure that:

* Your account is created and signed in
* **Multi-Factor Authentication (MFA)** is enabled
* Your device supports:
  * Biometrics (Face ID, Touch ID, fingerprint), or
  * Secure screen lock (PIN / pattern)
* You are using a supported browser

<figure><img src="/files/AlIHKONrNdKUMFST4cAW" alt=""><figcaption></figcaption></figure>

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

#### Step 1: Enable Multi-Factor Authentication <a href="#step-1-enable-multi-factor-authentication" id="step-1-enable-multi-factor-authentication"></a>

1. Go to **Account → Security**
2. Turn on **Multi-Factor Authentication**

<figure><img src="/files/cBqDTRYL93UKHFSh99wF" alt=""><figcaption></figcaption></figure>

> ⚠️ Email verification is automatically enabled when MFA is turned on.\
> Passkeys are added as an **additional verification method**.

***

#### Step 2: Set up passkey <a href="#step-2-set-up-passkey" id="step-2-set-up-passkey"></a>

1. In **Security → Multi-Factor Authentication**
2. Select **Passkey**
3. Click **Set up passkey**
4. Click **Create passkey**

<figure><img src="/files/vbbznDQ39J6QBpX87WGo" alt=""><figcaption></figcaption></figure>

***

#### Step 3: Verify your identity on device <a href="#step-3-verify-your-identity-on-device" id="step-3-verify-your-identity-on-device"></a>

1. Click **Continue**
2. Follow the on-screen instructions provided by your device:
   * Face ID / Touch ID
   * Device PIN or screen lock

<figure><img src="/files/Pi5FfhgGLSHrjfDNmOvK" alt=""><figcaption></figcaption></figure>

> 🔐 Your private key is securely stored on your device and never shared.

***

#### Step 4: Passkey created successfully <a href="#step-4-passkey-created-successfully" id="step-4-passkey-created-successfully"></a>

Once verified:

* Your passkey is registered
* MFA using passkey is now active

<figure><img src="/files/BKfLks4KM0beVcunKjW7" alt=""><figcaption></figcaption></figure>

***

### Sign-in flow with passkey <a href="#sign-in-flow-with-passkey" id="sign-in-flow-with-passkey"></a>

When signing in with passkey enabled:

1. Enter your **email and password**
2. Passkey is selected as the **default verification method**

<figure><img src="/files/thra961qiJc2JMbzVX8w" alt=""><figcaption></figcaption></figure>

* Click button **Continue**
* Verify your identity using a registered passkey.

<figure><img src="/files/MC6uaN2CkIRnNyCdVcza" alt=""><figcaption></figcaption></figure>

* ✅ Sign-in completes automatically after successful verification.

***

### Security motes <a href="#security-notes" id="security-notes"></a>

* Passkeys are **phishing-resistant**
* No verification codes are generated or transmitted
* Private keys never leave your device
* Each passkey is bound to a specific device
* You can remove a passkey from **Security settings** at any time

***

### Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

**Device lost or replaced?**

* Use Email MFA or Authenticator App (if enabled)
* Register a new passkey on your new device

**Passkey not available?**

* Ensure your browser and OS are up to date
* Make sure device lock or biometrics are enabled

***

### Summary <a href="#summary" id="summary"></a>

<table data-header-hidden><thead><tr><th width="374"></th><th></th></tr></thead><tbody><tr><td><strong>Item</strong></td><td><strong>Description</strong></td></tr><tr><td>MFA method</td><td>Passkeys (FIDO2 / WebAuthn)</td></tr><tr><td>Verification type</td><td>Biometrics / Device lock</td></tr><tr><td>Used during</td><td>Sign-in after password</td></tr><tr><td>Internet required</td><td>No (after initial setup)</td></tr><tr><td>Security level</td><td>Very high</td></tr><tr><td>Best for</td><td>Passwordless-like, high-security access</td></tr></tbody></table>
