> For the complete documentation index, see [llms.txt](https://accessiq.gitbook.io/accessiq-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://accessiq.gitbook.io/accessiq-docs/my-account/passkeys.md).

# Passkeys

Register and manage FIDO2/WebAuthn passkeys for passwordless authentication using biometrics or hardware security keys.

## Navigation

Navigate to **My Account > Passkeys** in the sidebar.

## Overview

Passkeys replace traditional passwords with cryptographic credentials tied to your device. When you register a passkey, your device generates a public-private key pair — the private key never leaves your device, and authentication happens via biometric verification (fingerprint, face recognition) or a hardware security key.

AccessIQ supports both platform authenticators (built into your device, such as Touch ID or Windows Hello) and cross-platform authenticators (external security keys like YubiKey). Passkeys are phishing-resistant by design — they are bound to the origin domain and cannot be intercepted or replayed.

If passkeys are not enabled for your account type, the page will display a notice directing you to contact your platform administrator. Tenant administrator accounts may have passkey management disabled at the platform level.

## Supported Authenticators

| Type                  | Examples                             | Category            |
| --------------------- | ------------------------------------ | ------------------- |
| Fingerprint           | Touch ID, Android fingerprint        | Platform (built-in) |
| Face recognition      | Face ID, Windows Hello face          | Platform (built-in) |
| Windows Hello         | PIN, fingerprint, or face on Windows | Platform (built-in) |
| Hardware security key | YubiKey, Titan Security Key, Feitian | Cross-platform      |

## Passkey List

Each registered passkey shows:

* **Name** — The label you gave it during registration (e.g., "MacBook Pro")
* **Type badge** — "Built-in" for platform authenticators or "Security Key" for cross-platform
* **Primary badge** — A highlighted "Primary" label if designated as your default
* **Created date** — When the passkey was first registered
* **Last used** — Relative time since the passkey was last used for authentication (e.g., "3 hours ago")
* **Device info** — Browser and operating system (if available)

## Registering a New Passkey

1. Click **Add Passkey** in the top-right corner.
2. In the dialog, enter a recognizable name for the passkey (e.g., "MacBook Pro", "iPhone", "YubiKey").
3. Click **Continue**. The dialog enters a "Waiting for authenticator" state.
4. Your browser will prompt you to use your fingerprint, face, or security key — follow the native OS prompt.
5. On success, the dialog shows a confirmation message and the passkey appears in your list immediately.

> **Tip:** Choose descriptive names so you can identify which device each passkey belongs to, especially if you register multiple passkeys across different devices.

### Registration Errors

If registration fails, the dialog shows a specific error:

* **"Registration was cancelled or not allowed"** — You dismissed the browser prompt or the authenticator was not recognized. Try again.
* **"Your browser or device does not support passkeys"** — Upgrade to a browser that supports WebAuthn (Chrome 67+, Safari 13+, Firefox 60+, Edge 18+).
* **"Security error: the relying party ID does not match"** — The domain configuration is incorrect. Contact your administrator.

Click **Try Again** to restart the registration flow, or **Cancel** to close the dialog.

## Setting a Primary Passkey

Click the **star icon** next to any passkey to designate it as your primary authenticator. The primary passkey is used by default when multiple passkeys are registered.

* Only one passkey can be primary at a time.
* The star icon appears filled for the current primary passkey and is disabled (non-clickable) on it.

## Removing a Passkey

1. Click the **trash icon** next to the passkey you want to remove.
2. A confirmation dialog appears: "Are you sure you want to remove \[passkey name]?"
3. Click **Remove** to confirm. The passkey is permanently deleted and can no longer be used for sign-in.

> **Warning:** If you remove all your passkeys and do not have another authentication method configured (password, MFA), you may lose access to your account.

## Availability

Passkeys may not be available for all account types. If your tenant administrator has not enabled passkey support, you will see a notice:

> "Passkey management is not available for this account type. Tenant administrator accounts are managed separately and do not support passkey registration through this portal."

Contact your platform administrator to request passkey support for your account.

## Security Considerations

* **Phishing resistant** — Passkeys are bound to the specific domain and cannot be stolen or reused on other sites.
* **No shared secrets** — Unlike passwords, the private key never leaves your device and is never transmitted over the network.
* **Device-bound** — Platform passkeys are tied to the specific device. If you lose the device, the passkey is lost with it. Register passkeys on multiple devices for resilience.
* **FIDO2/WebAuthn standard** — Built on the industry-standard FIDO2 protocol, ensuring interoperability across browsers and platforms.

## Related Pages

* [Multi-Factor Authentication](/accessiq-docs/my-account/mfa.md) — Configure MFA as an additional authentication layer
* [Security Settings](/accessiq-docs/security/settings.md) — Tenant-wide security configuration
* [Profile & Security](/accessiq-docs/my-account/profile-and-security.md) — Manage your account profile


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://accessiq.gitbook.io/accessiq-docs/my-account/passkeys.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
