Passkeys

The Passkeys identity service allows users to authenticate with Specops Authentication using the passkeys they have enrolled. Passkeys are a feature on computers and smartphones that securely log users into their accounts across the web by using biometrics such as a fingerprint or face scan, or a PIN. A passkey is a digital credential (authenticator) tied to a user account and a website or application. Some examples of passkeys are Windows Hello, YubiKey, Bitwarden and any authentication app such as Google Authenticator.

Specops Authentication supports both platform and cross-platform authenticators. Authentication with passkeys is performed through the WebAuthn protocol.

When users choose to authenticate using the Passkeys identity service, they are presented with a pop-up listing all available passkeys, from which they must choose one to authenticate with. Note that even though all available passkeys are listed, users can only authenticate with passkeys they have enrolled in Specops Authentication. The number of enrolled passkeys is limited to 10. Please refer to the End User page for more information on passkey enrollment.

Configuring Passkeys


The only setting that can be configured for this identity service is whether or not user verification is enforced.

    Specops Authentication WebIdentity Services

  1. Click Passkeys in the list.
  2. Check the Require verification checkbox. See the section below for an explanation of required verification.
  3. Click Save.

Require verification

In cases where a passkey does not automatically require user verification (passkeys such as Windows Hello or Bitwarden automatically require user verification by means of facial recognition or a password), the user will be presented with a request for a PIN code. An example of such a passkey can be found in some iterations of YubiKey.

Users who have not previously set a PIN for their YubiKey will not be presented with the verification step if the Require verification setting is unchecked. Users who have previously set a PIN will be presented with the verification step regardless of whether or not the setting has been activated.

Users without a registered PIN for their authenticator will not be able to authenticate with that particular passkey if the Require verification setting is turned on at a later date.

NOTE
Since a verification PIN can only be registered at enrollment, it is advised that users who are unable to authenticate with their passkey due to a missing PIN code do the following:
  • Log in to the enrollment page.
  • Remove the Passkeys enrollment.
  • Enroll again with the passkey. They will be prompted to set a PIN code.
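
The Require verification behaviour described above corresponds to the user-verified (UV) flag that WebAuthn authenticators report in their authenticator data. The following is an added example, not Specops code, of how a WebAuthn relying party can enforce such a policy on the server side; the function names, the relying party ID and the sample bytes are constructed for illustration, and signature verification is assumed to happen separately.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits in the WebAuthn authenticator data "flags" byte
FLAG_UP = 0x01  # user present (for example a touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)

@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int

def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    flags = raw[32]
    return AuthData(raw[:32], bool(flags & FLAG_UP), bool(flags & FLAG_UV), sign_count)

def check_assertion_flags(raw: bytes, expected_rp_id: str,
                          require_verification: bool) -> tuple[bool, str]:
    """Return (accepted, reason) for the flag checks only."""
    data = parse_authenticator_data(raw)
    if data.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not data.user_present:
        return False, "user presence flag not set"
    if require_verification and not data.user_verified:
        return False, "user verification required but UV flag not set"
    return True, "ok"

def build_sample(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data (not captured from a real key)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

RP_ID = "login.example.test"                      # hypothetical relying party ID
NO_PIN_KEY = build_sample(RP_ID, FLAG_UP)         # security key without a PIN: touch only
PIN_KEY = build_sample(RP_ID, FLAG_UP | FLAG_UV)  # key with a PIN, or a platform authenticator

if __name__ == "__main__":
    for name, sample in (("no-PIN key", NO_PIN_KEY), ("PIN key", PIN_KEY)):
        for policy in (False, True):
            print(name, "| require_verification =", policy, "->",
                  check_assertion_flags(sample, RP_ID, policy))
```

The no-PIN sample is accepted while the policy is off and rejected once it is on, which matches the lockout case the note above addresses with re-enrollment.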

User enrollment

Users have to enroll each of their passkeys separately in order to use them to authenticate with Specops Authentication. The maximum number of enrolled passkeys is five. Please refer to the End User page for more information.

Passkeys limitations

The Passkeys identity service is incompatible with the secure browser. For password resets using the secure browser, Passkeys will therefore not be shown in the list of available identity services.