Passkeys

Passkeys let you log in without a password using biometrics (fingerprint, face) or a hardware security key. They're phishing-resistant and more secure than passwords.

What Are Passkeys?

Passkeys are a modern authentication standard (WebAuthn/FIDO2) supported by all major browsers and operating systems. When you register a passkey, your device stores a cryptographic key that's used to sign login challenges - your biometric data never leaves your device.

Passkeys are inherently multi-factor (something you have + something you are), so you don't need TOTP or email 2FA when using them.
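
To make the challenge signing described above concrete, the following added example (not this product's code) simulates a simplified WebAuthn-style login in Node.js and shows why a signature made on a look-alike site, a replayed signature, or one made without the biometric/PIN check is rejected. The domains, function names, and result strings are assumptions made for illustration; a production server would use a maintained WebAuthn library and also check the signature counter.

```javascript
// Added illustration, not the product's code: a simplified WebAuthn-style assertion.
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Registration: the device makes a key pair; the server stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Device side. The browser (not the page) supplies `origin`; a biometric or PIN
// check only sets the user-verified flag, so no biometric data is transmitted.
function authenticatorSign(challenge, origin, rpId, userVerified) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const flags = 0x01 | (userVerified ? 0x04 : 0x00); // UP and UV bits
  const authData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Server side: every check must pass before the signature is accepted.
function verifyAssertion({ clientDataJSON, authData, signature }, expected, storedKey) {
  const clientData = JSON.parse(clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong type";
  if (clientData.challenge !== expected.challenge.toString("base64url")) return "challenge mismatch";
  if (clientData.origin !== expected.origin) return "origin mismatch";
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpId mismatch";
  if ((authData[32] & 0x04) === 0) return "user not verified";
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, storedKey, signature) ? "ok" : "bad signature";
}

function demo() {
  // Constructed values: app.example is the real site, app-example.test a look-alike.
  const expected = { challenge: crypto.randomBytes(32), origin: "https://app.example", rpId: "app.example" };
  const genuine = authenticatorSign(expected.challenge, expected.origin, expected.rpId, true);
  // Worst case: the same key signs on the look-alike site (a real device scopes keys per site).
  const lookalike = authenticatorSign(expected.challenge, "https://app-example.test", "app-example.test", true);
  const noUv = authenticatorSign(expected.challenge, expected.origin, expected.rpId, false);
  const nextLogin = { ...expected, challenge: crypto.randomBytes(32) };
  return {
    genuine: verifyAssertion(genuine, expected, publicKey),
    lookalike: verifyAssertion(lookalike, expected, publicKey),
    replayed: verifyAssertion(genuine, nextLogin, publicKey),
    noUserVerification: verifyAssertion(noUv, expected, publicKey),
  };
}

console.log(demo());
```

Only the public key and signed data reach the server, and each signature is bound to one challenge and one origin, so a captured response cannot be reused on a later login or on the real site.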

Registering a Passkey

  1. Go to Settings → Passkeys.
  2. Click Register New Passkey.
  3. Your browser will prompt you to authenticate with your device (fingerprint, face, or security key).
  4. Give your passkey a name (e.g., "MacBook Pro" or "YubiKey") to identify it later.

You can register up to 10 passkeys per account - useful if you use multiple devices.

Logging In with a Passkey

If you have passkeys registered, the login flow changes:

  1. Enter your email address.
  2. Instead of a password field, you'll see a Sign in with passkey button.
  3. Click it and authenticate with your device.
  4. You're logged in - no password, no 2FA code needed.

Managing Passkeys

From Settings → Passkeys, you can:

  • Rename a passkey to help identify which device it belongs to
  • Delete a passkey you no longer use
  • Regenerate your recovery code

Recovery Code

When you register your first passkey, you'll receive a recovery code (e.g., PK-A1B2C3D4E5F6). Store this somewhere safe - it's your fallback if you lose access to all your passkey devices.

Using a recovery code will:

  • Log you in
  • Delete all registered passkeys
  • Clear the recovery code

Important: After using a recovery code, you'll need to set up new passkeys. The recovery code is a one-time escape hatch, not a regular login method.

Interaction with Other 2FA

Registering a passkey automatically disables Email 2FA (since passkeys provide stronger security). TOTP and passkeys can coexist - TOTP is used when you log in with a password, and passkeys bypass it entirely.