The Passkey method allows customers to authenticate using device-based biometrics or platform authenticators such as Touch ID, Face ID, or Windows Hello. Passkeys provide a phishing-resistant, passwordless authentication experience that improves security and usability.

Enrollment

Customers can choose to add a passkey during account registration or, if passkey promotion is enabled, during login or a password change.

  • Supported passkey methods include:
    • Device biometrics (e.g., fingerprint, facial recognition)
    • Platform authenticators (e.g., Touch ID, Face ID, Windows Hello)
Three-step screenshot showing how a customer creates a passkey using Google Chrome on a desktop device. The first screen prompts the customer to name their device and click "Create passkey." The second screen displays a browser-level confirmation dialog asking the customer to proceed with saving the passkey. The final screen shows a biometric or password prompt (e.g., Touch ID or system password) to verify the customer's identity and complete passkey creation.

Creating a passkey using Google Chrome on a computer

Authentication flow

  1. When a customer interacts with the identifier input field, the device’s passkey autofill feature is triggered, allowing them to select a saved passkey.
  2. Alternatively, customers can select Sign in with passkey to initiate authentication manually.
  3. The browser or operating system UI prompts the customer to confirm their identity (e.g., biometric verification).
  4. If adaptive MFA is configured for passwordless login, the customer is authenticated seamlessly without needing a password or an additional authentication factor.
Two-step screenshot showing how a customer signs in using a saved passkey in Google Chrome on a desktop. The first screen is a Strivacity login page with an option to "Sign in with passkey." The second screen shows a browser dialog displaying a list of available saved passkeys associated with Chrome profiles on the current and other devices. The customer can choose a saved credential or use an external device to complete authentication.

Using a saved passkey in Google Chrome on a computer

Fallback handling

If a passkey cannot be used (for example, if the customer is on an unsupported device), authentication falls back to other methods (if available):

  • Password
  • Multi-factor authentication (MFA)

Limitations

  • Passkeys act as an MFA method during registration but can also serve as a primary authentication method in passwordless flows.
  • To meet system security requirements, customers must configure at least one additional authentication option.

Passkey promotion

Screenshot of the passkey promotion screen in the login journey. The screen encourages customers to create a passkey instead of using passwords, highlighting the benefits of not needing to remember complex passwords. It includes brief educational points explaining what passkeys are, why they’re useful, and where they are stored. At the bottom, there are options to either continue with passkey setup or skip it for now.

Passkey promotion screen

Administrators can encourage customers to adopt passkeys using the passkey promotion feature, available in the Self-service policy.

  • The passkey promotion screen is shown only for applications where passkey authentication is enabled in the Adaptive Access policy.
  • Administrators can configure when the passkey promotion screen appears:
    • During registration
    • During login
    • After a password change

📘

A more in-depth description of Passkeys is available in our passkey documentation.