# Passkeys (WebAuthn)
WireBuddy supports passwordless authentication using Passkeys (WebAuthn/FIDO2).
## Overview
Passkeys provide:
- 🔐 Passwordless Login: No password required
- 🛡️ Phishing Resistant: Credentials are bound to the registered origin, so they cannot be replayed to a lookalike site
- 🚀 Fast Authentication: Touch ID, Face ID, or security key
- 🔑 Public Key Cryptography: No shared secrets
## How Passkeys Work

```mermaid
sequenceDiagram
    participant User
    participant Browser
    participant WireBuddy
    participant Authenticator
    User->>Browser: Click "Sign in with passkey"
    Browser->>WireBuddy: Request challenge
    WireBuddy->>Browser: Return challenge + allowed credentials
    Browser->>Authenticator: Request signature
    Authenticator->>User: Verify (fingerprint/PIN)
    User->>Authenticator: Provide biometric
    Authenticator->>Browser: Signed response
    Browser->>WireBuddy: Submit signature
    WireBuddy->>Browser: Authentication successful
```

## Supported Authenticators
### Platform Authenticators
Built into your device:
- macOS/iOS: Touch ID, Face ID
- Windows: Windows Hello (fingerprint, face, PIN)
- Android: Fingerprint, face unlock, screen lock
### Security Keys (Cross-Platform)
External hardware keys:
- YubiKey (5 series)
- Google Titan Security Key
- Feitian keys
- Any FIDO2-certified key
## Browser Support
| Browser | Version | Support |
|---|---|---|
| Chrome | 109+ | ✅ Full |
| Edge | 109+ | ✅ Full |
| Safari | 16+ | ✅ Full |
| Firefox | 119+ | ✅ Full |
| Brave | 1.51+ | ✅ Full |
## Setting Up Passkeys

### For Users

1. Login with password (and MFA if enabled)
2. Navigate to Profile → Security → Passkeys
3. Click Add Passkey
4. Choose authenticator:
    - This device (platform authenticator)
    - Security key (USB/NFC)
5. Follow prompts:
    - Touch ID: Place finger on sensor
    - Face ID: Look at camera
    - Windows Hello: Use configured method
    - Security key: Insert key and touch button
6. Name your passkey (e.g., "MacBook Pro Touch ID")
7. Click Save
### For Admins
Enable passkeys globally:
Settings → Security → Passkeys → Enable
Options:
- Allow Platform Authenticators: Touch ID, Windows Hello
- Allow Cross-Platform: Security keys
- Require User Verification: Enforce biometric/PIN (recommended)
## Using Passkeys

### Login with Passkey

1. Navigate to login page
2. Enter username (or click "Sign in with passkey")
3. Browser prompts for passkey
4. Authenticate (fingerprint, face, security key)
5. Logged in immediately
### Fallback to Password
Passkeys are optional. You can always use password + MFA.
## Managing Passkeys

### View Registered Passkeys
Profile → Security → Passkeys
| Name | Type | Created | Last Used | Actions |
|---|---|---|---|---|
| MacBook Pro Touch ID | Platform | 2026-01-15 | 2 hours ago | [Rename] [Delete] |
| YubiKey 5C | Security Key | 2026-02-01 | 3 days ago | [Rename] [Delete] |
### Rename Passkey
Give passkeys descriptive names:
- ✅ "Work Laptop Touch ID"
- ✅ "Phone Fingerprint"
- ✅ "YubiKey Backup"
- ❌ "Authenticator 1"
### Delete Passkey

Remove passkey immediately:

1. Click Delete
2. Confirm removal
3. Passkey is revoked

Warning: Ensure you have another authentication method before deleting all passkeys.
## Security Considerations

### Attestation
WireBuddy supports attestation for key verification:
Settings → Security → Passkeys → Attestation
Options:
- None: No attestation (default, most compatible)
- Indirect: Anonymous attestation
- Direct: Full attestation (verify authenticator model)
Direct attestation allows you to:
- Verify specific security key models
- Enforce corporate key policies
- Detect cloned keys
### User Verification

Require User Verification:
- ✅ Enabled: Force PIN/biometric (recommended)
- ❌ Disabled: Possession-only (less secure)

User verification ensures:
- User is physically present
- Biometric or PIN verified
- Prevents unauthorized use even if the device is already unlocked
### Backup Passkeys
Register multiple passkeys:
- Primary: Daily use device (laptop, phone)
- Backup: Security key stored securely
- Alternative: Different device
This ensures you can always access your account.
### Recovery
If all passkeys are lost:
- Recovery codes: Use MFA recovery codes
- Admin reset: Contact admin to disable passkeys
- Password: Use password + MFA
## Advanced Configuration

### Relying Party Settings

Settings → Security → Passkeys → Advanced

```json
{
  "rpName": "WireBuddy",
  "rpID": "vpn.example.com",
  "origins": [
    "https://vpn.example.com"
  ],
  "timeout": 60000,
  "userVerification": "required",
  "attestation": "none"
}
```
### Allowed Authenticators

Restrict to specific authenticator types:

```json
{
  "authenticatorSelection": {
    "authenticatorAttachment": "cross-platform",
    "requireResidentKey": false,
    "residentKey": "preferred",
    "userVerification": "required"
  }
}
```
## Troubleshooting

### Passkey Registration Fails
Problem: "Registration failed" error
Causes:
- Browser not supported: Update browser
- HTTPS required: Passkeys only work over HTTPS
- Domain mismatch: RP ID doesn't match domain
- Authenticator unavailable: Touch ID disabled, security key not inserted
Solutions:
- Use supported browser (Chrome 109+, Safari 16+, Firefox 119+)
- Access via HTTPS (not HTTP)
- Check authenticator is available and functional
### Passkey Login Fails
Problem: "Authentication failed"
Causes:
- Wrong authenticator: Using different device/key than registered
- Passkey revoked: Admin deleted passkey
- Timeout: Didn't respond in time (default: 60 seconds)
- User verification failed: Wrong fingerprint/PIN
Solutions:
- Use the same authenticator you registered
- Check passkey still exists in profile
- Respond to prompt within 60 seconds
- Retry biometric or enter correct PIN
### Touch ID Not Working (macOS)

Problem: Touch ID prompt doesn't appear

Solutions:
- Check Touch ID is enabled:
- Restart browser
- Reset Touch ID (as last resort):
### Security Key Not Detected
Problem: Browser doesn't detect security key
Solutions:
- Insert key properly: USB-A vs USB-C adapter
- Touch key button: Some keys require touch during detection
- Try different USB port
- Check key compatibility: FIDO2/WebAuthn certified key required
- Update key firmware (if available)
## Best Practices

### For Users
- Register multiple passkeys (primary + backup)
- Use descriptive names for easy identification
- Store backup security key securely (not with primary device)
- Test backup passkey periodically
- Review registered passkeys regularly
### For Admins
- Enable passkeys for all users (optional but recommended)
- Require user verification (biometric/PIN)
- Use platform authenticators for convenience, security keys for high security
- Document recovery procedures
- Monitor passkey usage in audit logs
## Migration Guide

### From Password-Only

1. Users login with password
2. Prompt to register passkey (banner or modal)
3. User registers passkey
4. Continue using password + passkey
5. Optionally disable password once passkey is tested
### From Password + MFA

1. Users login with password + TOTP
2. Register passkey as additional method
3. Use passkey for faster login
4. Keep MFA as backup
### Enforcing Passkeys
Settings → Security → Enforce Passkeys
Options:
- Optional: Users can choose (default)
- Recommended: Encourage but don't require
- Required: Block password-only login for new accounts
- Mandatory: All users must register passkey (grace period: 30 days)
## Comparison: Passkeys vs Other Methods
| Feature | Passkeys | Password + MFA | Password Only |
|---|---|---|---|
| Security | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐ |
| Convenience | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ |
| Phishing Resistant | ✅ Yes | ⚠️ MFA can be phished | ❌ No |
| Password Reset | N/A | Needed | Needed |
| Offline | ✅ Works | ✅ Works (TOTP) | ✅ Works |
| Device Required | ✅ Yes | ⚠️ Phone (TOTP) | ❌ No |
## Resources

### Next Steps
- Authentication Guide - Overview of auth methods
- Security Overview - Complete security documentation
- User Management - Managing users