Reference

Passkeys

Sign in or confirm sensitive actions with Touch ID, Face ID, Windows Hello, or a hardware key — no password to remember, no codes to copy.

For
Everyone
Find it at
Profile → Security → Passkeys
Reading time
4 min

In one sentence

A passkey is a credential stored on your device (or synced via iCloud or Google) that signs you in with one tap of Touch ID, Face ID, Windows Hello, or a hardware key — and the same passkey confirms sensitive actions when your org's auth policy requires it.

Three things to remember
  • Enrol once, use everywhere. A passkey covers both sign-in and step-up confirmations.
  • Enrol multiple devices. Phone, laptop, hardware key — they all live alongside each other in your profile.
  • Recovery doesn't depend on the device. Your account is recoverable through the password / temp-password path even if every enrolled device is lost.

Enrolling a passkey

  1. Open your Profile from the sidebar.
  2. Find the Security · Passkeys card.
  3. Click + Add a passkey and (optionally) name the device — "MacBook Air", "iPhone", "YubiKey 5".
  4. Your browser surfaces the platform's native prompt. Approve with Touch ID, Face ID, Windows Hello, or your hardware key.
  5. The new passkey appears in the list with the device name, when it was added, and (if relevant) a Synced badge for iCloud / Google-managed credentials.

You can enroll as many passkeys as you have devices. Each one is private to you — other people in your organization can't see or remove your credentials.

The Security · Passkeys card on the Profile page with Add a passkey button and existing devices listed

Signing in with a passkey

On the login page, click Sign in with a passkey. The browser offers credentials it has for this site — pick one and tap to confirm. No email or password.

If your browser supports conditional UI (recent Chrome / Safari), the passkey may auto-suggest from autofill before you click anything.

Confirming sensitive actions (step-up)

If your organization's auth policy requires step-up, certain actions prompt for a fresh passkey confirmation:

  • Approving any step on a document, or direct-publishing a patch revision
  • Approving or closing a Management of Change (MOC)
  • Approving an Exemption
  • Approving a JHA or FMEA
  • Closing an NCR
  • Closing a meeting

Click the action as normal. A Confirm with your passkey modal appears. Tap to confirm — the action proceeds and the audit trail records the timestamp. The next five minutes of sensitive actions skip the prompt automatically.

If you haven't enrolled a passkey yet

If step-up fires on you before you've enrolled a passkey, the modal shows an amber-tinted panel with an Enroll a passkey now link instead of a dead-end error. The link opens your profile in a new browser tab so you don't lose the form you were in the middle of submitting.

The flow:

  1. Click the action as usual.
  2. The Confirm with your passkey modal opens; instead of the fingerprint prompt you see "No passkey enrolled — add one in your profile first."
  3. Click Enroll a passkey now — your profile opens in a new tab on the Security · Passkeys card.
  4. Add a passkey there.
  5. Switch back to the original tab. The modal is still open. Click Confirm with passkey again — the new credential satisfies the prompt and the action proceeds.

If your org admin has set up the policy carefully, they were warned about your missing passkey before the toggle went live (see the Two-tier guard section in Auth & sign-in policy) — but the inline enrollment CTA is here as a fallback so nobody gets hard-blocked.

See Auth & sign-in policy for the policy that turns step-up on.

Recovery

SituationWhat to do
Lost a device, still have your passwordSign in with email + password, enroll a new passkey from the Security card, optionally remove the lost device.
Lost all devices, no passwordAsk an admin for a temporary password (Admin → Users → reset). Sign in with that, then enroll a new passkey.

Passkeys are scoped to your account, not your device — even if you lose every device you've ever enrolled, your account is recoverable.

Removing a passkey

In the Security card, click the trash icon next to the passkey. Confirm in the dialog. The passkey is invalidated immediately — anyone holding the device can no longer use it to sign in or confirm actions on your behalf.

If it was your only passkey, you'll fall back to email + password sign-in (assuming that method is allowed by your org's auth policy).

Was this helpful?
Suggest an edit →