Passkey Authentication

Overview

Passkeys provide passwordless login using the WebAuthn/FIDO2 standard. Instead of typing a password, users authenticate with a biometric (Face ID, Touch ID, fingerprint) or a hardware security key (YubiKey, etc.). The result is a login experience that is both faster and more secure than traditional passwords.

What are passkeys

A passkey is a cryptographic key pair: a private key stored securely on your device and a public key stored on the website. When you log in, your device proves it holds the private key without ever transmitting it. The key pair is bound to the specific website domain, which means:

• Phishing-resistant — Passkeys only work on the exact domain they were registered for. A fake login page on a different domain cannot use your passkey.
• No passwords to steal — There is no shared secret that can be leaked in a database breach, intercepted in transit, or guessed by brute force.
• Convenient — A fingerprint scan or face recognition replaces typing a password and 2FA code.

Supported authentication methods

• Face ID (iPhone, iPad, Mac)
• Touch ID (Mac, older iPhones)
• Windows Hello (fingerprint, face, PIN)
• Android biometric (fingerprint, face)
• Hardware security keys (YubiKey, Titan, SoloKeys, etc. via USB, NFC, or Bluetooth)

Enabling passkeys

To enable passkey authentication for your site:

1. Navigate to ArmorPro → Settings
2. Find the Passkey Authentication toggle
3. Switch it on

Settings

User verification modes

• Required — The browser must verify the user (biometric or PIN) every time. Most secure, but may not work with all security keys.
• Preferred — The browser will attempt verification if the device supports it, but will not fail if it cannot. Recommended for most sites.
• Discouraged — The browser will skip verification when possible. Fastest login, but less secure. Suitable for low-risk sites.

Registering a passkey

Each user registers passkeys from their own WordPress profile page:

1. Go to Users → Profile (or click your name in the admin bar)
2. Scroll to the Passkeys (Security Keys) section
3. Click Register New Passkey
4. Your browser will prompt for a biometric scan or security key tap
5. Give the passkey a friendly name (for example, "MacBook Touch ID" or "YubiKey Office")

The passkey is now registered and ready to use for future logins.

Signing in with a passkey

Once you have registered at least one passkey, you can use it to log in:

1. Go to your WordPress login page
2. Click Login with Passkey
3. Your browser prompts for a biometric scan or security key tap
4. You are logged in immediately (no password or 2FA code needed)

Traditional password login remains available as a fallback. Users can always choose to enter their username and password instead.

Managing passkeys

Registered passkeys are listed in the Passkeys (Security Keys) section of the user profile page. Each entry shows:

• Friendly name — The name you gave the passkey during registration (editable inline)
• Last used — The date and time the passkey was last used to log in

You can rename passkeys by clicking the name and editing it inline. To remove a passkey, click the Delete button next to it.

Passkey promotion

After a user logs in with a traditional password, ArmorPro displays a banner offering to register a passkey for faster future logins. This encourages passkey adoption without forcing it. The banner can be dismissed and will not appear again until the next password login.

Security features

Clone detection

ArmorPro tracks the sign_count reported by each passkey. Every time a passkey is used, the counter should increment. If the counter does not increase (or goes backward), it may indicate the key has been cloned. ArmorPro flags this condition so administrators can investigate.

Transport tracking

ArmorPro records the transport type used by each passkey: USB, NFC, or Bluetooth (BLE). This information helps administrators understand how passkeys are being used across the organization.

Passkey sync

Modern passkeys can sync across devices through platform services like iCloud Keychain, Google Password Manager, or Microsoft Account. A passkey registered on your iPhone can automatically become available on your Mac, iPad, and other Apple devices. This makes passkeys more convenient than traditional hardware-bound security keys while maintaining strong security.