Passkey Authentication

What Are Passkeys?

Passkeys are a modern, passwordless authentication method that replaces traditional passwords with cryptographic credentials stored on your device. They use the WebAuthn/FIDO2 standard, which is supported by all major browsers and operating systems.

Instead of typing a password, users authenticate with:

• Face ID on iPhone and Mac
• Touch ID on Mac and iPhone
• Windows Hello on Windows devices
• Fingerprint or face unlock on Android
• Hardware security keys like YubiKey

Why Use Passkeys?

Passkeys offer several advantages over traditional passwords:

• Phishing-resistant: Passkeys are bound to your specific website and cannot be used on fake sites
• No passwords to remember: Users authenticate with biometrics or a PIN they already use
• No passwords to steal: There's no password that can be leaked in a data breach
• Fast and convenient: Sign in with a quick tap or glance
• Works alongside 2FA: Can be used independently or with TOTP for additional security

Enabling Passkey Authentication

To enable passkey authentication for your WordPress site:

1. Go to ArmorPro → Settings
2. Find the Passkey Authentication section
3. Toggle Enable Passkey Auth to on
4. Select which user roles can use passkeys
5. Optionally adjust the max passkeys per user (default: 10)

User Verification Settings

The User Verification setting controls whether users must verify their identity (with biometrics or PIN) when using a passkey:

• Required: Always require biometric or PIN verification
• Preferred (Recommended): Request verification when available, but allow passkeys that don't support it
• Discouraged: Skip verification when possible (less secure)

Setting Up Your Passkey

Once passkeys are enabled, users can register their passkeys from their WordPress profile:

1. Go to Users → Profile
2. Scroll to the Passkey Authentication section
3. Click Add Passkey
4. Give your passkey a friendly name (e.g., "MacBook Pro" or "iPhone")
5. Follow the browser prompts to create the passkey

Signing In with a Passkey

When passkeys are enabled, users see a "Sign in with Passkey" button on the WordPress login page. Clicking this button:

1. Triggers the browser's passkey selection
2. Prompts for biometric verification (Face ID, Touch ID, etc.)
3. Signs the user in immediately upon success

No username or password is needed. The passkey identifies the user automatically.

Managing Passkeys

Users can manage their registered passkeys from their profile page:

• View passkeys: See all registered passkeys with their names and last-used dates
• Rename: Click the edit icon to rename a passkey
• Delete: Remove passkeys you no longer use or have lost access to

Passkeys vs. Two-Factor Authentication

Passkeys and TOTP-based 2FA serve different purposes and can be used together:

Browser Support

Passkeys are supported in all modern browsers:

• Chrome: Version 67 and later
• Safari: Version 14 and later
• Firefox: Version 60 and later
• Edge: Version 79 and later

If a user's browser doesn't support WebAuthn, the passkey login button simply won't appear. They can still sign in with their password.

Troubleshooting

Passkey button doesn't appear

• Make sure passkeys are enabled in ArmorPro settings
• Verify your browser supports WebAuthn (see browser support above)
• Try a different browser to isolate the issue

Can't create a passkey

• Ensure you're on HTTPS (passkeys require a secure connection)
• Check that your device supports the authentication method (biometrics, security key)
• Try restarting your browser

Passkey authentication fails

• The passkey may have been created on a different device
• Your device's biometric data may have changed (re-register the passkey)
• The passkey may have been deleted from your device's password manager

"Possible cloned authenticator" error

This security message appears if the passkey's signature counter is lower than expected, which could indicate the passkey was copied. Delete and re-register the passkey if you see this error.