Passkeys
Passkeys are a passwordless, phishing-resistant authentication method that uses your device's biometrics (fingerprint, face recognition) or PIN. They comply with FIDO2 and WebAuthn standards.
Passkeys are an alternative to password + 2FA. You can use either method (or both) to secure your account.
Passkeys vs. Two-Factor Authentication
| Aspect | Passkeys | 2FA with Authenticator |
|---|---|---|
| Setup | Register your device once | Set up an authenticator app or hardware token |
| Login | Biometric or PIN (local to device) | Password + time-based code |
| Recovery | Backup keys or registered devices | Recovery codes |
| Phishing Risk | Very low (cryptographic binding to domain) | Moderate (OTP can be intercepted) |
| User Experience | One tap/fingerprint | Two steps (password + code) |
| Portability | Synced across devices (iCloud Keychain, Google Password Manager) | Tied to specific authenticator app |
Recommendation: Use passkeys if your device supports biometric authentication. Combine with 2FA for extra security.
Registering a Passkey
Prerequisites
- A device with biometric support (fingerprint, face ID, Windows Hello, etc.) or PIN-capable device
- A supported browser (Chrome 120+, Safari 16+, Firefox 120+, Edge 120+)
- Your Plexicus account (email and password already registered)
Step 1: Navigate to Passkeys Settings
- Log in to your Plexicus account
- Go to Settings → Authentication → Passkeys
- Click Register a New Passkey
Step 2: Provide a Passkey Name
Give your passkey a friendly name (e.g., "iPhone 15 Pro", "Windows Laptop", "YubiKey 5"). This helps you identify which device/key to use when logging in.
Step 3: Verify Your Identity
Plexicus requires you to confirm your identity before registering a new passkey:
- Enter your current password, or
- Use an existing 2FA code if you have 2FA enabled
Step 4: Biometric/PIN Confirmation
Your browser will prompt you to confirm with your device's biometric or PIN:
- iPhone/iPad: Face ID or Touch ID
- Android: Fingerprint or face unlock
- Windows: Windows Hello (face or fingerprint) or PIN
- Mac: Touch ID or password
- Hardware Key: Physical button press (for FIDO2 keys like YubiKey)
This verification happens on your device—Plexicus never sees your biometric data.
Step 5: Backup Keys (Optional)
After registering, Plexicus provides backup keys — a set of single-use codes (e.g., "ABC-123-XYZ") that can recover access if you lose your device.
Important: Store backup keys in a secure location (password manager, physical safe). You can use each code once.
Using a Passkey to Log In
On Login Page
- Enter your email address
- Click Use Passkey (instead of entering a password)
- Your browser will prompt for biometric/PIN
- Complete the biometric/PIN on your device
- You'll be logged in instantly
If passkey fails:
- Ensure you're using a registered device
- Check that biometric/PIN is enabled on your device
- You can fall back to password login
Managing Passkeys
View Registered Passkeys
- Go to Settings → Authentication → Passkeys
- You'll see a list of registered passkeys with:
  - Device name (e.g., "iPhone 15 Pro")
  - Registered date
  - Last used timestamp
  - Status (active/inactive)
Remove a Passkey
- Find the passkey you want to remove (e.g., old phone, lost device)
- Click Delete
- Confirm deletion
- The passkey can no longer be used to log in
If you remove all passkeys and don't have a password set, you risk lockout. Ensure you retain at least one authentication method.
Rename a Passkey
- Click the passkey in your list
- Click Edit or Rename
- Enter a new name (e.g., "iPad Air — updated Nov 2025")
- Save
Recovery Scenarios
Lost Device
If you lose the device with your registered passkey:
- Use an alternative passkey if you registered multiple devices
- Or, use your password to log in
- Remove the lost device from Settings → Passkeys
All Passkeys Lost
If you lose all registered passkeys and cannot access your password:
- Click Can't access your account? on the login page
- Provide your email and identity verification (if applicable)
- Use a backup key (from your passkey registration) if available
- Contact support for account recovery
Backup keys are one-time use. Store them securely and separately from your devices.
Security Considerations
Device Security
- Your passkey is encrypted and stored securely on your device
- Biometric data (fingerprints, face) is never transmitted to Plexicus or stored centrally
- Only cryptographic signatures are sent during authentication
Phishing Protection
- Passkeys are bound to app.plexicus.ai specifically
- Phishing sites cannot trick your device into using your passkey (unlike OTP codes)
- You must authenticate with your device before login
Backup Key Storage
- Never share or email backup keys
- Store in a password manager or physical safe
- Do not store in the same location as your password
Device Compromise
If your device is compromised:
- Log into your account from another device
- Remove the compromised passkey from Settings → Passkeys
- Register a new passkey on a secure device
Combining Passkeys with 2FA
You can use both passkeys and 2FA for defense-in-depth:
- Scenario 1: Primary login with passkey, but still enforce 2FA during sensitive actions (API token creation, role changes)
- Scenario 2: Use passkey for everyday login; require 2FA for administrative operations
Both work independently and can be toggled in Settings → Authentication.
WebAuthn Environment
Passkeys rely on the WebAuthn standard. Plexicus uses:
- RP ID (Relying Party): plexicus.ai
- RP Name: Plexicus
- Origin: https://app.plexicus.ai
For self-hosted deployments, these values may differ. Contact your admin for the correct WebAuthn configuration.
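The domain binding described under Phishing Protection is enforced when the server checks a login assertion against the RP ID and origin listed above. The following is an added example, not Plexicus code: it sketches the origin, RP ID hash, challenge and user-verification checks defined by the WebAuthn specification. The function names `check_assertion_binding` and `build_sample` are hypothetical, the sample input is constructed, and signature verification is omitted.

```python
import hashlib
import hmac
import json

# Values taken from this page's "WebAuthn Environment" section.
RP_ID = "plexicus.ai"
EXPECTED_ORIGIN = "https://app.plexicus.ai"


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: str, require_uv: bool = True) -> list:
    """Return a list of binding failures; an empty list means these checks passed.

    Covers only the origin / RP ID / challenge / flag checks of assertion
    verification. Verifying the signature with the stored public key is a separate step.
    """
    errors = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        errors.append("type")
    # The browser, not the page script, fills in the origin, so a look-alike
    # domain cannot claim to be the real one.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")
    # The challenge must match the one issued for this login; compare in constant time.
    challenge = str(client_data.get("challenge", ""))
    if not hmac.compare_digest(challenge.encode(), expected_challenge.encode()):
        errors.append("challenge")

    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        return errors + ["authenticator_data_length"]
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        errors.append("rp_id_hash")
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP: user present (touch / button press)
        errors.append("user_present")
    if require_uv and not flags & 0x04:  # UV: biometric or PIN was verified
        errors.append("user_verified")
    return errors


def build_sample(origin: str, rp_id: str, challenge: str, flags: int = 0x05):
    """Constructed sample input for the check above (not captured traffic)."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return cdj, auth_data
```

For a self-hosted deployment, `RP_ID` and `EXPECTED_ORIGIN` would be replaced with the values your admin provides.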
Troubleshooting
"Passkey registration failed"
Cause: Browser doesn't support WebAuthn, or biometric not available.
Resolution:
- Use a supported browser (Chrome 120+, Safari 16+, Firefox 120+, Edge 120+)
- Ensure biometric/PIN is enabled on your device
- Try a different device
- Contact support if issues persist
"Passkey not recognized during login"
Cause: Using a different device or browser than expected.
Resolution:
- Ensure you're using a device with a registered passkey
- Try another registered device
- Use password login as fallback
- Check Settings → Passkeys to see which devices are registered
"Backup key is invalid"
Cause: Code entered incorrectly or already used.
Resolution:
- Double-check the backup key code (copy-paste if possible)
- Ensure the code hasn't been used before (each code is single-use)
- If you've lost all backup keys, contact support for account recovery
Related Pages
- Two-Factor Authentication — MFA with authenticator apps
- Audit Log — All passkey registration/login events logged
- Change Password — Reset your password if needed