Skip to main content

Passkeys

Passkeys are a passwordless, phishing-resistant authentication method that uses your device's biometrics (fingerprint, face recognition) or PIN. They comply with FIDO2 and WebAuthn standards.

note

Passkeys are an alternative to password + 2FA. You can use either method (or both) to secure your account.

Passkeys vs. Two-Factor Authentication

AspectPasskeys2FA with Authenticator
SetupRegister your device onceSetup authenticator app or hardware token
LoginBiometric or PIN (local to device)Password + time-based code
RecoveryBackup keys or registered devicesRecovery codes
Phishing RiskVery low (cryptographic binding to domain)Moderate (OTP can be intercepted)
User ExperienceOne tap/fingerprintTwo steps (password + code)
PortabilitySynced across devices (iCloud Keychain, Google Password Manager)Tied to specific authenticator app

Recommendation: Use passkeys if your device supports biometric authentication. Combine with 2FA for extra security.

Registering a Passkey

Prerequisites

  • A device with biometric support (fingerprint, face ID, Windows Hello, etc.) or PIN-capable device
  • A supported browser (Chrome 120+, Safari 16+, Firefox 120+, Edge 120+)
  • Your Plexicus account (email and password already registered)

Step 1: Navigate to Passkeys Settings

  1. Log in to your Plexicus account
  2. Go to SettingsAuthenticationPasskeys
  3. Click Register a New Passkey

Step 2: Provide a Passkey Name

Give your passkey a friendly name (e.g., "iPhone 15 Pro", "Windows Laptop", "YubiKey 5"). This helps you identify which device/key to use when logging in.

Step 3: Verify Your Identity

Plexicus requires you to confirm your identity before registering a new passkey:

  • Enter your current password, or
  • Use an existing 2FA code if you have 2FA enabled

Step 4: Biometric/PIN Confirmation

Your browser will prompt you to confirm with your device's biometric or PIN:

  • iPhone/iPad: Face ID or Touch ID
  • Android: Fingerprint or face unlock
  • Windows: Windows Hello (face or fingerprint) or PIN
  • Mac: Touch ID or password
  • Hardware Key: Physical button press (for FIDO2 keys like YubiKey)
note

This verification happens on your device—Plexicus never sees your biometric data.

Step 5: Backup Keys (Optional)

After registering, Plexicus provides backup keys — a set of single-use codes (e.g., "ABC-123-XYZ") that can recover access if you lose your device.

Important: Store backup keys in a secure location (password manager, physical safe). You can use each code once.

Using a Passkey to Log In

On Login Page

  1. Enter your email address
  2. Click Use Passkey (instead of entering a password)
  3. Your browser will prompt for biometric/PIN
    • Complete the biometric/PIN on your device
  4. You'll be logged in instantly

If passkey fails:

  • Ensure you're using a registered device
  • Check that biometric/PIN is enabled on your device
  • You can fall back to password login

Managing Passkeys

View Registered Passkeys

  1. Go to SettingsAuthenticationPasskeys
  2. You'll see a list of registered passkeys with:
    • Device name (e.g., "iPhone 15 Pro")
    • Registered date
    • Last used timestamp
    • Status (active/inactive)

Remove a Passkey

  1. Find the passkey you want to remove (e.g., old phone, lost device)
  2. Click Delete
  3. Confirm deletion
  4. The passkey can no longer be used to log in
warning

If you remove all passkeys and don't have a password set, you risk lockout. Ensure you retain at least one authentication method.

Rename a Passkey

  1. Click the passkey in your list
  2. Click Edit or Rename
  3. Enter a new name (e.g., "iPad Air — updated Nov 2025")
  4. Save

Recovery Scenarios

Lost Device

If you lose the device with your registered passkey:

  1. Use an alternative passkey if you registered multiple devices
  2. Or, use your password to log in
  3. Remove the lost device from SettingsPasskeys

All Passkeys Lost

If you lose all registered passkeys and cannot access your password:

  1. Click Can't access your account? on the login page
  2. Provide your email and identity verification (if applicable)
  3. Use a backup key (from your passkey registration) if available
  4. Contact support for account recovery
note

Backup keys are one-time use. Store them securely and separately from your devices.

Security Considerations

Device Security

  • Your passkey is encrypted and stored securely on your device
  • Biometric data (fingerprints, face) is never transmitted to Plexicus or stored centrally
  • Only cryptographic signatures are sent during authentication

Phishing Protection

  • Passkeys are bound to app.plexicus.ai specifically
  • Phishing sites cannot trick your device into using your passkey (unlike OTP codes)
  • You must authenticate with your device before login

Backup Key Storage

  • Never share or email backup keys
  • Store in a password manager or physical safe
  • Do not store in the same location as your password

Device Compromise

If your device is compromised:

  1. Log into your account from another device
  2. Remove the compromised passkey from SettingsPasskeys
  3. Register a new passkey on a secure device

Combining Passkeys with 2FA

You can use both passkeys and 2FA for defense-in-depth:

  • Scenario 1: Primary login with passkey, but still enforce 2FA during sensitive actions (API token creation, role changes)
  • Scenario 2: Use passkey for everyday login; require 2FA for administrative operations

Both work independently and can be toggled in SettingsAuthentication.

WebAuthn Environment

Passkeys rely on the WebAuthn standard. Plexicus uses:

  • RP ID (Relying Party): plexicus.ai
  • RP Name: Plexicus
  • Origin: https://app.plexicus.ai

For self-hosted deployments, these values may differ. Contact your admin for the correct WebAuthn configuration.

Troubleshooting

"Passkey registration failed"

Cause: Browser doesn't support WebAuthn, or biometric not available.

Resolution:

  1. Use a supported browser (Chrome 120+, Safari 16+, Firefox 120+, Edge 120+)
  2. Ensure biometric/PIN is enabled on your device
  3. Try a different device
  4. Contact support if issues persist

"Passkey not recognized during login"

Cause: Using a different device or browser than expected.

Resolution:

  1. Ensure you're using a device with a registered passkey
  2. Try another registered device
  3. Use password login as fallback
  4. Check SettingsPasskeys to see which devices are registered

"Backup key is invalid"

Cause: Code entered incorrectly or already used.

Resolution:

  1. Double-check the backup key code (copy-paste if possible)
  2. Ensure the code hasn't been used before (each code is single-use)
  3. If you've lost all backup keys, contact support for account recovery