Staffbase supports passkeys as a secure, passwordless way for users to sign in to the App or Intranet. Instead of entering the password, users can authenticate using their fingerprint, facial recognition, or their device's screen lock PIN. Once a passkey is created, users can seamlessly sign into the Staffbase platform using it for all subsequent sign-ins.
How Passkeys Work With App/Intranet
Passkeys are based on the latest Fast Identity Online (FIDO) standards, developed by the FIDO Alliance, an open industry association dedicated to passwordless authentication.
When a user creates a passkey, the device generates a unique cryptographic key pair:
- Private Key: Securely stored on the user's device and never shared externally.
- Public Key: Securely shared with Staffbase.
These keys work like a lock and key. When Staffbase sends a sign-in request, the private key on your device answers it, and Staffbase checks that answer with the public key it holds.
How Passkeys Work During Sign-In
Passkeys inherently support multi-factor authentication. The two factors are:
- Something you have: Your device, where the passkey is stored.
- Something you are or something that is yours:
  - Biometric verification, like fingerprint or facial recognition
  - Something that is yours, like a device screen lock PIN or pattern
This two-factor approach makes passkeys extremely secure by combining something physical with something personal.
During a passkey sign-in:
- Staffbase sends a request based on the public key.
- Your device uses fingerprint, facial recognition, or screen lock to unlock the private key.
- Your device uses the private key to authenticate the request and sends the response back to Staffbase, which completes the sign-in.
Your fingerprint, facial recognition, or screen lock details are never shared with Staffbase. This sensitive information remains on your device and is only used to unlock the private key.
If you use passkeys to sign in to multiple accounts, each account gets its own unique key pair. This adds an extra layer of security by preventing credentials from being reused across services.
Benefits of Passkey
Improved Security
- Phishing-resistant: A passkey is bound to the website it was created for, so it can't be tricked into being used on a malicious look-alike site.
- No password leaks: Eliminates the risk of password thefts and data breaches.
- Biometric or device-based authentication: Authentication happens using fingerprint, facial recognition, or the device's screen lock PIN.
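The exchange described above (registration, challenge, local unlock, signed response) and the "phishing-resistant" and "one key pair per account" points can be seen in a small model. The following Go program is an added example, not Staffbase's code: the real platform uses the FIDO2/WebAuthn protocol through the browser or operating system, and the Ed25519 key type, the site identifier, the account names and the struct and function names here are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the user's phone or laptop. It keeps one private key per
// (site, account) pair and never hands a private key out.
type Device struct {
	passkeys map[string]ed25519.PrivateKey
}

func NewDevice() *Device { return &Device{passkeys: map[string]ed25519.PrivateKey{}} }

// CreatePasskey is registration: a fresh key pair is generated for this site and
// account, and only the public key is returned for the server to store.
func (d *Device) CreatePasskey(siteID, account string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d.passkeys[siteID+"|"+account] = priv
	return pub, nil
}

// Answer is the device side of sign-in. The fingerprint/face/PIN check is modelled
// by userVerified; without it the private key stays locked. In the real protocol
// the browser or OS supplies siteID from the actual site the user is on, so a
// look-alike site never finds a matching passkey (assumed model of that rule).
func (d *Device) Answer(siteID, account string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification failed: private key stays locked")
	}
	priv, ok := d.passkeys[siteID+"|"+account]
	if !ok {
		return nil, fmt.Errorf("no passkey for %q on %s", account, siteID)
	}
	return ed25519.Sign(priv, signedMessage(siteID, challenge)), nil
}

// signedMessage binds the challenge to the site so a signature for one site can
// never be presented to another.
func signedMessage(siteID string, challenge []byte) []byte {
	return append([]byte(siteID+"\x00"), challenge...)
}

// Server models Staffbase: it stores public keys only and treats every challenge
// as single-use, so a captured response cannot be replayed.
type Server struct {
	siteID     string
	publicKeys map[string]ed25519.PublicKey
	pending    map[string][]byte // account -> outstanding challenge
}

func NewServer(siteID string) *Server {
	return &Server{siteID: siteID, publicKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(account string, pub ed25519.PublicKey) { s.publicKeys[account] = pub }

// BeginSignIn issues a fresh 32-byte random challenge for the account.
func (s *Server) BeginSignIn(account string) ([]byte, error) {
	if _, ok := s.publicKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[account] = c
	return c, nil
}

// FinishSignIn consumes the pending challenge and verifies the device's
// signature with the stored public key.
func (s *Server) FinishSignIn(account string, sig []byte) bool {
	c, ok := s.pending[account]
	if !ok {
		return false
	}
	delete(s.pending, account) // one use only
	return ed25519.Verify(s.publicKeys[account], signedMessage(s.siteID, c), sig)
}

func main() {
	device, staffbase := NewDevice(), NewServer("intranet.example") // constructed site ID
	pub, _ := device.CreatePasskey("intranet.example", "alice")
	staffbase.Register("alice", pub)

	challenge, _ := staffbase.BeginSignIn("alice")
	sig, _ := device.Answer("intranet.example", "alice", challenge, true)
	fmt.Println("signature:", hex.EncodeToString(sig)[:16]+"...")
	fmt.Println("sign-in accepted:", staffbase.FinishSignIn("alice", sig))
	fmt.Println("replay accepted: ", staffbase.FinishSignIn("alice", sig))

	// A look-alike site asks the device for a response; no passkey exists for it.
	c2, _ := NewServer("intranet-example.test").BeginSignIn("alice")
	_, err := device.Answer("intranet-example.test", "alice", c2, true)
	fmt.Println("look-alike site:", err)
}
```

Only the public key ever leaves the device, the biometric or PIN check happens locally to unlock the private key, the challenge is random and single-use, and the signature covers the site identifier, which together are the properties the list above relies on.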
Enhanced User Experience
- One-tap sign-in: To unlock, just use your fingerprint, facial recognition, or device's screen lock PIN. This makes your sign-in experience as seamless as unlocking your device.
- No passwords: There is no need to remember or type long passwords. Unlike passwords, passkeys cannot be forgotten when using biometric options.
Ease of Administration
- Fewer password reset requests: Reduced reliance on passwords lowers the volume of reset requests and minimizes the risk of credential-based attacks, such as phishing or password reuse.
- Shorter session timeouts: Administrators can implement stricter session timeout policies to enhance security without negatively affecting platform usage or user experience.
How Users Experience Sign-In With Passkey
Your user experience may vary based on the device and the password manager available on your device.
- Using the same ecosystem: If you use a Mac (macOS) to sign in on your desktop and an iPhone to sign in to the mobile app, only a single passkey is created, because the private key is shared between those devices.
- Using different ecosystems: If you use a Mac (macOS) to sign in on your desktop and an Android device for the mobile app, each device generates its own passkey.
In the example below, the mobile app uses Google Password Manager, whereas the desktop app uses iCloud Keychain.
In the example below, the sign-in process using fingerprint is shown. Facial recognition and screen lock authentication work just as seamlessly.