Add the Passkeys (FIDO2 WebAuthn) authenticator

Add the Passkeys (FIDO2 WebAuthn) authenticator to create passkeys.

  1. In the Admin Console, go to SecurityAuthenticators.

  2. On the Setup tab, click Add Authenticator.

  3. Click Add on the Passkeys (FIDO2 WebAuthn) tile.
  4. On the Passkeys (FIDO2 WebAuthn) authenticator page, enable Create passkeys. See Create passkeys.
  5. Configure the end user experience. See Customize the Passkeys (FIDO2 WebAuthn) end-user experience.
  6. Configure the access controls. See Configure the Passkeys (FIDO2 WebAuthn) access controls.

  7. Click Add. The authenticator appears in the list on the Setup tab.

Create passkeys

To configure the Passkeys (FIDO2 WebAuthn) authenticator to create passkeys, toggle on Create passkeys in the Credential settings section.

When this setting is enabled, the authenticator always creates passkeys, and the Resident Key requirement value is required. This provides a consistent and predictable user experience, and all passkeys features are available.

When this setting is disabled, a mix of passkeys and older legacy U2F credentials are created, and the Resident Key requirement value is discouraged. This can cause an inconsistent user experience because passkey-specific features are unavailable.

Add the Passkeys (FIDO2 WebAuthn) authenticator to the authenticator enrollment policy

  1. In the Admin Console, go to SecurityAuthenticators.

  2. Click the Enrollment tab.
  3. Add the authenticator to a new or an existing authenticator enrollment policy.

Edit or delete the Passkeys (FIDO2 WebAuthn) authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.