Passkeys
Permiso uses passkeys for authentication; there are no passwords. This page explains what passkeys are, why they're more secure, and how users manage them.
What is a passkey?
A passkey is a cryptographic credential stored on a user's device. When a user logs in, their device proves who they are by signing a one-time challenge with a private key that never leaves the device. There's no password to type, remember, or leak.
From a user's perspective, logging in looks like this:
- On a Mac or iPhone: a Face ID or Touch ID prompt
- On Windows: a Windows Hello prompt (PIN, fingerprint, or face recognition)
- On Android: a fingerprint or screen lock prompt
- With a hardware key (like a YubiKey): insert the key and tap the button
The whole thing takes a few seconds.
Why passkeys are more secure than passwords
Passwords have well-known problems: they get reused, leaked in breaches, and stolen through phishing. Passkeys address all of these:
- Phishing-resistant: a passkey is bound to the website (origin) it was created on, and the browser will not use it anywhere else. A look-alike login page on a different domain can't trick it into working.
- No credential stuffing: there's no password to leak, so breached credentials from other sites can't be used here.
- Device-bound: the private key never leaves the device. Only a one-time signature crosses the network, so someone who intercepts the traffic gets nothing they can replay to log in.
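The properties above come from how a passkey login is checked on the server. The Go program below is an added example written for this page, not Permiso's code: it models an authenticator holding a P-256 key, a login response signed over the server's one-time challenge and the page origin, and the server-side checks (challenge, origin, RP ID hash, signature) that make an intercepted or phished response useless. The RP ID `permiso.example` and both origins are constructed placeholders, and the `Register`, `Assert` and `Verify` functions are this example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData carries the WebAuthn clientDataJSON fields that matter here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models the user's device: the private key is generated here and
// never exported; rpID is the site the passkey was registered for.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Credential is all the server stores after registration: the public key and RP ID.
type Credential struct {
	RPID string
	Pub  *ecdsa.PublicKey
}

// Assertion is the login response that crosses the network.
type Assertion struct{ AuthData, ClientData, Signature []byte }

// Register creates a device-bound key pair and hands only the public half to the server.
func Register(rpID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, Credential{RPID: rpID, Pub: &priv.PublicKey}, nil
}

// Assert signs the server's challenge plus the origin the browser reports. A real
// browser never asks the authenticator when the origin does not belong to rpID;
// this model lets it through so the server-side origin check can be exercised.
func (a *Authenticator) Assert(origin string, challenge []byte) (Assertion, error) {
	cd, err := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (0x01 = user present) || counter (unused here)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientData: cd, Signature: sig}, nil
}

// signedDigest is what WebAuthn signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Verify is the server side of the login; no check involves a password.
func Verify(cred Credential, expectedOrigin string, challenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(cred.RPID))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return fmt.Errorf("challenge mismatch: stale or replayed assertion") // challenges are single-use
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin) // phishing resistance
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(cred.Pub, signedDigest(as.AuthData, as.ClientData), as.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	auth, cred, _ := Register("permiso.example") // constructed RP ID, not a real domain
	for _, origin := range []string{"https://permiso.example", "https://permiso-login.example"} {
		challenge := make([]byte, 32) // a fresh random challenge per login attempt
		if _, err := rand.Read(challenge); err != nil {
			panic(err)
		}
		as, _ := auth.Assert(origin, challenge)
		fmt.Printf("%-30s -> %v\n", origin, Verify(cred, "https://permiso.example", challenge, as))
	}
}
```

Running it prints a nil error for the genuine origin and an origin-mismatch error for the look-alike domain, even though the same device signed both responses. A production verifier additionally checks the user-verification flag and the signature counter in the authenticator data, which this model leaves out.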
How users register a passkey
When a new user follows a sign-up link and creates their account, the last step is registering a passkey. Their browser or device prompts them to complete the registration. This is usually a Face ID, Touch ID, or PIN prompt. After that, they're logged in.
Multiple passkeys
A user can register more than one passkey. For example, one on their laptop and one on their phone. Having a second passkey on a different device is a good backup in case they lose access to their primary one.
Users can manage their passkeys from Settings → Account → Security. They can add new passkeys and remove ones they no longer use.
If a user loses access to their passkey
If a user gets a new device and no longer has their passkey (or if they accidentally delete it), an admin can send them a one-time login link from the user's profile page. They follow the link to log back in without a passkey, then immediately register a new one.
From Settings → Administration → Users, open the user's profile and click Send login link.
Hardware security keys
Permiso fully supports hardware security keys that implement the FIDO2/WebAuthn standard (like YubiKeys). Signing in to Permiso works the same way as with any other passkey: the user inserts the key when prompted and taps its button to authenticate.