What are passkeys? | A passkey is an ultra secure, easy to use, alternative to signing in with a password.
With a passkey, you can sign into your account with your fingerprint, face scan, or a simple PIN. Passkeys provide strong cryptographic protection against security threats like phising and data breaches. Each passkey is unique to each website and can only be used by the website where it has been registered. |
| How does a passkey work? | A passkey consists of two parts, a public and private key. You keep the private key and it will only work with the public key kept by the website. It's a bit like a front-door key which will only work with our front-door lock. One part is useless without the other. Your key won't work on any other website, including fake websites, because they can't copy our lock, and no one can open our lock without using your special key. Access to your private key is protected by your PIN or biometrics on a device in your possession or a device you control. An attacker cannot use the private key without using your specific device and knowing how to unlock it. |
| Is a simple PIN safer than a complex password? | Yes. A simple PIN setup as a passkey is cryptographically protected by the security device (Windows Hello or your phone) and the actual security interaction with the website is much stronger than a 'strong' password and includes other checks to avoid a phising attack. |
| Do passkeys provide two factor/multi factor authentication (2FA/MFA)? | Yes. Passkeys are inherently a two factor/multi-factor authentication (2FA/MFA) system. They rely on something you have (the device that stores the passkey) AND something you are (biometrics) OR something you know (PIN). Passkeys are also inherently more secure and easier to use than email or text 2FA/MFA codes. |
| Do I have to use a passkey? | No, currently, adoption of passkeys is not mandatory, but we recommend that you use passkeys as a secure alternative to passwords. They are much stronger and easier to use than passwords, but if you are unable to use a passkey for any reason, you can still sign in with your password at the moment. However, you may be obliged to adopt passkeys for multi-factor authentication account security, if your organisation requires 2FA/MFA account security. |
| If I have more than one account, can I use passkeys? | Yes. You can create a passkey for each account and then choose which account to login with. After choosing the account, you'll be asked to choose the passkey method to use. |
| Is my biometric data shared with you? | No. Your biometric data stays on your device and is never shared with us or any service provider. |
| Do passkeys expire? | No, not usually, but this does depend on the provider managing the passkey, but there's no common practice to expire passkeys at the moment. |
| If I lose access to my passkey device, can I still log in with my password? | Yes, currently, you can still log in with your existing password should you not be able to use your passkey. This may change in the future. |
| What happens to my passkeys if I lose my device? | To use a passkey, your device will ask for your fingerprint, face, PIN or pattern to unlock your device. Without doing this, nobody else can use your passkey and it will remain secure on the device. You can still log in to your account using another device that has your passkey. If you do not have a passkey set up on another device, you can use your password instead or register a new passkey. |
| Are passkeys backed up? | It depends. Windows Hello based passkey details will be added to your Windows account. Passkeys created on Android devices are backed up and synced with your Google Account. For Apple based devices, the passkey is saved to your iCloud Keychain, so you can use it on other devices where you're signed in with your Apple ID. Other services may vary. We suggest you check the details of the service you use and ensure your passkeys are protected. |
| What happens if someone steals my passkey from your system? | Passkeys consist of two parts - a public and a private key. Only the public key is stored on our system when it is registered and it's useless without the corresponding private key, which is stored only on your device. Without physical access to your device and a way to unlock it, no one can log in to your passkey protected account on our systems. This two part separation is one of the main reasons why passkeys are so secure. |
| Can I use a passkey in my password manager software? | It depends, some password managers/account managers will work with passkeys now and some will be adding this capability in the near future. |
| I use several different computers, can I still use passkeys? | Yes, your sign-in credentials should be accessible to you on the same system wherever you login. If you have any difficulties check with your computer support service. |
| How can I remove a passkey? | To remove a passkey from your audit account, please submit a request to our help desk. They will remove the passkey from your account. You will also need to remove the passkey from your device, computer or mobile phone. For Windows Hello passkeys, open up the Accounts/Passkeys section, find the passkey and delete it. You can do something similar on your phone too. |