Overview
Passwordless authentication uses passkeys to verify your identity when logging into certain web applications. RPI's Single Sign-On system supports passkeys as an alternative to password-based authentication. A passkey is created by a compatible device, which will detect when it’s applicable and guide you through the setup process. Each passkey consists of a pair of cryptographic keys stored on your device. These keys can only be used by that specific device and are protected by your device’s biometrics or PIN.
Procedures
Supported Devices
- iOS devices or Macs with either Touch ID or Face ID. Supports iCloud sync.
- Android devices that have Android biometrics set up. The Firefox app requires Android 12 or newer.
- Windows workstations that are compatible with Windows Hello or Windows Hello for Business.
- YubiKey or passkey managers that are PIN or password protected.
How to Set Up Passkey Authentication for SSO
1. Enroll a Passkey with Duo
2. Log in with Passkey
The next time you log in to any application that uses RPI’s Single Sign-On (SSO)—such as Box or SIS—start by entering your RPI username and password. After that, you’ll be redirected to Duo for multi-factor authentication (MFA).
Here, select your passkey method (Touch ID, Face ID, Android biometrics, or Windows Hello) instead of approving a push notification. If this method isn’t selected by default, click “Other Options” and choose your passkey.
3. Save the Passkey in Your Browser
After completing authentication, you’ll be redirected back to the SSO site. You should be prompted to save the passkey in your browser for future logins.

[image showing screenshot of passwordless opt-in page]
4. Passwordless Login
The next time you log in to any SSO-enabled application, you’ll be able to sign in without using your password. Your username should be pre-filled, and you’ll have the option to log in using your passkey.
How Is Passwordless Authentication Secure, and Is It Still Multi-Factor?
Passwords can be guessed, brute-forced, or stolen—often through data breaches or phishing attacks. To improve security while preserving the familiarity of usernames and passwords, many organizations have adopted Multi-Factor Authentication (MFA). With MFA, logging in requires not only something you know (your password) but also something you have (like a phone or hardware token) to confirm your identity.
Passwordless authentication takes this a step further by removing passwords entirely. Instead, it verifies your identity using a combination of:
• Something you have: a registered device that stores your unique passkey
• Something you are: biometrics, such as a fingerprint or facial recognition
Because it uses two different types of authentication factors (a device and a biometric), passwordless authentication still qualifies as multi-factor authentication—and it’s typically more secure, since there’s no password to steal or reuse.
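The following is an added illustration, not code from RPI or Duo, of why a passkey login leaves no reusable secret: the server keeps only a public key and checks a signature over a fresh challenge and the site origin. It is a simplified model of the real protocol; the origins and function names are hypothetical, and the biometric or PIN check is modelled as a boolean.

```javascript
// Simplified passkey-style challenge-response (added illustration, Node.js).
const nodeCrypto = require('crypto');

// Enrollment: the device creates a P-256 key pair; only the public key is sent to the server.
function enrollPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { device: { privateKey }, server: { publicKey, usedChallenges: new Set() } };
}

// Server: a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Device: signs only after the local biometric or PIN check succeeds (assumed boolean).
// The signed payload binds the challenge to the origin the browser is actually on.
function deviceSign(device, challenge, origin, userVerified) {
  if (!userVerified) throw new Error('user verification failed');
  const payload = Buffer.from(JSON.stringify({ challenge, origin }));
  return { payload, signature: nodeCrypto.sign('sha256', payload, device.privateKey) };
}

// Server: check the origin, the challenge freshness, then the signature.
function serverVerify(server, expectedChallenge, expectedOrigin, assertion) {
  const { challenge, origin } = JSON.parse(assertion.payload.toString());
  if (origin !== expectedOrigin) return 'wrong-origin';
  if (challenge !== expectedChallenge || server.usedChallenges.has(challenge)) return 'stale-challenge';
  if (!nodeCrypto.verify('sha256', assertion.payload, server.publicKey, assertion.signature)) return 'bad-signature';
  server.usedChallenges.add(challenge);
  return 'ok';
}

// Constructed scenario: a normal login, a reused response, and a look-alike site.
function demo() {
  const SSO = 'https://sso.example.org'; // hypothetical SSO origin
  const { device, server } = enrollPasskey();
  const c1 = newChallenge();
  const a1 = deviceSign(device, c1, SSO, true);
  const first = serverVerify(server, c1, SSO, a1);
  const c2 = newChallenge();
  const replay = serverVerify(server, c2, SSO, a1); // earlier response presented again
  const a3 = deviceSign(device, c2, 'https://sso.example.net', true); // signed on another origin
  const phished = serverVerify(server, c2, SSO, a3);
  return { first, replay, phished };
}

console.log(demo());
```

The server record holds nothing that can be replayed elsewhere: a captured response fails the next challenge, and a response produced on a different origin fails the origin check.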
More details about passkeys can be found here.
References/Links
Last Reviewed: 08-Jul-2025