.. _passkeys-mfagateway:

Configuring MFA with Passkeys
=============================

Passkeys can be used to verify identity by prompting to enter biometric 
information such as a fingerprint, face scan or a PIN only known to the 
person possessing the registered endpoint.

In order to enable MFA with Passkeys, you will need to create a new Radius Policy.

Step 1 - Create a new Radius Policy
-----------------------------------

#. Navigate to Policy in the top panel
#. In the left window, click on Radius Policy
#. Click on Tasks and select Create
#. Enter Name for Radius Policy
#. Under the Conditions section, select the criteria to match on
#. Click Add 
#. Scroll down to the Policy Section
#. Set Access Policy to 'Continue' (this allows for the MFA challenge)
#. Set 2-Step Authentication to 'Passkeys'
#. Click Create

.. note:: Status can be left in 'Disabled' mode until you are ready to test.

.. note:: In order for MFA using Passkeys to function, ensure the Windows Hello options are configured on your PC (PIN, Fingerprint, Face, etc).

Step 2 - Test / Validate
------------------------

#. Connect using the Genian |product_name| Connection manager
#. Right-click on the tray icon
#. Select Network Access and then site name to connect
#. Sign in with user ID/password 
#. A Windows Hello window should display 
#. Enter the appropriate method to verify your identity (PIN, Fingerprint, Face)

.. note:: If you are not presented with an option to choose from, this may be due to limitations of the endpoint you are connecting with. Check Windows Hello and/or Sign On options as applicable to confirm the capabilities of your specific endpoint/OS.

#. You will be prompted to register once and then prompted a second time to verify
#. Once verified, |product_name| Connection Manager should update that you are now connected