.. _passkeys-agent:

User Agent Passkeys Authentication
==================================

Windows Agent login supports Passkeys (FIDO2) as a second-factor authentication.

Prerequisites
-------------
- Using an agent that supports Passkeys
- Platform authenticators such as Windows Hello or external FIDO2 authenticators (USB/NFC/BLE)
- HTTPS and proper server configuration

Authentication modes
--------------------

1st factor Password and 2nd factor Passkeys
'''''''''''''''''''''''''''''''''''''''''''
- After completing the agent login with the 1st factor (password or other primary auth), the agent can use Passkeys as the 2nd factor.
- If Passkeys are already registered, agent login can be performed using Passkeys.
- If Passkeys are not registered, the agent may present a registration prompt after successful primary authentication.

.. note::
   Agent-based Passkeys 2-factor authentication requires the agent to be configured under Preferences > Authentication > Agent Authentication > Authentication Method.

Configuration
-------------

1. Single-factor (1st) authentication setup
'''''''''''''''''''''''''''''''''''''''''''''''''

- Path: Policy > Node Policy > Authentication Policy > Authentication Method > Select 2-Step Authentication Method option
- Option: Passkeys
  - Passkeys: Use Passkeys as the 2nd factor for agent authentication.

.. note::
   If agent authentication is configured to use Passkeys only, adjust the Preferences > User Authentication > User Account > "1-Step User Authentication Set Method" accordingly to avoid leaving accounts inaccessible.

2. Passkeys registration
''''''''''''''''''''''''''''''

- Agent login flow: Log in with user ID/PW, then perform local authentication and register device information; complete registration when prompted.

Related documents
-----------------
- :ref:`passkeys-auth`
- :ref:`twostep-auth`