.. _passkeys-cwp:

User CWP Passkeys Authentication
================================

On the User CWP login page, Passkeys (FIDO2 WebAuthn) can be configured as primary (1st) or secondary (2nd) authentication.

Prerequisites
-------------
- Modern browsers (Chrome/Edge/Safari/Firefox)
- Platform authenticators such as Windows Hello or external FIDO2 authenticators (USB/NFC/BLE); Android devices may support Bluetooth or built-in authenticators
- HTTPS and proper server configuration

Authentication modes
--------------------

Passkeys Only
''''''''''''''
- Shows an identifier input field on the login page.
- After identifier input, the system prompts for the Passkey authentication associated with that account.
- If a platform authenticator is available, authentication is performed using Passkeys.
- If platform authentication is not available, the system may offer alternative device registration methods.

.. note::
   Some Android devices require additional setup steps (Bluetooth permission or QR code enrollment) for platform authenticators.

Password or Passkeys
'''''''''''''''''''''
- Shows an identifier input field on the login page.
- After identifier input, users may be presented with either Password or Passkeys depending on the account configuration.
- If no platform authenticator is available, a fallback to password is supported.

Configuration steps
-------------------

.. toctree::
   :maxdepth: 1

   ../managing-users/users

Related documents
-----------------
- :ref:`passkeys-auth`
- :ref:`twostep-auth`