.. _passkeys-ztna-client:

ZTNA-Client Passkeys Authentication
====================================

ZTNA connection agents (or OpenVPN-compatible clients) can use Passkeys (FIDO2) as a second authentication factor when connecting via RADIUS.

Prerequisites
-------------

- Genian agent or OpenVPN-compatible client
- Platform authenticators such as Windows Hello or external FIDO2 authenticators (USB/NFC/BLE)
- HTTPS and proper server configuration
- ZTNA-Client configuration (see: :ref:`ztna-client`)

Authentication modes
--------------------

1st factor Password and 2nd factor Passkeys
'''''''''''''''''''''''''''''''''''''''''''

- When connecting the ZTNA client, complete the 1st factor authentication (password or primary authentication), then use Passkeys as the 2nd factor.
- If Passkeys are already registered, the connection can use Passkeys for the 2nd factor.
- If not registered, the system may request Passkeys registration during the connection flow.

.. note:: ZTNA-Client using Passkeys requires a RADIUS server configuration that accepts Passkeys as a 2nd factor.

Configuration
-------------

1. Go to Policy > RADIUS Policy > Task > Create
2. Configure the condition (user group etc.) to match the users and set detailed RADIUS options:

   - attribute: User-Name
   - condition: user is one of the User Group
   - value: USER-ALL

3. In the policy Preferences, set the 2nd factor to Passkeys and configure RADIUS to accept Passkeys.

Related documents
-----------------

- :ref:`passkeys-auth`
- :ref:`ztna-client`
- :ref:`twostep-auth`