Admin Passkeys Authentication

Passkeys (FIDO2) can be configured as primary (1st) or secondary (2nd) authentication methods for admin accounts in the Web Console (MC2).

Prerequisites

  • Modern browsers (Chrome/Edge/Safari/Firefox)

  • Platform authenticators such as Windows Hello or external FIDO2 authenticators (USB/NFC/BLE)

  • HTTPS and proper server configuration

Note

Passkeys are bound to a specific admin account and device. If a user cannot use Passkeys, you can configure alternative authentication methods (password, OTP, SMS, etc.) for that account.

Authentication modes

Passkeys Only

  • Shows an input field for the identifier on the login screen.

  • After the identifier is entered, the system prompts for the Passkey authentication associated with that account.

  • If a platform authenticator is available, authentication is performed using Passkeys.

  • If no Passkey is registered, you can allow password authentication first, then register Passkeys after successful login.

Password or Passkeys

  • Shows an identifier input field on the login screen.

  • If the account's current authentication method is Password, the password input field is shown.

  • If the account has no authentication method configured, users can register Passkeys as primary.

  • If an account already has Passkeys registered, login will be possible via Passkeys.

  • If no Passkey is registered, allow password authentication, then register Passkeys after login.

  • If Passkeys were previously registered or disabled, the account can still be protected using Password.

Configuration steps

1. Single-factor (1st) authentication setup

  • Path: Preferences > General > Console > 2-Step Authentication Set Method > Select Authentication Method

  • Option: "Passkeys" or "Password or Passkeys"

      - Passkeys: Use Passkeys as the single-factor authentication method.

      - Password or Passkeys: Allow selecting Passkeys or Password per admin account.

2. Two-factor (2nd) authentication setup (selection)

  • You can add secondary authentication such as SMS/OTP/Email when required.

  • Option: Either custom settings or policy-based enforcement

      - Custom settings: Configure 2nd factor options per admin account.

      - Policy enforcement: Enforce 2nd factor for all or specific admin accounts.

Note

If the 2nd factor configuration in Preferences > General > Console > 2-Step Authentication Set Method is set to "Individual settings" and the currently authenticated user has not configured MFA, the UI will show that the permission is limited.

3. Passkeys registration

  • Path: Management > Administrators > Select Admin Accounts

  • Registration: General > User passkey authentication information > Create a Passkey, then complete the registration by following the on-screen instructions.