User Agent Passkeys Authentication

Windows Agent login supports Passkeys (FIDO2) as a second authentication factor.

Prerequisites

  • An agent that supports Passkeys

  • Platform authenticators such as Windows Hello or external FIDO2 authenticators (USB/NFC/BLE)

  • HTTPS and proper server configuration

Authentication modes

1st factor Password and 2nd factor Passkeys

  • After completing the agent login with the 1st factor (password or other primary auth), the agent can use Passkeys as the 2nd factor.

  • If Passkeys are already registered, agent login can be performed using Passkeys.

  • If Passkeys are not registered, the agent may present a registration prompt after successful primary authentication.

Note

Agent-based Passkeys 2-factor authentication requires the agent to be configured under Preferences > Authentication > Agent Authentication > Authentication Method.

Configuration

1. Single-factor (1st) authentication setup

  • Path: Policy > Node Policy > Authentication Policy > Authentication Method > Select 2-Step Authentication Method option

  • Option: Passkeys. Use Passkeys as the 2nd factor for agent authentication.

Note

If agent authentication is configured to use Passkeys only, adjust the Preferences > User Authentication > User Account > "1-Step User Authentication Set Method" setting accordingly to avoid leaving accounts inaccessible.

2. Passkeys registration

  • Agent login flow: Log in with the user ID and password, then perform local authentication and register the device information. Complete the registration when prompted.