Using synced passkeys in Safewhere Identify
Continuing from the Passkey authentication guide, this document explains how to use passkeys stored in Google Password Manager and iCloud Keychain with Safewhere Identify.
Google Password Manager
Google's documentation on supported environments and use cases makes these key points:
Google Password Manager stores, serves and synchronizes passkeys on Android and Chrome. Google Password Manager is enabled by default as a passkey provider on Android and available for all apps including Chrome and other browsers. Chrome on desktop operating systems (Windows, macOS, Linux and ChromeOS) comes with Google Password Manager support as well.
Passkeys are synchronized across devices that are part of the same ecosystem. For example, if a user creates a passkey on Android, it is available on all Android devices as long as the user is signed in to the same Google account. Google's documentation states that the same passkey is not available on iOS, macOS or Windows, even in the same browser such as Chrome. Note, however, that the first demonstration below creates a Google Password Manager passkey from Chrome on Windows and that passkey is synchronized, so check Google's current documentation for the exact set of environments that sync.
A user can also use a passkey on their phone to sign in on another device by scanning a QR code, as long as the phone is within Bluetooth range of that device and the user approves the sign-in on the phone. This hybrid flow works across operating systems and browsers, and the passkey never leaves the phone.
iCloud Keychain
iCloud Keychain makes your passkeys available on every Apple device signed in to the same Apple ID, so a passkey created on an iPhone can be used on an iPad or Mac without any manual transfer.
Second factor authentication on a Windows machine using a passkey stored in Google Password Manager on the same device
In this demonstration:
- A user accesses IdentifyMe on a Windows machine and completes first-factor authentication.
- During second-factor authentication, the user unlocks Windows Hello to create a passkey in Google Password Manager.
- The user logs out of IdentifyMe.
- The user accesses IdentifyMe again on the Windows machine and completes first-factor authentication.
- During second-factor authentication, the user's passkey in Google Password Manager is selected, and Windows Hello prompts the user to authenticate.
- The user unlocks Windows Hello to complete the login.
To set up the necessary connections in Identify, follow these steps:
- Create an OTP connection for WebAuthn as shown below. In this demonstration, the passkey is created on the device that initiates the WebAuthn registration ceremony, so set Authenticator type to Platform.
- Set the OTP connection as the second factor of another identity provider (a Username & Password identity provider is used in this demonstration).
After that, a user can log in and create a passkey:
- A user accesses IdentifyMe via Chrome on a Windows machine and completes first-factor authentication.
- During second-factor authentication, Google Password Manager prompts the user to create a passkey.
Note: A passkey created in Google Password Manager is synchronized and end-to-end encrypted. If the first Google Password Manager passkey is created on a desktop, Chrome asks the user to create a Google Password Manager PIN. To use a synced passkey in a new environment, the user signs in to their Google Account and enters their Android device's screen lock or the Google Password Manager PIN; that secret is what decrypts the synced passkeys, so it should be treated with the same care as the account password.
- After the user clicks the Create button, Windows Hello prompts the user to authenticate.
- After the user is authenticated with Windows Hello, a new passkey is created and saved to Google Password Manager.
The user can now log in using the newly created passkey:
- The user accesses IdentifyMe again on the Windows machine and completes first-factor authentication.
- The user's passkey in Google Password Manager is selected, and Windows Hello prompts the user to authenticate.
- The user unlocks Windows Hello to complete the login.
Second factor authentication on an iPad using a passkey in iCloud Keychain from an iPhone
In this demonstration:
- A user accesses IdentifyMe on an iPhone and completes first-factor authentication.
- During second-factor authentication, the user unlocks the phone to create a passkey in iCloud Keychain.
- The user accesses IdentifyMe on an iPad signed in to the same Apple ID as the iPhone and completes first-factor authentication.
- On the iPad, the user chooses to sign in with the passkey in iCloud Keychain.
- The user is prompted to approve the use of the passkey on the iPad, for example with Touch ID. After doing so, they are signed in on the iPad.
Note: Nothing is transferred manually. iCloud Keychain syncs the passkey to the iPad, end-to-end encrypted, and the iPad's own authenticator (Touch ID here) unlocks it for the sign-in.
To set up the necessary connections in Identify, follow these steps:
- Create an OTP connection for WebAuthn as shown below. In this demonstration, the passkey is created on the device that initiates the WebAuthn registration ceremony (the iPhone), so set Authenticator type to Platform.
- Set the OTP connection as the second factor of another identity provider (a Username & Password identity provider is used in this demonstration).
After that, a user can log in and create a passkey:
- A user accesses IdentifyMe on an iPhone and completes first-factor authentication.
- During second-factor authentication, the user unlocks the phone to create a passkey in iCloud Keychain.
The user can now log in using the newly created passkey:
- The user accesses IdentifyMe on an iPad signed in to the same iCloud account as the iPhone and completes first-factor authentication.
- On the iPad, the user chooses to sign in with the passkey in iCloud Keychain.
- The user is prompted to approve the use of the synced passkey on the iPad, for example with Touch ID. After doing so, they are signed in on the iPad.
Second factor authentication on a Windows machine using a passkey in Google Password Manager from an Android phone
In this demonstration:
- A user accesses IdentifyMe on an Android phone and completes first-factor authentication.
- During second-factor authentication, the user unlocks the phone to create a passkey in Google Password Manager.
- The user accesses IdentifyMe on a Windows machine and completes first-factor authentication.
- On the Windows machine, the user chooses to sign in with a passkey from another device.
- The two devices connect over Bluetooth.
- The user is prompted to approve the use of the passkey on the Android device, for example with the fingerprint sensor. After doing so, they are signed in on the Windows machine.
Note: The passkey itself is not transferred to the Windows machine. It remains in Google Password Manager on the Android device, which performs the authentication and returns only the signed assertion to the Windows machine.
To set up the necessary connections in Identify, follow these steps:
- Create an OTP connection for WebAuthn as shown below. In this demonstration, the passkey is created on the device that initiates the WebAuthn registration ceremony (the Android phone), so set Authenticator type to Platform. The setting constrains only the registration ceremony; at sign-in the credential can be used from wherever it is stored, which is why the Windows machine can later use the passkey held on the phone.
- Set the OTP connection as the second factor of another identity provider (a Username & Password identity provider is used in this demonstration).
After that, a user can log in and create a passkey:
- A user accesses IdentifyMe on an Android phone and completes first-factor authentication.
- During second-factor authentication, the user unlocks the phone to create a passkey in Google Password Manager.
The user can now log in using the newly created passkey:
- The user accesses IdentifyMe on a Windows machine and completes first-factor authentication.
- On the Windows machine, the user chooses to sign in with a passkey from another device.
- The user is prompted to turn on Bluetooth on the Windows machine.
- The Windows machine displays a QR code.
- The user scans this QR code with the Android phone's camera or Google Lens.
- The Android phone then connects to the Windows machine.
- The user is prompted to approve the use of the passkey on the Android device, for example with the fingerprint sensor. After doing so, they are signed in on the Windows machine. The passkey itself is not transferred to the Windows machine.
Second factor authentication on a Windows machine using a passkey in iCloud Keychain from an iPhone
In this demonstration:
- A user accesses IdentifyMe on a Windows machine and completes first-factor authentication.
- During second-factor authentication, the user chooses to save the passkey to an iPhone, iPad or Android device. In this demonstration, the user uses an iPhone.
- The user logs out of IdentifyMe.
- The user accesses IdentifyMe again on the Windows machine and completes first-factor authentication.
- On the Windows machine, the user chooses to sign in with a passkey from another device.
- The two devices connect over Bluetooth.
- The user is prompted to approve the use of the passkey on the iPhone, for example with Face ID. After doing so, they are signed in on the Windows machine.
To set up the necessary connections in Identify, follow these steps:
- Create an OTP connection for WebAuthn as shown below. In this demonstration, the passkey is created on a device other than the one that initiates the WebAuthn registration ceremony, so set Authenticator type to Cross platform. With this setting the browser does not offer Windows Hello during registration; only a security key or a phone reached through the QR code flow can hold the new passkey.
- Set the OTP connection as the second factor of another identity provider (a Username & Password identity provider is used in this demonstration).
After that, a user can log in and create a passkey:
- A user accesses IdentifyMe on a Windows machine and completes first-factor authentication.
- During second-factor authentication, the user selects the option I have already set it up.
- On the Register device form, the user clicks the Register button and is prompted for an authorization gesture.
- The user chooses to save the passkey to an iPhone, iPad or Android device. In this demonstration, the user uses an iPhone.
- The browser displays a QR code, which the user scans with the phone's camera.
- The user taps the option that appears on the phone (Use passkey to sign in on Android, or Save a passkey on iPhone).
- The phone then connects to the Windows machine over Bluetooth.
- A notification is displayed when the devices are connected.
- The user authenticates with Face ID on the iPhone to finish creating the passkey.
- After the passkey is saved to the iPhone, a notification is displayed on the Windows machine, and the user clicks the OK button.
- The system prompts the user to save a recovery code as a backup. The user ticks the I have safely recorded this code checkbox and clicks Continue to complete onboarding.
The user can now log in using the newly created passkey:
- The user accesses IdentifyMe on a Windows machine and completes first-factor authentication.
- On the Windows machine, the user chooses to sign in with a passkey from another device.
- The user is prompted to turn on Bluetooth on the Windows machine.
- The Windows machine displays a QR code.
- The user scans this QR code with the iPhone's camera.
- The iPhone then connects to the Windows machine.
- The user is prompted to approve the use of the passkey on the iPhone, for example with Face ID. After doing so, they are signed in on the Windows machine. The passkey itself is not transferred to the Windows machine.