
Resource Access Management: What is a passkey?

Last Updated: Jan 27, 2025

Passkeys are a secure authentication method that can be used as a replacement for passwords. Resource Access Management (RAM) users can use passkeys for logons and multi-factor authentication (MFA). A passkey allows you to use the authentication methods built into your laptop, mobile phone, or other devices for logons or MFA. The built-in authentication methods include fingerprint recognition, facial recognition, and PIN codes.

Benefits

Security

  • A passkey is a credential based on the Fast IDentity Online 2 (FIDO2) specifications. FIDO2 uses standard public key cryptography to provide phishing-resistant authentication. During registration with an online service, your client creates a cryptographic key pair that is bound to the domain name of the service. The client stores the private key and registers the public key with the service. This key pair is the passkey, and each service has a unique passkey. For more information, visit the FIDO Alliance official website.

  • A passkey eliminates the need for plaintext passwords. This reduces the risk of leaks caused when a password is shared or improperly saved.
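The domain binding described above is what a service checks on every passkey logon. The following Node.js sketch is an added example, not Alibaba Cloud's code: it simulates the client and the service with the built-in crypto module, and the RP ID `signin.example.com`, the origins, and the function names are assumptions made for illustration.

```javascript
// Added example. RP ID, origins and challenge are constructed; this is not Alibaba Cloud's code.
const crypto = require('node:crypto');

const RP_ID = 'signin.example.com';             // hypothetical relying-party ID
const RP_ORIGIN = 'https://signin.example.com'; // hypothetical service origin
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the client keeps privateKey; the service stores only publicKey.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Client side (browser + authenticator, simulated). The browser records the origin
// it is really on; the authenticator signs over the RP ID hash and the client data.
function clientAssertion(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  const flags = Buffer.from([0x05]);            // user present (0x01) | user verified (0x04)
  const authenticatorData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Service side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(a, expectedChallenge) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== RP_ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

const challenge = crypto.randomBytes(32);       // issued by the service for each logon
const genuine = clientAssertion(RP_ORIGIN, RP_ID, challenge);
const lookalike = clientAssertion('https://signin.example.net', 'signin.example.net', challenge);
// Rewriting the recorded origin after signing invalidates the signature.
const edited = clientAssertion('https://signin.example.net', RP_ID, challenge);
edited.clientDataJSON = Buffer.from(edited.clientDataJSON.toString().replace('example.net', 'example.com'));

console.log(verifyAssertion(genuine, challenge));              // accepted
console.log(verifyAssertion(lookalike, challenge));            // rejected: wrong origin
console.log(verifyAssertion(edited, challenge));               // rejected: signature no longer matches
console.log(verifyAssertion(genuine, crypto.randomBytes(32))); // rejected: stale challenge
```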

Confidentiality

Biometric data, such as fingerprints and faces, is saved only to your authentication device, such as your laptop, mobile phone, or hardware security key. Biometric data is not transmitted to Alibaba Cloud. Alibaba Cloud only obtains authentication results from your authentication device.

Ease of use

  • A passkey allows you to use the built-in authentication methods such as fingerprint recognition and facial recognition in your device to complete authentication. This way, you do not need to enter authentication information such as verification codes.

  • A passkey is a secure authentication method. If you use a passkey to log on, you do not need to perform MFA. We still recommend that you enable other MFA methods: if your passkey is lost or is not bound to a new device, you need a password to log on, and MFA then provides an additional layer of security. MFA can also minimize risks caused by unexpected high-risk operations when you perform sensitive operations in the console.

Limits

  • You can bind a maximum of five passkeys to a RAM user. To prevent logon failures when you log on from different devices, we recommend that you bind a passkey to your frequently used devices in advance.

  • The names of passkeys that belong to a RAM user must be unique to distinguish devices.

  • By default, RAM users in all Alibaba Cloud accounts are allowed to bind passkeys for two-factor authentication. If a RAM user wants to use a passkey to log on to the Alibaba Cloud Management Console, a RAM administrator must enable the corresponding feature in the Security section. For more information, see Step 1: Enable RAM users to log on by using passkeys.

Supported device types

Browser version

  • Google Chrome 108 and later

  • Microsoft Edge 108 and later

  • Safari 16.1 and later

  • Mozilla Firefox 122 and later

Computers

  • If your computer runs Windows 10 or Windows 11, you can save a passkey to your computer. Windows Hello is used for authentication.

  • If your computer runs macOS Ventura later than macOS Ventura 13, you can save a passkey to iCloud Keychain. The passkey can be synchronized among multiple devices whose operating system versions meet the requirement.

  • You can save a passkey to browsers whose versions meet the preceding requirements. The passkey can be synchronized among multiple devices by using Google Chrome and Microsoft Edge.

Mobile devices

  • If your mobile device runs iOS later than iOS 14.5, you can save a passkey to the mobile device. If your mobile device runs iOS later than iOS 16, you can save a passkey to iCloud Keychain. The passkey can be synchronized among multiple devices.

  • If your mobile device runs iOS later than iOS 14.5, you can save a passkey to the browser of your mobile device. The version of the browser must meet the preceding version requirements.

  • Mobile device vendors customize Android systems. Mobile phones that use custom Android systems generally do not support passkeys. In this case, we recommend that you save passkeys to Google Chrome.

  • If you want to use a computer to bind a passkey and save the passkey to your mobile device by scanning a quick-response (QR) code with your mobile device, the operating system of your mobile device must be iOS later than 14.5. If the operating system is another iOS version or Android, we recommend that you save the passkey to Google Chrome.

Other devices

Security keys that comply with the FIDO2 specifications are supported and can be connected to your device by using USB, Bluetooth, and near field communication (NFC) peripherals. Original Universal 2nd Factor (U2F) devices can be upgraded to security keys.