
Adding and using passkeys

You can save and use passkeys using the Bravura Safe browser extension. You can view passkeys from the web and desktop clients via item information in the Passkey field.

A future release will support passkeys for Bravura Safe mobile applications.

There are three possible approaches to registering a passkey with Bravura Safe:

  • Register a passkey while creating a new web or online service account and a new login item in Bravura Safe

  • Register or overwrite a passkey for an existing Bravura Safe login item with a domain matching the current web or online service

  • Register a passkey for a new (additional) Bravura Safe login item for the same web or online service domain (e.g., a different account on the same domain)

When you create a new account for a site or service that uses passkeys, or choose to create a passkey, Bravura Safe prompts you to store the passkey in the browser extension.

  1. If you are manually creating a new web account, you may be prompted to start it normally (with username and password, etc.). See example below:

    [Screenshot: creating a new account]

    See also Passkey-only enrollment.

  2. If you do not have an existing login item matching the current web or online service's domain:

    1. Bravura Safe prompts you to store the passkey in the browser extension to a new login item.


      Note

      If your company security policy requires you to use a specific device or hardware key to authenticate to the current website or online service, see Use your device or hardware key for a specific site or service.

    2. Click Save passkey as new login to create and save a new login item with which the passkey will be associated.

    3. Click Save.

      The passkey is saved to a new login item along with any other specified account credentials.

  3. If you have one or more existing login items matching the web or online service's domain:

    1. Bravura Safe presents the matching login item(s), prompting you to select a login item and save the passkey:

      [Screenshot: selecting a matching login item]
    2. To save the passkey to an existing login item, click to select the desired login item and then click Save passkey.

      The passkey is saved to the selected login item.

  4. To add a new login item for a different account on the same site or service, click + next to the Search item field.

    Each unique login item can have only one passkey associated with it. If you require more than one passkey for the same website or online service, create a new login item and save the additional passkey to it.

    1. Create a new login item with which the passkey will be associated.

    2. Click Save.

      The passkey is saved to the new login item.


To log in to a website or online service using a passkey stored in Bravura Safe:

  1. Using a browser, navigate to the login page for the website or online service.

  2. Start the passkey login process. The exact procedure differs for each site or service.

    The site or service requests the credential from an active authenticator (Bravura Safe).

  3. The Bravura Safe browser extension prompts you to log in using a passkey stored in one or more login items in your safe.

    Note

    If you have no matching login items, the Bravura Safe browser extension shows "You do not have a matching login for this site." and provides the opportunity to add and save a new login item to associate the passkey with. See Add a new passkey.

  4. To log in using a passkey:

    1. Select the desired login item (with an associated passkey).

    2. Click Confirm.

      You are successfully logged in to the website or online service.


      Note

      If the Master password re-prompt option was selected for the login item, enter your master password to use the passkey.

Enrolling in a website or online service using only passkey authentication varies by site/service implementation, but generally follows these steps:

  1. Initiate registration:

    • Navigate to the website or online service where you want to register.

    • Locate the option to log in or register with a passkey.

  2. Choose authenticator:

    • The service prompts you to choose the authenticator to use for your passkey (from your active authenticators supporting passkeys; e.g., Bravura Safe).

    • The Bravura Safe browser extension automatically detects services using passkey authentication.

  3. Verification:

    • Bravura Safe prompts you to verify your identity via biometric verification, PIN or a security key.

  4. Generate passkey:

    • Once your identity is verified, Bravura Safe generates a unique passkey (a cryptographic key pair): a private key, which is stored securely in Bravura Safe and never shared, and a public key, which is sent to the website or online service.

  5. Account creation:

    • The website or online service associates the public key with your new account. This will be used to recognize you in the future.

    • You may be asked to provide additional information (e.g. email/phone) for account recovery or notifications, depending on the service.

  6. Confirmation:

    • After the public key is registered, you should receive confirmation that your account has been created successfully.

    • You might be automatically logged in to the service once registration is complete.

  7. Next logins:

    • For subsequent logins, choose the passkey option and the service will communicate with Bravura Safe (and vice versa).

      See Auto-fill with passkeys (below).

    • Confirm your identity using Bravura Safe, as you did during registration, and if authentication is successful, you are logged in.

  8. Account recovery:

    • If you lose access to Bravura Safe (and any other registered authenticators, if used), follow the web service’s account-recovery process.

    • This might involve using a secondary device, contacting customer support or using recovery information provided during registration.


Auto-fill with passkeys

When more than one passkey is registered for the same website or online service (domain), passkey selection can depend on several factors, including:

  • Authenticator design

  • User preferences

  • Login attempt context

Some passkey selection methods include:

  • Synchronized passkeys: In systems like Bravura Safe, where passkeys are synchronized across devices, the same passkey may be available automatically on all user devices, reducing the need to choose between multiple passkeys.

  • Default or primary passkey: The web service may automatically select a default or primary passkey based on the user's settings or the most frequently used passkey.

  • Authenticator prompt: If the user is attempting to access the service using an authenticator with multiple registered passkeys (e.g. Bravura Safe, where multiple login items with passkeys exist for the same domain), the authenticator itself might prompt the user to select which passkey to use. Bravura Safe prompts you with "Log in with passkey?" and a list of matching login items to select from.

  • Last-used passkey: The service might default to the passkey that was last used for authentication on that particular service.

  • Contextual selection: The system may select a passkey based on contextual information such as the user's location, the authenticator being used, or the time of the login attempt (e.g., if a login attempt is made from a work computer with an active authenticator during business hours, a work-related passkey might be chosen).

  • User intervention: When the system cannot choose, it may ask the user to manually choose which passkey to use for the login process. This ensures that the user retains control over the authentication process.

With ongoing advancements in passkey technology and evolving standards, the selection process for multiple passkeys is expected to grow more complex and intelligent. Future methods could include settings determined by the user, machine learning for improved choice automation, and other innovative techniques designed to optimize the process while maintaining robust security and user convenience.

Bravura Safe can securely store two credential types for the same website or online service (domain), allowing you to manage all account credentials in one place. It can store:

  • Passkeys

  • Passwords

    Note

    Bravura Safe can also store time-based one-time passwords (TOTPs) for use in two-factor authentication (2FA). See Bravura Safe authenticator TOTP. A future Bravura Safe release will also allow passkeys to be used for 2FA.

    Each unique login item can have only one passkey (and one password) associated with it. If you require more than one passkey for the same website or online service, create a new login item and save the additional passkey to it.

When more than one credential is stored to a login item in Bravura Safe for the same domain, and you attempt to access the associated website or online service account, Bravura Safe prompts you to choose which credential to use for the login process.

Though the process differs from traditional password auto-fill, a passkey can be 'auto-filled' during authentication to a website or online service using Bravura Safe. Steps include:

  1. Authentication with Bravura Safe: When you attempt to log in to a website or online service that supports passkey authentication, the service sends a challenge to Bravura Safe.

    • Some sites allow you to simply click on a login credential field to get started.

  2. User verification: Bravura Safe prompts you to verify your identity using biometrics, PIN or security key.

    • This verifies that the person trying to use the service is actually you.

  3. Challenge signing: After successful user verification, Bravura Safe uses the stored private key to sign the challenge from the website or online service.

    • Your private key is never shared with the service; it is securely stored in Bravura Safe.

  4. Auto-fill process: The signed challenge, which acts as a passkey, is automatically sent back to the website or service.

    • This response mimics the 'auto-fill' action. However, no visible credentials are required; the cryptographic signature provides the proof of your identity.

  5. Server verification: The website or service uses the corresponding public key it has on file for your account to verify the signed challenge.

    • If the signature is verified successfully using the public key, the service confirms that the response has come from your Bravura Safe login item holding the correct private key, and authentication is successful.

  6. Access granted: Once the server confirms that the signature is valid, you are granted access to your account.

This 'auto-fill' process is seamless and minimizes the risk of phishing and other forms of password theft because there is no actual password that can be intercepted or stolen.
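
The key-pair generation described under passkey-only enrollment and the challenge signing and server verification steps above can be traced in a short Node.js sketch. This is an added example, not Bravura Safe code; it goes beyond the page by using the standard WebAuthn assertion layout (signature over authenticatorData followed by the SHA-256 of clientDataJSON), and the relying-party ID, origins and function names are constructed for illustration.

```javascript
// Added example: names, origins and helpers are illustrative, not Bravura Safe code.
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();
const RP_ID = "example.com";            // constructed relying-party ID
const ORIGIN = "https://example.com";   // constructed origin the server expects

// Enrollment: the authenticator creates the key pair; only the public key leaves it.
function registerPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Login, authenticator side: sign authenticatorData || SHA-256(clientDataJSON).
function signAssertion(authenticator, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const flags = Buffer.from([0x05]);    // user present (0x01) | user verified (0x04)
  // rpIdHash (from the site actually visited), flags, 4-byte signature counter
  const authenticatorData = Buffer.concat(
    [sha256(new URL(origin).hostname), flags, Buffer.alloc(4)]);
  const signature = nodeCrypto.sign("sha256",
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), authenticator.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Login, server side: check type, challenge, origin, RP ID hash and flags, then the signature.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "bad type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== ORIGIN) return "origin mismatch";
  const data = assertion.authenticatorData;
  if (!data.subarray(0, 32).equals(sha256(RP_ID))) return "rpId mismatch";
  if ((data[32] & 0x05) !== 0x05) return "user not verified";
  const signed = Buffer.concat([data, sha256(assertion.clientDataJSON)]);
  const valid = nodeCrypto.verify("sha256", signed, serverRecord.publicKey, assertion.signature);
  return valid ? "ok" : "bad signature";
}

function demo() {
  const { authenticator, serverRecord } = registerPasskey();
  const challenge = nodeCrypto.randomBytes(32);   // fresh for every login attempt
  const genuine = signAssertion(authenticator, challenge, ORIGIN);
  // Forced for illustration: an authenticator matches passkeys by domain and
  // would not normally sign for another site.
  const otherSite = signAssertion(authenticator, challenge, "https://examp1e.com");
  return { genuine: verifyAssertion(serverRecord, challenge, genuine),
           otherSite: verifyAssertion(serverRecord, challenge, otherSite),
           replayed: verifyAssertion(serverRecord, nodeCrypto.randomBytes(32), genuine) };
}
console.log(demo());
```

The server accepts only the assertion bound to its own origin and to the challenge it issued for this attempt, which is why a captured response cannot be reused elsewhere or later.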