Skip to content

Passkeys

We recommend that you use passkey authentication to sign in. This document includes a list of platforms, browsers, credential managers, and security keys that support passkey authentication.

Your operating system and web browser control the creation, storage, and retrieval of the passkey credentials.

Passkey setup

Depending on your device, you can select to store the passkey in one of the following places:

  • In a credential manager on your local computer. This could be a web browser, an operating system, or a commercial credential manager application.
  • On a device-bound authenticator, such as a YubiKey.
  • On a mobile device, using a QR code.

The passkey setup steps differ depending on your device. You'll need the PIN or biometric you use to unlock your device.

For more information, see Set up a passkey.

Passkey support

Sophos passkey support should work with 98% of the browsers and operating systems used, as well as with common credential managers and device-bound authenticators (also known as USB security keys).

The supported platforms are as follows:

  • Windows 10 and 11
  • MacOS 10.15.7 and later
  • Google Android 9 (API level 28) and later
  • Apple iOS 16 and later (iPhone and iPad)

The supported browsers are as follows:

  • Chrome 118 and later
  • Firefox 119 and later
  • Safari 537.36 and later
  • Edge 119 and later

The supported credential managers are as follows:

  • Windows Hello
  • Google Password Manager
  • iCloud Keychain
  • 1Password

The supported device-bound authenticators are as follows:

  • YubiKey 5
  • YubiKey NFC

Note

Additional operating systems and browsers may work if vendors put support in place.

Cross-device passkeys

Cross-device passkeys allow users to sign in to devices by using a passkey they've set up and stored on another of their devices. For example, a user can use a passkey from their mobile to sign in to an online service or application on their laptop or desktop computer.

Note

Check your software or device vendor's documentation to find out if your credential manager supports cross-device synchronization.

Users can authenticate across multiple devices without having to remember and enter separate passwords for each one.

To use cross-device passkeys, you must make sure Bluetooth is enabled on the computer and another device, such as a mobile, and that they're near each other. You'll also need a QR code scanner.

Cross-Device passkey and Microsoft Authenticator

The use of Microsoft Authenticator to enroll and sign in with passkey authentication isn't supported unless the user is using federated Entra ID for sign-in. Sophos users who aren't using Entra ID federated sign-in will see the following errors: "Failed to add passkey" and "Microsoft Authenticator doesn't support this passkey".

Passkey synchronization

Several credential management services allow the synchronization of passkeys between a user's different devices. For example, the user can enroll a passkey on their computer, and then it's available automatically on their mobile through third-party synchronization functionality. Apple's iCloud Keychain allows this functionality to be used for Macs, iPhones, and iPads using the same iCloud identity.

Synchronized passkeys will work for Sophos sign-in. However, the synchronization itself is supported by the individual credential management service. If there are issues with the synchronization, we recommend contacting the service vendor for support.

Known limitations

Some known limitations result from vendor supportability limits by platform, device, browser, or passkey protocols.   

1Password Business provides corporate shared vaults, which may have restrictive enrollment policies. 1Password corporate vault permissions may not allow enrolling passkeys. In this scenario, 1Password will appear as a passkey type in the enrollment pages from the browser, but the option will be grayed out. To gain enrollment permission, contact your administrator. 

For more information, see Manage team policies in 1Password Business.

There are some known limitations to using Samsung Pass. QR code enrollment using Samsung Pass on Android isn't supported and will result in the following error: "Enrollment Unsuccessful".

Third-party documentation

Apple passkey documentation

The links below provide detailed documentation from Apple on how to add, use, and manage passkey authentication on MacOS and iOS.

Google passkey documentation

The links below provide the Google documentation for passkey support on the Android platform and the Chrome browser.

Microsoft passkey documentation

The links below provide Microsoft's documentation for adding, using, and managing passkey authentication on Windows 10, Windows 11, and the Microsoft Authenticator application.