Select authentication options
Auth and access
Enable Passkeys to sign in users
Passkeys are a passwordless sign-in method based on the Web Authentication (WebAuthn) standard. Users authenticate with device biometrics (Face ID, Touch ID, Windows Hello), a platform authenticator, or a FIDO2 security key — no password required.
Passkeys complement your existing auth methods rather than replace them. Email/password, passwordless OTP, social sign-in, and enterprise connections continue to work as before. When enabled, users can sign in with a passkey from the login page, and credential users can be prompted to register one after sign-in.
Enable passkeys in Kinde
Link to this section-
Go to your Kinde dashboard > Settings > Policies.
-
Scroll down to the Passkeys section.
-
Select Optional or Mandatory to enable passkeys.
-
Select Save.
This sets the default passkey policy for the entire environment.
Organization override
Link to this sectionYou can override the default passkey policy for an organization.
-
Go to your Kinde dashboard > Organizations, and select the organization you want to configure.
-
Select Policies.
-
Under Passkeys, enable Override environment passkey settings.
-
From the dropdown menu, choose Off, Optional, or Mandatory for that organization.
-
Select Save.
When you configure an org override, the UI shows the current environment default.
Passkey policies
Link to this sectionPasskeys are controlled by a policy with three values:
| Policy | Behavior |
|---|---|
off | Passkeys are disabled. No sign-in button, no setup prompts, no account portal passkey management. |
optional | Passkeys are enabled. Users see Sign in with passkey on login. After credentials sign-in or registration, users without a passkey are prompted to set one up, but can choose Not now. |
mandatory | Same as optional, except users must complete passkey setup before continuing. The skip option is not shown. |
The default policy for new environments is off.
When passkeys are enabled, users can:
- Sign in with a passkey from the login page
- Register a passkey after signing in with email/password (or other credentials)
- Manage passkeys from the account portal (add, rename, delete)
Passkeys are stored per user per environment. Each registered passkey is linked to a passkey identity on the user record.
Policy resolution
Link to this section- Environment policy — the default for all organizations in the environment.
- Organization override — an organization can override the environment default with its own policy.
When an organization override is disabled, the organization inherits the environment policy.
User experience
Link to this sectionPost-login passkey setup
Link to this sectionAfter a user signs in or registers using credentials (email/password, username, or phone OTP), Kinde may prompt them to set up a passkey if:
- Passkeys are enabled for the relevant organization
- The user does not already have a passkey
- Policy is
optionalormandatory - For
optionalonly: the user has not previously chosen Not now
The setup screen explains that the user can use device biometrics or a security key for faster sign-in next time.
| Policy | Setup screen |
|---|---|
optional | Continue registers a passkey; Not now skips and records the decline |
mandatory | Continue only — setup is required to proceed |
Passkey setup is not triggered after social or enterprise SSO sign-in.
Sign in with passkey
Link to this sectionWhen passkeys are enabled (optional or mandatory), the login page shows a Sign in with passkey button.
- Shown only on sign-in, not sign-up (users need an existing account and a registered passkey).
- Displayed alongside credential and SSO options according to your auth page layout.
- Uses the browser WebAuthn API to perform a challenge–response assertion.
Users who have never registered a passkey cannot use this button to create an account.
Account portal
Link to this sectionAuthenticated users can manage passkeys under Profile in the account portal when passkeys are enabled:
- View registered passkeys (name, last sign-in, sign-in count)
- Add passkey for the current device or a security key
- Rename a passkey
- Delete a passkey
Admins can also view a user’s passkeys from the Users section in the Kinde admin.
Recommended rollout
Link to this sectionStart with optional
Link to this section- Set environment policy to
optional. - Confirm Sign in with passkey appears on your login page.
- Sign in with email/password as a test user and complete passkey setup.
- Sign out and sign back in with the passkey.
- Subscribe to passkey lifecycle webhooks if you need visibility.
Move to mandatory (if needed)
Link to this sectionUse mandatory when you want every user who signs in with credentials to register a passkey after first sign-in. Consider:
- Users on devices without WebAuthn support will be blocked at setup
- Social/SSO-only users are unaffected (they do not currently see the setup prompt)
- Organization overrides let you pilot mandatory policy on a subset of orgs first
Disable passkeys
Link to this sectionSet policy to off. Existing passkey credentials remain stored but are not usable until re-enabled. Users cannot sign in with or manage passkeys while disabled.
Technical details
Link to this sectionPasskeys use the Web Authentication (WebAuthn) standard.
Domain and HTTPS
Link to this section- The Relying Party ID (RP ID) is derived from your Kinde auth domain (hostname without port).
- HTTPS is required in production. HTTP is permitted only for
localhostduring local development. - Your custom auth domain must be correctly configured; passkeys are bound to that domain.
Browser and device support
Link to this sectionUsers need a browser and device that support WebAuthn. This includes:
- Modern Chromium, Safari, and Firefox browsers
- Platform authenticators (Touch ID, Face ID, Windows Hello)
- FIDO2 hardware security keys
Do passkeys replace passwords?
Link to this sectionNo. Passkeys are an additional sign-in method. Users who register a passkey can still sign in with email/password unless you restrict that separately.
Can a user have multiple passkeys?
Link to this sectionYes. Each device or security key can be registered separately (for example, laptop, phone, YubiKey).
What happens if a user skips optional setup?
Link to this sectionKinde records the decline. They will not be prompted again until they clear that state (for example, by registering a passkey from the account portal, or if that decline is reset administratively).
Does passkey sign-in work for new user registration?
Link to this sectionNo. The Sign in with passkey button is sign-in only. New users register with credentials (or SSO), then may be prompted to add a passkey.
Can I configure passkeys per application?
Link to this sectionPolicy is set at the environment or organization level, not per application. All apps in an environment share the same passkey policy (subject to org overrides).
What Kinde plan do I need to use passkeys?
Link to this sectionAll paid plans support passkeys (Pro, Plus, Scale, Enterprise). See Kinde pricing for more information.