Passkeys (WebAuthn)
Why
A passkey is a public-private key pair bound to a device. It is phishing-resistant: you can't "hand it over" via a phishing link.
Registration
Go to /app/security → Passkeys → Register. The browser invokes Touch ID / Face ID / Windows Hello / YubiKey. After that, the passkey is stored in the device keychain, and the backend stores only the public key.
Login
On /login you click "Sign in with a passkey" — the browser shows usable credentials.
Anti-enumeration
For an unknown email Unimoni still returns a discoverable challenge — the browser UX looks identical for existing and non-existing emails.
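
The anti-enumeration behaviour above, sketched as an added example (not Unimoni's code): the login endpoint builds the same WebAuthn request options whether or not the email is registered. It assumes that "discoverable challenge" means an empty allowCredentials list. RP_ID, the in-memory stores and all function names are hypothetical.

```python
import base64
import secrets
import time

RP_ID = "example.test"                # assumption: placeholder relying-party ID
CHALLENGE_TTL = 120                   # assumption: challenge lifetime in seconds
REGISTERED = {"alice@example.test"}   # constructed sample data
_pending = {}                         # session_id -> (challenge, expires_at)
audit_log = []                        # server-side only, never sent to the client


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def begin_login(session_id: str, email: str) -> dict:
    """Return WebAuthn request options that do not depend on the email."""
    known = email.strip().lower() in REGISTERED
    audit_log.append((session_id, known))  # the result stays on the server
    challenge = secrets.token_bytes(32)
    # Stored for unknown emails too, so the follow-up request takes the
    # same code path and fails only at assertion verification.
    _pending[session_id] = (challenge, time.time() + CHALLENGE_TTL)
    return {
        "challenge": b64url(challenge),
        "rpId": RP_ID,
        "timeout": CHALLENGE_TTL * 1000,
        "userVerification": "preferred",
        # Empty list = discoverable-credential flow: the browser offers the
        # passkeys it holds for RP_ID, and no credential IDs are disclosed.
        "allowCredentials": [],
    }


def consume_challenge(session_id: str, challenge_b64: str) -> bool:
    """Single-use check of the challenge echoed back in clientDataJSON."""
    entry = _pending.pop(session_id, None)
    if entry is None:
        return False
    challenge, expires_at = entry
    return time.time() <= expires_at and secrets.compare_digest(b64url(challenge), challenge_b64)


def response_shape(options: dict) -> dict:
    """Everything an observer can compare across requests, minus the nonce."""
    shape = {k: v for k, v in options.items() if k != "challenge"}
    shape["challenge_len"] = len(options["challenge"])
    return shape
```

Comparing response_shape() for a registered and an unregistered email is a useful regression test. Status codes and response timing need the same parity check at the HTTP layer.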