Passkeys, Salesforce Configuration & Implementation
What Is a Passkey?
A Passkey is a modern authentication credential based on FIDO2 and WebAuthn standards. Instead of asking users to remember passwords or enter one-time verification codes, passkeys use cryptographic key pairs stored securely on a trusted device.
When a user signs in:
- The private key never leaves the device.
- Salesforce verifies the authentication using the corresponding public key.
- No reusable password or OTP is transmitted.
This makes passkeys significantly more resistant to phishing attacks than traditional MFA methods.
How Does a Passkey Work?
Traditional authentication: Username > Password > OTP > Login
Passkey authentication: Username > Windows Hello / Face ID / Touch ID / Security Key > Cryptographic Verification > Login
Notice what’s missing:
❌ Password typing
❌ OTP
❌ SMS
❌ Approval notification
Instead, the user’s device securely proves their identity.
Why Passkeys Are More Secure
Traditional MFA still depends on users making the correct decision.
For example:
“Is this login page genuine?”
“Should I approve this notification?”
Attackers exploit these decisions through phishing websites and social engineering.
Passkeys eliminate much of this risk because authentication is cryptographically tied to the legitimate Salesforce login page.
If the website isn’t Salesforce, the passkey simply won’t authenticate.
Where Can Passkeys Be Stored?
Passkeys are not limited to a single device.
Depending on your operating system and organizational policies, they can be stored in:
- Windows Hello
- Apple iCloud Keychain
- Google Password Manager
- Android Credential Manager
- FIDO2 Security Keys
- Enterprise Password Managers supporting Passkeys
Examples include:
- 1Password
- Bitwarden
- Keeper
- Dashlane
These platforms can synchronize passkeys across trusted devices, making device replacement much easier.
Passkeys vs Security Keys
Many administrators confuse these terms.
| Passkeys | Security Keys |
|---|---|
| Software-based | Hardware-based |
| Stored securely on device | Stored on USB/NFC key |
| Uses Face ID / Touch ID / Windows Hello | Requires physical security key |
| Convenient | Highest physical assurance |
| Best for most organizations | Best for highly regulated environments |
Which Passkey Should You Choose?
Salesforce doesn’t require one specific technology.
Choose what best aligns with your organization’s devices.
| Device | Recommended Method |
|---|---|
| Windows Laptop | Windows Hello |
| MacBook | Touch ID |
| iPhone | Face ID |
| Android | Device Passkey |
| Shared Recovery | FIDO2 Security Key |
How to Register a Passkey in Salesforce
The exact navigation may vary slightly depending on your Salesforce edition and release.
Step 1
Login to Salesforce.
Step 2
Open Settings > Personal Settings
Step 3
Navigate to Advanced User Details or Authentication Settings
depending on your Salesforce interface.
Step 4
Choose Register Passkey
Step 5
Salesforce asks how you’d like to authenticate.
Examples:
- Windows Hello
- Face ID
- Touch ID
- Security Key
- Password Manager Passkey
Step 6
Complete authentication.
Windows Hello may ask for:
- Fingerprint
- Face Recognition
- PIN
Face ID asks for facial verification.
Touch ID requests your fingerprint.
Security Keys require touching the physical key.
Step 7
Salesforce confirms registration.
Register Multiple Passkeys
Salesforce supports registering multiple phishing-resistant authentication methods.
This is useful when one administrator uses:
- Office Desktop
- Laptop
- Mobile Phone
- Backup Security Key
We recommend registering at least:
✔ Primary Device
✔ Backup Device
or
✔ Backup Security Key
to reduce operational disruption.
Replacing a Laptop
This is one of the most common questions.
Example:
Old Laptop
↓
Windows Hello Passkey
↓
Laptop replaced
What now?
Recommended approach:
- Login using another registered authentication method.
- Register a passkey on the new laptop.
- Remove the old passkey.
Replacing a Mobile Phone
Similar process.
Example
Old iPhone
↓
Face ID Passkey
↓
New iPhone
If using iCloud Keychain, your passkeys may synchronize automatically after device setup.
Otherwise:
Register a new passkey.
Remove the old one.
Lost Device
If a device is lost:
Immediately
✔ Remove its registered passkey
✔ Register another trusted device
✔ Update recovery documentation
If available, use:
- Backup Passkey
or
- FIDO2 Security Key
to regain access.
Remove a Passkey
Navigate to:
Authentication Settings
↓
Registered Passkeys
↓
Remove
Can I Disable Passkeys?
Yes.
If organizational policies change, administrators can remove registered passkeys and register different phishing-resistant authentication methods.
However, privileged users must continue using at least one Salesforce-supported phishing-resistant authentication method to satisfy PR-MFA requirements.
Salesforce Recommendations
Salesforce recommends organizations begin preparation before production enforcement.
Suggested implementation sequence:
1. Identify privileged users.
Review:
- Profiles
- Permission Sets
- Permission Set Groups
2. Register Passkeys
Prefer:
- Windows Hello
- Face ID
- Touch ID
- FIDO2 Security Keys
3. Test in Sandbox
Validate:
- Administrator login
- SSO
- VS Code
- Salesforce CLI
- Deployment tools
- Connected Apps
4. Train Users
Explain:
- Why PR-MFA is changing.
- How Passkeys work.
- Recovery procedures.
5. Roll Out Before Production
Avoid waiting until enforcement begins.
Early testing minimizes user disruption.
What Changes?
✅ Privileged users require phishing-resistant authentication.
✅ Passkeys become the preferred authentication mechanism.
✅ Administrators should review authentication methods before July 2026.
What Doesn’t Change?
Many administrators worry far more is changing than actually is.
The following generally remain unchanged:
✅ Regular users can continue using supported MFA methods.
✅ OAuth integrations.
✅ JWT integrations.
✅ Client Credentials.
✅ Named Credentials.
✅ Server-to-server integrations.
Provided they don’t rely on interactive privileged logins.
SSO Considerations
Organizations using:
- Microsoft Entra ID
- Okta
- Ping Identity
- Other Identity Providers
should verify how their SSO implementation satisfies Salesforce’s PR-MFA requirements.
Review:
- Authentication policies
- Passkey support
- FIDO2/WebAuthn support
- Identity Provider configuration
Testing in a Sandbox environment before production rollout is strongly recommended.
Integration Considerations
Review authentication for:
- Azure Data Factory
- MuleSoft
- Boomi
- Informatica
- Copado
- Salesforce CLI
- VS Code
- Jenkins
- GitHub Actions
- Connected Apps
Interactive logins used by administrators may require updates, while non-interactive authentication methods such as OAuth Client Credentials or JWT are generally unaffected.