WebAuthn security keys provide strong protection against phishing and account takeover. They use cryptographic hardware to verify your identity. In Zenovay, security keys and platform authenticators are both registered as passkeys, available on every plan.
What is WebAuthn?
WebAuthn (Web Authentication) is a modern standard for passwordless and multi-factor authentication using:
- Hardware security keys: Physical devices like YubiKey
- Platform authenticators: Built-in systems like Touch ID, Face ID, Windows Hello
Zenovay registers both as passkeys. Whether you use a hardware key or your device's biometrics, the setup flow is the same.
Why WebAuthn is Secure
- Phishing-resistant: Keys verify the website domain
- Cryptographic: Uses public-key cryptography
- No shared secrets: Private keys never leave the device
- Tamper-resistant: Hardware-based security
Security Key Options
Hardware Security Keys
| Brand | Models | Features |
|---|---|---|
| YubiKey | 5 Series, Security Key | USB-A, USB-C, NFC |
| Google Titan | USB-A, USB-C | Bluetooth option |
| Thetis | Pro, Bio | Fingerprint models |
| Feitian | ePass, BioPass | Various form factors |
| SoloKeys | Solo V2 | Open source |
Platform Authenticators
| Platform | Technology | Requirements |
|---|---|---|
| macOS/iOS | Touch ID / Face ID | Apple device with biometrics |
| Windows | Windows Hello | Windows 10/11 with compatible hardware |
| Android | Fingerprint/Face | Android 7+ with biometrics |
| Chrome | Profile-based | Chrome 70+ |
Passkeys are available for accounts that have a password. If you signed in only with Google or GitHub, set a password first, then add a passkey.
Setting Up a Hardware Security Key
Get a Security Key
Purchase a WebAuthn-compatible security key. YubiKey 5 series is recommended.
Go to Security & Access
Go to Settings → Account → Security (
/settings/account/security) in Zenovay.Add a New Passkey
On the Passkeys card, click New passkey.
Name It (Optional)
Give it a recognizable name like "Office YubiKey" or "Backup Key". You can leave this blank.
Insert Your Key
Insert your security key into a USB port (or have NFC ready on mobile).
Touch the Key
When your browser prompts, touch the button on your security key to complete enrollment.
Add a Backup Method
Register a second key, or keep your authenticator app and backup codes ready, so you're never locked out.
Always register at least two passkeys, or have your authenticator app and backup codes ready. If you lose your only key, you could be locked out.
Setting Up Touch ID / Face ID
macOS with Touch ID
Ensure Touch ID is Set Up
Go to System Settings → Touch ID & Password and add a fingerprint.
Use Safari or Chrome
Use a browser that supports Touch ID authentication.
Add in Zenovay
Go to Settings → Account → Security, then on the Passkeys card click New passkey.
Authenticate
When prompted, use Touch ID to register. Name it something like "MacBook Touch ID".
iOS with Face ID
Use Safari
Open Zenovay in Safari on your iPhone/iPad.
Add a New Passkey
Go to Settings → Account → Security, then on the Passkeys card click New passkey.
Allow Face ID
When prompted, allow Face ID or Touch ID.
Verify Identity
Complete Face ID or Touch ID verification to finish enrollment.
Windows Hello
Set Up Windows Hello
Go to Windows Settings → Accounts → Sign-in options. Set up fingerprint, face recognition, or PIN.
Use Edge or Chrome
Open Zenovay in Microsoft Edge or Chrome.
Add a New Passkey
Go to Settings → Account → Security, then on the Passkeys card click New passkey.
Authenticate with Windows Hello
Use your configured Windows Hello method to complete enrollment.
Using Security Keys to Log In
Once a passkey is registered, when you sign in:
- Enter your email and password
- Your browser prompts for your passkey
- Insert your key (if not already inserted)
- Touch the button or use biometrics
- You're signed in
If you've added a passkey, you can also sign in with the passkey and skip the password entirely.
NFC Security Keys (Mobile)
On compatible Android devices:
- When prompted, tap your NFC security key to the back of your phone
- Hold until verified
Managing Multiple Security Keys
We recommend registering multiple passkeys:
Recommended Setup
- Primary key: For daily use
- Backup key: Stored securely at home or office
- Travel key: Smaller form factor for travel
Adding Additional Keys
- Go to Settings → Account → Security
- On the Passkeys card, click New passkey
- Follow the registration process
- Give each key a unique name
Removing Keys
- Go to Settings → Account → Security
- On the Passkeys card, find the key in your list
- Open the menu next to it and choose Revoke
- Confirm in the dialog
The Passkeys card shows when each passkey was last used, so you can tell which ones are still active before revoking.
Never revoke your last passkey without having another method configured, such as your authenticator app and backup codes.
Browser Compatibility
| Browser | Support Level | Platform Authenticator |
|---|---|---|
| Chrome 67+ | Full | Yes |
| Firefox 60+ | Full | Yes |
| Safari 13+ | Full | Yes (Touch ID, Face ID) |
| Edge 79+ | Full | Yes (Windows Hello) |
Browser Settings
Ensure your browser allows security keys:
- Chrome: Settings → Privacy → Security → Use security key
- Safari: Security keys work by default
- Firefox: about:config → security.webauth.webauthn enabled
Troubleshooting
Key Not Detected
- Try a different USB port
- Check USB hub compatibility (try direct connection)
- Update browser to latest version
- Try a different browser
- Check if the key works on other sites
"Security Key Not Allowed"
- Ensure you're using HTTPS (not HTTP)
- Check your browser supports WebAuthn
- Update your browser
- Try incognito mode
Touch ID / Face ID Not Working
- Ensure biometrics are set up on your device
- Try re-registering the passkey
- Check your browser has permission to use biometrics
- Restart your browser and try again
"This Site Can't Use Your Key"
This can happen if:
- The domain changed (phishing protection working)
- The key was registered on a different domain
- Browser security settings block the key
Security Best Practices
Physical Security
- Store backup keys securely: Safe, safety deposit box, or secure drawer
- Don't leave keys plugged in: Remove when not in use
- Keep track of keys: Know where each one is
Digital Security
- Register multiple keys: At least two for redundancy
- Keep firmware updated: Update security key firmware when available
- Use with a strong password: A passkey is one factor, not a password replacement on its own
Passkeys and Passwordless Sign-In
Zenovay registers your security keys and platform authenticators as passkeys. Once a passkey is enrolled, you can:
- Sign in without entering your password
- Use your device's biometrics or a hardware key to authenticate
- Manage all of your registered passkeys from Settings → Account → Security
Next Steps
- Set up multi-factor authentication for a complete account-security setup
- Review security best practices
- Enforce MFA across your team