
View and manage Passkey/FIDO2 tokens

The Passkey/FIDO2 Tokens page provides a complete list of all passkeys and FIDO2 tokens registered by users in your tenant. It shows administrators which Passkey/FIDO2 tokens are enrolled and the security properties of the authenticators they are stored on.

Administrators do not add Passkey/FIDO2 authenticators to a user's list directly. Users must self-register their Passkey/FIDO2 token in the User portal. If a Passkey/FIDO2 token is used for User ID sign-in, ensure the resource rule allows Passkey/FIDO2 authentication.

Note: Only users assigned the User Passkey/FIDO2 Token Management permission can view and manage the Passkey/FIDO2 Tokens list.

View the Passkey/FIDO2 Tokens page

  1. Click > Resources > Passkey/FIDO2 Tokens. The Passkey/FIDO2 Tokens page appears.
  2. The Passkey/FIDO2 Tokens page lists all registered tokens across the tenant. Each row represents a single registered passkey or FIDO2 token associated with a user. For a description of the table in the Passkey/FIDO2 Tokens page, see Passkey/FIDO2 Tokens table.
  3. Click the expansion icon (▶) next to a token to see the token details. For a description of the token details fields, see Passkey/FIDO2 token details. For more information on the authenticator metadata source, see Authenticator metadata overview.
  4. Click to enable filtering. For a description of the available filters, see Available filters.
  5. To clear all applied filters at once, click the Reset button in the filter sidebar. You can also remove individual filter values one at a time.
  6. Do the following, as required, to manage an individual token from the Passkey/FIDO2 Tokens page. To perform these actions for specific users, see Manage tokens from the Users page.
    • Click Disable and confirm the prompt to temporarily deactivate a token. The token record is retained, but the user cannot use it to authenticate until it is re-enabled.
    • Click Enable and confirm the prompt to activate a previously disabled token, allowing the user to authenticate with it again.
    • Click Delete and confirm the prompt to delete a token.
  7. To perform multi-token actions, see Multi-token actions.

Manage tokens from the Users page

You can also manage an individual user's tokens from the Users page.

  1. Click > Members > Users.
  2. Select the user you want to manage.
  3. Click the Authenticators tab.
  4. In the token row, click Actions, then select Enable, Disable, Rename, Details, or Delete, as required.

Passkey/FIDO2 Tokens table

Status: Indicates whether the token is currently Active or Disabled.
Passkey Name: A custom name provided by the user before initiating the passkey registration. It helps identify the token in the list.
Authenticator: The name and type of authenticator used — for example, Windows Hello VBS Hardware Authenticator, Apple Passwords, YubiKey. This can be a Platform Authenticator (built into the device) or a Roaming Authenticator (external hardware key).
User ID: The unique user ID of the user who registered this token.
FIDO Certification: Indicates whether the authenticator is certified by the FIDO Alliance. Certified authenticators meet strict security standards.
Synced: Shows whether the passkey is synced (backed up to the cloud and available across devices) or device-bound (exists only on the original device).
Date Added: The date and time when this token was registered.
Date Last Used: The date and time when this token was last used to authenticate.
Actions: Available actions for the token. See Authenticator metadata overview.

Passkey/FIDO2 token details

Algorithm: The cryptographic algorithm used by the token (for example, RS256, ES256). This determines how the authentication signature is generated and verified.
Authenticator ID (AAGUID): A unique identifier (AAGUID) that identifies the make and model of the authenticator device. It is assigned by the authenticator manufacturer and helps determine which device type was used during registration.
Relying Party ID: The domain or application identifier that this token is bound to. A passkey registered for one application cannot be used to authenticate on a different one.
Key Protection: Describes how the private key is stored on the device. For example, a key stored in a hardware security chip (TEE or Secure Element) is highly protected and cannot be extracted. A software-protected key is stored in the device's memory and may be less secure.
Matcher Protection: Describes where the user verification check (such as a fingerprint scan or PIN entry) is processed. If it is processed inside a secure hardware chip, it is tamper-resistant. If it is processed in software, it relies on the operating system for security.
Transport Method: The communication channel the authenticator uses to interact with the browser or device. Common values include USB (plugged in), NFC (tap to authenticate), BLE (Bluetooth), and Internal (built into the device).
Feature Flags: Indicates the security properties confirmed during authentication: User Present (the user physically interacted with the device), User Verified (the user completed a verification step such as biometric or PIN), and Backup Eligible (the passkey can be synced or backed up to the cloud).

For definitions of all these fields and their possible values, refer to the Glossary.
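As an added example that is not part of this documentation or of the IDaaS product, the following Python parses raw WebAuthn authenticator data from a registration to show where the AAGUID, the Feature Flags (User Present, User Verified, Backup Eligible) and the synced/device-bound indicator in the token details come from. The sample authenticator data, AAGUID and credential ID are constructed placeholders, and treating a Backup Eligible credential as synced is this example's own mapping.

```python
import hashlib
import struct
import uuid

# Bits of the WebAuthn authenticator-data flags byte that back the Feature Flags and Synced fields.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible
FLAG_BS = 0x10  # Backup State: credential is currently backed up
FLAG_AT = 0x40  # Attested credential data (AAGUID, credential ID, COSE key) follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Layout: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key].
    The trailing COSE public key (which carries the Algorithm, e.g. ES256) is not parsed here."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    info = {
        "rp_id_hash": auth_data[:32].hex(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    # Mapping assumed by this example: a Backup Eligible credential is shown as synced, otherwise device-bound.
    info["binding"] = "synced" if info["backup_eligible"] else "device-bound"
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        info["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        info["credential_id"] = cred_id.hex()
    return info


def build_sample_authenticator_data(flags: int = FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT) -> bytes:
    """Constructed registration sample for RP example.com with a placeholder AAGUID (not a real device)."""
    aaguid = uuid.UUID("aaaaaaaa-1111-2222-3333-444444444444").bytes
    cred_id = b"\xde\xad\xbe\xef"
    return (hashlib.sha256(b"example.com").digest() + bytes([flags]) + struct.pack(">I", 0)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id)
```

Call parse_authenticator_data(build_sample_authenticator_data()) to see a synced, user-verified registration; pass FLAG_UP | FLAG_AT instead to see a device-bound one.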

Authenticator metadata overview

IDaaS resolves authenticator details using the FIDO Metadata Service (MDS) blob — an official, signed list of authenticator metadata published by the FIDO Alliance. It includes device details and certification status for authenticators that have passed FIDO certification requirements.

On each new passkey registration, IDaaS follows this process:

  1. Checks whether a newer MDS blob is available from the FIDO Alliance. If one is available, the local blob is updated.
  2. Looks up the registering authenticator by its AAGUID in the updated blob.
  3. If a matching record is found, IDaaS updates the authenticator's stored metadata (name, certification status, key protection, matcher protection, and so on).
  4. If no record exists yet for that AAGUID, IDaaS creates a new authenticator metadata record.

Authenticators not listed in FIDO MDS

Some authenticators are not included in the public MDS blob. For these, IDaaS falls back to a locally maintained metadata repository. This repository provides only a name and icon for each authenticator.

The following fields are not available for authenticators sourced from the local repository:

  • Key Protection
  • Matcher Protection
  • FIDO Certification

For the full list of supported authenticators and their icons, see Community authenticator list.
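The lookup and fallback described in the two sections above, as an added Python example that is not IDaaS code: it resolves an AAGUID against a decoded MDS-style blob and, failing that, against a local name-and-icon repository, leaving Key Protection, Matcher Protection and FIDO Certification empty for local records. The blob entries, the local repository, the AAGUIDs and the function names are constructed for illustration, and verifying the FIDO Alliance signature on the real blob is assumed to have happened before this step.

```python
# Constructed sample shaped like a decoded FIDO MDS3 blob payload (the real blob is a JWT signed by the
# FIDO Alliance; that signature is verified before this step and not shown). AAGUIDs are placeholders.
MDS_BLOB = {
    "no": 42,  # serial number: a fetched blob with a higher "no" replaces the local copy
    "entries": [{
        "aaguid": "aaaaaaaa-1111-2222-3333-444444444444",
        "metadataStatement": {"description": "Example Roaming Key",
                              "keyProtection": ["hardware", "secure_element"],
                              "matcherProtection": ["on_chip"]},
        "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2022-03-01"}],
    }],
}
# Constructed local repository for authenticators absent from MDS: name and icon only.
LOCAL_REPOSITORY = {
    "bbbbbbbb-1111-2222-3333-444444444444": {"name": "Example Platform Authenticator", "icon": "platform.svg"},
}

NO_DATA = {"certification_status": None, "fido_certified": None, "key_protection": None, "matcher_protection": None}


def pick_newer_blob(local_blob: dict, fetched_blob: dict) -> dict:
    """Step 1: keep the local blob unless the fetched one carries a higher serial number."""
    return fetched_blob if fetched_blob.get("no", -1) > local_blob.get("no", -1) else local_blob


def latest_status(entry: dict) -> str:
    """The newest status report decides certification, so a later REVOKED overrides an older cert."""
    reports = entry.get("statusReports") or []
    if not reports:
        return "NOT_FIDO_CERTIFIED"
    return max(reports, key=lambda r: r.get("effectiveDate", ""))["status"]


def resolve_authenticator(aaguid: str, mds_blob: dict, local_repo: dict) -> dict:
    """Steps 2-4: look the AAGUID up in MDS; otherwise fall back to the local repository."""
    aaguid = aaguid.lower()
    for entry in mds_blob.get("entries", []):
        if entry.get("aaguid", "").lower() == aaguid:
            stmt, status = entry["metadataStatement"], latest_status(entry)
            return {
                "source": "mds", "name": stmt["description"],
                "certification_status": status, "fido_certified": status.startswith("FIDO_CERTIFIED"),
                "key_protection": stmt.get("keyProtection", []),
                "matcher_protection": stmt.get("matcherProtection", []),
            }
    if aaguid in local_repo:
        # Local repository records carry no Key Protection, Matcher Protection or FIDO Certification.
        return {"source": "local", **local_repo[aaguid], **NO_DATA}
    return {"source": "unknown", "name": "Unknown authenticator", **NO_DATA}
```

A practitioner point the page's process implies: because the newest status report wins, a refreshed blob that marks a previously certified AAGUID as REVOKED changes the FIDO Certification shown for existing tokens, which is why refreshing the blob on every registration matters.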

Available filters

Status: Filter tokens by their current state — Active or Inactive.
Passkey Name: Search by the custom name the user provided during passkey registration.
Authenticator Name: Filter by the name of the authenticator device (for example, Windows Hello, Apple Passwords, YubiKey).
User ID: Search for tokens registered by a specific user using their unique user ID.
Date Added: Filter tokens by the date they were registered. You can specify a date range.
Last Used Date: Filter tokens by the date they were last used for authentication. You can specify a date range.

Multi-token actions

You can select multiple tokens using the row selection checkboxes at the start of each row. Once you select one or more tokens, the following actions are available for all selected tokens:

Enable selected: Enables all selected tokens at once.
Disable selected: Disables all selected tokens at once.
Delete selected: Permanently deletes all selected tokens at once.

Warning: Deleting selected tokens is irreversible. Verify your selection carefully before confirming.

When to use these actions

User lost their hardware key: Delete the associated token.
User's device is temporarily unavailable: Disable the token until the device is back.
Suspicious authentication activity on a token: Disable immediately and investigate.
Offboarding a user: Delete selected tokens associated with that user.
Enforcing a new security policy (for example, no synced passkeys): Filter synced tokens and Disable selected or Delete selected.