Start using Passkeys to log in to your OpenVPN account

Abstract

Passkeys replace traditional passwords with a modern, secure method. They let you sign in to your OpenVPN account using the same simple method you use to unlock your device - such as your fingerprint, face scan (Face ID/Touch ID), or local PIN/device password.

To enroll in password-less authentication using Passkeys, follow the steps below:

  1. After you log in, expand the User Account menu in the bottom-left corner and select My Account.

  2. On the Security & Privacy tab, in the Passwordless Authentication section, click Set up.

  3. Click Add Passkey.

  4. Sign in with your password and, if set up, your 2FA code.

  5. Follow the on-screen prompts and select an appropriate option to store your Passkey.

    1. Store securely on a service that syncs the Passkey across multiple devices (e.g., iCloud).

    2. Store Passkey on a dedicated external hardware key (e.g., YubiKey).

  6. Verify your identity using your device's local unlock mechanism (fingerprint, face, or PIN) to confirm the creation of the Passkey.

Note

An option to set up a Passkey may be provided to you after login.

To sign in with a Passkey, follow the steps below:

  1. On the Sign In screen, you may see your username with a Passkey label or an option to Continue With Passkey in addition to the normal password method.

  2. Click Continue With Passkey or the Passkey tagged username.

  3. The system automatically suggests the available Passkey credential for your account.

  4. Follow the prompts shown on the registered device to prove your identity.

  5. Once your identity is verified, you are logged in immediately.

FAQ

1. What are Passkeys?

Passkeys replace traditional passwords with a modern, secure method. They let you sign in to your OpenVPN account using the same simple method you use to unlock your device - such as your fingerprint, face scan (Face ID/Touch ID), or local PIN/device password.

Passkeys are built on the FIDO2/WebAuthn standards and eliminate the need to remember complex character strings, making sign-ins faster, safer, and more convenient.

2. Why should I use Passkeys?

Passkeys have several benefits, including:

  • Simplicity: No more typing or remembering complex passwords. You sign in with one tap, and your device unlocks.

  • Speed: Authentication is nearly instant, making sign-in faster than traditional password + 2FA.

  • Phishing-Proof: Since the private key never leaves your device and the sign-in is tied to the correct website (via the Origin/Relying Party ID), fake websites cannot trick you into giving away your credentials.

  • No Data Breach Risk: Your credentials are never stored as secrets on the server, meaning they cannot be exposed in a server-side data breach.

3. What Passkey authentication options are available based on the device's operating system?

  • Microsoft Windows 10 (v1903) or later. Windows Hello (PIN, Face, or Fingerprint) must be enabled.

  • Chrome OS 108/109 or later. Relies on the Google Password Manager and device screen lock.

  • Google Android 9 or later. Google Password Manager is the default authenticator for synchronization. The device must have a Screen Lock (PIN, Pattern, or Biometric).

  • iOS 16 or later. iCloud Keychain must be enabled for cross-device synchronization. Face ID or Touch ID is used for authentication.

  • macOS Ventura or later. iCloud Keychain must be enabled. Touch ID or System Password/PIN is used for authentication.

4. How do Passkeys work?

Passkeys use public-key cryptography to verify your identity without sending any secrets over the network. The key pair consists of:

  • Private key: securely stored on the user's authenticator device and never leaves it.

  • Public key: stored on the OpenVPN server and linked to the user's account.

The OpenVPN authentication service sends a unique random challenge. The device uses its Private Key to sign this challenge cryptographically. The service verifies the signature using the stored Public Key. If valid, the identity is confirmed. No password or private key is transmitted over the network.
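The challenge-response exchange described above, together with the origin and Relying Party ID binding from the "Phishing-Proof" benefit, as an added Node.js example that is not OpenVPN's own code. The names RP_ID, ORIGIN, makeAuthenticator and verifyAssertion are assumptions made for illustration, and the authenticator is a constructed stand-in that follows the WebAuthn assertion layout (signature over authenticatorData followed by the SHA-256 hash of clientDataJSON).

```javascript
// Added example; RP_ID and ORIGIN are placeholder values, not OpenVPN's.
const crypto = require('node:crypto');
const RP_ID = 'vpn.example';
const ORIGIN = 'https://vpn.example';
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed stand-in for browser + authenticator. The private key stays
// inside this closure; only the public key is handed to the server.
function makeAuthenticator() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const sign = (challenge, origin, rpId) => {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get',
      challenge: challenge.toString('base64url'),
      origin, // filled in by the browser, not by the page
    }));
    // authenticatorData: SHA-256(rpId) | flags | 4-byte signature counter
    const flagsAndCounter = Buffer.from([0x05, 0, 0, 0, 1]); // UP + UV set
    const authData = Buffer.concat([sha256(rpId), flagsAndCounter]);
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { clientDataJSON, authData,
             signature: crypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, sign };
}

// Server side: returns 'ok' or the reason the assertion is rejected.
// The signature counter is not checked here.
function verifyAssertion(a, expectedChallenge, publicKey) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (!Buffer.from(client.challenge, 'base64url').equals(expectedChallenge))
    return 'challenge mismatch'; // stale or replayed response
  if (client.origin !== ORIGIN) return 'origin mismatch'; // look-alike site
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((a.authData[32] & 0x05) !== 0x05) return 'user not verified';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature)
    ? 'ok' : 'bad signature';
}

const demoAuth = makeAuthenticator();
const demoChallenge = crypto.randomBytes(32); // fresh per sign-in attempt
const demoOk = demoAuth.sign(demoChallenge, ORIGIN, RP_ID);
console.log(verifyAssertion(demoOk, demoChallenge, demoAuth.publicKey));
console.log(verifyAssertion(demoOk, crypto.randomBytes(32), demoAuth.publicKey));
```

Because the origin and the RP ID hash are part of the signed data, a response produced for a look-alike site fails verification even though the correct private key signed it.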

5. Which standards do Passkeys follow, and which regulations recommend their use?

Passkeys are widely adopted, based on global open standards, and are highly recommended by leading security authorities.

  • The FIDO Alliance is an open industry consortium (including Apple, Google, and Microsoft) that developed the core FIDO2 specifications. This defines the protocol for secure communication between the authenticator (your device) and the service (OpenVPN).

  • The World Wide Web Consortium (W3C) standardized the client-side API as WebAuthn (Web Authentication API), ensuring the technology works consistently across all major browsers and operating systems.

  • The U.S. National Institute of Standards and Technology (NIST) strongly recommends adopting phishing-resistant authentication, such as FIDO/passkeys, in its digital identity guidelines (SP 800-63-3 and later revisions), thereby validating it as a global best practice.

6. What is FIDO2?

FIDO2 (Fast Identity Online) is an advanced authentication standard that enhances user authentication by replacing passwords with more secure methods like biometrics (e.g. Face ID, Touch ID, Windows Hello) or hardware security keys (e.g. YubiKeys), which significantly reduces the risk of cyber attacks such as phishing and password theft.

7. What is WebAuthn?

WebAuthn is a web standard introduced by the World Wide Web Consortium (W3C) to simplify and standardize strong user authentication online. It uses public-key cryptography to provide strong authentication, making it resistant to phishing and other common online attacks. While WebAuthn lays down the framework for utilizing private keys for authentication, passkeys are a specific implementation of this framework, tailored for easy user interaction and broad application.

8. What is an Authenticator?

An authenticator is the physical device or software that securely stores and manages the passkey's private key. Examples include your smartphone, laptop, or a physical security key.

9. What will happen if I lose access to my Passkey?

If you have lost access to all synced devices and cannot recover your passkeys via your platform provider (Apple, Google, etc.), you will be prompted to use your original “email/password” combination and 2FA (if it was enabled previously).