É«É«À²

Why use a passkey?

• are multifactor by nature. They replace the old Aalto multifactor authentication (MFA), except when logging in to email, Microsoft 365, Aalto VPN (virtual private network, VPN) or virtual desktop infrastructure (VDI).
• Passkeys are more convenient to use than the old Aalto MFA. For example, on your phone's browser all you need for login is your thumbprint. When using passkey with your phone, on desktop all you need is to scan a QR code with your phone's camera and give your thumbprint.
• Registering a passkey makes your account more secure. With passwordless login your password cannot be brute forced or used to log in via a browser anymore.

What do I need to use a passkey?

• Your Android phone or iPhone. A reasonably modern Android or iPhone works out-of-the-box. No need to install any software. 

and/or

• A hardware token like a Yubikey or any other FIDO2-compliant security key

Most students use their phones to store passkeys. 

For employees it is advisable to get a Yubikey from Dustin via : search for "Yubikey 5C NFC (USB-C)".

How do I start using passkeys?

Note Once you register a passkey you cannot log in any other way. This means that you must be able to use a passkey for login on both mobile and desktop devices.

• A passkey registered on your phone works natively with the mobile browser.
• Using the passkey from your phone with a desktop browser works best on Chromium-based browsers, for example, Chrome and Edge.
• Hardware tokens (for example, Yubikey) work with almost any desktop or mobile browser.

To start using passkeys you need to first register the passkey. 

Logging in to passkey registration

To register a passkey go to  with your browser.

You can log in either with your Aalto password or suomi.fi authentication.

The passkey registration view

In the registration view you can add new keys and delete old ones. Passkeys with the label "Passwordless" can be used for passwordless login. 

Some authenticators do not implement User Verification correctly. They may require a password even after you have logged in with the passkey.

What if I lose all my passkeys?

After you have registered a passkey, you cannot log in with a password anymore.

If you lose your passkey(s) you can log in to  with suomi.fi authentication and remove all your registered passkeys. If you cannot use suomi.fi login contact IT Service Desk and request your passkeys to be deleted.

After your existing passkeys have been deleted you can log in with a password again to register new ones.

Which passkey provider should I use on my phone?

The majority of Android phones come with Google Password Manager by default while iPhones use Apple Passwords. Both are fine and can be used.

Some passkey providers do not do User Verification (biometrics or PIN code) reliably. When using those passkey providers you will be asked for your password after logging in with a passkey.

The recommended passkey provider on Android is  for the following reasons:
 

• Open source so under continuous auditing
• User Verification is done in conformance with the WebAuthn specification
• Does not need an internet connection to work
• Does not sync, copy or otherwise leak data anywhere by default
• The free version contains all essential features