# Passkeys & account security

Your passkeys are the second layer of your vault identity. Every time you make a change in the vault (editing a policy, importing a key, creating a user), the vault asks your device to sign that action with a passkey. This page explains how to manage yours.

## What a passkey signs

When you confirm a state-changing action, the vault presents your browser with a WebAuthn signing challenge tied to the specific operation you are performing. Your device signs that challenge with the private key stored in its secure enclave or hardware token. The vault verifies the signature server-side before applying the change.

This means:

* Your session token alone cannot authorize sensitive actions. An attacker who steals your session cookie cannot modify policy or initiate signing.
* The signing challenge is operation-specific. A captured challenge cannot be replayed for a different action.
* Passkeys are phishing-resistant by design. The browser binds them to your vault's exact domain; a fake site cannot obtain a valid passkey signature for your real vault.

## View your enrolled passkeys

Navigate to `/passkeys` in your browser (or use the link from your profile area in the sidebar). The page lists every passkey you have enrolled for your account, along with the device name you gave it and the date it was added.

## Add a passkey

You can enroll passkeys on as many devices as you use regularly. Adding a second passkey on a different device is strongly recommended so you are not locked out if your primary device is unavailable.

1. On the Passkeys page, click **Add Passkey**.
2. Enter a device name to identify this passkey (for example, "Home laptop" or "YubiKey 5").
3. Click **Create passkey**.
4. Your browser invokes the platform authenticator. Approve the Face ID, Touch ID, Windows Hello, or PIN prompt.
5. The new passkey appears in your list.

:::tip
If you use a hardware security key (such as a YubiKey or Titan key), you can enroll it here as an additional passkey. Hardware keys work as a reliable backup when your primary device is unavailable.
:::

## Remove a passkey

1. On the Passkeys page, find the passkey you want to remove.
2. Click **Remove** next to it.
3. Confirm the removal.

**You cannot remove your last passkey.** The Remove button is disabled when only one passkey remains in the list. This prevents you from locking yourself out.

If you need to remove your last passkey (for example, because the device was stolen), another user with the **Manage Users** capability must perform a passkey reset on your account, which removes all your enrolled passkeys at once and lets you enroll fresh ones on your next login.

## Passkey reset (initiated by another user)

A passkey reset is necessary when a user has lost access to all their enrolled passkey devices and cannot add a new one themselves.

**For the user who needs the reset:** contact your vault administrator. You cannot initiate your own reset.

**For the administrator performing the reset:**

1. Navigate to **Users & Groups** and find the affected user on the **Users and Trading Machines** tab.
2. Click the row actions dropdown and select **Reset passkey**.
3. Your browser will prompt you to sign the action with your own passkey.

After the reset is applied, the affected user's passkeys are cleared. On their next login they are presented with the mandatory enrollment modal and must enroll a new passkey before proceeding.

## If your session expires mid-session

If your JWT session token expires while you are working in the vault, a modal overlays the current page prompting you to re-authenticate with your SSO provider. After re-authentication, you are returned to where you were. Your in-progress drafts (for example, an open policy edit) are preserved.
