Skip to main content
Passkeys provide phishing-resistant multi-factor authentication using a device biometric, screen lock, or security key. Your organization may require passkeys for all users or for accounts with elevated permissions. Your role may also require a passkey after magic-link sign-in.
Security options depend on your organization policy and account permissions. If you cannot change a setting, contact your Sofie administrator.

Open security settings

1

Open Account Settings

Use the user menu in the sidebar.
2

Choose Security

Select the Security tab.
3

Review passkey status

Check whether Passkey MFA is enabled, not set up, or required by policy.

Add a passkey

1

Click Add passkey

In Security, click Add passkey.
2

Follow your browser or device prompt

Use your device biometric, screen lock, password manager, or security key.
3

Confirm enrollment

Return to Sofie and verify that the passkey appears in Registered passkeys.
If your browser does not support passkeys, try a current version of Chrome, Safari, Edge, or Firefox on a device with passkey support.

Review registered passkeys

The Registered passkeys list shows passkeys attached to your account. Use it to check:
  • How many passkeys are enrolled.
  • Whether a passkey is synced or device-bound.
  • When a passkey was added or updated.
  • Whether you should add a backup passkey.
If your organization requires passkeys, enroll more than one supported device when policy allows it. This reduces lockout risk if a device is lost.

Sign in with a passkey

On the Sofie sign-in page, enter your email and click Continue with passkey when you want to authenticate with an enrolled passkey. If your organization still allows email magic links, you can use email sign-in to recover from a lost passkey, then replace the passkey from Account > Security. If magic links are disabled because SSO is enabled, use your organization’s SSO recovery process or contact an administrator.

Remove a passkey

You may be able to remove a passkey from Registered passkeys. Before removing one:
  • Confirm you have another working passkey if passkeys are required.
  • Check whether the device was lost, retired, or replaced.
  • Make sure you are not removing the only required authentication method.
Sofie may prevent removal if policy requires at least one passkey.

Replace lost passkeys

If you lose access to your passkeys, follow the recovery flow your organization uses. Sofie may require a recent email sign-in before replacing old passkeys. Ask your administrator for help if:
  • You cannot complete email recovery.
  • You no longer have any enrolled device.
  • Your role requires passkeys and you are blocked from the rest of the app.

Passkey prompts during work

Sofie may ask for a security step before sensitive actions, depending on your organization policy and role. This can happen when:
  • You sign in with a magic link and your role requires a passkey check.
  • You manage users, roles, groups, organization settings, or security settings.
  • You change sensitive account settings.
  • You access elevated-security pages.
If your role requires a passkey after magic-link sign-in and you do not have one yet, Sofie sends you to Account > Security to enroll one.

Idle sign-out

Your role may include an idle auto logout policy. If it does, Sofie can warn you with Still working? before signing you out. Click Stay signed in to continue. If the idle period expires, Sofie signs you out and shows a message on the sign-in page.
Do not share passkeys, device unlock methods, or security keys. Each user should use their own account and authentication method.