Passkeys and two-factor authentication
How passkeys work on Haubot, when to use them instead of a password, and what to do if you want a hardware security key.
A password is worth very little once it has been phished or reused. Haubot supports passkeys (WebAuthn) as a first-class sign-in method: on supported browsers they replace the password entirely, they resist phishing because each credential is bound to Haubot's own origin, and they live on a physical device or in a password manager you already trust.
What a passkey is
A passkey is a cryptographic key pair. The private key never leaves your device (or your password manager). The public key is stored by Haubot and used to verify that whoever is signing in actually holds the private key. The public key is not a secret: even if Haubot's stored copy leaked, it could not be used to sign in as you.
In practice that means:
- Sign-in is biometric or PIN. Touch ID, Face ID, Windows Hello, a hardware key tap, or a password manager prompt.
- There's nothing to phish. The private key never leaves the device, and every signature it produces is bound to the origin of the page that asked for it, so a lookalike site on another domain gets nothing it can replay against Haubot.
- There's no password to reuse. Each site gets its own key pair, so a breach elsewhere cannot be turned against your Haubot account.
Setting up a passkey
- Sign in with your password.
- Go to Dashboard → Settings → Security.
- Click Register passkey.
- Pick where to store it:
  - This device — uses your built-in authenticator (Touch ID, Face ID, Windows Hello).
  - Hardware key — a YubiKey, Solo Key or similar plugged into USB.
  - Password manager — 1Password, Bitwarden, iCloud Keychain, Google Password Manager.
- Follow the platform prompt to confirm.
You can register multiple passkeys — common pattern is one for your phone, one for your laptop, one hardware key in a drawer as backup. They're all independent; any of them can sign you in.
Using a passkey
Next time you visit /auth/login, choose Sign in with passkey. The browser prompts your authenticator (fingerprint, face, PIN, or key tap), and you're in. No password typed, no SMS code waited for.
The password is still active as a fallback, so you can sign in either way. If you want password sign-in disabled entirely, do that from the same Settings → Security page after you've registered at least one passkey. Registering two first is the safer habit: once the password is off, losing your only passkey leaves email-based recovery as the sole way back in.
Hardware keys
A hardware security key (YubiKey 5 series, Solo 2, etc.) is the strongest passkey option for accounts that matter. Plug it in once to register; from then on every sign-in is a button tap. If you carry one already for other services, register it for Haubot too — it's a no-cost upgrade.
Two practical notes:
- Register two keys so you have a spare. Losing the only registered key means falling back to email-based recovery.
- Use the same physical key across all your sensitive accounts; that is the point of a hardware key. The key mints a separate credential for each site, so one device serves many accounts without those sites being able to link you to each other.
"Two-factor" — what Haubot does and doesn't do
A passkey sign-in is a single step, but it carries two factors: possession of the authenticator (something you have) and the biometric or PIN that unlocks it (something you are or know). The authenticator will not produce a signature until that unlock succeeds, so a stolen laptop or hardware key is not enough on its own. For passkeys stored on this device or on a hardware key, the private key is bound to that hardware; for passkeys kept in a password manager, the key syncs between your devices and its protection rests on the manager's own vault and account security, which is worth weighing when you choose where to store one.
For password sign-in, Haubot currently sends time-limited one-time codes by email for unusual sign-ins (new device, new country). SMS-based 2FA is not used: SMS is the weakest second factor, since codes can be captured through SIM swapping or phished along with the password, and the industry is correctly moving away from it.
If your security model requires a separate second factor on top of passkey (uncommon for individual business accounts), reach out to support — there are options for organisations with stricter requirements.
Removing a passkey
From Settings → Security, each registered passkey has a "Remove" button. Removing one doesn't sign you out of active sessions; it only prevents that specific passkey from being used for future sign-ins. If you're removing a passkey because the device it lived on was lost or stolen, keep in mind that any session already open on that device stays open until it expires or is ended. If you remove all passkeys, sign-in reverts to password only.
If you lose your only passkey
Account recovery falls back to your verified email — see Recovering a lost account for the full process.