Skip to main content

About Passkeys and Social Login

Passkeys and social login provide straightforward ways to configure access to your Iru tenant. Users can create their own passkeys, or use their existing Google or Microsoft account to access your tenant. While they’re easy to configure, they do have inherent limitations compared to configuring a Single Sign-On authentication method. If you’re looking to Require Authentication for enrollment, passkeys and social login can only be used for manual enrollments.

How Passkeys and Social Login Work

Passkeys use standards-based technology that eliminates shared secrets, making them resistant to phishing attacks. When a user registers a passkey, it’s stored in their credential manager and can be synced across their devices. During login, the credential manager authenticates the user without requiring a password. Social login allows users to authenticate using their existing Google or Microsoft accounts. For Microsoft Social, authentication matches users based on their User Principal Name (UPN) in Microsoft Entra ID, not just their email address. Google Social and Microsoft Social can be limited to specific domains for additional security.

Passkeys

Designed to replace traditional passwords, passkeys offer a more secure and user-friendly way to sign into websites and applications. You can see Apple’s About the security of passkeys and Use passkeys to sign in to websites and apps on iPhone pages for more information.

Send Authentication Registration Request

Admins and Account Owners can send authentication registration requests to users so they can register a passkey.
1

Navigate to the Account Menu Button

In Iru Endpoint, in the sidebar, click the Account Menu Button.
2

Access Authentication Settings

Click the Access option in the menu.
3

Select User

Click the ellipsis (⋮) next to the user you would like to send the authentication registration request to.
4

Select Manage Authenticators

From the ellipsis (⋮) menu, select Manage authenticators.
5

Send Authentication Registration

Click the Send Authentication Registration button.
6

Accept Authentication Registration Email

Click the Accept button in the invitation email.
7

Click Register Passkey

Click the Passkey button under the Register a Passkey section.
8

Complete Passkey Registration

Follow the prompts for your preferred credential manager to register the passkey.
9

Choose Passkey at Login

You can now choose the Passkey button at the Iru login page.
10

Select Passkey from Credential Manager

Choose your passkey from your credential manager to authenticate.

Register a New Passkey

You can register additional passkeys for your account without an administrator sending a registration request. You may register multiple passkeys per user account.
1

Open My Account

Click your name at the bottom of the left navigation, then select My Account.
2

Navigate to Authenticators

In the My Account page, click Authenticators.
3

Add Authenticator

Click the + Authenticator button.
If you see a notice that you cannot add additional authenticators without an existing one, contact an administrator to send a registration link as described in the Send Authentication Registration Request section.
4

Select Passkey

In the Add authenticator dialog, click the Passkey button.
5

Save in Credential Manager

Follow the prompts to save the passkey in your preferred credential manager.
6

Complete Passkey Sign-In

When prompted, authenticate using an existing passkey. If your existing passkey is stored in a different credential manager, select it from that credential manager when prompted.
7

Complete Registration

Follow the prompts to complete the passkey registration.

Credential Managers

It’s important to save your passkeys in a way that allows you to access them across multiple devices. Most popular credential managers, such as 1Password and Apple’s Passwords app, support saving and synchronizing passkeys. When registering passkeys, if the expected credential managers do not prompt to save the passkey, check the settings of the related app or browser extension to ensure that prompts to save passkeys are enabled. If you have multiple credential manager browser extensions enabled, you may need to disable the other extensions to avoid conflicts.

Manage Your Passkeys

You can suspend or delete your registered passkeys.
1

Open My Account

Click your name at the bottom of the left navigation, then select My Account.
2

Navigate to Authenticators

In the My Account page, click Authenticators.
3

Expand Authenticator

Click the disclosure triangle (⌄) to the right of the authenticator you would like to suspend.
4

Suspend Authenticator

Click Suspend authenticator to temporarily disable the authenticator.
5

Delete Authenticator

You must suspend an authenticator before you can delete it.
Now that the authenticator is suspended, you can click Delete authenticator to completely remove it.
6

Confirm Authenticator Deletion

Click Yes, delete to complete deleting the authenticator.
7

Unsuspend Authenticator

You can also click Unsuspend authenticator if the wrong authenticator was suspended.

Manage Passkeys for Team Members

You can suspend, delete, and reset all of the registered passkeys for team members.
1

Navigate to the Account Menu Button

In Iru Endpoint, in the sidebar, click the Account Menu Button.
2

Access Authentication Settings

Click the Access option in the menu.
3

Select User

Click the ellipsis (⋮) next to the user you would like to manage.
4

Select Manage Authenticators

From the ellipsis (⋮) menu, select Manage authenticators.
5

Reset All

If you want to remove all passkey registrations from a user, click the Reset all button.
This action will remove all authenticators for the given user. Registering a new authenticator will be required to log in.
6

Expand an Authenticator

Click the disclosure triangle (⌄) to the right of the authenticator you would like to suspend.
7

Suspend Authenticator

Click Suspend authenticator to temporarily disable the authenticator.
8

Delete Authenticator

You must suspend an authenticator before you can delete it.
Now that the authenticator is suspended, you can click Delete authenticator to completely remove it.
9

Confirm Authenticator Deletion

Click Yes, delete to complete deleting the authenticator.
10

Unsuspend Authenticator

You can also click Unsuspend authenticator if the wrong authenticator was suspended.

Social Login

Social login allows users to authenticate using their existing Google or Microsoft accounts without needing to configure complex Single Sign-On authentication methods. There are two social login options available in Iru: Microsoft Social and Google Social.

Limit Authentication to Domain

For Google Social and Microsoft Social, you can optionally limit authentication to one or more domains. This allows you to restrict social logins to your organization’s specific domains. Another level of security you can add after limiting to specific domains is to enable Multi-Factor Authentication for the social login platforms. Learn more about using MFA for signing in with Google Workspace and Office 365:
To use a social login method for Require Authentication during enrollment, you’ll need to limit that method to specific domains. See Configure Require Authentication for Enrollment for more information.

Microsoft Social

When using the Microsoft Social authentication method, the match between the user in Iru and the user in Microsoft is based on the User Principal Name (UPN). This is an important distinction because a user’s email address and UPN could be different. In cases where the email address in Microsoft Entra ID matches the email of the user in Iru, it will still fail if the UPN of the related user in Microsoft Entra ID does not match.

Manage Tenant Authentication

You can either allow or disallow Passkey, Google Social, and Microsoft Social tenant authentication methods individually. You cannot disallow the authentication method that was used to access your current session.