passkey compatibility

Which passkeys work with Authii?

Authii encrypts your data with a key the server never sees. To do that we rely on a WebAuthn extension called PRF, which most modern passkeys support — but a few don't yet, and a few need a software update first. If you've seen a “PRF not supported” message, this page tells you what to change.

On macOS

Touch ID on the keyboard sensor (lid open). Built into every Mac with a sensor since 2018; works in Safari, Chrome, Edge, Brave, Arc.
iPhone via QR— pick “Use a phone, tablet, or security key” in the passkey picker and scan the QR with your iPhone. Face ID approves; iCloud Keychain stores the passkey across all your Apple devices. Works whether the Mac's lid is open or closed. Bluetooth must be on.
YubiKey 5 series over USB-C or Lightning. PRF works in firmware 5.7+.

If your laptop lid is closed:Touch ID isn't reachable. iPhone-via-QR is the cleanest fix — same passkey works once the Mac lid is open later.

Bitwarden / 1Password browser extensions don't work with Authii right now.Bitwarden's “PRF support” announcement covered logging into the Bitwarden vault with a PRF-capable passkey from elsewhere — not offering PRF on passkeys stored insideBitwarden's extension. That second piece is an open Bitwarden feature request with no ETA. Until it ships, in the Bitwarden popup click “Use a phone, tablet, or security key” — that routes through the system passkey UI (iCloud Keychain on Mac) which does support PRF.

On Windows

Windows Hello — fingerprint, face, or PIN. PIN-only works fine if your machine has no biometrics. Requires Windows 11 25H2 with the February 2026 cumulative update (KB5077181)— that release added the underlying hmac-secret support PRF needs. Older Windows builds: Hello will authenticate but won't return PRF. Use a YubiKey or paired phone instead until you're on a current Windows.
Phone via QR— pick “Use a phone, tablet, or security key” and scan with an Android phone (Google Password Manager) or iPhone (iCloud Keychain). Both support PRF over the cross-device hybrid transport. Bluetooth on the Windows machine must be on. Works on every Windows build, no patch level required.
YubiKey 5 series over USB-A / USB-C / NFC. PRF works on firmware 5.7+. Works on every Windows build.

Bitwarden / 1Password browser extensions don't work with Authii. Their PRF announcements covered logging into their own vaults; passkeys stored insidethose extensions don't yet provide PRF to third-party sites. Open feature request, no ETA. Click “Use a phone, tablet, or security key” in the popup to route through the system Hello / hybrid UI instead.

On iPhone / iPad

iCloud Keychain — the default passkey provider on iOS 17+. Face ID or Touch ID approves; the passkey syncs to your other Apple devices automatically. PRF fully supported.
YubiKey 5 series via Lightning or USB-C — PRF works on firmware 5.7+.

Heads-up:if you've set Bitwarden or 1Password as your default passkey provider in Settings → Passwords → Password Options, switch back to iCloud Keychain for now — their mobile passkey flows don't yet expose PRF.

On Android

Google Password Manager — the default passkey provider on Android 14+. Fingerprint or face approves; passkeys sync via your Google account. PRF fully supported.
YubiKey 5 series via USB-C or NFC — PRF works on firmware 5.7+.

Heads-up:if you've set Bitwarden or 1Password as Android's default passkey provider in Settings → Passwords & accounts, switch back to Google Password Manager for now — those mobile flows don't yet expose PRF.

On Linux

Phone via QR— pick “Use a phone, tablet, or security key” and scan with an iPhone (iCloud Keychain) or Android phone (Google Password Manager). Both support PRF over hybrid transport. Bluetooth must be available on the Linux machine.
YubiKey 5 series over USB-A / USB-C — PRF works on firmware 5.7+.
Bitwarden Browser Extension v2024.2+works in Chromium-based browsers (Chrome, Brave, Edge) once “Use Bitwarden for passkeys” is enabled in extension settings.

Most Linux laptops don't have a built-in fingerprint sensor surfaced as a WebAuthn platform authenticator. The phone-via-QR or hardware-key paths are usually best.

Why does Authii need PRF?

Authii encrypts each user's master record (the index of the organisations they belong to, their identity record, etc) with a key derived from their passkey via the PRF extension. The server holds only ciphertext for these — even an Authii operator with full database access cannot read them.

For documents you sign in End-to-End-Encryptedmode, the same passkey-derived key is what unwraps the document key. Without PRF, the server would have to hold every user's decryption material — which removes the whole point of the model.

That's why we don't fall back silently: a passkey without PRF would be a quietly weaker product, not the same one. Better to fail loud and tell you exactly what to do.

Try signing up again →