
Passkeys and Multi-Factor Authentication (MFA)

Acorn supports stronger login security through Multi-Factor Authentication (MFA), including phishing-resistant passkeys. This guide explains how the authentication workflow works, how users can set up and manage passkeys, how recovery works, and what administrators can configure.

What is Multi-Factor Authentication (MFA)?

After entering your username and password, MFA adds a second verification step to confirm your identity.

Acorn supports the following MFA methods:

  • Email – a one-time code sent to your email address
  • SMS – a one-time code sent to your phone number, if enabled for your tenancy
  • Passkey – device-based authentication such as Face ID, fingerprint, Windows Hello, or a hardware security key

What are passkeys?

Passkeys are a phishing-resistant form of authentication. Instead of entering a one-time code, users verify with their device or security key.

Examples of passkeys include:

  • Face ID
  • Fingerprint unlock
  • Windows Hello
  • Hardware security keys

Passkeys provide a more secure and convenient sign-in experience because they reduce phishing risk and rely on device-based authentication rather than codes. This is the main benefit highlighted in the 1.7.6 release notes (Release 1.7.6 - 26 February 2026).

Authentication workflow

  1. Enter your username and password on the login page.
  2. If MFA is enabled, you will be prompted to verify your identity.
  3. Choose one of the available verification methods:
    • Passkey
    • Email
    • SMS
  4. Complete the verification step.
  5. Once verified, you are signed in.

If your administrator has enforced passkey-only authentication, users without a registered passkey will be prompted to register one during login. Once set up, the passkey becomes the required login method, while email and SMS are available for recovery only.

Set up a passkey

Users can set up a passkey from their account security settings, or during login if passkey-only authentication has been enforced.

Set up a passkey from your account

  1. Go to your Profile or Account settings.
  2. Open the Security Settings or Authentication section.
  3. If MFA is not already enabled, enable it.
  4. Select Passkey as your preferred MFA method.
  5. Open Manage Passkeys.
  6. Select Create Passkey.
  7. Follow the browser or device prompt to complete setup.

Your browser or device may ask you to verify using Face ID, fingerprint, Windows Hello, or your hardware security key.

Set up a passkey during login

If passkey-only authentication is enabled and you do not already have a passkey registered, you will be prompted to create one at login. After setup is complete, you can continue signing in with the new passkey.

Manage passkeys

Users can manage their registered passkeys from the passkey management area in their account settings.

Depending on your tenancy configuration, users may be able to:

  • add a new passkey
  • rename an existing passkey
  • remove a passkey they no longer use


Passkey recovery

If you cannot use your passkey, recovery options depend on how MFA has been configured for your tenancy.

When passkeys are optional

If passkeys are available but not enforced, you may be able to choose another MFA method at sign-in, such as:

  • Email
  • SMS

When passkey-only authentication is enforced

If passkey-only authentication has been enabled, passkeys are required for normal sign-in. However, email and SMS are still available for recovery only.

If you no longer have access to the device or security key linked to your passkey:

  1. Use the available recovery option on the sign-in screen.
  2. Complete recovery using email or SMS, where available.
  3. After regaining access, register a new passkey on your current device if required.

If you are unable to recover access, contact your administrator or your support contact.

For administrators

Administrators can configure MFA settings at the tenancy level to strengthen login security and support passkey adoption.

Administrators can:

  • offer multiple MFA options
  • track MFA adoption
  • enforce passkey-only authentication for stronger security

Manage MFA settings

Administrators can update tenancy settings to control which MFA options are available to users.

Typical configuration options include:

  • enabling MFA
  • allowing users to authenticate with Email, SMS, or Passkey
  • enforcing passkey-only authentication

If passkey-only authentication is enabled, users who have not yet registered a passkey are prompted to create one during login. After this, passkeys become the required sign-in method, while email and SMS are limited to recovery only.
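
The sign-in and recovery rules described in this guide, modelled as a small decision function so an administrator can check what each user will see before enabling enforcement. This is an added illustration, not Acorn's code or API: `TenancyMfa`, `login_options`, `enforcement_impact`, the field names and the user list are all hypothetical, and it assumes a passkey is only offered to users who have registered one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TenancyMfa:
    """Hypothetical model of the tenancy-level MFA settings in this guide."""
    mfa_enabled: bool = True
    sms_enabled: bool = False   # SMS is offered only if enabled for the tenancy
    passkey_only: bool = False  # passkey-only authentication enforced

def code_methods(t):
    """One-time-code methods this tenancy can offer."""
    return ["email", "sms"] if t.sms_enabled else ["email"]

def login_options(t, has_passkey, recovering=False):
    """Return (next_step, methods) after username and password are accepted."""
    if not t.mfa_enabled:
        return ("signed_in", [])
    if t.passkey_only:
        if recovering:                      # lost device or security key
            return ("recover", code_methods(t))
        if not has_passkey:                 # prompted to create one at login
            return ("register_passkey", ["passkey"])
        return ("verify", ["passkey"])      # email/SMS are recovery only
    # Passkeys optional: any enrolled or code-based method may be chosen.
    return ("verify", (["passkey"] if has_passkey else []) + code_methods(t))

def enforcement_impact(t, users):
    """Group users by what they will see at next login under settings t."""
    impact = {}
    for name, has_passkey in users:
        step, _ = login_options(t, has_passkey)
        impact.setdefault(step, []).append(name)
    return impact

# Constructed adoption data: (username, has a registered passkey)
USERS = [("alice", True), ("bob", False), ("carol", True), ("dan", False)]

if __name__ == "__main__":
    enforced = TenancyMfa(sms_enabled=True, passkey_only=True)
    print(enforcement_impact(enforced, USERS))
    print(login_options(enforced, has_passkey=True, recovering=True))
```

Users grouped under `register_passkey` are the ones to contact before enforcement is switched on.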

MFA adoption

Administrators can also monitor MFA adoption to understand which users have enrolled and to support rollout planning.

Rollout tips

When introducing passkeys, consider the following:

  • Communicate the change to users before enforcement is enabled.
  • Encourage users to register a passkey before passkey-only authentication is turned on.
  • Ensure users know what recovery options are available.
  • Be prepared to support users who need to register a passkey during login.

Troubleshooting

I do not have a passkey yet

If passkey-only authentication is enabled, you should be prompted to register a passkey during login. Follow the setup prompt and complete registration before continuing.

My passkey is not working

Try the following:

  • retry the passkey prompt
  • make sure you are using the correct device or security key
  • use a recovery method if one is available
  • contact your administrator if you cannot complete sign-in

I changed devices

If your old passkey is no longer available, use the recovery option provided at sign-in, then register a new passkey once you regain access.

Email or SMS is not available as a sign-in option

If your tenancy has enforced passkey-only authentication, email and SMS may only be available for recovery and not for standard sign-in.

My organisation wants stronger protection against phishing

Passkey-only authentication is the strongest MFA option introduced in this release, and is intended to reduce phishing risk while improving convenience for users.