
Guestline PMS: Move from OTP to Passkey MFA

What is changing and why it matters for your business.

Written by Xanthe Jackson

Why we recommend moving to Passkey MFA

You may already be using Multi-Factor Authentication (MFA) with a one-time password (OTP) — a six-digit code generated by an authenticator app each time you log in. This is a solid step forward in protecting your account, and we strongly encourage it. However, OTP has a well-known limitation: it can still be defeated by phishing.

If a member of your team is tricked into entering their username, password, and OTP on a convincing fake login page, an attacker can use those credentials in real time to gain access to your systems. The code is valid for a short window, and that is all an attacker needs. There is no technical fix for this within OTP itself — the vulnerability lies in the fact that the code is something a person types, and therefore something they can be manipulated into typing in the wrong place.

Passkeys, also called Security Key MFA, solve this problem entirely.


What is Passkey MFA?

Passkey MFA allows you to sign in using either:

  • A physical security key (such as a YubiKey, Google Titan Key, or SoloKey) that plugs into a USB port, or

  • A passkey stored on your mobile device (Android or iOS), using your fingerprint, face ID, or device PIN to confirm your identity.

When you log in, your device creates a unique cryptographic link between your account and our official sign-in page. Critically, this link will only work on the genuine login page — it cannot be replicated or triggered by a fake website. Because there is no code to type, there is nothing to hand over to an attacker, even accidentally.

The secret part of the key never leaves your device. Even if an attacker can see your screen or intercept your network traffic, they cannot obtain or copy it.


Key benefits of Passkey

  • Phishing-resistant by design: Unlike OTP, Passkeys cannot be captured and replayed by a fake website. The authentication is bound to our real login page — it simply will not function anywhere else.

  • Nothing to type, nothing to lose: There is no code to read out, enter into a form, or inadvertently share. Login becomes a quick tap or touch rather than a manual process.

  • Faster logins for your team: Staff spend less time fumbling with phones and authenticator apps. A touch of a key or a fingerprint confirmation is all that is needed.

  • Works for shared environments: A physical security key can be shared across a team at a workstation without requiring individuals to have their own mobile device to hand — ideal for hotel front desk and back office settings.

  • Reduces risk to your business: Account compromise via phishing is one of the most common causes of data breaches in hospitality. Passkeys remove the primary attack vector.


How to make the move

The process is straightforward and can be completed in a few minutes per user.

Step 1 — Decide which passkey method suits your team

You have two options:

  • Mobile device passkey — uses an Android or iOS phone or tablet that your staff already carry. No additional hardware purchase required.

  • Physical security key — a USB device such as a YubiKey. Recommended where staff do not carry personal devices, or where a shared key at a workstation makes more sense.

Step 2 — Check your browser and device are ready

Before enrolling passkeys, verify that your browser and device support them. This avoids failed enrolment attempts on incompatible hardware, and helps you make an informed decision before requiring passkeys for all staff.

Check your device

You must have Bluetooth available on your PC to complete the passkey set-up: the cross-device (hybrid) flow uses a Bluetooth proximity check to confirm that the phone is physically next to the PC.

Windows 11 22H2 or later is required for cross-device passkeys, together with an Android 9+ or iOS 16+ phone.

Check browser feature support

  1. Open your browser and go to tools.passkeys.dev/featuredetect. The page runs a series of feature detection checks automatically.

  2. Confirm that at least one of the following features shows as Available:

    • Passkey Platform Authenticator.

    • User Verifying Platform Authenticator.

    • Cross-Device Authentication hybrid transports.

🤓 Tip: If none of these features shows as Available, update your browser to the latest version or switch to a supported browser - for example, the latest Chrome, Safari, Edge, or Firefox.

Test passkey registration and authentication

Once your browser passes the feature check, confirm that passkeys work end-to-end:

  1. Go to webauthn.io - a free testing tool backed by the FIDO Alliance.

  2. Enter any username in the registration field, then click Register and follow your browser or device prompts - biometric, PIN, security key, or phone. A success message confirms your browser can create passkey credentials.

  3. Using the same username, click Authenticate and follow the prompt to sign in. A success message confirms your browser can use passkey credentials for login.

🔖 Note: This is a public test site. No real account is created and no sensitive data is involved.

If both checks complete successfully, your browser and device are ready to proceed with enrolment.
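For teams that want to script the browser feature check and the end-to-end test above rather than click through the two public tools, here is an added example that is not Guestline's code. It applies the same "at least one of the three features Available" rule, then runs a registration followed by an authentication against the credential just created, which is what the webauthn.io test does. The relying-party ID and username are assumed values; in a real deployment the challenge is issued and the responses verified by the server.

```javascript
// Added example, not Guestline's code: a browser-side readiness check that applies
// the page's rule (at least one of the three capabilities Available) and then
// exercises registration and authentication the way the webauthn.io test does.
// The helper functions are pure so they can be checked outside a browser; the
// WebAuthn calls are guarded and only run where PublicKeyCredential exists.
const CAPABILITIES = [
  'passkeyPlatformAuthenticator',       // "Passkey Platform Authenticator"
  'userVerifyingPlatformAuthenticator', // "User Verifying Platform Authenticator"
  'hybridTransport',                    // "Cross-Device Authentication hybrid transports"
];

// Apply the "at least one Available" rule to a capabilities record.
function summariseCapabilities(caps) {
  const available = CAPABILITIES.filter((name) => caps[name] === true);
  const missing = CAPABILITIES.filter((name) => caps[name] !== true);
  return { ready: available.length > 0, available, missing };
}

// Query the browser. getClientCapabilities() is WebAuthn Level 3; older browsers
// only expose the user-verifying platform authenticator probe, so hybrid support
// is reported as unknown (absent) there rather than guessed.
async function detectCapabilities() {
  if (typeof PublicKeyCredential === 'undefined') return {};
  if (typeof PublicKeyCredential.getClientCapabilities === 'function') {
    return await PublicKeyCredential.getClientCapabilities();
  }
  const uvpa = await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
  return { userVerifyingPlatformAuthenticator: uvpa };
}

// Options for the registration step. rpId and username are assumed values.
function buildCreateOptions(rpId, username, challenge) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpId },
      user: { id: new TextEncoder().encode(username), name: username, displayName: username },
      challenge,
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }], // ES256, RS256
      authenticatorSelection: { residentKey: 'preferred', userVerification: 'required' },
      timeout: 60000,
    },
  };
}

// Options for the authentication step, restricted to the credential just created.
function buildGetOptions(rpId, credentialId, challenge) {
  return {
    publicKey: {
      rpId,
      challenge,
      allowCredentials: [{ type: 'public-key', id: credentialId }],
      userVerification: 'required',
      timeout: 60000,
    },
  };
}

// End-to-end check mirroring webauthn.io: create, then get with the same credential.
// Each ceremony gets its own challenge; in production both come from the server.
async function runEndToEndTest(rpId, username) {
  const summary = summariseCapabilities(await detectCapabilities());
  if (!summary.ready) return { ok: false, stage: 'feature-detect', summary };
  const createChallenge = crypto.getRandomValues(new Uint8Array(32));
  const created = await navigator.credentials.create(buildCreateOptions(rpId, username, createChallenge));
  if (!created) return { ok: false, stage: 'register', summary };
  const getChallenge = crypto.getRandomValues(new Uint8Array(32));
  const asserted = await navigator.credentials.get(buildGetOptions(rpId, created.rawId, getChallenge));
  return { ok: Boolean(asserted), stage: 'authenticate', summary };
}
```

Run `runEndToEndTest('your-rp-id', 'test-user')` from the browser console on a page served over HTTPS from that relying-party ID; a result with `ok: true` and `stage: 'authenticate'` corresponds to both success messages in the procedure above, and a `feature-detect` failure lists exactly which of the three capabilities the browser did not report.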

Step 3 — Your admin resets the user’s current OTP MFA

As users are already enrolled in OTP, the existing MFA method must be cleared before a new one can be set up. An admin user, with user management rights, needs to reset the OTP MFA for the relevant user via the standard MFA reset process in the platform. Once reset, the user will be prompted to enrol in a new MFA method on their next login.

📌 Note: Only admin users who themselves have MFA enabled can perform this action.

Step 4 — The user enrols in Passkey MFA

On their next login, the user will be prompted to choose an MFA method. They should select Passkey Key.

If using a mobile device:

  1. Select iPhone, iPad, or Android device and scan the QR code displayed on screen.

  2. Follow the prompts on the mobile device to create and confirm the passkey, using fingerprint, face ID, or PIN.

  3. Name the passkey when prompted and click Continue.

If using a physical security key:

  1. Insert the security key into the USB port when prompted.

  2. If it is new, set up a PIN for it now. If previously set up, enter the existing PIN.

  3. Touch the key when prompted.

  4. Name the key when prompted and click Continue.

⚠️ Important: Passkeys created on an iPhone can currently be used on other devices (such as laptops or PCs), but not on the same iPhone due to a known limitation. We are actively working with our provider to address this issue.


Frequently Asked Questions (FAQs)

What if a staff member loses their security key or phone?

Your admin can reset the user’s MFA following the same process as Step 3. The user will then be prompted to enrol a new key or device on their next login.

Can we use a mix of OTP and passkey across our team?

Yes. You can migrate users individually, so there is no requirement to switch everyone at once. We recommend prioritising users with admin or elevated privileges first.

What if we use Trusted Browsers alongside OTP?

Passkeys can actually replace the need for Trusted Browsers in many scenarios, as a shared physical security key at a workstation achieves a similar outcome while providing stronger security. If you currently rely on Trusted Browsers, speak to us about whether passkeys might be a better fit.
