Passkeys
Passkeys are a modern, phishing-resistant way to sign in to EmailConnect without typing a password. They use your device's built-in security — fingerprint sensor, face recognition, device PIN, or a hardware security key — to verify your identity.
What are passkeys?
Passkeys are built on the WebAuthn/FIDO2 standards, supported by all major browsers and operating systems. Instead of a password that can be guessed, leaked, or phished, a passkey is a cryptographic key pair:
- A private key stays on your device (or in your password manager) and never leaves it
- A public key is stored on EmailConnect's server
- When you sign in, your device proves it holds the private key without ever revealing it
Because the passkey is bound to the specific website (app.emailconnect.eu), it cannot be tricked into working on a phishing site. Even if someone creates a perfect copy of the EmailConnect login page, your passkey simply will not activate on the wrong domain.
Synced vs device-only passkeys
When you register a passkey, EmailConnect shows a badge indicating whether it is synced or device-only. This distinction matters for account recovery, so it is worth understanding.
| Synced | Device-only | |
|---|---|---|
| Badge in EmailConnect | Synced (neutral) |
Device-only (warning) |
| Stored in | Password manager or cloud keychain | Device hardware (TPM, Secure Enclave) |
| Available on other devices | Yes, wherever your password manager is installed | No, only on the original device |
| Examples | Bitwarden, 1Password, iCloud Keychain, Google Password Manager | Windows Hello (without Microsoft account sync), YubiKey, Titan Security Key |
| If you lose the device | Still accessible from another device | Gone permanently, no recovery |
Synced passkeys
A synced passkey is stored in a password manager or cloud keychain and backed up to the cloud. This is what most users should aim for. When EmailConnect detects deviceType: multiDevice and backedUp: true, it shows the Synced badge.
If you use a password manager like Bitwarden or 1Password, your passkey is available on every device where that password manager is installed — your laptop, phone, tablet, and any future devices. Losing one device does not lock you out.
Device-only passkeys
A device-only passkey is bound to a specific piece of hardware. When EmailConnect detects deviceType: singleDevice and backedUp: false, it shows the Device-only warning badge.
This includes hardware security keys (YubiKey, Titan) and some platform authenticators like Windows Hello when not synced to a Microsoft account. Device-only passkeys offer strong security, but carry a real risk: if you lose the device, the passkey is gone and cannot be recovered.
Important: If you see the "Device-only" badge on your only passkey, make sure you have another way to sign in — a password, a second passkey, or magic link access via your email. Otherwise, losing that device could lock you out of your account.
How passkeys work with password managers
When your browser detects a passkey registration or sign-in prompt, your password manager may intercept the request before the browser's built-in prompt appears. This is normal and expected.
- Bitwarden, 1Password, KeePassXC: These store the passkey inside your vault, making it available on any device where the extension or app is installed
- iCloud Keychain: Syncs passkeys across your Apple devices automatically
- Google Password Manager: Syncs passkeys across devices signed in to your Google account
If your password manager stores the passkey, it will appear as Synced in EmailConnect because the password manager backs it up to the cloud. This is the most convenient and resilient setup for most users.
Tip: If you want to register a passkey on a specific device (like a YubiKey) rather than in your password manager, look for an option like "Use a different device" or "Security key" in the browser prompt. The exact wording varies by browser and operating system.
Setting up passkeys in EmailConnect
Register your first passkey
- Go to Settings and scroll to the Profile section
- Find the Passkeys area and click Add
- A dialog asks you to name the passkey — enter something descriptive like "Bitwarden", "MacBook Touch ID", or "YubiKey blue"
- Click Continue and follow your browser or device prompt to complete registration
- Your new passkey appears in the list with its name, date, and type badge
The name is just for your reference. It helps you remember which device or password manager holds that passkey, especially when you have several.
Register additional passkeys
You can register multiple passkeys for redundancy. Each one works independently — you only need one to sign in. Having two or more from different sources (e.g., a password manager and a hardware key) means you are protected even if one becomes unavailable.
Managing your passkeys
Your registered passkeys are listed in Settings > Profile under the Passkeys section. Each entry shows:
- Name — the label you chose during registration (or "Passkey" if you skipped naming)
- Date added — when the passkey was registered
- Type badge — either "Synced" or "Device-only"
To remove a passkey, click Remove next to it and confirm. The passkey is deleted from EmailConnect immediately. It may still exist in your password manager or on your device, but it will no longer work for signing in.
Signing in with a passkey
- Go to the EmailConnect sign-in page
- Click Continue with passkey
- Your browser prompts you to select a passkey — choose one from the list
- Authenticate with your fingerprint, face, PIN, or security key
- You are signed in, no password needed
If you have used a passkey before, the sign-in page may show a "Last used" indicator on the passkey button.
Tip: If your passkey is stored in a password manager, make sure the browser extension or app is unlocked before clicking "Continue with passkey."
Best practices
- Register at least two passkeys from different sources (e.g., password manager + hardware key, or two different password managers). This protects you if one source becomes unavailable
- Keep a backup sign-in method — a password, magic link, or social login — in case all your passkeys are temporarily inaccessible
- Name your passkeys descriptively so you can tell them apart at a glance. "Bitwarden" and "YubiKey blue" are more useful than "Passkey" and "Passkey 2"
- Pay attention to the type badge — if all your passkeys show "Device-only", consider adding a synced passkey through a password manager
- Remove passkeys you no longer use — if you replaced a device or stopped using a password manager, remove the old passkey to keep your list clean
Troubleshooting
"Passkey sign-in failed"
- Make sure you are on
app.emailconnect.eu— passkeys are domain-specific and will not work on other sites - Check that your password manager extension is unlocked and active
- Try a different browser if the prompt does not appear
Browser prompt does not appear
- Verify your browser supports WebAuthn (all modern browsers do: Chrome, Firefox, Safari, Edge)
- Disable browser extensions that might block the WebAuthn prompt
- On mobile, ensure your device has a screen lock configured (PIN, fingerprint, or face)
Passkey registered but sign-in does not work
- The passkey may have been registered in a different password manager or on a different device than expected
- Check which password manager intercepted the registration — it may not be the one you intended
- If unsure, remove the passkey in Settings and register a new one, paying attention to which prompt appears
Lost device with a device-only passkey
If you lost the device that held your only passkey, sign in using another method (password, magic link, or social login), then remove the old passkey and register a new one.
Next steps
- Webhook signing — secure your webhook endpoints with HMAC-SHA256 signatures
- API keys and integrations — manage API keys for programmatic access
- Getting started — set up your first domain and alias
Need help?
If you have questions about passkeys or run into issues, contact our support team at support@emailconnect.eu.