Passkeys vs authenticator codes — when to use which
Both passkeys and TOTP solve the same problem (proving it's really you), but they have different trade-offs.
Passkeys (WebAuthn):
• How it works — a private key is generated and stored in your device's secure enclave. Sign-in pops a system biometric prompt; the key signs a server challenge. Nothing leaves the device.
• Pros — faster (one tap, no typing), phishing-resistant (the key only signs for the genuine origin), no shared secret a server can leak.
• Cons — tied to the device. Lose the device, lose the passkey. (Apple / Google sync passkeys across their ecosystems, easing this.)
• Best for — your regular devices: laptop, phone, tablet.
TOTP (authenticator apps):
• How it works — a shared secret is provisioned at enrollment; both your authenticator app and our server generate the same 6-digit code from the secret + current time.
• Pros — works on any device that can show a code. Portable to a new phone via the authenticator app's backup.
• Cons — a 30-second window where a phished code can be replayed. Slower (read code, type code).
• Best for — a portable fallback so you can sign in on a borrowed or new device before you've enrolled a passkey.
What we recommend:
• Enroll passkeys on every regular device (laptop + phone). One tap, biometric, fast.
• Add TOTP as backup so you're not locked out if you sign in from somewhere new.
• Save your recovery codes somewhere offline.
Removing a passkey:
Settings → Two-factor authentication → Passkeys → Remove. This deletes the passkey from our server; the device's secure enclave still holds it (use your OS settings to delete it locally if you want).
If you have only one factor (e.g. only TOTP), you cannot remove it without disabling 2FA entirely. Add a second factor first if you want to swap.