{
  "slug": "passwordless-login",
  "title": "Passkeys & Two-Factor Login",
  "description": "Sign in to the CMS without a password using FaceID, TouchID, Windows Hello, or a hardware security key — and add an authenticator-app code on top for two-factor protection.",
  "category": "guides",
  "order": 4,
  "locale": "en",
  "translationGroup": null,
  "helpCardId": null,
  "content": "## Why passwordless\n\nPasswords leak, get reused, and slow you down on mobile. The webhouse.app CMS now supports two passwordless mechanisms that you can use alongside (or instead of) the email/password login you already have:\n\n1. **Passkeys (WebAuthn)** — sign in with a biometric prompt or a hardware security key. Nothing to type, nothing to forget.\n2. **Authenticator-app TOTP** — a six-digit code from Microsoft Authenticator, Google Authenticator, Authy, 1Password, Bitwarden, or any other RFC 6238 app, used as a second factor on top of your existing login.\n\nThey are independent. You can enable one, both, or neither. Both work with the existing GitHub OAuth login and with email/password.\n\n## Passkeys\n\nA passkey is a public/private keypair stored on your device (or in your password manager). The private key never leaves the device. The CMS only stores the public key, so even if our database leaks an attacker cannot impersonate you.\n\nWhen you sign in, the browser asks the operating system to prove you have the private key — that prompt is FaceID, TouchID, Windows Hello, a fingerprint sensor, or a tap on a YubiKey. No passwords cross the wire.\n\n### Add a passkey\n\n1. Sign in to the CMS the way you normally do (email/password or GitHub).\n2. Open **Account → Security**.\n3. In the **Passkeys** card, click **+ Add passkey**.\n4. Your browser shows the platform passkey dialog. Choose where to save the credential — on this device, in your iCloud Keychain, in 1Password, on a security key, or on another phone via QR code.\n5. Approve with your biometric.\n6. The passkey appears in the list. The CMS picks a sensible default label based on your operating system (\"Mac\", \"iPhone\", \"Windows\", etc.) — you can rename it later.\n\nYou can add as many passkeys as you want. A typical setup is one for your laptop, one for your phone (synced via iCloud / Google), and one hardware security key as a backup.\n\n### Sign in with a passkey\n\nOn the login page, click **Sign in with passkey**. The browser shows the same passkey picker. Approve with your biometric and you're in. No email, no password.\n\nIf you have multiple accounts, type your email first — the CMS will tell the browser which credentials are eligible, so the picker only shows passkeys for that account.\n\n### Remove a passkey\n\nOpen **Account → Security**, find the passkey in the list, and click the **×** button. Confirm with **Yes**. The credential is deleted from the CMS immediately. The corresponding key on your device or in your password manager is unaffected — you can clean it up there separately.\n\n### Cross-device sign-in\n\nModern browsers support **cross-device WebAuthn**: on your laptop, click \"Sign in with passkey\" and choose \"Use a phone, tablet, or security key\". The browser shows a QR code. Scan it with your phone's camera (no app needed), approve with FaceID, and the laptop is signed in via a Bluetooth/relay handshake. The passkey itself stays on the phone — your laptop never sees it.\n\nThis is particularly useful for one-off sign-ins on a borrowed computer.\n\n## Authenticator app (TOTP)\n\nA passkey alone is already strong, but if you want belt-and-braces protection — or if your security policy requires two factors — you can layer a six-digit code on top of any login method.\n\nTOTP works with any authenticator app you already have on your phone. The CMS shows a QR code at enrollment, you scan it, and from then on the app generates a fresh six-digit code every 30 seconds.\n\n### Enroll an authenticator app\n\n1. Open **Account → Security**.\n2. In the **Authenticator app** card, click **Add new app**.\n3. Open Microsoft Authenticator, Google Authenticator, 1Password, Authy, or any other RFC 6238 compatible app.\n4. Use the app's \"add account\" flow and scan the QR code shown by the CMS. (If you can't scan — for example because the QR is on the same device as the app — expand **Can't scan? Enter manually** and copy the base32 secret into the app instead.)\n5. The app starts generating six-digit codes. Type the current code into the **123456** field and click **Verify & enable**.\n6. The CMS shows you ten **backup codes**. Save them somewhere safe — a password manager, a printed sheet in a drawer, anywhere offline. Each backup code works exactly once. They are your way back in if you lose your phone.\n7. Click **I've saved them** when you're done.\n\n### Sign in with TOTP\n\nThe next time you sign in with email/password or with a passkey, the CMS will pause after verifying your primary credential and ask for a six-digit code. Open your authenticator app, type the current code, and continue. If you've lost your phone, type one of your backup codes instead — it counts as one use and is then invalidated.\n\nThe code prompt accepts both formats with or without spaces; backup codes can be entered with or without the dash.\n\n### Disable TOTP\n\nIf you want to remove TOTP protection (for example because you're switching to a new authenticator app):\n\n1. Open **Account → Security**.\n2. In the **Authenticator app** card, click **Disable**.\n3. Type a current six-digit code (or a backup code) and click **Disable**.\n4. The CMS removes the TOTP secret and all remaining backup codes. Your next sign-in will go straight to the dashboard without a code prompt.\n\nYou cannot disable TOTP without a valid code — that prevents an attacker who has stolen your active session from removing your second factor.\n\n## Recommended setup\n\nFor most users:\n\n- **One passkey per device** you actually sign in from — laptop, phone, tablet. Keep them synced via iCloud Keychain / Google / 1Password so a lost device doesn't cost you access.\n- **One hardware security key** (YubiKey, SoloKey) stored somewhere safe, registered as a passkey, as a hardware backup.\n- **TOTP enabled** if you handle published content for paying clients or otherwise want a second factor that survives a lost device.\n- **Backup codes printed and stored offline.**\n\nWith that setup you can sign in from any device in seconds, you have multiple recovery paths if any single factor is lost, and an attacker would need both your primary credential and your second factor to get in.\n\n## Frequently asked questions\n\n**Can I still use email/password after adding a passkey?**  \nYes. Passkeys are additive — your password keeps working. If you want to remove the password, change it to something random in **Account → Security → Change password** and store it in your password manager as a recovery option.\n\n**What happens if I lose every passkey and my phone?**  \nYour ten TOTP backup codes are the bottom layer. If you've also lost those, an admin on your team can delete your user record from the CMS and re-invite you, which generates a new password.\n\n**Does TOTP work with hardware tokens like YubiKey?**  \nFor TOTP-over-NFC tokens, yes — tap the YubiKey to your phone, the authenticator app reads the seed, and you get a code. For pure WebAuthn use, just register the YubiKey as a passkey directly — that's faster and more secure than TOTP.\n\n**Can I sync passkeys across two CMS sites?**  \nA passkey is bound to the hostname it was registered on. A passkey for `cms.example.com` does not work on `cms.other.com`. Register a separate passkey on each site.\n\n**Is the TOTP secret recoverable from the QR code if I lose my phone?**  \nNo — once you've scanned the QR and clicked **Verify & enable**, the secret is locked into that authenticator app. The CMS deliberately doesn't let you re-display the QR. Use your backup codes.\n\n## See also\n\n- [User invitations](/docs/user-invitations) — how new accounts get bootstrapped\n- [Sign in with GitHub](/docs/github-login) — OAuth as a third option alongside passkeys and TOTP\n",
  "excerpt": "Why passwordless\n\nPasswords leak, get reused, and slow you down on mobile. The webhouse.app CMS now supports two passwordless mechanisms that you can use alongside (or instead of) the email/password login you already have:\n\n1. Passkeys (WebAuthn) — sign in with a biometric prompt or a hardware secur",
  "seo": {
    "metaTitle": "Passkeys & TOTP — webhouse.app Docs",
    "metaDescription": "Sign in to the CMS without a password using passkeys (FaceID, TouchID, security keys) and add an authenticator-app second factor.",
    "keywords": [
      "webhouse",
      "cms",
      "passkey",
      "webauthn",
      "totp",
      "2fa",
      "security",
      "passwordless"
    ]
  },
  "createdAt": "2026-04-08T20:00:00.000Z",
  "updatedAt": "2026-04-08T20:00:00.000Z"
}