Version: 7.0

Authentication and access

The right approach to authentication significantly increases the security of your data. Passwork supports several authentication methods: passkeys for passwordless sign-in and as a second factor, two-factor authentication (2FA) with mobile authenticator apps, and single sign-on (SSO). In addition, client-side encryption can be enabled.

Use cases

Mandatory two-factor authentication

Goal: ensure that all users use 2FA.

Solution:

1. Role settings let you enable mandatory two-factor authentication for many users at once. Open the required role in the Roles section and scroll down to the Authentication settings.

2. Enable the Mandatory two-factor authentication option. The policy applies to every user assigned to that role.

3. Users can set up two-factor authentication with the Passwork 2FA mobile app or a third-party app (for example, Google Authenticator or Microsoft Authenticator), or use a passkey as the second factor.

4. Once the policy is enabled, users who have not configured 2FA cannot sign in to Passwork. Make sure users have enrolled a second factor before you turn the policy on, or be ready to handle the resulting sign-in failures.

Passkeys for sign-in and as a second factor

Goal: offer passwordless sign-in and strengthen the second factor with a phishing-resistant public-key credential.

Solution:

1. Encourage users to add passkeys on the Authentication page. Passkeys are WebAuthn credentials: they work with platform biometrics (Face ID, Touch ID, Windows Hello) and with physical security keys.

2. A passkey can be used instead of a password, or as the second factor when the user signs in with regular credentials.

3. To keep a fallback for emergency access, have users register more than one passkey (for example, one stored on their device and another on a physical security key).

Configuring single sign-on (SSO)

Goal: allow employees to sign in to Passwork using corporate credentials.

Solution:

1. Configure SSO on the corresponding Passwork settings page.

2. Enable the option to prioritize sign-in via SSO in the general settings section so that users are redirected to the corporate identity provider automatically.

3. If necessary, disable the other sign-in methods (local password and LDAP) for specific users, leaving only SSO, so that those employees can sign in to Passwork exclusively through the corporate system. Before you do this for administrators, make sure at least one administrator can still sign in if the identity provider is unavailable.

Restoring access when a passkey or 2FA device is lost

Goal: restore a user’s access to their account if they lose a passkey or a device with an authenticator app.

Solution:

1. Open the user's page in the Users list and click Authentication in the panel on the right.

2. If a passkey is lost, use the Passkey reset option. Afterwards the user can add passkeys again in their authentication settings.

3. If the user no longer has access to their 2FA app, click Reset in the corresponding line in the same way. After signing in, the user can set up two-factor authentication again.

A reset removes the second factor from the account, so verify the user's identity through an independent channel before you perform it; account recovery is a common target for attackers.

Hybrid authentication

Goal: configure different sign-in methods for different categories of users: SSO for employees and standard sign-in for external users.

Solution:

1. Configure SSO for corporate users, but do not make it the preferred sign-in method.

2. External users, such as contractors, can then use standard sign-in with a login and password.

3. For external users, be sure to enable mandatory 2FA via authenticator apps or passkeys.

Temporary account lockout for suspicious activity

Goal: automatically lock accounts when suspicious sign-in attempts are detected.

Solution:

1. Configure lockout policies in the Local authentication lockout policies block of the system settings so that accounts are locked automatically after several failed sign-in attempts.

2. Repeated failed sign-in attempts are also recorded in the action log, so you can review who was targeted and when.

3. If necessary, block the user manually until the investigation is complete.

4. The Security dashboard shows which passwords the blocked user had access to, so you can decide which of them need to be rotated.
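The lockout rule in step 1 and the action-log review in step 2 are easier to reason about with a worked model. The following Python script is an added example and is not Passwork's code: it implements a generic sliding-window lockout policy (a fixed number of failures inside a time window locks the account for a fixed period), replays constructed sample sign-in events through it, and lists the accounts whose lockouts an administrator should investigate. The event format, the threshold values, the user names and the sample lines are all invented for the example and are not Passwork's action-log format.

```python
"""Sliding-window lockout policy replayed over constructed sign-in events.

Added example, not Passwork's code. The event format, thresholds and sample
lines below are constructed for illustration and are not Passwork's log format.
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5                       # failures tolerated inside the window
    window: timedelta = timedelta(minutes=10)   # sliding window for counting failures
    lockout: timedelta = timedelta(minutes=15)  # how long the account stays locked


@dataclass
class AccountState:
    failures: Deque[datetime] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Applies a LockoutPolicy to a stream of (timestamp, user, success) events."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.log: List[Tuple[datetime, str, str]] = []  # the "action log": (time, user, event)

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.accounts.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record(self, ts: datetime, user: str, ok: bool) -> str:
        """Process one attempt; returns 'success', 'failure', 'lockout' or 'locked'."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, ts):
            # Even a correct password is rejected while the lock is in force.
            self.log.append((ts, user, "rejected_locked"))
            return "locked"
        if ok:
            st.failures.clear()  # a successful sign-in resets the failure counter
            self.log.append((ts, user, "success"))
            return "success"
        st.failures.append(ts)
        while st.failures and ts - st.failures[0] > self.policy.window:
            st.failures.popleft()  # drop failures that fell out of the window
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = ts + self.policy.lockout
            st.failures.clear()
            self.log.append((ts, user, "lockout"))
            return "lockout"
        self.log.append((ts, user, "failure"))
        return "failure"


def parse_line(line: str) -> Tuple[datetime, str, bool]:
    """Parse a constructed '<iso-timestamp> user=<name> result=ok|fail' line."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S"), kv["user"], kv["result"] == "ok"


def replay(lines: List[str], policy: LockoutPolicy) -> Tuple[Dict[str, List[str]], LockoutTracker]:
    """Replay events in order; returns per-user outcomes and the tracker with its log."""
    tracker = LockoutTracker(policy)
    outcomes: Dict[str, List[str]] = {}
    for line in lines:
        ts, user, ok = parse_line(line)
        outcomes.setdefault(user, []).append(tracker.record(ts, user, ok))
    return outcomes, tracker


def accounts_to_investigate(tracker: LockoutTracker) -> List[str]:
    """Users with lockout events; an administrator reviews these and blocks manually if needed."""
    return sorted({user for _, user, event in tracker.log if event == "lockout"})


# Constructed sample events (not real data): alice fails five times in 80 seconds,
# bob fails three times spread over half an hour.
SAMPLE_LOG = [
    "2024-05-02T09:00:00 user=alice result=fail",
    "2024-05-02T09:00:00 user=bob result=fail",
    "2024-05-02T09:00:20 user=alice result=fail",
    "2024-05-02T09:00:40 user=alice result=fail",
    "2024-05-02T09:01:00 user=alice result=fail",
    "2024-05-02T09:01:20 user=alice result=fail",  # fifth failure inside the window: lockout
    "2024-05-02T09:02:00 user=alice result=ok",    # correct password, but the lock still applies
    "2024-05-02T09:15:00 user=bob result=fail",
    "2024-05-02T09:20:00 user=alice result=ok",    # the 15-minute lock has expired
    "2024-05-02T09:30:00 user=bob result=fail",    # never more than one failure per 10-minute window
    "2024-05-02T09:31:00 user=bob result=ok",
]

if __name__ == "__main__":
    outcomes, tracker = replay(SAMPLE_LOG, LockoutPolicy())
    for user, result in outcomes.items():
        print(user, result)
    print("investigate:", accounts_to_investigate(tracker))
```

Two details are worth noting. A correct password presented during the lock is still rejected, which is what stops an attacker who guesses right on the sixth try; and failures are counted in a sliding window, so bob's slow trickle of mistakes never triggers a lock while alice's burst does. Re-running `replay` with a lax `LockoutPolicy(max_failures=100)` shows the weak setting: alice is never locked and every attempt passes as an ordinary failure, which is exactly what credential-stuffing relies on.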

FAQ

Can multiple authentication methods be used at the same time?

Yes, several authentication methods can be used simultaneously: local password, SSO, LDAP, and passkeys. In addition, two-factor authentication via mobile apps and passkeys is available. An administrator can configure the methods available to a specific user in the Authentication user settings window.

What should I do if a user loses a 2FA device or passkey?

An administrator can reset linked passkeys or 2FA devices on the user settings page. If the user had several keys added, they will be able to sign in with another key without resorting to the reset process.

Can I restore access to data if I forget my master password?

It is not possible to restore access to data if a master password is lost. However, a corporate administrator can create a service account in the required vault type in advance and use it to sign in and reach critical data.

Is it necessary to enable two-factor authentication for all users?

It is recommended to enable 2FA at least for users who have access to business-critical data or who hold administrative privileges. Using role settings, you can enforce mandatory two-factor authentication only for specific roles (for example, administrators or vault owners) without affecting other users.

Can we allow sign-in only via corporate SSO?

Yes, for selected users you can keep SSO as the only available authentication method. In the user or role settings, you can disable the local password and other methods (for example, LDAP) so that users can sign in exclusively through the corporate single sign-on system.