Using passkeys for Tailscale authentication
Passkeys let users authenticate to a Tailscale network (tailnet) without a password, using a FIDO credential held on their device or in a passkey manager.
How it works
Passkeys are based on the FIDO Alliance standards (FIDO2/WebAuthn). Each passkey is a public key pair: the private key is generated on the user's device and never leaves it, while the service being signed into stores only the public key and verifies a signature over a fresh challenge at every login. Because the credential is scoped to the site it was created for, it cannot be replayed against a look-alike domain. A passkey can be bound to a single device, such as a hardware security key, or synced by a passkey manager. For example, a passkey created with an Apple ID is available on other Apple devices signed in to the same Apple ID.
To use a passkey, you verify yourself locally with a biometric, a PIN, or a pattern, the same way you unlock a device that supports the FIDO standard. That unlock only releases the signature; the biometric or PIN itself is never sent to Tailscale.
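The exchange described above, as an added example that is not part of the original page and not Tailscale's code: a simulated authenticator holds P-256 private keys that no method ever returns, and a simulated relying party stores only public keys and verifies a signature over a fresh random challenge. The RP ID "example.com" and the look-alike "examp1e.com" are placeholders, and the signed data is simplified from WebAuthn's authenticatorData || SHA-256(clientDataJSON) to the RP ID plus the challenge. The local biometric or PIN gate that a real device applies before signing is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device or passkey manager; private keys live only here.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // keyed by rpID + "|" + credential ID
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register makes a fresh P-256 key pair (ES256, used by most passkeys) scoped
// to one relying party and returns only a random credential ID and the public key.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", nil, err
	}
	credID := hex.EncodeToString(raw)
	a.creds[rpID+"|"+credID] = priv
	return credID, &priv.PublicKey, nil
}

// Sign answers a login challenge. The lookup is keyed by the RP ID the browser
// reports, so a passkey made for example.com is unusable on a look-alike domain.
func (a *Authenticator) Sign(rpID, credID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID+"|"+credID]
	if !ok {
		return nil, errors.New("no credential for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
}

// signedDigest simplifies WebAuthn's signed data (authenticatorData ||
// SHA-256(clientDataJSON)) to the two parts that matter here: RP ID and challenge.
func signedDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty stands in for the login server; it holds public keys only.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Enroll(credID string, pub *ecdsa.PublicKey) { rp.pubs[credID] = pub }

// NewChallenge returns 32 fresh random bytes; a new challenge per login is what
// makes a captured signature useless for replay.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no randomness means no safe login; abort rather than continue
	}
	return c
}

func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[credID]
	return ok && ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge), sig)
}

func main() {
	// "example.com" is a placeholder RP ID, not Tailscale's real login domain.
	auth, rp := NewAuthenticator(), NewRelyingParty("example.com")
	credID, pub, err := auth.Register(rp.ID)
	if err != nil {
		panic(err)
	}
	rp.Enroll(credID, pub)
	challenge := rp.NewChallenge()
	sig, err := auth.Sign(rp.ID, credID, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("login verified:", rp.Verify(credID, challenge, sig))
	_, err = auth.Sign("examp1e.com", credID, challenge) // look-alike domain
	fmt.Println("phishing domain refused:", err != nil)
}
```

The server never holds anything it could use to impersonate the user, a signature is bound to one challenge so it cannot be replayed, and the authenticator refuses to sign for a domain it has no credential for, which is why a phishing page cannot harvest a usable passkey assertion.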
When a user first accepts an invite to join a tailnet by using a passkey, a tailnet matching the invitee's passkey username is created. This tailnet's name has the form `<user_name>@passkey`, for example `bobbuilder@passkey`. The name is unique across all of Tailscale, and this tailnet is separate from the tailnet the user was invited to join.
The invited user's Tailscale identity depends on the existence of the tailnet created for their passkey username. Other tailnet admins can also invite the same user, so the user associated with `bobbuilder@passkey` can be a member of more than one tailnet.
A given passkey username can be created only once. There will only ever be one user associated with `bobbuilder@passkey`, even if the `bobbuilder@passkey` tailnet is deleted. If the tailnet for a passkey username is deleted, it cannot be recovered and the username cannot be reused, even by the user who originally created it.
Deleting a tailnet of the form `<user_name>@passkey` also removes the associated user's membership from every other tailnet. Treat the deletion of such a tailnet as irreversible and identity-destroying, not as routine cleanup.
Supported passkey managers
Tailscale supports passkey management from the following:
- 1Password
- Apple
- Bitwarden
- Microsoft
- YubiKey
Because Tailscale cannot determine the source of a passkey, passkeys from other providers should also work with Tailscale.
Inviting a passkey user
A user invite is single-use. Send each invite to only the one user you want to join the tailnet, and treat the invite URL as a credential: whoever redeems it first joins with the role selected for it.
You need to be an Owner, Admin, or IT admin to generate invites.
To invite a passkey user via email:
- Open the Users page of the admin console.
- Select Invite external users.
- Add the email address for each user that you want to invite to the tailnet.
- Select the user role you want to automatically assign for the invite link. Only one role can be assigned for all email addresses in a single invite.
- Select Invite to send email invitations to each listed email address.
Alternatively, you can invite passkey users by generating an invite link:
- Open the Users page of the admin console.
- Select Invite external users.
- Select the Copy invite link tab.
- Select the user role you want to assign to the invite link.
- Select Generate & copy invite link to copy the invite URL to your clipboard.
- Send the URL link to the user you want to invite to your tailnet.
When you create a user invite, it displays on the Users page of the admin console with the Invited badge. When a user authenticates using the invite link, the invite expires and no longer displays on the Users page.
To resend an invite:
- On the Users page, select the menu next to the invited user.
- Select Resend user invite to send another email, or Copy invite link to copy the invite link to your clipboard.
Your Tailscale billing includes invited users who join and transfer data in your tailnet. This includes invited users who are paid users in other tailnets. Tailscale bills for every active user on every tailnet.
Creating a passkey user from an invite
- From a web browser, open the URL provided in your invite. If you are already logged in to a tailnet, log out first.
- On the Tailscale login page, select Sign in with a passkey.
- Enter a unique username to register with your passkey. The `@passkey` value is appended automatically. The username must be unique across all of Tailscale: for example, if `bobbuilder@passkey` has already been registered by anyone, in any tailnet, it cannot be registered again.
- Select Create passkey and join.
- Choose how you want to create and store the passkey, and follow the instructions on the device you are using for passkey authentication.
- Authenticate to the tailnet using your chosen method. Once a passkey user has authenticated, the user displays on the Users page of the admin console.
Signing in with an existing passkey
- From a web browser, open the URL provided in your invite. If you are already logged in to a tailnet, log out first.
- On the Tailscale login page, select Sign in with a passkey.
- On the next screen, select Sign in with a passkey again (rather than Create passkey and join) to use a passkey you have already registered.
- Log in to the tailnet using your passkey authentication method.
Passkey username rules
- Can contain lowercase alphanumeric characters (`a-z` and `0-9`) and hyphens (`-`).
- Cannot begin with a number.
- Must be between 3 and 63 characters in length.
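A local check of the username rules above, as an added example that is not Tailscale's code: it applies exactly the three stated rules and appends the fixed `@passkey` suffix so the result matches what the admin console shows. It cannot check uniqueness, which only Tailscale's service can, and because the page does not say whether a leading hyphen is allowed, this check does not reject one; Tailscale's own validation is authoritative.

```go
package main

import (
	"fmt"
	"regexp"
)

// usernameChars encodes the page's character rule: lowercase a-z, 0-9 and
// hyphens only. Length and the leading-digit rule are checked separately so
// each rejection names the rule it broke.
var usernameChars = regexp.MustCompile(`^[a-z0-9-]+$`)

// ValidatePasskeyUsername returns nil if name satisfies the three stated rules,
// or an error describing the first rule it violates. Uniqueness is not checked
// here; only Tailscale can do that.
func ValidatePasskeyUsername(name string) error {
	if !usernameChars.MatchString(name) {
		return fmt.Errorf("%q may contain only a-z, 0-9 and hyphens", name)
	}
	if n := len(name); n < 3 || n > 63 {
		return fmt.Errorf("%q is %d characters; must be 3 to 63", name, n)
	}
	if name[0] >= '0' && name[0] <= '9' {
		return fmt.Errorf("%q cannot begin with a number", name)
	}
	return nil
}

// PasskeyIdentity appends the @passkey suffix that Tailscale adds automatically,
// for example "bobbuilder" -> "bobbuilder@passkey".
func PasskeyIdentity(name string) (string, error) {
	if err := ValidatePasskeyUsername(name); err != nil {
		return "", err
	}
	return name + "@passkey", nil
}

func main() {
	// Constructed sample inputs covering each rule.
	for _, n := range []string{"bobbuilder", "bob-builder-2", "9lives", "BobBuilder", "bb", "bob_builder"} {
		id, err := PasskeyIdentity(n)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", id)
	}
}
```

Run the check before sending a username to the login page; a name that fails here will be refused by Tailscale, but a name that passes may still be taken, since the namespace is global and a username is never released once registered.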
Deleting an invite
You need to be an Owner, Admin, or IT admin to delete invites.
When you create a user invite, it displays on the Users page of the admin console with the Invited badge. If the invite is unused and you want to revoke the link, select the menu next to the invite and select Remove invite.
Limitations
- Users cannot create a new tailnet using passkey authentication. You must create the tailnet before sending user invites for passkey authentication.
- You cannot reuse a previously used passkey username once it has been deleted.