Using passkeys for Tailscale authentication

Passkeys are a method for authenticating users to a Tailscale network (tailnet) using passwordless authentication.

Passkeys are available for all plans.
This feature is currently in beta.

How it works

Passkeys are based on the FIDO Alliance standard. This standard uses public key cryptography: the user’s device generates a private key that is never exposed to the outside world. You can store passkeys on a device or in a keychain. For example, when you create a passkey using an Apple ID, you can use the same passkey on other Apple devices with the same Apple ID.
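The public-key exchange described above, as an added example (not Tailscale's code, and not the WebAuthn message format): a simplified Node.js model in which the device keeps the private key, the service stores only the public key, and each sign-in is a signature over a fresh random challenge. The class and function names are hypothetical, and the scenario is constructed.

```javascript
const nodeCrypto = require("node:crypto");

// Device side: the key pair is generated here and the private half stays here.
// Only the PEM-encoded public half is exposed for registration.
class Authenticator {
  #privateKey;
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.#privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: "spki", format: "pem" });
  }
  sign(challenge) {
    return nodeCrypto.sign("sha256", challenge, this.#privateKey);
  }
}

// Service side (hypothetical): stores public keys, issues one-time challenges.
class Service {
  constructor() {
    this.publicKeys = new Map(); // user name -> PEM public key
    this.pending = new Map();    // user name -> outstanding challenge
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const key = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is good for one attempt
    if (!challenge || !key) return false;
    return nodeCrypto.verify("sha256", challenge, key, signature);
  }
}

// Constructed scenario: one registered device and one unregistered device.
function demo() {
  const user = "bobbuilder@passkey";
  const service = new Service();
  const device = new Authenticator(), other = new Authenticator();
  service.register(user, device.publicKeyPem);
  const first = device.sign(service.newChallenge(user));
  const login = service.verify(user, first);
  service.newChallenge(user);
  const replay = service.verify(user, first); // old signature, fresh challenge
  const wrongKey = service.verify(user, other.sign(service.newChallenge(user)));
  return { login, replay, wrongKey };
}
```

The service never holds anything that can produce a signature, so its stored data cannot be used to sign in, and a captured signature is useless once the challenge changes.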

Supported passkey managers

Tailscale supports passkey management from the following:

  • 1Password
  • Apple
  • Bitwarden
  • Google
  • Microsoft
  • YubiKey

Because Tailscale cannot determine the source of a passkey, any other company that provides passkeys should also work with Tailscale.

Inviting a passkey user

A user invite is for one-time use. Send each invite link only to the single user you want to invite to the tailnet.

You need to be an Owner, Admin, or IT admin to generate invites.

  1. Open the Users page of the admin console.
  2. Select Invite external users via link.
  3. Select the user role you want to automatically assign for the invite link.
  4. Click Generate & copy invite link to copy the URL to your clipboard.
  5. Send the URL link to the user that you want to invite to your tailnet.

When you create a user invite, it displays on the Users page of the admin console with the Invited badge. When a user authenticates using the invite link, the invite expires and no longer displays on the Users page of the admin console.

To resend an invite:

  1. Click on the ellipsis icon menu.
  2. Select Copy invite link.

Your Tailscale billing includes invited users who join and transfer data in your tailnet. This includes invited users who are paid users in other tailnets. Tailscale bills for every active user on every tailnet.

Creating a passkey user from an invite

  1. From a web browser, go to the URL provided in your invite. If you are already logged in to a tailnet, make sure you log out.

  2. On the Tailscale login page, click Sign in with a passkey.

  3. Enter a unique user name to register with your passkey. The @passkey value is automatically appended. The user name you select must be a universally unique name across all of Tailscale. For example, if bobbuilder@passkey is used by someone in another tailnet, it cannot be registered in your tailnet.

  4. Click Create passkey and join.

  5. Choose how you want to create and store the passkey. Follow the instructions on the device you are using for passkey authentication.

  6. Authenticate with the tailnet using your chosen method for authentication. When a passkey user authenticates, the user displays on the Users page of the admin console.

Signing in with an existing passkey

  1. From a web browser, go to the URL provided in your invite. If you are already logged in to a tailnet, make sure you log out.

  2. On the Tailscale login page, click Sign in with a passkey.

  3. Click Sign in with a passkey.

  4. Log in to the tailnet using your passkey authentication method.

Passkey user name rules

  • Can contain a combination of lowercase alphanumeric characters (a-z and 0-9) and hyphens (-).
  • Cannot begin with a number.
  • Must be between 3 and 63 characters in length.

Deleting an invite

You need to be an Owner, Admin, or IT admin to delete invites.

When you create a user invite, it displays on the Users page of the admin console with the “Invited” badge. If the invite is unused and you want to delete the link, click on the ellipsis icon menu and select Remove invite.

Limitations

  • Users cannot create a new tailnet using passkey authentication. You must create the tailnet before sending user invites for passkey authentication.