Product
Solutions
Enterprise
Customers
Docs
Blog
Pricing
Download
Get started
Login
© 2024

Using passkeys for Tailscale authentication

Passkeys are a method for authenticating users to a Tailscale network (tailnet) using passwordless authentication.

Passkeys are available for all plans.
This feature is currently in beta.

How it works

Passkeys are based on the FIDO Alliance standard. This standard uses public key cryptography by generating a private key on the user’s device that is never exposed to the outside world. You can store passkeys on a device or in a keychain. For example, when you create a passkey using an Apple ID, you can use the same passkey on other Apple devices with the same Apple ID.

Biometrics, a PIN, or a pattern are examples of processes that allow you to authenticate with a passkey, the same way you can unlock a device that supports the FIDO standard.

When a user initially accepts an invite to join a tailnet by using a passkey, a tailnet matching the invitee's passkey username is created. This tailnet's name is in the form <user_name>@passkey. For example, bobbuilder@passkey. This tailnet name is a universally unique name across all of Tailscale. This tailnet is a separate tailnet from the tailnet they are invited to join.

The invited user's Tailscale identity is dependent on the existence of the tailnet created for their passkey username. Other tailnet admins can also invite the same user to join a tailnet, so the user associated with bobbuilder@passkey could join more than one tailnet.

A given passkey username is allowed to be created only once. For example, there will always be only one user associated with bobbuilder@passkey, even if the bobbuilder@passkey tailnet is deleted. If the tailnet for a given passkey username is deleted, the tailnet cannot be recovered, and the passkey username cannot be reused, even by the user that initially created the passkey username.

Deleting a tailnet of the form <user_name>@passkey deletes the associated user's membership to all other tailnets.

Supported passkey managers

Tailscale supports passkey management from the following:

  • 1Password
  • Apple
  • Bitwarden
  • Google
  • Microsoft
  • Yubikey

Because Tailscale cannot determine the source of a passkey, Fido Alliance standard passkeys provided by any other company should also work with Tailscale.

Passkey username rules

A passkey username:

  • Can contain a combination of lowercase alphanumeric characters (a-z and 0-9) and hyphens (-).
  • Cannot begin with a number.
  • Must be between 3 and 63 characters in length.

Invite a passkey user

A user invite is for one-time use, so a given invite should be sent to only a single user. If you want to invite multiple users, send each of them their own invite.

Your Tailscale billing includes invited users who join and transfer data in your tailnet. This includes invited users who are paid users in other tailnets. Tailscale bills for every active user on every tailnet.

For information about inviting a user to your tailnet, refer to:

Refer to Invite any user to your tailnet for additional information about inviting users, including viewing or removing open invites.

Create a passkey user from an invite

  1. From a web browser, open the URL provided in your invite. If you are logged into a tailnet already, make sure you log out.

  2. In the Tailscale login page, select Sign in with a passkey.

    Sign in page for Tailscale.

  3. Enter a unique username to register with your passkey, subject to the passkey username rules. The @passkey value is automatically appended. The username you select must be a universally unique name across all of Tailscale. For example, if bobbuilder@passkey is used by someone in another tailnet, it cannot be registered in your tailnet.

    Create a new passkey.

  4. Select Create passkey and join.

  5. Choose how you want to create and store the passkey. Follow the instructions on the device you are using for passkey authentication.

  6. Authenticate with the tailnet using your chosen method for authentication. When a passkey user authenticates, the user displays on the Users page of the admin console.

Passkey user in the Users page.

Sign in with an existing passkey

  1. From a web browser, open the URL provided in your invite. If you are logged into a tailnet already, make sure you log out.

  2. In the Tailscale login page, select Sign in with a passkey.

    Sign in page with passkey.

  3. Select Sign in with a passkey.

    Sign in using an existing passkey.

  4. Log in to the tailnet using your passkey authentication method.

Limitations

  • Users cannot create a new tailnet using passkey authentication. You must create the tailnet before sending user invites for passkey authentication.
  • You cannot reuse a previously used passkey username once it has been deleted.

Last updated Dec 20, 2024