Using passkeys for Tailscale authentication
Passkeys are a method for authenticating users to a Tailscale network (tailnet) using passwordless authentication.
How it works
Passkeys are based on the FIDO Alliance standard. This standard uses public key cryptography by generating a private key on the user’s device that is never exposed to the outside world. Passkeys can be stored on a device or in a keychain. For example, when you create a passkey using an Apple ID, you can use the same passkey on other Apple devices with the same Apple ID.
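The challenge-response exchange behind the paragraph above, as an added, simplified model (not Tailscale's code and not a full WebAuthn implementation). The `RelyingParty` class, the function names and the `example.test` origins are assumptions made for illustration; the user name is the one this page uses as its example.

```javascript
const nodeCrypto = require('node:crypto');

// Device side: the key pair is generated locally and only publicKey is handed out.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const signAssertion = (challenge, origin) => {
    // The client records the origin it is actually talking to, then signs it with the challenge.
    const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
    return { clientData, signature: nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey) };
  };
  return { publicKey, signAssertion };
}

// Server side (hypothetical class): stores public keys and outstanding challenges only.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, clientData, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // a challenge is valid for one attempt only
    const publicKey = this.users.get(user);
    if (!challenge || !publicKey) return false;
    const parsed = JSON.parse(clientData);
    if (parsed.origin !== this.origin) return false; // signed for another site
    if (parsed.challenge !== challenge.toString('base64url')) return false;
    return nodeCrypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
  }
}

function demo() {
  const origin = 'https://login.example.test'; // constructed placeholder origin
  const user = 'bobbuilder@passkey';
  const server = new RelyingParty(origin);
  const device = createPasskey();
  server.register(user, device.publicKey);
  const good = device.signAssertion(server.newChallenge(user), origin);
  const ok = server.verify(user, good.clientData, good.signature);
  const replay = server.verify(user, good.clientData, good.signature); // challenge already used
  const other = device.signAssertion(server.newChallenge(user), 'https://other.example.test');
  const wrongOrigin = server.verify(user, other.clientData, other.signature);
  return { ok, replay, wrongOrigin, storedKeyType: server.users.get(user).type };
}

console.log(demo());
```

The server only ever holds the public half of the key, so a copy of its user store gives nothing that can be used to sign in.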
Supported passkey managers
Tailscale supports passkey management from the following:
- 1Password
- Apple
- Bitwarden
- Microsoft
- YubiKey
Since we cannot determine the source of a passkey, any other company that provides passkeys should also work with Tailscale.
Inviting a passkey user
A user invite is for one-time use and should only be sent to a single user that you want to invite to the tailnet.
You need to be an Owner, Admin, or IT admin to generate passkey invites.
- Open the Users page of the admin console.
- Click Invite users and select Invite via link.
- Select the user role you want to automatically assign for the invite link.
- Click Generate & copy invite link. A URL link is copied to your clipboard.
- Send the URL link to the user that you want to invite to your tailnet.
When a user invite is created, it will display in the Users page of the admin console, with the Invited badge. When a user authenticates to the tailnet using the invite link, it will expire and no longer display in the Users page.

If you need to resend the invite, click on the menu and select Copy invite link.
When users join your tailnet by invitation, they are added to your Tailscale billing if they transfer data in your tailnet. This includes invited users who are paid users in other tailnets. Tailscale bills for every active user on every tailnet.
Creating a passkey user from an invite
- From a web browser, go to the URL provided in your invite. If you are logged into a tailnet already, make sure you log out.
- In the Tailscale login window, click Sign in with a passkey.
- Enter a unique user name that will be registered with your passkey. The @passkey value is automatically appended. The user name you select must be a universally unique name across all of Tailscale. For example, if bobbuilder@passkey is used by someone in another tailnet, it cannot be registered in your tailnet.
- Click Create passkey and join.
- Choose how you want to create and store the passkey. Follow the instructions on the device you are using for passkey authentication.
- Authenticate to the tailnet using your chosen method for authentication. When a passkey user authenticates, the user displays in the Users page of the admin console.

Signing in with an existing passkey
- From a web browser, go to the URL provided in your invite. If you are logged into a tailnet already, make sure you log out.
- In the Tailscale login window, click Sign in with a passkey.
- Click Sign in with a passkey.
- Log in to the tailnet using your passkey authentication method.
Passkey user name rules
- Can contain a combination of lowercase alphanumeric characters (a-z and 0-9) and hyphens.
- Cannot begin with a number.
- Must be between 3 and 63 characters in length.
Deleting an invite
You need to be an Owner, Admin, or IT admin to delete passkey invites.
When a user invite is created, it will display in the Users page of the admin console, and will have the Invited badge. If the invite is unused and you want to delete the link, click on the menu and select Remove invite.
Limitations
- Users cannot create a new tailnet using passkey authentication. The tailnet must be created first; user invites for passkey authentication can then be sent to subsequent users.
- GitHub user accounts don’t have email addresses, so you cannot use passkeys for GitHub tailnets.