Passkeys & Two-Factor Authentication — FAQ
What they are, why they matter, and what’s changing for members
We are in the process of rolling out passkeys and two-factor authentication (2FA) to improve the security of member accounts.
This will be optional, at least for now, for most members of the club. But for members whose accounts give them access to personal information, such as Committee members, coaches and some volunteers, this additional security for website logins will be mandatory.
This page explains what these technologies are, how they work, and what to expect.
The UK’s National Cyber Security Centre (NCSC) — part of GCHQ — now recommends passkeys as the preferred login method, calling them “at least as secure as, and generally more secure than, pairing the strongest password with two-step verification.” The UK Government is rolling out passkeys across all GOV.UK services.
Read the NCSC’s official passkey guidance →
What do I need to do?
Most members will want to set up a passkey – they are more convenient and more secure than passwords. You can set up another form of two factor authentication if you want to protect your account from a stolen password, but this is optional for now.
If you have extra permissions on the website (eg Committee, coaches, captain, some volunteers), you will need to do two things:
- Mandatory: set up two-factor authentication (2FA) using an authenticator app — this protects your account and stops hackers from getting in if they steal your password; and
- Optional but recommended: set up a passkey on each device you use to access the site. This will become your primary way to log in, fast and secure. It means that your more clunky 2FA app will only be needed when you are logging in on a new device for the first time.
You may be automatically prompted to do both. If not, you can do them in your account settings.
(That’s it. The rest of this page is optional reading).
Optional reading: the Basics
What is two-factor authentication (2FA)?
Two-factor authentication — also written as 2FA, or sometimes called two-step verification (2SV) or multifactor authentication (MFA) — is a way of proving who you are when you log in to a website using two separate pieces of evidence rather than just one.
Think of it like unlocking a safe that needs both a combination and a physical key. You cannot get into the safe unless you have them both. On a website with 2FA turned on, you similarly need two distinct things to log in. There are three classic “factors”:
- Something you know — a password or PIN
- Something you have — your phone, a hardware key, or an authenticator app
- Something you are — a fingerprint or face scan – often described in shorthand as ‘biometrics’
2FA combines any two of these. You have almost certainly encountered it when a website or app asks you to enter your password (something you know) and then you also have to enter a 6-digit one-time code which you get from an app on your phone, or by text message (something you have – your phone).
The idea is that even if your password has been stolen or guessed, an attacker cannot log in to your account unless they also have the second factor, namely your phone. In practice they would often need a third thing as well: your fingerprint or face to unlock the phone.
What is a passkey?
A passkey is a modern, secure way to log in that replaces your password entirely. Instead of typing something you’ve memorised, your device handles the authentication for you — you simply approve it the same way you unlock your phone: with your fingerprint, face, or PIN.
Behind the scenes, passkeys use strong cryptography (the same technology that secures online banking). When you set up a passkey for a website, your device creates a pair of mathematically linked digital keys:
- A private key, kept securely on your device and never shared with anyone
- A public key, given to the website — which can only be used to verify you, not to impersonate you
When you log in, the website and your device perform a quick cryptographic handshake: the website sends a fresh, random challenge, your device signs it with the private key, and the website checks the signature against the public key it holds. No password is typed, transmitted, or stored, so there is nothing for a criminal to steal or phish.
Passkeys are a standard developed by the FIDO Alliance and are already supported by Apple, Google, Microsoft, and most modern browsers and devices.
What’s the relationship between passkeys and 2FA?
A passkey is itself a form of two-factor authentication, built in. When you use a passkey to log in, you are simultaneously proving “something you have” (the device holding the private key) and “something you are or know” (your fingerprint, face, or PIN used to unlock the device). Two factors, one smooth step.
This is why the NCSC describes passkeys as being at least as secure as — and often more secure than — a strong password combined with a separate 2FA code. Passkeys combine both factors seamlessly, without the friction of typing a one-time code.
However, your account still has a password, and if that password were ever stolen, an attacker could try to log in with it. So using passkeys does not remove the possible vulnerability of a stolen password (unless we were to prevent password logins altogether). This is why members with elevated permissions are also required to set up two factor authentication with an authenticator app — so that a stolen password alone is never enough to get in. See the question below: “I have a passkey — do I also need to set up 2FA?”
Why are passkeys considered more secure than passwords?
Passwords have fundamental weaknesses that criminals exploit every day:
- They can be phished — tricked out of you by a fake login page
- They can be stolen if a website’s database is breached (though not ours, because we do not store passwords in our database)
- They can be guessed if they’re weak or reused elsewhere
- Even the one-time codes used to back them up, sent by email or (to a lesser extent) by SMS, can be intercepted or phished by sophisticated attackers
It is surprisingly common for people to re-use passwords. Some of our members are using passwords that are on published lists of known passwords.
Passkeys sidestep all of these problems. Because your private key never leaves your device, there is nothing to phish, steal, or intercept. And because each passkey is bound to the exact website it was created for, your browser will not offer it to a look-alike site, and it cannot be reused across different services even if one site is compromised.
OK: I have set up a passkey. Do I also need to set up Two Factor Authentication?
Yes if you have a club role that gives you access to other people’s data — and here’s why.
Your passkey protects you brilliantly on devices where it’s set up. But your account still has a password, and passwords can be stolen — not necessarily from us, but from other websites where you’ve used the same password, or through phishing. Some passwords can be guessed.
If an attacker gets hold of your password and tries to log in on a new device, your passkey won’t be there to stop them. What will stop them is 2FA. Without the six-digit code from your authenticator app, they hit a wall.
This is the point of mandatory 2FA for members with elevated permissions: a stolen password alone is useless to an attacker. They’d also need physical access to your phone. Even if you don’t have elevated permissions, you might want to protect your own data this way.
Your passkey remains your primary way to log in — fast, seamless, no codes to type. The authenticator app sits quietly in the background and you’ll rarely if ever need it. But it’s the lock on the back door.
What is an authenticator app, and which one should I use?
An authenticator app is a free app on your phone that generates six-digit codes, refreshed every 30 seconds. The codes are calculated from a secret shared with the website and the current time, so the app works even without a network connection. When you log in, you enter the code currently showing in the app to prove it is really you. It is the most common form of traditional 2FA, and it is much safer than codes sent by email or SMS.
You only need to set it up once. After that, opening the app and reading a code takes a few seconds.
Which app should I use?
Any of these will work. We’d suggest:
- Google Authenticator — simple and reliable. Free on iPhone and Android.
- Microsoft Authenticator — slightly more full-featured. Free on iPhone and Android.
- 1Password or Bitwarden — if you already use one of these password managers, they can handle authenticator codes too.
There is no wrong choice here. If you already have one of these apps installed for another service, just use that one.
How do I set it up?
Go to your account settings and open the Two-Factor Authentication tab. You’ll see a QR code and, beneath it, a setup key with a Copy button.
Open your authenticator app on your phone and tap the + button (or “Add account”). You can either:
- Point your phone’s camera at the QR code on screen, or
- Tap “Enter code manually” in the app and paste in the setup key using the Copy button
The app will immediately start generating six-digit codes for the Serpentine website. The website will ask you to enter the current code to confirm everything is working, then tap “I’m Ready” to finish.
If you’re setting this up on the same phone as your authenticator app, you’ll need to use the manual entry option — you can’t point your camera at your own screen.
If you get stuck, email webmaster@serpentine.org.uk and we’ll walk you through it.
Why is the club doing this now?
We are justly proud of the security of our website. Like everyone else, we are constantly being probed by hackers and spammers, and (without wishing to jinx it) so far we have kept them out. But we are not complacent. There is an arms race: hackers are increasingly using AI to increase the breadth and sophistication of their attacks, and so we are increasing our defences to keep pace.
Account security matters even more for those accounts that can access the information of members, access our financial systems, send bulk emails or publish material on our website. Members with these elevated permissions are a more attractive target for account takeover, and we have a responsibility to protect both those members and the club as a whole.
Passkeys are fairly new, but becoming mainstream. Major platforms support them, the UK Government is adopting them across GOV.UK, and the NCSC now actively recommends them over passwords.
We’ve developed our own implementation of passkeys that aims to be easy to use for non-technical members while following the FIDO2/WebAuthn standards on which passkeys are based. Once we are confident that it is working well, we will offer our implementation to the open source community so that others can benefit from our work.
Will 2FA become mandatory for Serpies?
Yes, for some people — over time we will be requiring two-factor authentication for members with elevated permissions on the website, such as the committee and coaches. These users can see some (limited) information about all members, and they can publish material on our website. We want to make sure these members’ accounts are secure.
If you’ve been invited to set up a passkey: doing so now is the most convenient way to log in day-to-day. But members with elevated permissions will also need to set up an authenticator app — a passkey alone is not sufficient, because it doesn’t protect your account if your password is stolen and an attacker tries to use it to log in on a different device.
For other members 2FA is optional, but recommended. This will better protect your accounts – which contain your own personal information. We will consider over time whether 2FA should eventually be mandatory for all accounts once we have learned more about how it works for the committee and coaches.
How does a passkey make 2FA more convenient for me?
Traditional 2FA — logging in with a password, then fetching a six-digit code from your phone — is more secure than a password alone but it is often inconvenient. You have to find your phone, open an app, type in a code before it expires, and repeat this every time you log in.
With a passkey, logging in is a single step: you visit the site and approve the sign-in with your fingerprint, face, or device PIN. The two factors happen simultaneously and invisibly. It’s faster than typing a password and far more convenient than typing in a separate 2FA code.
Where can I set up a passkey or other 2FA?
You can do this in your account settings, where you will find tabs to set up and manage your passkeys, and to manage other forms of two-factor authentication if you prefer.
If you are in the group for whom 2FA is mandatory, we will prompt you to set up an authenticator app when you next type in your password. We also strongly recommend setting up a passkey — it is by far the most convenient way to log in day-to-day, and works alongside your authenticator app rather than replacing it.
Do I need to set up a passkey on each device?
If your passkey is managed by your phone platform (Apple, Google, or Microsoft) it can sync automatically across all your devices in that ecosystem via the cloud, provided the platform’s sync (iCloud Keychain, for example) is turned on. Set it up once on your iPhone and it will appear on your iPad and Mac without you doing anything.
If you use a third-party password manager like 1Password or Bitwarden, your passkey is available on every device where you have that app installed — regardless of manufacturer.
If you need to, you can have multiple passkeys stored for the Serpentine website, one for each device from which you log in (e.g. phone, desktop, work computer, tablet). You are only likely to need to set these up separately on each device if you are using a device-bound passkey, or if your various devices use different platforms (Windows and iPhone, for example).
One practical note: the first time you use an existing passkey on a new device, your device may ask you to verify your identity (e.g. via your fingerprint or PIN) before it makes the passkey available. That’s a one-off step, not a full re-registration.
What if I don’t have a compatible device?
Passkeys are supported on the vast majority of modern devices — any iPhone running iOS 16 or later, any Android phone running Android 9 or later, and any Mac, Windows PC, or Chromebook with an up-to-date browser. If your device is less than five or six years old, it will almost certainly be able to use passkeys.
If for any reason you cannot use a passkey, please get in touch at webmaster@serpentine.org.uk and we’ll help you find the right solution. If you have elevated permissions, you will still need to set up an authenticator app for 2FA whether or not you use a passkey.
What if I lose my device?
This is a common concern, and the good news is that most passkey setups are designed with recovery in mind. If your passkeys are managed by a platform (Apple, Google, Microsoft) or a password manager, they are backed up to the cloud and will automatically appear on a new device once you sign in to that platform or password manager account on it.
If you use a device-bound passkey (stored only on one device), you would need to use an alternative login method to access your account and set up a new passkey. We’d strongly recommend using a synced passkey (via your phone platform or a password manager) to avoid this situation.
If necessary, you can contact webmaster@serpentine.org.uk and we can reset your passkeys.
UK Government & Official Guidance
What does the UK Government say about passkeys?
The UK Government has made passkeys a national security priority. At the CYBERUK 2025 conference, the Cabinet Office and the National Cyber Security Centre (NCSC) announced that all GOV.UK services will adopt passkeys as the default login method, replacing SMS-based verification codes.
The NCSC — GCHQ’s technical authority on cybersecurity — has gone further still. At CYBERUK 2026, the NCSC announced it will now recommend passkeys wherever a service supports them, superseding its previous recommendation to use a strong password plus two-step verification. This is described as “a new era of secure sign-in.”
The Department for Science, Innovation and Technology (DSIT) has also confirmed that passkeys are formally recognised as suitable for most authentication scenarios under UK standards, including the updated Cyber Essentials scheme.
In May 2026, the head of GCHQ said:
In this volatile world, there are steps we can all take to protect our communities and our loved ones, to make the UK more prepared and more resilient, so we’re not walking onto the frontline without armour.
At home, that means taking important action now to switch from passwords for passkeys.
In short: the people responsible for the UK’s cybersecurity are actively championing passkeys as the way forward.
Is this just a trend, or is it here to stay?
Passkeys represent a durable shift, not a fad. They are built on open standards (FIDO2 / WebAuthn) developed collaboratively by Apple, Google, Microsoft, and hundreds of other technology companies through the FIDO Alliance. The NCSC joined the FIDO Alliance in 2025 to help shape the standards from within.
Billions of devices already support passkeys. Microsoft has made new accounts passwordless by default. Apple and Google have built passkey management into their core platforms. The NHS became one of the first government bodies in the world to offer passkeys to users. This is the direction the entire industry is moving.
For the technically curious
Types of Passkey — What’s the Difference?
Not all passkeys work in exactly the same way. There are three broad types, differing mainly in where the passkey is stored and how portable it is. For most members, this distinction won’t matter — your device will handle it for you. But if you’re curious, here’s the breakdown.
What is a device-bound passkey?
A device-bound passkey is stored exclusively on one physical device — for example, locked inside a phone’s secure chip or on a hardware security key (like a YubiKey). It never leaves that device, not even to be backed up.
Pros: Maximum security. The key cannot be exported or copied off the device, which is why this type is preferred for very high-security scenarios.
Cons: If you lose the device, the passkey is gone. You cannot use it on another device without going through account recovery. This makes it less convenient for everyday use.
This type is more common in enterprise or high-security contexts. Most consumers will use synced passkeys instead.
What is a platform passkey (synced via Apple, Google, or Microsoft)?
A platform passkey is managed by the operating system of your device and automatically backed up and synced across your devices via the platform’s cloud service:
- Apple devices — passkeys sync via iCloud Keychain, available on all your iPhones, iPads, and Macs
- Google (Android/Chrome) — passkeys sync via Google Password Manager, across Android phones and Chrome browsers
- Microsoft (Windows) — passkeys are unlocked with Windows Hello and, on recent Windows 11 versions, synced via your Microsoft account
Pros: Convenient, automatic, and recoverable if you lose a device. Works seamlessly across all your Apple (or Google, or Microsoft) devices without any extra setup.
Cons: Your passkeys live within one ecosystem. An Apple passkey won’t automatically appear on an Android phone, though you can usually still sign in on another device by scanning a QR code with the phone that holds the passkey. You’re also trusting your platform provider with backup of your credentials.
This is the most common setup for everyday users and is what most people will encounter when first setting up a passkey.
What is a passkey stored in a third-party password manager?
Third-party password managers — such as 1Password, Bitwarden, Dashlane, or LastPass — increasingly support storing passkeys alongside traditional passwords. The passkey is tied to your password manager account rather than your phone platform.
Pros: Fully cross-platform. A passkey stored in 1Password, for example, is available on your iPhone, Windows PC, and Android tablet equally — regardless of which manufacturer made them. Ideal if you use a mix of devices or want to avoid platform lock-in.
Cons: Requires an account with (and trust in) your password manager provider. If you lose access to your password manager account, recovery becomes more complex.
This option is popular with technically minded users who already use a password manager and want their passkeys to live in the same place as their other credentials.
| Type | Stored where? | Cross-device? | Best for |
|---|---|---|---|
| Device-bound | One device only | No | High-security / enterprise use |
| Platform (Apple/Google/Microsoft) | Platform cloud (iCloud, Google, etc.) | Within ecosystem | Most everyday users |
| Password manager | Password manager cloud | Yes, fully cross-platform | Mixed-device users; tech-savvy members |
Further Reading & Authoritative Sources
- NCSC: Passkeys — what you need to know — the UK Government’s official consumer passkey guidance
- NCSC: Passkeys are more secure than traditional ways to log in — the technical case, in plain language
- NCSC: The promise of a simpler and safer alternative to passwords — how passkey cryptography works
- FIDO Alliance: Passkeys — the international standards body behind passkey technology
- passkeys.dev — developer and user reference from the FIDO Alliance and W3C
- GCHQ Annual lecture by the Director of GCHQ, Anne Keast-Butler
Questions? Contact webmaster@serpentine.org.uk. This page was last reviewed May 2026.
