Passkeys

Passkeys are a modern, phishing-resistant replacement for passwords. In BrightBlur they do double duty — they authenticate you to the server and unlock your local encryption keys in a single step.

Why use a passkey?

• Phishing protection — passkeys are cryptographically bound to the BrightBlur domain. They cannot be tricked into working on a fake site.
• Biometric login — use your fingerprint or face to log in.
• One-step unlock — BrightBlur uses the WebAuthn PRF extension to derive an encryption key directly from your authenticator, so logging in also unlocks your photos.

A modern browser is required

The one-step unlock relies on the WebAuthn PRF extension. It works on up-to-date Chrome and Safari (and equivalents); on browsers without PRF support, passkey setup will tell you it isn’t available. The PRF must be evaluated on the device you’re using — a passkey synced from another device may sign you in but fail to unlock your keys, in which case BrightBlur signs you back out and explains why.

Managing passkeys

Go to Settings and find the Security section. There you can:

• Add a passkey (or Add another passkey if you already have one) and follow your device’s prompts.
• Rename a passkey to tell your devices apart (e.g. “MacBook”, “iPhone”).
• Revoke a passkey you no longer use. You can’t remove your last passkey unless you also have a password set — otherwise you’d lock yourself out.

Using your passkey

On the login page, enter your email, then tap Log in with passkey to sign in with a single prompt.