Imprivata Documentation | Imprivata Enterprise Access Management (OneSign) 25.2 | Topic updated: September 30, 2025

Passwordless Authentication with Device-Bound Passkey

Imprivata Enterprise Access Management supports passwordless authentication for Desktop Authentication with a device-bound passkey.

BEST PRACTICE:

Only enable device-bound passkey at single user computers (Type 1) .

Enable in User Policy

In the Imprivata Admin Console, go to Computers > Computer policies.
Select a computer policy to configure.

BEST PRACTICE:
Only enable device-bound passkey at single user computers (Type 1) .
Go to General > Authentication and select Enable Device-bound passkey.
Click Save.

To enroll the device-bound passkey, the user logs into the desktop or the enrollment utility with two authentication methods.

The device-bound passkey is now enrolled.
The next time the user logs into the desktop, the user will only need to complete their primary factor of authentication. The device-bound passkey is the second factor and is completed 'silently' for them.

The device-bound passkey enrollment can be deleted from the user or computer page in the Imprivata Admin Console.

In the Imprivata Admin Console, go to Users > Users.
Select the user whose enrollment you want to delete.
Go to Security Key > Device-bound passkey.

Enrolled passkeys are listed by hostname and enrollment date and time.
Select the enrollment to delete.
Click Save.

In the Imprivata Admin Console, go to Computers > Computers.
Select the computer where the user enrolled.
Go to Device-bound passkeys.

Enrolled users are listed by username and enrollment date and time.
Select the enrollment to delete.
Click Save.