Passkeys and two-factor authentication

Add passkeys, set up TOTP, store recovery codes.

Two ways to make your Dalea account substantially harder to compromise: passkeys (the recommended default) and two-factor authentication via TOTP (useful when you sign in with email-and-password).

Why bother

Lab accounts are valuable targets — they grant access to compounds, animal welfare data, and IP. The threat model isn't sophisticated nation-state actors, it's commodity phishing kits and password reuse. Both passkeys and TOTP defeat those.

A passkey is a public/private key pair stored on your device's secure keychain. Signing in is biometric (Touch ID, Face ID, Windows Hello, your phone's fingerprint sensor) — there's no password to phish or to forget.

Modern OS keychains sync passkeys across your devices: a passkey added on a Mac shows up on your iPhone via iCloud Keychain; on Android via Google Password Manager; on Windows via Microsoft account.

Adding a passkey

  1. Settings → Security → Passkeys

    Click Add a passkey.

  2. Authenticate with your platform

    Touch ID / Face ID / Windows Hello / etc. Your OS prompts you.

  3. Name it (optional)

    "Work MacBook" or "iPhone 15" makes the list readable later.

That's it. Next time you sign in, pick Sign in with a passkey and your device handles the rest.

Managing passkeys

The same settings page lists every passkey on your account: name, the device that registered it, last used, and a delete button. Delete passkeys for devices you no longer have. Renaming is fine — it doesn't invalidate the key.

TOTP (when you can't use passkeys)

If your team is on email-and-password, add TOTP as a second factor. TOTP is the 6-digit code that rotates every 30 seconds in apps like 1Password, Google Authenticator, Authy, or your password manager.

Setting up TOTP

  1. Settings → Security → Two-factor authentication

    Click Enable TOTP.

  2. Scan the QR code

    Use your authenticator app of choice. The app stores the secret and starts generating codes.

  3. Confirm with the current code

    Enter the 6-digit code from your app to prove the setup worked.

  4. Save your recovery codes

    Dalea shows ten one-time recovery codes. Save them in your password manager now. They're the only way back in if you lose your authenticator.

What changes after enabling TOTP

Every sign-in that uses your password now also asks for the rotating code. Sign-ins via OAuth (Google, GitHub, Microsoft) and passkey are unaffected — those already prove device possession.

Recovery codes

Recovery codes are single-use. Use one to sign in if you've lost your authenticator, then immediately disable and re-enable TOTP to get a fresh set. Treat them like the keys to the lab door — if someone has them they can sign in as you.

Mixing both

Using both a passkey and TOTP is valid and secure but generally unnecessary; passkeys already prove device possession. The mainstream recommendation is:

  • Use passkeys as your primary sign-in.
  • Add TOTP as a second factor only on accounts that still rely on passwords (legacy setups, certain SSO migrations).

Recovery scenarios

  • I lost my laptop

    Sign in from another device using your synced passkey, then delete the lost laptop's passkey from your account.

  • I switched phones

    iCloud Keychain / Google PWM / Microsoft account migrate passkeys automatically. If you didn't use those, re-add a passkey on the new device.

  • I lost my TOTP app

    Use a recovery code, then re-enrol TOTP fresh.

  • I lost everything

    Contact your org admin. They can reset your account if SSO is enabled, or escalate to Dalea support.
