Yes. oakallow is a security platform, so passkey-based MFA is required on every account. There is no opt-out.
How it works
- You sign in with a passkey, or with an email one-time code if you have not enrolled a passkey yet
- On your first sign-in you are sent to the Security page and asked to enroll a passkey before anything else is unlocked
- 10 single-use recovery codes are generated automatically the first time you enroll a passkey. Save them somewhere safe.
- From then on, every sign-in uses your passkey (Face ID, Touch ID, Windows Hello, fingerprint, or a hardware security key)
- You can add multiple passkeys for different devices, rename them, or remove them from the Security page any time
Why passkeys and not TOTP codes
- Passkeys are phishing-resistant by design. Each passkey is bound to the oakallow domain, the browser only offers it on that domain, and every sign-in is signed over the exact web origin you are on, so a fake oakallow page cannot use it and cannot capture anything it could replay.
- No six-digit codes to type, lose, or intercept
- The same sign-in flow on iOS, Android, macOS, Windows, and hardware keys, because all of them implement the same WebAuthn standard
- Syncs through your device ecosystem (iCloud Keychain, Google Password Manager, 1Password, etc.) so a lost phone is rarely catastrophic. A passkey stored on a hardware security key does not sync; it lives only on that key, which is one more reason to enroll more than one passkey.
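What "phishing-resistant by design" means at the protocol level, as an added Go example (not oakallow's code): it plays both the authenticator and the relying party for one WebAuthn sign-in and shows which server-side checks reject an assertion produced on a lookalike origin. The domain oakallow.example, the lookalike oakallow-login.example and the challenge value are constructed for the example; the page does not state oakallow's real domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying-party identity for this example; the page does not state oakallow's real domain.
const (
	rpID   = "oakallow.example"
	origin = "https://oakallow.example"
)

// clientData mirrors the CollectedClientData JSON that the browser, not the web page, builds.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON, AuthenticatorData, Signature []byte
}

// newCredential simulates a passkey: a P-256 key pair whose private half never leaves the authenticator.
func newCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// authenticatorData in its minimal form: sha256(rpId) || flags || signCount.
func authenticatorData(signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	buf := append([]byte{}, h[:]...)
	buf = append(buf, 0x05) // UP (0x01) | UV (0x04): user present and verified
	return binary.BigEndian.AppendUint32(buf, signCount)
}

// signedDigest is what the authenticator signs: sha256(authenticatorData || sha256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// sign simulates the authenticator; pageOrigin is what the browser records for the requesting page.
func sign(priv *ecdsa.PrivateKey, challenge []byte, pageOrigin string, signCount uint32) (assertion, error) {
	cdJSON, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    pageOrigin,
	})
	if err != nil {
		return assertion{}, err
	}
	ad := authenticatorData(signCount)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cdJSON))
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientDataJSON: cdJSON, AuthenticatorData: ad, Signature: sig}, nil
}

// verify runs the relying-party checks: ceremony type and the challenge this session issued,
// the exact expected origin, rpIdHash, then the signature over everything the authenticator saw.
func verify(pub *ecdsa.PublicKey, expectedChallenge []byte, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(expectedChallenge) {
		return errors.New("not a fresh authentication assertion for this session")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, origin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticatorData too short")
	}
	if want := sha256.Sum256([]byte(rpID)); string(a.AuthenticatorData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different site")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	priv, _ := newCredential()
	challenge := []byte("constructed-server-challenge-001") // constructed; a real one is random bytes
	good, _ := sign(priv, challenge, origin, 1)
	phish, _ := sign(priv, challenge, "https://oakallow-login.example", 2) // assumed lookalike origin
	fmt.Println("genuine:", verify(&priv.PublicKey, challenge, good), "| lookalike:", verify(&priv.PublicKey, challenge, phish))
}
```

In a real browser the lookalike page never gets this far: the browser refuses to ask the authenticator for a credential whose relying-party ID is not the page's own domain, so the origin and rpIdHash checks here are the server's backstop against anything relayed or replayed, and the challenge check stops a captured assertion from being presented twice.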
A note on cross-platform sync. Passkeys saved to iCloud Keychain stay in iCloud Keychain, and passkeys saved to Google Password Manager stay in Google Password Manager; the two do not sync to each other (a third-party manager such as 1Password can sync across both). If you create a passkey on an iPhone and then try to sign in on an Android phone, sign-in still works through the WebAuthn cross-device flow: the Android browser shows a QR code, you scan it with the iPhone and approve there, and the two devices confirm over Bluetooth that they are physically near each other. For daily convenience we recommend enrolling at least one passkey per device family.
If you lose access to every enrolled passkey, see the "What if I lose my passkey?" question below.