***Availability: Early Access Only***
Please submit a ticket to Beyond Identity Support to enable this feature on your tenant.
Note: Support for Android Firefox Browser coming soon.
Overview
Administrators can enable Self-Remediation in the Secure Work Console to allow users to recover access when a passkey cannot be found or has been deleted.
When this setting is turned on, a Get Started button appears below the authentication error message, allowing users to complete credential extension on their own.
Self-Remediation supports all login methods available in the Secure Work flow, including OIDC, SAML, and WS-Federation, not just Beyond Identity as an identity provider (IdP).
Note: This feature is available only in Beyond Identity Authenticator version 2.108.0 and later.
Enable the Self-Remediation Toggle
- In the Secure Work Console, go to Settings → Advanced Settings.
- Find the relevant notification (for example, Passkey Not Found Notification).
- Click the pencil icon to edit.
- In the Edit Notification dialog, switch on Allow self-remediation (off by default).
- Click Save Changes.
How It Works
When enabled, affected users will see a Get Started button beneath the error message after a failed authentication attempt.
Clicking this button starts the credential extension process, allowing the user to set up a passkey on their current device using an existing passkey on another device.
After setup completes, the user is automatically redirected to retry authentication.
After completing credential extension, the user will see a Log in button. Selecting Log in triggers a new authentication attempt by resending the original authentication request to Beyond Identity.
What to Expect:
- If the user does not complete credential extension, the next authentication attempt will fail again because a valid passkey is still missing.
- Even when a credential has been extended successfully, the second login attempt may still fail. This is expected behavior: authentication protocols often enforce strict security limits such as time windows, request uniqueness, or one-time submission rules.
As a result, even if Beyond Identity authorizes the request, the target application may still reject the login for reasons such as the request timing out or being duplicated.
- If authentication fails after retrying, users can always return to their application and initiate login from there.
The newly extended credential will be valid for future authentication attempts.
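The time-window and one-time-submission checks described above, modeled as an added example; this is not Beyond Identity's code or any application's actual implementation. The RelyingParty class, the 300-second window, the request IDs, and the first_attempt_reached_app switch are constructed assumptions.

```python
import time

class RelyingParty:
    """Hypothetical target application that tracks the auth requests it issued."""

    def __init__(self, window_seconds=300, clock=time.time):
        self.window = window_seconds      # constructed value, not from the page
        self.clock = clock
        self.pending = {}                 # request_id -> time the request was issued
        self.consumed = set()             # request ids that were already answered

    def start_login(self, request_id):
        """Record a freshly issued authentication request."""
        self.pending[request_id] = self.clock()

    def accept_response(self, in_response_to):
        """Return (ok, reason) for an IdP response tied to a request id."""
        if in_response_to in self.consumed:
            return False, "duplicate"     # one-time submission rule
        issued = self.pending.get(in_response_to)
        if issued is None:
            return False, "unknown_request"
        del self.pending[in_response_to]
        if self.clock() - issued > self.window:
            return False, "expired"       # time window exceeded
        self.consumed.add(in_response_to)
        return True, "ok"


def simulate(remediation_seconds, first_attempt_reached_app=False):
    """Replay the self-remediation flow with a fake clock; return both outcomes."""
    now = [1_000.0]
    rp = RelyingParty(clock=lambda: now[0])
    rp.start_login("req-1")               # user starts login at the application
    if first_attempt_reached_app:         # assumption: a response was already submitted
        rp.accept_response("req-1")
    now[0] += remediation_seconds         # user completes credential extension
    retry = rp.accept_response("req-1")   # "Log in" resends the original request
    rp.start_login("req-2")               # user returns to the app and starts over
    fresh = rp.accept_response("req-2")
    return retry, fresh
```

In every case the login started fresh from the application succeeds, which is why returning to the application is the reliable fallback.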
Click here to learn about the self-remediation user experience.