feat(acc): webauth

pages/account/concepts.mdx

@@ -38,14 +38,22 @@ A **M**edia **A**ccess **C**ontrol Address is a unique ID assigned to network in
 
 ## Multifactor Authentication (MFA)
 
-Multifactor authentication (MFA) is any form of verification that requires two factors to authenticate to a device you wish to connect to. Scaleway supports MFA for Cloud accounts in the form of a security code that you use in addition to your [password](#password) when you log in. You can receive the code via SMS or an authenticator app on your smartphone. Enabling MFA adds an additional layer of security against unauthorized access to your account.
+Multifactor authentication provides extra layers of security. In addition to the first factor (password, authentication code or SSO, for example), other factors (such as one-time passwords and passkeys) are required to access your account.
 
-Refer to the [How to use MFA](/account/how-to/use-2fa) documentation page for more information.
+You can enable Multifactor Authentication (MFA) on your Scaleway account for enhanced security. Even in the event of a leaked password, your account is protected.
+
+Two MFA methods are available:
+    - **One-time password (TOTP)** - method through which you access your account using a unique, time-based validation code generated by an app.
+    - **Passkey** - a secure authentication method based on public-key cryptography that replaces traditional passwords. Instead of entering a password, you prove your identity using something you have (like your device) and something you know or are (like a PIN or biometric verification).
 
 ## Password
 
 A password is a string of characters associated with your account's email address that allows you to access the [Scaleway console](https://console.scaleway.com/). It is personal and must not be shared with anyone. Alternatively, you can use an [authentication code](#authentication-code) to authenticate yourself.
 
+## Password Manager
+
+A password manager is a secure tool that stores and manages your login credentials—like usernames, passwords, and passkeys—in an encrypted vault. You only need to remember one master password to access the vault, and the manager can automatically fill in your login details for websites and apps.
+
 ## Single Sign-on (SSO)
 
 Single Sign-On (SSO) allows you to use your Google, Microsoft, or Github account to log in to the console. To do so, make sure the email address associated with your Scaleway account matches the email address of your Google, Microsoft, or Github account.

pages/account/how-to/change-ownership-organization.mdx

@@ -42,7 +42,7 @@ The process of changing the Owner of an Organization varies, depending on whethe
   The Owner account is now registered under the newly entered email address.
 
 ### Ownership transition
-Ensure you communicate the current password to the new Owner and [disable MFA](/account/how-to/use-2fa/#how-to-disable-mfa), if enabled. This lets them easily access the Owner account, and they can re-enable multifactor authentication on their personal device later on.
+Ensure you communicate the current password to the new Owner and [disable MFA](/account/how-to/use-2fa/), if enabled. This lets them easily access the Owner account, and they can re-enable multifactor authentication on their personal device later on.
 
 If the old Owner must still have access to the Organization, you can [create a Member account](/iam/how-to/manage-members/#how-to-create-a-member) using their email address.
 Then, using permission sets, you can grant them rights to view, edit, and manage resources within the Organization. [Learn more about permission sets](/iam/reference-content/permission-sets/#scoped-by-project)

pages/account/how-to/log-in-to-the-console.mdx

@@ -109,12 +109,27 @@ If you were added to a Scaleway Organization as an [IAM Member](/iam/concepts#me
 
 If [Multifactor Authentication (MFA)](/account/how-to/use-2fa) is enabled on your account, MFA authentication will be an additional step for all methods of log in described on this page.
 
-If the login information provided in any of the previous methods is valid, you will be redirected the Multifactor Authentication screen.
-
-1. Enter a valid two-factor token or backup key.
-    <Message type="note">
-      This is the token provided in your MFA app.
-    </Message>
-2. Click **Log in**.
+You can authenticate using either a:
+    - **One-time password (TOTP)** - method through which you access your account using a unique, time-based validation code generated by an app, or
+    - **Passkey** - secure authentication method that eliminates the need to create, manage, or remember passwords.
+
+If the login information provided in any of the previous methods is valid, you will be redirected the Multifactor Authentication screen. If both MFA methods are enabled in your account, you will see the **passkey** screen by default.
+
+<Tabs id="mfa-login">
+  <TabsTab label="Log in with a passkey">
+  1. Click **Use passkey**. Your password manager pops-up.
+  2. Follow the steps in your password manager.
+
+  If the passkey is valid, you are redirected to the Organization dashboard.
+  </TabsTab>
+  <TabsTab label="Log in with TOTP">
+  1. Click **Switch to authenticator app**.
+  2. Enter a valid TOTP token or backup key.
+      <Message type="note">
+        This is the token provided in your TOTP app.
+      </Message>
+  2. Click **Log in**.
 
-If the code is correct, you are redirected to the Organization dashboard.
+  If the code is correct, you are redirected to the Organization dashboard.
+  </TabsTab>
+</Tabs>

pages/account/how-to/use-2fa.mdx

@@ -3,98 +3,117 @@ title: How to use Multifactor Authentication (MFA)
 description: Enable and use Two-Factor Authentication (2FA) in Scaleway.
 tags: authentication 2FA two-factor two multifactor security google authenticator authenticator
 dates:
-  validation: 2025-09-03
+  validation: 2025-10-01
   posted: 2022-01-14
 ---
 import Requirements from '@macros/iam/requirements.mdx'
 
+Multifactor authentication provides extra layers of security. In addition to your password (the first factor), other factors (such as TOTP and passkeys) are required to access your account.
 
-You can enable multifactor authentication on your Scaleway account for heightened security. Once enabled, an additional security code generated by your phone is required to access your account.
+You can enable Multifactor Authentication (MFA) on your Scaleway account for enhanced security. Even in the event of a leaked password, your account is protected.
 
-Multifactor authentication provides extra layers of security. In addition to your password (the first factor), other factors (such as an MFA app) are required to access your account. Even in the event of a leaked password, your account is protected.
+Two MFA methods are available:
+    - **One-time password (TOTP)** - method through which you access your account using a unique, time-based validation code generated by an app.
+    - **Passkey** - secure authentication method that eliminates the need to create, manage, or remember passwords.
+
+<Message type="important">
+  If you are an account Owner, you can set up the two different MFA methods at the same time. We recommend you have at least one of the two MFA methods set up at a time, to keep your account safe.
+</Message>
 
 <Requirements />
 
 - A Scaleway account logged into the [console](https://console.scaleway.com)
 
-## How to download an MFA app
+## How to enable TOTP
 
-To use [multifactor authentication](/account/concepts/#multifactor-authentication-mfa) on your account, you first need to download an MFA app onto your smartphone. Once configured, MFA apps display a constantly rotating set of codes to use with your different accounts when you are prompted for one during login. Popular MFA apps include:
+To use TOTP on your account, you first need to download an authenticator tool. Once configured, TOTP apps display a constantly rotating set of codes to use with your different accounts when you are prompted for one during login. Popular TOTP apps include:
 - [Authy](https://authy.com/download/)
 - [FreeOTP](https://freeotp.github.io/)
 - [Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en&gl=US)
 
-Download the app of your choice and install it onto your smartphone.
-
-## How to enable MFA
-
-1. Go to your [Account Security](https://console.scaleway.com/settings/account/security) page.
+1. Download the app of your choice and install it onto your smartphone.
+2. Go to your [Account Security](https://console.scaleway.com/settings/account/security) page.
     <Message type="important">
-      If you are logged in as an [IAM Member](/iam/concepts/#member), click **Credentials** in your user overview page and scroll down to the **Multifactor authentication** section.
+      If you are logged in as an [IAM Member](/iam/concepts/#member), click **Credentials** in your user overview page.
     </Message>
-2. Click **Enable MFA**, in the **Multifactor authentication** section. A pop-up displays.
+3. Click **Set up TOTP**, in the **Multifactor authentication** section. A pop-up displays.
 3. Enter the code shown on the pop-up into your MFA app, or scan the QR code into your app.
   Your app sets up MFA for your Scaleway account and displays a 6-digit code.
-4. Enter the 6-digit authentication code given by your app into the pop-up box, then click **Submit**. A pop-up displays.
-5. Download or copy the backup codes shown, and save them in a safe place. These codes will be the only way to regain access to your account without your MFA app.
+4. Enter the 6-digit authentication code given by your app into the box, then click **Submit**.
+5. Download or copy the backup codes shown, and store them in a safe place. These codes will be the only way to regain access to your account without your TOTP app.
 
-MFA is now enabled on your account.
+TOTP MFA is now enabled on your account.
 
-Next time you log in to your Scaleway account, you will be prompted for an MFA code. Use your MFA app to get the code and enter it in the Scaleway console.
+Next time you log in to your Scaleway account, you will be prompted for a TOTP code. Use your TOTP app to get the code and enter it in the Scaleway console.
 
-## How to update MFA
+### How to update TOTP
 
-If you no longer have access to the device in which you set up your MFA, you can update your MFA information and set it up via the Scaleway console.
+If you no longer have access to the device in which you set up your TOTP, you can update your TOTP information and set it up via the Scaleway console.
 
 <Requirements />
 
-- A Scaleway account logged into the [console](https://console.scaleway.com)
 - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
-- [Enabled MFA](#how-to-enable-mfa) on your account
+- [Enabled TOTP](#how-to-enable-totp) on your account
 
 <Message type="important">
   If you have lost access to your account and are not able to log in, follow the [Cannot log into my account](/account/troubleshooting/cannot-log-into-my-account/) troubleshooting procedure.
 </Message>
 
 1. Go to your [Account Security](https://console.scaleway.com/settings/account/security) page.
-2. Click **Update MFA**, in the **Multifactor authentication** section. A pop-up displays.
+2. Click **Update TOTP**, in the **Multifactor authentication** section. A pop-up displays.
 3. Enter the code shown on the pop-up into your MFA app, or scan the QR code into your app.
-  Your app sets up MFA for your Scaleway account and displays a 6-digit code.
-4. Enter the 6-digit code given by your app into the pop-up box, and click **Submit**. A pop-up displays.
-5. Download or copy the backup codes shown, and save them in a safe place. These codes will be the only way to regain access to your account without your MFA app.
+  Your app sets up TOTP for your Scaleway account and displays a 6-digit code.
+4. Enter the 6-digit code given by your app into the pop-up box, and click **Submit**.
+5. Download or copy the backup codes shown, and store them in a safe place. These codes will be the only way to regain access to your account without your TOTP app.
+
+### How to delete TOTP
+
+1. Go to your [Account Security](https://console.scaleway.com/settings/account/security) page.
+2. Click **Delete TOTP**, in the **Multifactor authentication** section. A pop-up displays.
+3. Type **DELETE** in the box to confirm, then click **Delete TOTP**.
 
-## How to disable MFA
+TOTP is now disabled on your account.
 
 <Message type="important">
-  If you disable MFA as a Member of an Organization that has MFA enforced, you will need to re-enable it before the Organization's [grace period](/iam/how-to/comply-with-sec-requirements-member/#grace-period) ends, otherwise your Member account will be locked.
+  If you delete TOTP as a Member of an Organization that has MFA enforced, you will need to re-enable it before the Organization's [grace period](/iam/how-to/comply-with-sec-requirements-member/#grace-period) ends, otherwise your Member account will be locked.
 </Message>
 
-1. Go to your [Account Security](https://console.scaleway.com/settings/account/security) page.
-2. Click **Disable MFA**, in the **Multifactor authentication** section. A pop-up displays.
-3. Type **DISABLE** in the box to confirm, then click **Disable**.
+## How to enable passkeys
+
+A passkey is a passwordless authentication method that allows you to securely log in to apps and websites through public-key cryptography. Passkeys at Scaleway are supported by the WebAuthn standard.
 
-MFA is now disabled on your account.
+When you enable a passkey, your authenticator tool generates a public/private key pair. The private key stays securely on your device while the public key is sent to Scaleway.
 
-## How to regain access to your account
+When you log in, the Scaleway sends a challenge to your device. Your device uses the private key to sign the challenge. Scaleway verifies the response using the public key.
 
-### If you lose your MFA device
+<Message type="important">
+  This MFA method is currently not available for IAM Members.
+</Message>
 
-If you lose your authentication device, you can regain access to your account using the backup codes that were generated when you enabled MFA.
+<Requirements />
 
-When you log into your account, you are prompted for an MFA code.
+- [Owner](/iam/concepts/#owner) status
+- Set up a [password manager](/iam/concepts/#password-manager) on your device
 
-Enter one of your **backup codes** instead of a code generated by your MFA device in real-time, then click **Log in**. You are logged into your account and can [disable MFA](#how-to-disable-mfa) if you wish.
+1. Go to your [Account Security](https://console.scaleway.com/settings/account/security) page.
+2. Click **+ Add passkey**, in the **Multifactor authentication** section. A pop-up displays.
+3. Enter the passkey name you configured in your password manager.
+4. Click **Start**. Your password manager will be called and a pop-up might appear in your browser.
+5. Follow your password manager's instructions to confirm and finish setting up the passkey.
+    If the process was successful, you will see a pop-up affirming that the **passkey was added**.
+6. Click **Close**.
 
-### If you lose your MFA device and backup codes
+You see a list of your passkeys.
 
-If you lose both your MFA app and backup codes, the only way to regain access to your account is through a manual identity verification.
+### How to delete a passkey
 
-To do so, make a request to our Trust and Safety team. You must make your request from the e-mail address registered on your account. In your email, provide the following information:
+1. Go to your [Account Security](https://console.scaleway.com/settings/account/security) page.
+2. Click <Icon name="delete" />, next to the passkey you want to delete in the **Multifactor authentication** section. A pop-up displays.
+3. Type **DELETE** in the box to confirm, then click **Delete passkey**.
 
-- The telephone number registered on your account
-- If you have an individual account, your passport or local ID card
-- If you have a corporate account, the certificate of incorporation and a copy of the last Scaleway invoice you received
+TOTP is now disabled on your account.
 
-Submit the complete set of required documents via email to `[email protected]`.
+<Message type="important">
+  Keep in mind that the passkey will be deleted from your Scaleway account only. You may need to manually delete it from your authenticator service account.
+</Message>
 
-After analyzing your documents, our team will deactivate your two-factor authentication (2FA).

pages/account/reference-content/protecting-yourself-fraud-phishing.mdx

@@ -31,7 +31,7 @@ Phishing is a method where attackers trick you into providing personal informati
 
 ### Multifactor authentication (MFA)
 
-Enable [Multifactor authentication (MFA) on your Scaleway account](/account/how-to/use-2fa/#how-to-update-mfa) to add an extra layer of security. MFA requires a second form of verification beyond just a password.
+Enable [Multifactor authentication (MFA) on your Scaleway account](/account/how-to/use-2fa/) to add an extra layer of security. MFA requires a second form of verification beyond just a password.
 
 ### Strong password practices