Starting with MPChat v1.5.0, your account is protected by a Passkey — a hardware-backed credential stored on your phone — instead of a 6-digit payment password. Passkeys are phishing-resistant, never leave your device, and work with the same Face ID / fingerprint / device PIN you already use. This page explains what a Passkey is, where MPChat uses it, and how to set one up in under a minute.
Passkey at a glance
A Passkey is a cryptographic credential created on your phone's secure hardware (Apple Keychain on iOS, Google Password Manager / OEM equivalent on Android). When you confirm a sensitive action in MPChat, your phone uses Face ID, fingerprint, or your device PIN to unlock the Passkey locally and sign a one-time challenge. Your biometric data and the Passkey itself never leave the device, and there is no password to phish or leak.
If you would rather jump straight to setup, see How to add your first Passkey on MPChat. To understand why v1.5.0 retires the payment password, see Why MPChat v1.5.0 requires a Passkey: what changes for existing users.
Where MPChat uses your Passkey
After v1.5.0, the same Passkey is reused across every sensitive flow. The exact verification combination depends on the operation's risk level:
Account login — sign in with Passkey alone, no SMS / email code required. See Sign in to MPChat with a Passkey.
Withdraw crypto off-platform — Passkey plus one 2FA factor (SMS / email / Google Authenticator). See Verify with Passkey for withdrawals, transfers, red packets and internal transfers.
Internal transfer, friend transfer, red packet, wallet move — Passkey only.
Card actions — apply, view full PAN/CVV, freeze, unfreeze, delete: Passkey only. See Verify with Passkey for card actions.
Reset Passkey — Sumsub face liveness check + KYC + 24-hour withdrawal cool-down. See How to reset your Passkey on MPChat.
Why Passkeys are safer than payment passwords
Hardware-bound — the credential lives in the phone's secure enclave; even MPChat's servers never see it.
Phishing-proof — the Passkey is bound to mp.net; a fake site cannot trigger it.
No password to leak — there is nothing to type, screenshot, or reuse on another site.
One credential, one tap — Face ID / fingerprint instead of remembering a 6-digit PIN.
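For readers who want to see what "bound to mp.net" and "one-time challenge" mean on the server side, the following is an added illustration in Python of the binding checks in a standard WebAuthn assertion; it is not MPChat's code. The expected origin https://mp.net, the function names and the sample data are assumptions, and signature verification is left out.

```python
import base64
import hashlib
import json

RP_ID = "mp.net"                    # domain the page says the Passkey is bound to
EXPECTED_ORIGIN = "https://mp.net"  # assumption: web-style origin for that RP ID

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json: bytes, authenticator_data: bytes,
                  issued_challenge: bytes) -> str:
    """Return "ok" or the reason the assertion must be rejected.

    Covers the binding checks only; verifying the signature over
    authenticator_data || SHA-256(client_data_json) is a separate step.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong ceremony type"
    # One-time challenge: must be exactly the value the server just issued.
    if client.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    # The origin is filled in by the platform, not by the site that asked.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    # Layout: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        return "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return "user not present"
    if not flags & 0x04:  # set after Face ID / fingerprint / device PIN
        return "user not verified"
    return "ok"

def sample(origin: str, rp_id: str, challenge: bytes, flags: int = 0x05):
    """Constructed sample data standing in for what a phone would return."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return cdj, auth

if __name__ == "__main__":
    ch = bytes(range(32))  # constructed challenge
    print(check_binding(*sample("https://mp.net", "mp.net", ch), ch))
    print(check_binding(*sample("https://mp-net.example", "mp-net.example", ch), ch))
```

A response produced for a look-alike domain fails the origin and RP ID hash checks, and a response captured earlier fails the challenge check.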
Device requirements
Passkeys rely on modern OS APIs, so your phone must meet the floor:
iPhone: iOS 16 or later, with the system Passwords app installed (free; iOS 18+ ships with it). If your iPhone does not have it, MPChat shows an in-app banner with a one-tap App Store link.
Android: Android 14 or later. Google Password Manager works out of the box; some Samsung models also support Samsung Pass — both are valid Passkey providers.
If your device does not meet the floor, MPChat still shows the Passkey entry but blocks creation with the message "Your current device system is too old. Please use iOS 16 or Android 14 or later."
For specific error messages and edge cases, jump to Passkey troubleshooting: unsupported device, Passwords app missing, face check failed, account not found.
Will I lose access if I change my phone?
No — and this is the main reason MPChat chose Passkeys over device-locked PINs. Both Apple Keychain and Google Password Manager sync your Passkeys across the same Apple ID / Google account, so a new iPhone or Android phone restored from backup keeps the credential automatically. You can also use a different device temporarily by tapping Use a passkey from another device in the system sheet and scanning a QR code.
What happens to my old payment password?
Once you upgrade to v1.5.0 and add a Passkey, the 6-digit payment password is retired for that account. There is no opt-out and no "reset password" flow any more — if you lose access to your Passkey, you reset it via the Sumsub face liveness check (full reset flow). Older app versions still accept the legacy password until the user updates.
