Authentication

This page provides information on how to log in to the Palantir platform. In most cases, your enrollment administrator will integrate your organization's existing identity provider with the Palantir platform so that you can log in with the same credentials you use across other internal systems.

Alternatively, Palantir’s self-service passwordless identity provider is available for new enrollments configured for AIP Now and AIP Bootcamps as of Summer 2024.

Your own identity provider

The Palantir platform can integrate seamlessly with your existing identity provider, allowing full end-to-end access administration and management via your existing system. See administration documentation for detailed instructions on how to configure your identity provider for use with the Palantir platform.

Palantir self-service user directory

In some scenarios, your enrollment may be automatically configured with a built-in identity provider. Palantir's self-service user directory is passwordless, leveraging FIDO2 passkeys to offer unparalleled security and a seamless user experience.

If you signed up for a new enrollment with the Palantir self-service user directory, you will receive an email with the subject "Set up your Palantir account" shortly after signing up. After completing the instructions below to set up your account, you can invite additional users to your enrollment in Control Panel by navigating to Authentication > Palantir self-service user directory. Then, select Manage users.

What are passkeys?

FIDO2 (Fast IDentity Online) passkeys are a modern form of authentication designed to enhance security and convenience. Passkeys are a secure way to sign in to your account without using a password, eliminating the need to remember complex passwords, which can be difficult and frustrating. With a passkey, you can sign in with your fingerprint, face scan, hardware token, or password manager.

How do passkeys work?

A FIDO2 passkey is a physical security key or a platform authenticator, such as a biometric device or a smartphone, that can be used for passwordless authentication. The device generates a unique pair of public and private keys for each service or application. The public key is registered with the service, whereas the private key remains securely stored on the device.

When you use a FIDO2 passkey for authentication, the service will send a challenge to your device. The device will sign the challenge using the private key and send the signed response back to the service. The service then verifies the response using the public key to confirm your identity.

Passkeys provide several benefits:

  • Strong security: Public-key cryptography provides a high level of security, and since the private key never leaves the device, it is less vulnerable to attacks.
  • Passwordless authentication: FIDO2 passkeys eliminate the need for passwords, making authentication more convenient and reducing the risk of phishing and other password-related attacks.
  • Privacy: The unique key pairs generated for each service ensure that your authentication information cannot be used to track your activities across different services.
  • Ease of use: Passkeys provide a simple, user-friendly authentication experience that requires only a single action, such as inserting the security key or using a biometric device such as a fingerprint or face scan.
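
The challenge-response exchange described above, written out as an added example (not Palantir's code): a simplified model of what a WebAuthn assertion signs and what the service checks, including the origin check behind the phishing resistance listed among the benefits. The class and function names and the login.example service are hypothetical; attestation, signature-counter tracking, and CBOR parsing are left out.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
// Device side: one key pair per service; the private key never leaves this object.
class Authenticator {
  constructor() { this.privateKeys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.privateKeys.set(rpId, privateKey);
    return publicKey; // only the public key is registered with the service
  }
  // In a real browser the origin is filled in by the browser, not by the page.
  sign(rpId, origin, challenge) {
    const clientDataJSON = Buffer.from(JSON.stringify(
      { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
    // authenticatorData = SHA-256(rpId) | flags (UP 0x01 + UV 0x04) | 4-byte signCount
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, this.privateKeys.get(rpId)) };
  }
}

// Service side: check what was signed before trusting the signature.
function verifyAssertion(rp, { clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== rp.challenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== rp.origin) return "origin mismatch";
  if (!authData.subarray(0, 32).equals(sha256(rp.rpId))) return "rpId mismatch";
  if ((authData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, rp.publicKey, signature) ? "ok" : "bad signature";
}

function demo() {
  // Constructed values: login.example is a placeholder service, not a real enrollment.
  const device = new Authenticator();
  const rp = { rpId: "login.example", origin: "https://login.example" };
  rp.publicKey = device.register(rp.rpId);
  rp.challenge = crypto.randomBytes(32);
  const good = device.sign(rp.rpId, rp.origin, rp.challenge);
  const tampered = { ...good, authData: Buffer.from(good.authData) };
  tampered.authData[36] ^= 1; // flip one bit of the signed counter
  return {
    valid: verifyAssertion(rp, good),
    replayed: verifyAssertion({ ...rp, challenge: crypto.randomBytes(32) }, good),
    otherOrigin: verifyAssertion(rp, device.sign(rp.rpId, "https://other.example", rp.challenge)),
    tampered: verifyAssertion(rp, tampered),
  };
}
```

Calling demo() returns one verdict per case: the genuine response, a response replayed against a fresh challenge, a response recorded for a different origin, and a response whose signed data was altered.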

Set up and configure passkeys

The following are instructions on how to use Palantir's built-in passwordless authentication.

To proceed, you must have already received an email from Palantir titled "Set up your Palantir account". Then, follow the instructions below:

  1. Select the Sign Up option in the email from Palantir to begin setting up your Palantir account.

    Set up your Palantir account
  2. Enter your email address and temporary password, then select Next.

    Sign-up step
  3. Choose between verifying your account with SMS or phone call.

    Create account step
  4. Verify your phone number with the 6-digit authentication code.

    Verify phone number step
  5. If you were invited to an existing enrollment, agree to the terms and conditions to proceed. Otherwise, skip to step 6.

    Agree to terms step
  6. Select Add passkey.

  7. Select a destination to save your passkey, then follow the on-screen instructions.

    • For hardware tokens, you may need to select Use another device.
      • You will then need to insert your hardware token, enter its PIN and/or touch the fingerprint sensor on the key.
    • For mobile device tokens, you may need to select Use another device and then scan the QR code with your mobile device.
    • To avoid issues, ensure that you are using a supported browser.
    Create passkey dialog
  8. Once your passkey has been successfully added, you will see the following screen:

    Success step

Sign in with a passkey

  1. On the Palantir sign-in page, enter your email address and select Next.
  2. Select the Use passkey option to sign in to your account using your passkey.
  3. Follow the on-screen passkey instructions to unlock your device and select your passkey.

Add additional passkeys

We recommend you add more than one passkey to your account as backup. You may add up to four passkeys per account.

To add an additional passkey to your account, navigate to Settings > Account. Then, find Authentication. You may also directly visit <your-enrollment-URL>/workspace/settings/authentication.

Authentication settings
  • Select the Add a passkey option.
    • You may be asked to re-authenticate before adding an additional passkey.
  • Select a destination to save your passkey, then follow the on-screen instructions.
    • For hardware tokens, you may need to select Use another device. You will then need to insert your hardware token, enter its PIN and/or touch the fingerprint sensor on the key.

Remove a passkey

  • To remove a registered passkey, navigate to Settings > Account. Then, find Authentication or visit <your-enrollment-URL>/workspace/settings/authentication.
  • Use the Actions dropdown menu next to the passkey you would like to remove.
  • Select Delete and Confirm you want to remove the passkey. Once removed, you will no longer be able to use this passkey to sign in.

Reset account

If you cannot access any of your passkeys, contact your enrollment administrator to reset your account. To avoid this scenario, we recommend registering at least two passkeys for peace of mind in case access to one passkey is lost.

Passkey types and best practices

Best practices

We recommend that you maintain at least two different passkeys for your account. For example, you can store one passkey on your phone and one in your Chrome profile. In addition, you should configure more than one Enrollment Administrator to assist with account recovery as a backup.

On Windows computers, we recommend the following approaches to managing passkeys:

On a macOS device, you can create and store passkeys that are synced across your devices using iCloud. On macOS, you can: