Effective July 30, 2026, Deltek will discontinue its Active Directory service.

While this change may initially feel disruptive, it also creates a meaningful opportunity for government contractors to modernize how users access Deltek Costpoint, streamlining the end-user experience, strengthening security, and simplifying system access. This transition is about more than adapting to a platform update; it’s about building a more efficient and secure foundation for your operations.

To support this shift, Deltek offers two authentication options: Passkey and Single Sign-On (SSO). Understanding how each works and how they can complement one another will help you determine the best approach for your organization.

What Is Passkey?

Instead of typing a password that can be hacked or stolen, Passkey lets you verify your identity using your device. Costpoint authentication is usually done by using a device PIN.  But it can also be done by using:

• A fingerprint scan (Touch ID)
• Face recognition (Face ID or Windows Hello)
• A simple USB security key touch

In Costpoint, Passkey is used for both login authentication and digital document signing.

Why Use Passkey?

Passkey delivers meaningful benefits for your team and your organization:

• No more forgotten passwords. Eliminate the hassle of password resets and account lockouts.
• Stronger security. Passkey credentials cannot be guessed, phished, or stolen in a data breach.
• Faster login. Authenticate in seconds using biometrics or a PIN.
• Works on all your devices. Smartphones, laptops, desktops, tablets, and smartwatches are all supported.
• Cross-device flexibility. Use your smartphone to authenticate when logging in on a PC or laptop.

Passkey vs. Single Sign-On (SSO) – Which Is Right for You?

Many organizations already use SAML-based Single Sign-On (SSO) to manage Costpoint access. Passkey is not a replacement for SSO; it is a complement to it. Here is how to think about your options:

Passkey Only

Best for organizations without an existing IdP, or those looking for a simpler, device-based passwordless solution. This is a particularly good fit for companies whose workforce includes employees or contractors who are not issued company email addresses, as Passkey registration can be completed without one. Authentication happens directly on the user’s registered device, eliminating the need for a central identity system while still maintaining strong security.

SSO / SAML Only

Best for organizations with an existing identity provider (IdP) that want centralized, IT-managed authentication. This option works well when all users have company email addresses, and your organization wants a single system to control and audit access. Login is managed through your IdP, such as Okta, Azure AD, or Google, giving IT full visibility into who is accessing Costpoint and when.

SSO + Passkey Together

Costpoint supports enabling both at the same time. With the Passkey (FIDO) checkbox enabled alongside SAML Single Sign-on, Passkey acts as a backup login method — particularly useful when users need to authenticate on a phone or device where SSO is not available. This is the most flexible option for organizations that want centralized SSO on laptops while still giving users passwordless access on mobile.

Important: When Passkey is used alongside SAML SSO, authentication via Passkey bypasses IdP auditing. Organizations with strict compliance or audit requirements should factor this into their decision.

How to Get Started

• Step 1: Admin enables Passkey. Your system administrator configures Passkey (FIDO) for user accounts in Manage Users, ensures that the Passkey checkbox is checked under Preferences User Can Change, and sends a registration invite to the user.
• Step 2: Register your device. Click the unique link in your invite email, enter the one-time passcode, and follow the prompts to complete registration.
• Step 3: Log in. Enter your username and system on the Costpoint login page, then verify using your registered device.

Note: Passkey is not supported in the Costpoint TE Mobile app. Use the Costpoint Progressive Web App on smartphones instead.

Username-less Login (Kiosk Mode)

For organizations with shared workstations, Passkey supports a fully username-less and passwordless experience. Kiosk mode allows multiple users to check in from a single shared device using their own Passkey credentials.

To enable it, users navigate to the Costpoint login page using a special URL with the ?kiosk=1 parameter (e.g., https://machineA.subdomain.mycompany.com/CPWeb?kiosk=1). Clicking Log In without entering a username or password will prompt for Passkey credentials via USB key or device biometrics. Once verified, the user is logged in.

Frequently Asked Questions

Can I use Passkey alongside my current login method?

Yes. Costpoint allows Passkey to be enabled alongside your existing authentication method, including SAML Single Sign-on. In this configuration, Passkey serves as a backup login option rather than replacing your primary method.

Users are not receiving the Passkey registration link – how to resolve?

• Check Junk or Spam Mail: Ensure that auto-generated emails from Deltek Cloud are not being filtered into your junk or spam folders.
• Approved/Safe Email Addresses: Add the following email addresses to your approved list:
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
• Configure SPAM Filters: Allow inbound email transmissions from the IP address 167.89.11.197, which is owned by Sendgrid.
• If the items above are in place, submit a Deltek support case and ask that your email configuration be reviewed by the Cloud team.

What happens if I lose my device?

Your system administrator can remove your lost device’s Passkey from your Costpoint account in Manage Users. Once removed, that device can no longer be used to authenticate. You can then register a new device using the email invite process.

Can I register more than one device?

Yes. You can register multiple FIDO-compliant devices on your account — for example, both your work laptop and your smartphone — giving you flexibility in how you authenticate.

Does Passkey work for digital document signing as well as login?

Yes. In Costpoint, the same Passkey credential used to log in can also be used to digitally sign configured document types, such as invoices or subcontractor approvals. Your administrator sets up the document types; you simply use your Passkey to sign.

Will Passkey work on my phone’s Costpoint mobile app?

Passkey is not supported in the Costpoint TE Mobile app. If you want to use Passkey authentication on a smartphone, you will need to access Costpoint through the Progressive Web App instead.

Ready to Get Started?

Navigating technical transitions and ensuring compliance can be challenging, but PCI is here to help. With expertise in government contracting and Deltek systems, our team simplifies Passkey implementation and ensures your systems run smoothly. Our software support team handles every stage of Deltek integration, from configuration to rollout, minimizing disruptions so you can focus on your mission. Beyond technical support, PCI’s consulting services optimize your Costpoint environment to meet DCAA, CMMC, and FedRAMP requirements. We provide system reviews, strategic roadmaps, and actionable advice to turn compliance into a competitive advantage.

Experience peace of mind with PCI. Contact us today to learn how we can support your SSO transition and help you build a more secure and efficient operation.

You Might Also Like:

• [Blog] Your Guide to Deltek’s SSO Transition
• [Blog] Promote to Production: Maximizing the Power of Your Costpoint System
• [On-Demand Webinar] Optimizing Revenue and Billing Setups: Best Practices & Setup Options