Step 3 of 5

Agent Authenticates

Passkey authentication proves the agent is authorized to verify instructions

Passkey Authentication

shepwedd.com is requesting authentication

Confirm your identity to verify customer instruction


Touch ID / Face ID / Windows Hello

Agent: David Thompson
Reference: CREF-73D9-221B
Action: Verify Customer Instruction
🔐 Secure Authentication

Why Authentication is Required

Prevents Unauthorized Access

Before querying the backend for sensitive customer instructions, the add-in requires the agent to authenticate with their passkey. This ensures:

  • The agent, not just Outlook, is performing the verification: a stolen mailbox session or token is not enough on its own, because each lookup needs a fresh passkey signature
  • Malware running on the agent's device cannot produce that signature by itself; the key only signs after the agent completes user verification
  • Compromised mailboxes cannot access customer data
  • Every verification attempt is tied to a specific authenticated agent, giving a complete audit trail of who verified what and when

Protection Against Attack Scenarios

🦠 Malware on Device

Even if malware is running on David's computer, it cannot produce a valid signature on its own: the private key sits in the authenticator (TPM or Secure Enclave) and only signs after David confirms with his biometric or device PIN. What device-resident malware can still do is act inside a session David has already opened, which is why the add-in asks for a fresh passkey assertion for each verification rather than relying on a long-lived session.

📧 Compromised Mailbox

An attacker who gains access to David's email cannot query customer instructions: the passkey's private key never travels with the mailbox credentials, and every use requires user verification (biometric or device PIN) on an authenticator David has enrolled.

🎣 Phishing/Spoofing

A passkey is scoped to the relying party it was registered for (shepwedd.com). A lookalike site on another origin cannot use it: the browser only offers credentials whose relying-party ID matches the site, and the signed client data carries the real origin, so the backend rejects any assertion that was not made on shepwedd.com, even if the fake site manages to show an authentication prompt.

🔓 Stolen Credentials

No passwords exist to steal. The private key is held by the authenticator (TPM or Secure Enclave for a device-bound passkey) and is not exportable; only signatures ever leave the device, and each one is valid for a single challenge.

Authentication Details

What Happens During Authentication

  • Backend issues a fresh, random, single-use challenge for this verification request
  • Browser prompts for biometric confirmation (Face ID/Touch ID/Windows Hello)
  • Device signs the challenge, the relying-party ID hash, and the user-verification flag with the agent's private key
  • Signature is sent to backend along with verification request
  • Backend verifies signature using agent's registered public key and checks that the challenge, origin, and relying-party ID match the request it issued
  • If valid, backend processes query for customer instruction
  • Entire transaction logged with agent ID, timestamp, and reference code

What Happens Next?

Backend Query

Now that David is authenticated, the add-in queries the backend with the customer reference CREF-73D9-221B. The backend will check: Does this reference exist? Who submitted it? When? What type of instruction? What payload? Is it still valid?