Passkey Authentication
Sarah authenticates using a passkey, a modern, phishing-resistant credential stored securely in her device's hardware. The experience differs slightly between first-time setup and returning visits.
Two Scenarios
First Time: Customer sets up passkey with onboarding details
Returning: Customer simply confirms with biometric authentication
First Time Setup
Set Up Your Verification Account
Enter your details to create a secure passkey
Browser Prompts: Create Passkey
"shepwedd.com wants to create a passkey for sarah.mitchell@example.com"
Returning User
Sign In with Passkey
Verify it's you to access your verification portal
Browser will prompt for Face ID, Touch ID, or Windows Hello
Key Points About Passkeys
Private Key Never Leaves Device
The cryptographic private key is stored in your device's secure hardware (TPM, Secure Enclave). It never travels over the network; only the public key is shared.
Domain-Bound Credentials
The passkey is cryptographically bound to shepwedd.com. Even if a phishing site looks identical, the passkey won't work on fake domains.
Phishing-Resistant
Unlike passwords, passkeys cannot be phished, intercepted, or stolen. The browser and device work together to verify the authentic domain.
Simple User Experience
No passwords to remember or type. Just a quick biometric confirmation (Face ID, Touch ID, or Windows Hello) and you're authenticated.
The Security Architecture
Passkeys use public-key cryptography (WebAuthn standard):
Device creates public/private key pair. Private key stored in hardware security module.
Public key sent to shepwedd.com server. Private key stays in device.
Server sends challenge. Device signs with private key. Server verifies with public key.
Browser enforces that the passkey only works on shepwedd.com, never on phishing sites.