Step 2 of 7

Authenticate with Passkey

Customer proves their identity using device-bound cryptographic authentication

Authentication Flow

Sign in to Shepherd+Wedderburn

Use your passkey to continue

Welcome Back, Sarah Mitchell

Matter: Property Purchase - 45 Oak Avenue
Reference: REF-9F2A-47B1

  • Face ID (iOS/macOS)
  • Touch ID (iOS/macOS)
  • Windows Hello (Windows PC)
  • Device PIN (Any platform)

First-Time vs. Returning Customer

First-Time Customer (One-Time Onboarding)

If Sarah is visiting the portal for the first time, she'll complete a quick onboarding:

  • Enter her matter reference (REF-9F2A-47B1) and surname
  • Or enter a one-time registration code provided by the firm
  • Browser prompts to create a passkey for shepwedd.com
  • She confirms using Face ID, Touch ID, or Windows Hello
  • Her device becomes her identity credential

Returning Customer (Instant Access)

If Sarah has already onboarded, authentication is seamless:

  • Portal recognizes her device
  • Shows "Welcome Back, Sarah Mitchell"
  • She clicks "Sign in with Passkey"
  • Browser prompts for biometric confirmation
  • Authenticated in seconds—no passwords, no codes

🛡️ Why Passkeys Are Unphishable

Domain-bound authentication: Passkeys are cryptographically tied to the firm's domain (shepwedd.com). They will never work on a phishing site, even if the URL looks identical. An attacker cannot steal, intercept, or replay passkey authentication—making it impossible to impersonate the customer.

Passkeys vs. Traditional Authentication

❌ Traditional Authentication

  • Passwords can be phished
  • Email codes can be intercepted
  • SMS can be SIM-swapped
  • Security questions are guessable
  • Shared secrets can be stolen
  • Works on fake sites

✓ Passkey Authentication

  • No passwords to phish
  • No codes to intercept
  • Device-bound credentials
  • Biometric verification
  • Cryptographically signed
  • Only works on correct domain

Technical Security

What Happens Behind the Scenes

When Sarah authenticates with her passkey:

  • Her device generates a cryptographic signature using the private key
  • The signature is sent to the portal's server
  • The server verifies the signature using Sarah's registered public key
  • Authentication succeeds only if the signature is valid and comes from the correct device
  • A session is established with Sarah's verified identity
  • All subsequent actions are tied to this authenticated session
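
The server-side checks behind the steps above, as an added Node.js example (not the portal's own code). It goes beyond the list by also checking the challenge, origin, RP ID hash, user-verification flags and signature counter. The origin https://shepwedd.com, the lookalike host, the helper names and the simulated authenticator are assumptions made so the example runs offline.

```javascript
// Added example: relying-party checks on a WebAuthn assertion (ES256 only).
const crypto = require("node:crypto");
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// Constructed stand-in for the browser + authenticator (hypothetical helper).
function makeAssertion(privateKey, origin, rpId, challenge, signCount) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  // authenticatorData = SHA-256(rpId) || flags (UP=0x01 | UV=0x04) || signCount
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), counter]);
  const signature = crypto.sign("sha256",
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: every check must pass before a session is created.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expected.challenge.toString("base64url")) return "challenge-mismatch";
  if (client.origin !== expected.origin) return "origin-mismatch";
  if (a.authenticatorData.length < 37) return "short-authenticator-data";
  if (!crypto.timingSafeEqual(a.authenticatorData.subarray(0, 32), sha256(expected.rpId)))
    return "rp-id-mismatch";
  const flags = a.authenticatorData[32];
  if ((flags & 0x01) === 0) return "user-not-present";
  if ((flags & 0x04) === 0) return "user-not-verified";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!crypto.verify("sha256", signed, expected.publicKey, a.signature)) return "bad-signature";
  const count = a.authenticatorData.readUInt32BE(33);
  if (expected.lastSignCount > 0 && count <= expected.lastSignCount) return "counter-regression";
  return "ok";
}

// Constructed values: origin and rpId are assumed from the page's domain.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32);
  const expected = { challenge, origin: "https://shepwedd.com", rpId: "shepwedd.com",
                     publicKey, lastSignCount: 4 };
  const other = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" }).privateKey;
  return {
    genuine: verifyAssertion(makeAssertion(privateKey, expected.origin, expected.rpId, challenge, 5), expected),
    lookalike: verifyAssertion(makeAssertion(privateKey, "https://shepwedd.example", "shepwedd.com", challenge, 5), expected),
    staleChallenge: verifyAssertion(makeAssertion(privateKey, expected.origin, expected.rpId, crypto.randomBytes(32), 5), expected),
    wrongKey: verifyAssertion(makeAssertion(other, expected.origin, expected.rpId, challenge, 5), expected),
  };
}
```

The challenge must be generated per sign-in attempt and discarded after one use; that is what stops a captured assertion from being accepted a second time.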

What Happens Next?

Ready to Submit Instruction

Now that Sarah is authenticated, she can select what type of instruction she needs to submit—whether it's bank account details, document approval, authority to proceed, or any other sensitive communication with her legal team.