Passkey Setup (WebAuthn/FIDO2)

Register a FIDO2 passkey for phishing-resistant, hardware-backed approval authentication.

Key Concepts

Passkeys are the strongest authentication method available in SignedApproval. They use the WebAuthn/FIDO2 standard — the same protocol used by Google, Apple, and Microsoft for passwordless login. Unlike passwords or TOTP codes, passkeys cannot be phished, replayed, or intercepted.

When you register a passkey, your device creates a cryptographic key pair. The private key stays on your device (or in your passkey manager), and the public key is stored on SignedApproval's server. When you approve a request, your device proves it holds the private key by signing a challenge — without ever sending the key itself.

Supported authenticators: Hardware security keys (YubiKey, Titan), platform authenticators (Touch ID on Mac, Windows Hello, Face ID on iPhone), and synced passkeys (iCloud Keychain, 1Password, Google Password Manager).

Step-by-Step Guide

1. Navigate to authentication settings

Log in to your dashboard at signedapproval.net/dashboard and go to Settings. Under the Authentication Methods section, click Register Passkey.

2. Name your passkey

Enter a descriptive name for your passkey, such as "MacBook Touch ID" or "YubiKey 5C". This helps you identify which device to use if you register multiple passkeys.

3. Complete the WebAuthn ceremony

Your browser will display a prompt from the operating system or authenticator. Follow the instructions to verify your identity:

  • Touch ID — Place your finger on the sensor.
  • Face ID — Look at your device (iOS Safari).
  • Windows Hello — Scan your face, fingerprint, or enter your PIN.
  • Security key — Insert your key and tap the button when it blinks.
  • Passkey manager — Choose the passkey from the dropdown (iCloud, 1Password, etc.).

4. Verify registration

After successful registration, your passkey appears in the Authentication Methods list with a green checkmark. You can now use it to authenticate approvals.

Using Your Passkey to Approve

When you click Approve on a pending request, SignedApproval sends a WebAuthn challenge to your browser. Your authenticator signs the challenge, proving you possess the private key. This all happens locally — the private key never leaves your device.

The RP ID (Relying Party ID) for passkeys is signedapproval.net in production. Passkeys registered on signedapproval.net will not work on other domains — this is a security feature that prevents phishing.

Multiple Passkeys

You can register multiple passkeys on your account. This is recommended for resilience — if you lose access to one device, you can still approve with another. Common setups:

  • MacBook Touch ID + YubiKey hardware key
  • iCloud synced passkey + hardware backup key
  • Desktop platform authenticator + mobile passkey

Important: WebAuthn challenges are stored in Redis with a 5-minute TTL. If you take longer than 5 minutes to complete the ceremony, the challenge expires and you'll need to start over.
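
The RP ID binding and challenge expiry described above, shown as the checks a relying party runs on an approval assertion before it verifies the signature. This is an added example, not SignedApproval's own code; the `https://signedapproval.net` origin, the function names and the sample data are assumptions.

```python
import base64, hashlib, json, time

RP_ID = "signedapproval.net"           # production RP ID named on this page
ORIGIN = "https://signedapproval.net"  # assumption: the origin served for that RP ID
CHALLENGE_TTL = 300                    # seconds; the 5-minute TTL from this page

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding of the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json, auth_data, challenge, issued_at, now=None):
    """Return None if the assertion is bound to this RP and challenge, else a reason.

    Hypothetical helper: the signature over
    auth_data + SHA-256(client_data_json) is verified after these checks.
    """
    now = time.time() if now is None else now
    if now - issued_at > CHALLENGE_TTL:
        return "challenge expired"
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if client.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if client.get("origin") != ORIGIN:
        return "origin mismatch"
    # authenticatorData: 32-byte rpIdHash, 1 flags byte, 4-byte signature counter
    if len(auth_data) < 37:
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP (user present) flag
        return "user not present"
    return None

def sample_assertion(rp_id=RP_ID, origin=ORIGIN, challenge=b"\x01" * 32):
    """Constructed clientDataJSON and authenticatorData, not captured traffic."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")
    return client, auth
```

An assertion produced for any other domain fails the origin or rpIdHash check, because the browser writes the origin into clientDataJSON and the authenticator hashes the RP ID it was invoked for.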

Tip: If you also register a TOTP authenticator, you can choose which method to use each time you approve. The authentication method is recorded in the signed payload's method field, so verifiers know how the human proved their identity.