Passkeys (Touch ID, Face ID, Windows Hello, Android biometric)

A passkey is a tiny cryptographic key your device safeguards behind a biometric (fingerprint, face) or device PIN. With a passkey, signing a GxP document is a one-tap action — faster than typing your password and far harder for anyone else to misuse.

GxPSign supports passkeys on every modern device:

Platform          What you'll use
iPhone / iPad     Face ID or Touch ID
Mac               Touch ID, or your iCloud-synced iPhone
Windows 10/11     Windows Hello (face or fingerprint) or a hardware security key
Android 7+        Fingerprint or, on Pixel/Samsung, face unlock
Anywhere          YubiKey, Feitian, or any FIDO2 security key

What gets stored where

The biometric itself never leaves your device. GxPSign only stores the matching public key — the private key stays in your device's secure hardware. We can't see or copy your face or fingerprint.


How authentication works in GxPSign

There are two separate moments where GxPSign checks who you are:

flowchart TD
    A([You open GxPSign]) --> B{Tenant SSO enabled?}
    B -->|Yes, SSO enforced| C["Sign in via your IdP<br/>(Okta, Azure AD, ...)"]
    B -->|Yes, optional| D[Choose: SSO or email + password]
    B -->|No| E[Sign in with email + password]
    C --> F([You're in])
    D --> F
    E --> F

    F --> G([You click 'Sign'])
    G --> H{Do you have<br/>a passkey?}
    H -->|Yes| I[Touch ID / Face ID / Hello tap]
    H -->|No, but you have a password| J[Re-enter your password]
    H -->|No, SSO-only user| K[Re-do SSO sign-in via popup]
    I --> L([Signature applied])
    J --> L
    K --> L

    classDef login fill:#ccfbf1,stroke:#0d9488,color:#134e4a
    classDef sign fill:#dbeafe,stroke:#1d4ed8,color:#1e3a8a
    class A,B,C,D,E,F login
    class G,H,I,J,K,L sign

Why we re-authenticate every time

EU Annex 11 § 13.3 requires a fresh re-authentication before every electronic signature — your existing login session is not enough on its own. With a passkey, this means one biometric tap. No password retyping.


Setting up a passkey

Step 1 — Open your passkey page

After signing in to GxPSign, go to Your profile → Passkeys (or visit /app/passkeys/).

Step 2 — Click "Add a passkey"

Your browser will prompt you to use whatever your device supports — Touch ID, Face ID, Windows Hello, or to plug in a security key.

Use a strong biometric

On Android, only Class 3 (strong) biometrics are accepted. Pixel 4+ face unlock and most Samsung Galaxy S/Note flagships qualify. Cheaper Android face unlock falls back to PIN — that still works, but biometric is faster.

Step 3 — Give it a name

Pick something memorable — e.g. Work MacBook, Personal iPhone, YubiKey #1. You can register as many as you want.

Step 4 — Sign with one tap

Next time you sign a document, GxPSign will prompt your device for biometric confirmation. Done in under a second.


Frequently asked questions

Can I register multiple devices?

Yes — and you should. Register at least two (e.g. phone + laptop) so you're not locked out if one is lost.

My iCloud / Google Password Manager syncs passkeys — do those work?

Yes. Passkeys synced via iCloud Keychain (Apple) or Google Password Manager (Android / Chrome desktop) work seamlessly. You enroll once on your Mac and the same passkey is available on your iPhone.

I'm on a borrowed laptop without Touch ID. Can I still sign?

Yes — you can either:

  • Use your phone as a "cross-device" passkey: GxPSign shows a QR code, you scan it with your phone, do the biometric there, and it sends the signature back over Bluetooth. (This is built into Chrome, Edge, and Safari.)
  • Sign in with your password (if your account has one), then re-enter it when signing.

What if I lose my device?

Click Remove on that passkey in your settings to disable it. If you've lost all your devices, contact your organization administrator to reset your account.

Does my organization require a passkey?

If your organization's admin has set WebAuthn required, you'll need to enroll a passkey before you can sign any documents — the password and SSO fallbacks are turned off. The signing page will guide you to the passkey setup if so.

What happens if my browser blocks the biometric prompt?

Make sure your URL bar shows the GxPSign domain (gxpsign.app in production, gxpsign.localhost in dev). Passkeys are bound to the domain — they won't work on a fake lookalike, which is exactly why they're phishing-resistant.


What gets recorded for compliance

Every passkey signing event writes an audit-trail entry containing:

  • Who — your user ID and email
  • When — UTC timestamp at the moment of signing
  • What — the document and field signed, with the signature meaning
  • How — authenticator_method = "webauthn", the credential ID used, the AAGUID (device-model identifier — e.g. "Apple Touch ID"), userVerified = true, and the authenticator's sign counter

Inspectors can ask "show me which device signed this batch release" and the answer is in the audit log.
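An added example, not GxPSign's own code (the page does not show how GxPSign validates assertions), of the three checks behind the "How" fields above and the domain-binding answer in the FAQ: the assertion's rpIdHash must match the GxPSign domain, userVerified must be set, and the sign counter must advance. Field offsets follow the WebAuthn authenticatorData layout; make_auth_data builds constructed sample bytes for the test.

```python
import hashlib
import struct

# Relying-party ID the page says production passkeys are bound to.
RP_ID = "gxpsign.app"

# Flag bits of WebAuthn authenticatorData (byte 32 of the structure).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: biometric or device PIN was checked


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(auth_data[32] & FLAG_UP),
        "user_verified": bool(auth_data[32] & FLAG_UV),
        "sign_count": sign_count,
    }


def check_signing_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int) -> dict:
    """Return the 'How' audit fields if the assertion passes; raise ValueError otherwise."""
    parsed = parse_authenticator_data(auth_data)
    # 1. Domain binding: the authenticator hashed the rpId of the site it was talking to,
    #    so an assertion made on a lookalike domain never matches.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("assertion was made for a different domain")
    # 2. Fresh re-authentication: UV must be set; user presence alone is not enough.
    if not parsed["user_verified"]:
        raise ValueError("userVerified flag not set")
    # 3. Clone detection as the WebAuthn spec describes: if either counter is nonzero,
    #    the new value must be strictly greater. Synced passkeys may report 0 on both sides.
    new_count = parsed["sign_count"]
    if (new_count != 0 or stored_sign_count != 0) and new_count <= stored_sign_count:
        raise ValueError("sign counter did not increase: possible cloned authenticator")
    return {"authenticator_method": "webauthn", "userVerified": True, "signCount": new_count}


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (no attested-credential or extension data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

The AAGUID and credential ID recorded alongside these fields come from registration data and the assertion's credential, not from this 37-byte prefix.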

See GxP Compliance for the regulatory mapping (21 CFR Part 11, EU Annex 11).