.avif)
Your technical content is designed for clarity and efficiency, and your internal review process should be no different. However, security checkpoints can often add friction. Hunting for a one-time code in your email inbox or managing yet another password slows down the approval cycle. An eSignature passkey removes these frustrating steps entirely. It allows reviewers to authenticate their sign-off with the same simple action they use to unlock their devices, like a fingerprint or face scan. This creates a faster, more intuitive workflow without sacrificing the rigorous security your audit trail demands, blending convenience with compliance.
Your 3-Step Plan for eSignature Passkeys
The previous article looked at why good workflows matter, why audits are necessary (albeit annoying), and how the eSignature functionality can help remove some audit anxiety. Now we're going to show you how it works, in detail.
How Does an eSignature Passkey Work?
To add this feature to your Heretto instance, talk with your Customer Support Manager and they’ll get it added to your instance. Once the eSignature feature is added to your Heretto instance, login and navigate to the dashboard view. From the sidebar menu, click assignments, then click new and we can create a new assignment that uses the eSignature feature. For demonstration purposes, we’ll use a simple example that requires one signature after reviewing a single document. Since I’m using my own files, I’ve put together cocktail instructions on how to make a Negroni. After clicking new, you’ll see a few steps to follow.
- Assignment Details: Here you’ll be able to write a summary of the assignment, choose a due date, and select whether or not you want to send assignees an email alert of the assignment.
- Workflow: Here’s where the eSignature option comes into play. In the workflow dropdown menu, choose eSignature. After that, you can select users who must electronically sign the document in order for it to be complete.
- Files: It’s tough to assign anything to be electronically signed without choosing the actual file(s). Click add topics and navigate to the file or files you want electronically signed.
Once this form is complete, click create. When the assignment is done being built, it will be sent to the assignment inbox of whoever you assigned it to. In this case, I’ve assigned it to myself, so I’ll navigate to my own inbox to finish the task. When I open the assignment, this is the part where an entire review process would usually take place. Since I’m reviewing and signing, I’ll make sure the document provides the correct cocktail making instructions, click mark completed, then it will lead me to the eSignature form. When the form appears, you can leave any necessary comments in the fillable comment box. More importantly, the system sends an eSignature passcode to the person who just signed off on the document.
This passcode is sent to their email address and is valid for 30 minutes. I’ll navigate to my email inbox and copy the passcode and paste it in the E-signature passcode field. Then click the checkbox that confirms the eSignature. Finally, click sign document and you’re done. This generates a few downloadable documents that are saved in the case of an audit down the road. The most important of which is the E-signature details document which holds the user, signature, timestamp, IP address, comments, and file location of the documents in your Heretto instance. This was a simple example, but assignment workflows can be complexly manipulated to serve the compliance needs of any industry.
Let’s kick the uncertainty of audits and compliance to the curb and start by making your documentation review cycle unquestionably airtight.
What is a Passkey?
While the eSignature passcode in Heretto is a fantastic security layer, the broader tech world is moving toward an even simpler method: passkeys. Think of a passkey as a new, more secure way to sign into apps and websites. Instead of typing a password, you use the same method you use to unlock your device, like your fingerprint, a face scan, or a PIN. It’s a digital key that proves you are who you say you are, without you having to remember complex character combinations. This approach streamlines the login process, making it both faster and more intuitive for users while adding a significant layer of security behind the scenes.
Moving Beyond Passwords and Passcodes
The traditional login process is full of friction. You have to recall a specific password for each site, and if you forget it, you’re stuck in a reset loop. Multi-factor authentication adds another step, requiring you to check your phone for a one-time code. With passkeys, you don't need to type in usernames, passwords, or those temporary codes. The entire authentication process is handled by your device's built-in security. This removes the mental load of password management and eliminates the risk of using weak or reused passwords, which are a primary target for security breaches across the web.
The Role of Public Key Cryptography
So, how can something so simple be more secure? The magic behind passkeys is a proven security method called "public key cryptography." When you create a passkey for a service, your device generates a unique pair of cryptographic keys: a private key and a public key. The private key is stored securely on your device and never leaves it. The public key is sent to the company's server. When you sign in, the server uses the public key to verify a signature created by your private key. Even if a hacker gets the public key from a server, it's useless without the corresponding private key on your device.
Key Advantages of Using Passkeys
Adopting passkeys offers significant benefits that fall into two main categories: a stronger security posture and a much smoother user experience. These advantages address the core weaknesses of password-based systems.
Enhanced Security
Passkeys are inherently more secure than passwords because they are resistant to common online attacks. For example, they are designed to protect against phishing, a technique where attackers trick you into entering your credentials on a fake website. A passkey is bound to the specific website or app it was created for, so it simply won’t work on a fraudulent site. This removes the element of human error that phishing attacks rely on. Since the private key never leaves your device, there's also no password for a hacker to steal from a company's database, neutralizing the threat of large-scale data breaches.
Improved User Experience
From a user's perspective, passkeys are a huge step forward. They offer a quick, one-step login process directly on your device. There’s no need to type anything; a simple fingerprint scan or glance at your camera is all it takes. This creates a seamless and nearly instantaneous authentication flow. Better yet, passkeys are designed to work across different devices and operating systems. After the initial setup, they can even function offline, providing consistent and reliable access without depending on a network connection to receive a one-time code, making the entire process more convenient and efficient.
Types of Passkeys
Not all passkeys are created equal. They generally fall into two categories based on where they are stored and how they can be used: synced passkeys and device-bound passkeys.
Synced Passkeys
Synced passkeys are the most common type and are designed for convenience. These passkeys are stored in a cloud-based service like your Google Password Manager or Apple's iCloud Keychain. This allows them to be securely shared between your different devices, such as your phone, tablet, and laptop, as long as you're signed into the same account. If you get a new phone, your passkeys come with it automatically. This makes for a very user-friendly experience, as you can create a passkey on one device and use it on another without any extra setup.
Device-Bound Passkeys
Device-bound passkeys offer an even higher level of security by being tied to a specific piece of hardware. These passkeys live only on a single physical device, such as a hardware security key like a YubiKey or within a secure, isolated chip on your phone. Because the key cannot be copied or moved from that hardware, it provides superior protection against remote attacks. This type is often preferred in high-security environments where protecting access is critical, as it requires physical possession of the device to authenticate.
Business Benefits of Adopting Passkeys
For businesses, the move to passkeys isn't just about following trends. It offers tangible operational advantages and aligns with the direction the entire digital industry is heading.
Reduced Operational Costs
One of the most direct financial benefits for companies is the reduction in operational expenses. For instance, businesses no longer need to pay for sending text messages to deliver one-time security codes, which can add up to a significant cost at scale. Furthermore, a large percentage of customer support tickets are related to forgotten passwords and account lockouts. By eliminating passwords, businesses can drastically reduce the volume of these support requests, freeing up resources and lowering overhead costs associated with help desk operations.
Wide Industry Adoption
Passkeys are not a niche or experimental technology; they have strong backing from the biggest names in the industry. Major companies like Apple, Google, and Microsoft are actively using and promoting passkeys across their ecosystems. This wide adoption signals that passkeys are becoming the new standard for secure authentication. For businesses, aligning with this standard ensures interoperability and demonstrates a commitment to modern security practices, which can build trust and confidence among customers who are increasingly aware of digital security risks.
Risks and Considerations
While passkeys offer a major leap forward in security and convenience, no technology is without its trade-offs. It's important to understand the primary consideration, which centers on the security of the device itself.
Managing Device Security and Access
The entire security model of a passkey rests on the security of the device it's stored on. If your phone is stolen and it's protected by a weak, easily guessable PIN like "1234," an attacker who gains access to your unlocked device could potentially access your accounts. This shifts the security responsibility from a password you know to a device you have. Therefore, it's crucial to use strong device-level protection, such as a complex PIN or, preferably, biometric authentication like a fingerprint or face scan, to ensure your passkeys remain secure even if the physical device is compromised.
Frequently Asked Questions
What’s the difference between the eSignature passcode and a passkey? Think of them as two different tools for security. The eSignature feature in Heretto uses a time-sensitive passcode sent to your email to verify your identity for a specific sign-off. This is perfect for creating a clear audit trail. A passkey is a broader, newer technology that lets you sign into apps and websites using your device's built-in security, like your fingerprint or face scan, completely replacing the need for passwords or temporary codes.
Is the eSignature process in Heretto secure enough for our compliance audits? Yes, it was designed with compliance in mind. When a document is signed using the eSignature feature, the system generates a detailed report for your audit trail. This document captures the user who signed, a precise timestamp, their IP address, any comments they made, and the file's location in your Heretto instance, creating a solid and verifiable record.
Why should my team care about passkeys if the feature uses a passcode? While our eSignature feature provides excellent security with a passcode, understanding passkeys is about looking ahead. The entire tech industry is adopting passkeys as the new standard for secure and convenient authentication. Knowing how this technology works helps your team stay informed about modern security practices and prepare for a passwordless future.
What happens if I lose the device that stores my passkeys? This is a great question, as your device's security is central to the passkey model. If you use synced passkeys, which are stored in your Apple or Google account, you can typically recover them by signing into your account on a new device. The most important step is to always protect your physical devices with strong security measures, like a complex PIN or biometric authentication, to prevent unauthorized access.
How can I get the eSignature feature turned on for my team? Getting started is simple. All you need to do is reach out to your Customer Support Manager. They will be able to add the eSignature functionality to your Heretto instance, allowing you to immediately start building it into your review and approval workflows.
Key Takeaways
- Simplify your review process with passkeys: Replace cumbersome passwords and one-time codes in your eSignature workflow with the same simple biometrics or PIN you use to unlock your device, creating a faster approval cycle without sacrificing security.
- Protect your content with superior security: Passkeys are inherently safer than passwords because they are resistant to common threats like phishing. Since your private key never leaves your device, the risk of a server-side data breach exposing your credentials is eliminated.
- Understand that your device is the new key: The security of a passkey depends entirely on the security of the device it lives on. Make sure you use a strong PIN or biometric lock, because protecting your device is now the most critical step in protecting your accounts.
