Link Outlook Add-in
Agent connects Outlook to passkey identity for verified email operations
📧 Opening Outlook Add-in
🔐 Authentication Flow
Add-in Opens Web View
Clicking "Sign in with Passkey" opens a web view (or external browser) to portal.shepwedd.undoubt.com. This is where passkey authentication happens.
Agent Authenticates with Passkey
Emma uses her passkey (created in Step A2) to authenticate. The browser prompts for Face ID/Touch ID/Windows Hello.
Backend Issues Device Token
After successful passkey auth, the backend issues a short-lived device token specific to this Outlook installation.
Add-in Stores Token Securely
The add-in stores the token in Office encrypted storage or a local secure store. The token is associated with the agent ID, firm tenant, and device ID.
🔑 Passkey Authentication
portal.shepwedd.undoubt.com
Authenticate to link Outlook add-in
Touch ID / Face ID / Windows Hello
Agent: Emma Thompson
Firm: Shepherd & Wedderburn LLP
🎫 Device Token Issued
✓ AUTHENTICATION SUCCESSFUL
Device token issued for Outlook add-in:
DEV-TOKEN-SW-ET-4B7C-9A21
Expires: 30 days | Renewable with passkey re-auth
What Gets Stored?
📱 Device Token
Short-lived token (30 days) that proves this Outlook installation is linked to Emma's agent account. Stored encrypted in Office storage.
👤 Agent Identity
Agent account ID (AGENT-SW-ET-7A29), firm tenant ID (FIRM-SW-A8F2-4D91), permissions profile.
🖥️ Device Fingerprint
Device ID/profile for logging and the audit trail. Helps detect if the token is used from an unexpected device.
🔐 No Private Keys
Add-in does NOT store passkey private keys. Those remain in device hardware. Only the device token is stored.
How Add-in Uses Device Token
Every Add-in Operation
When Emma clicks "Add Verification Reference" in Outlook, the add-in:
- Calls backend API with the device token
- Backend verifies token validity and expiration
- Backend checks agent identity (Emma) and permissions
- Backend validates firm tenant (Shepherd & Wedderburn)
- If valid, backend processes the verification request
- If token expired, add-in prompts Emma to re-authenticate with passkey
Token Lifecycle
Expiration & Renewal
- Initial Issue: 30-day validity when first linked
- Automatic Renewal: Add-in can renew token silently before expiration
- Re-authentication: If expired, add-in prompts for passkey auth again
- Revocation: Org admin can immediately invalidate token (e.g., agent leaves firm)
- Device Change: New device requires new passkey authentication
- Audit Trail: All token issuance/renewal/revocation logged
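The per-call checks and token lifecycle described above, sketched as backend logic in JavaScript. This is an added example, not Undoubt's code: the record fields, reason codes, in-memory store, device IDs and operation names are assumptions, and denying a call on device mismatch is one reading of the device-fingerprint note.

```javascript
// Added example: server-side check for one add-in call. Field names, reason
// codes and the in-memory store are assumptions, not Undoubt's API.
const DAY_MS = 24 * 60 * 60 * 1000;
const TOKEN_TTL_MS = 30 * DAY_MS; // 30-day validity stated on the page
// Link step: record what the token is bound to (agent, tenant, device).
function issueToken(store, token, agentId, tenantId, deviceId, permissions, now) {
  store.set(token, { agentId, tenantId, deviceId, permissions,
                     expiresAt: now + TOKEN_TTL_MS, revoked: false });
}

// Org admin revocation: takes effect on the very next call.
function revokeToken(store, token) {
  const rec = store.get(token);
  if (rec) rec.revoked = true;
}

// Runs the checks in order and appends every outcome to auditLog.
function authorizeCall(store, auditLog, req, now) {
  const rec = store.get(req.token);
  let reason = "ok";
  if (!rec) reason = "unknown_token";
  else if (rec.revoked) reason = "revoked";
  else if (now >= rec.expiresAt) reason = "expired_reauth_required";
  else if (rec.tenantId !== req.tenantId) reason = "tenant_mismatch";
  else if (rec.deviceId !== req.deviceId) reason = "unexpected_device";
  else if (!rec.permissions.includes(req.operation)) reason = "not_permitted";
  auditLog.push({ at: now, agentId: rec ? rec.agentId : null,
                  operation: req.operation, deviceId: req.deviceId, reason });
  return { allowed: reason === "ok", reason };
}

// Constructed scenario using the identifiers shown on the page.
function runDemo() {
  const store = new Map(), log = [], t0 = 0;
  const token = "DEV-TOKEN-SW-ET-4B7C-9A21";
  issueToken(store, token, "AGENT-SW-ET-7A29", "FIRM-SW-A8F2-4D91",
             "DEVICE-EXAMPLE-01", ["add_verification_reference"], t0);
  const base = { token, tenantId: "FIRM-SW-A8F2-4D91",
                 deviceId: "DEVICE-EXAMPLE-01", operation: "add_verification_reference" };
  const out = [
    authorizeCall(store, log, base, t0 + DAY_MS),
    authorizeCall(store, log, { ...base, deviceId: "DEVICE-EXAMPLE-99" }, t0 + DAY_MS),
    authorizeCall(store, log, { ...base, operation: "manage_firm_users" }, t0 + DAY_MS),
    authorizeCall(store, log, base, t0 + TOKEN_TTL_MS), // exactly at expiry
  ];
  revokeToken(store, token);
  out.push(authorizeCall(store, log, base, t0 + 2 * DAY_MS));
  return { reasons: out.map((r) => r.reason), auditEntries: log.length };
}
```

Revocation is checked before expiry so a revoked token never yields a re-authentication prompt, and denied calls are logged as well as allowed ones.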
✅ Setup Complete!
🎉 Outlook Add-in Linked
Emma can now use Undoubt verification features in Outlook
What Emma Can Do Now
- Compose emails and click "Add Verification Reference"
- Backend generates secure reference (REF-XXXX-XXXX) linked to her agent ID
- Receive client emails and click "Verify Customer Instruction"
- Backend checks customer references (CREF-XXXX-XXXX) and returns verdicts
- All operations logged with her agent identity for audit trail
- Permissions enforced: She can issue bank details (enabled by org admin)