Step 6 of 7

Backend Creates Instruction Record

Permanent, tamper-proof record with unique reference code

Customer Instruction Record

✓ Instruction Verified & Recorded

Customer Instruction Reference: CREF-73D9-221B
Client ID: CLIENT-SM-4892
Customer Name: Sarah Mitchell
Matter Reference: REF-9F2A-47B1
Device-Bound Identity: DEVICE-AP-9821-FID2
Instruction Type: BANK_ACCOUNT_DETAILS
Instruction Payload: {"bank":"Barclays","sort":"20-00-00","account":"12345678","holder":"Sarah Mitchell"}
Timestamp: 2025-12-09T14:32:17.482Z
Digital Signature: MEUCIQDkx7y...9fH2wIgY (non-forgeable)
Status: VERIFIED & IMMUTABLE

🛡️ Impossible to Forge or Spoof

This record is cryptographically secured: No attacker, compromised mailbox, phishing site, or man-in-the-middle can create a valid customer instruction record. The backend verifies the passkey signature against Sarah's registered public key. If the signature is invalid or from an unauthorized device, the instruction is rejected immediately.

What This Record Contains

Complete Audit Trail

  • Client ID: Links to Sarah Mitchell's client record in the firm's system
  • Matter Reference: Associates instruction with the property purchase matter
  • Device-Bound Passkey Identity: Proves it came from Sarah's registered device
  • Instruction Type: Categorizes the instruction (bank account, approval, etc.)
  • Instruction Payload: Complete data submitted by client (JSON format)
  • Timestamp: Exact moment of cryptographic signature (UTC)
  • Digital Signature: Unforgeable proof of authenticity and integrity

Security Guarantees

🔐 Authenticated

Passkey signature proves it came from Sarah Mitchell's registered device with biometric confirmation

🔒 Integrity Protected

Any modification to the instruction would invalidate the cryptographic signature

⏱️ Timestamped

Precise UTC timestamp proves when the instruction was authorized

📝 Non-Repudiable

Sarah cannot later deny submitting this instruction—cryptographic proof exists

🚫 Unforgeable

Cannot be created by attackers, phishing sites, or compromised email accounts

📊 Auditable

Complete trail for regulatory compliance, dispute resolution, and internal review

Protection Against Attack Scenarios

Why Attackers Cannot Fake This

  • Compromised client email: Attacker has no access to Sarah's device or biometric
  • Phishing site: Passkey will not work on fake domain—cryptographically tied to shepwedd.com
  • Man-in-the-middle: Cannot alter instruction without invalidating signature
  • Replay attack: Timestamp and nonce prevent instruction reuse
  • Stolen credentials: No passwords exist to steal—biometric + device required
  • Social engineering: Firm can verify reference code and signature before acting
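The phishing, man-in-the-middle and replay rows above correspond to checks the backend makes on the WebAuthn `clientDataJSON` before it verifies the signature. The sketch below is an added example, not code from the page or the firm's backend. Assumptions: the challenge is derived from the submitted instruction plus a server-issued one-time nonce, the origin string is `https://shepwedd.com`, all function names are hypothetical, and signature verification against the registered public key is a separate step not shown.

```python
import base64
import hashlib
import json

# Assumption: the exact origin string for the domain named on the page.
EXPECTED_ORIGIN = "https://shepwedd.com"


def instruction_challenge(instruction: dict, nonce: str) -> str:
    """Challenge = base64url(SHA-256(canonical instruction | one-time nonce))."""
    canonical = json.dumps(instruction, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(f"{canonical}|{nonce}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_client_data(client_data_json: bytes, instruction: dict,
                      nonce: str, used_nonces: set) -> str:
    """Return "ok" or the rejection reason; run before signature verification."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(cd, dict) or cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("origin") != EXPECTED_ORIGIN:  # assertion made on another site
        return "origin mismatch"
    if nonce in used_nonces:  # challenge already consumed
        return "nonce replayed"
    if cd.get("challenge") != instruction_challenge(instruction, nonce):
        return "instruction does not match signed challenge"
    used_nonces.add(nonce)
    return "ok"


def demo() -> list:
    # Constructed sample data; payload fields mirror the record on the page.
    instruction = {"bank": "Barclays", "sort": "20-00-00",
                   "account": "12345678", "holder": "Sarah Mitchell"}
    nonce, used = "constructed-nonce-001", set()

    def client_data(origin: str) -> bytes:
        return json.dumps({"type": "webauthn.get", "origin": origin,
                           "challenge": instruction_challenge(instruction, nonce)}).encode()

    genuine = client_data(EXPECTED_ORIGIN)
    altered = dict(instruction, account="87654321")  # changed after signing
    return [check_client_data(client_data("https://lookalike.example"), instruction, nonce, used),
            check_client_data(genuine, altered, nonce, used),
            check_client_data(genuine, instruction, nonce, used),
            check_client_data(genuine, instruction, nonce, used)]
```

`demo()` runs four constructed submissions in order: an assertion from another origin, an instruction altered after signing, the genuine submission, and a resubmission of the genuine one.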

What Happens Next?

Customer Receives Reference Code

Sarah is now shown her unique customer instruction reference: CREF-73D9-221B. If she also wants to send a courtesy email to her solicitor (e.g., "I've submitted my bank details"), she can include this reference. Even if the email is intercepted or spoofed, the reference cannot be forged—only valid instructions in the backend database count.