FAQ

Frequently asked questions

Passkeys

Where are passkeys stored?

Passkeys are stored locally on the device where you register them. SendAuth supports WebAuthn-capable devices and FIDO2-compliant devices, which means passkeys can be stored on:

  • Smartphones and tablets - Using biometric authentication (fingerprint, face recognition) or device PINs
  • Laptops and computers - Using built-in security chips (TPM), biometric readers, or software authenticators
  • Hardware security keys - Dedicated FIDO2 devices like YubiKeys
  • Cloud synchronization - Some platforms (like Apple’s iCloud Keychain or Google’s Password Manager) can sync passkeys across your devices

The passkey never leaves your device - only cryptographic signatures are sent to SendAuth during authentication, ensuring your credentials remain secure.

What happens if I store my passkey on my phone, and I get a new phone?

If you registered your passkey on a phone and get a new device, you have several options:

  • Cloud sync recovery - If your passkey was stored in your platform’s cloud keychain (like iCloud Keychain or Google Password Manager), it should automatically sync to your new device when you sign in
  • Re-registration - Contact an administrator or registrar who can generate a new passkey registration link for you. You’ll need to verify your identity (preferably in-person or via video call) before being allowed to register a new passkey
  • Multiple passkeys - It’s recommended to register passkeys on multiple devices beforehand to avoid this situation

Always register passkeys on devices you personally control, and consider registering on multiple devices for backup access.

What happens if I forgot where my passkey was stored?

If you can’t remember which device has your passkey:

  1. Check all your devices - Try authenticating from each device you own (phone, laptop, tablet)
  2. Check cloud-synced authenticators - Look in your platform’s password manager or keychain
  3. Contact support - Reach out to your administrator or someone with registrar permissions who can:
    • Generate a new passkey registration link
    • Revoke your existing passkeys if needed
    • Help you set up new authentication methods

Administrators can see whether a user has passkeys configured but cannot see which specific devices they’re stored on, as this information remains private to your devices.

Can the authentication page be spoofed?

No. Passkeys are associated with a specific domain (e.g., mycompany.app.sendauth.com). Browsers and devices will not allow a passkey to be used for a different domain.

Can my passkey be intercepted?

No. Sensitive information for the passkey never leaves your device. Passkey attestations are transactional and aren’t reusable.
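The domain binding and non-reuse described in the two answers above rest on checks a WebAuthn relying party runs on every sign-in response. The following is an added example, not SendAuth's code: it assumes the page's example domain as the RP ID, the function names and sample values are hypothetical, and signature verification is left out.

```python
import hashlib
import json
import struct

# Assumption: the page's example domain is the relying party ID.
RP_ID = "mycompany.app.sendauth.com"
EXPECTED_ORIGIN = "https://" + RP_ID


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    pending_challenges: set) -> str:
    """Return "ok" or the reason a sign-in response is rejected.

    Domain and replay checks only; a real relying party also verifies the
    signature over authenticator_data || SHA-256(client_data_json).
    """
    client = json.loads(client_data_json)
    # Each challenge is issued once and consumed on first use, pass or fail.
    challenge = client.get("challenge")
    if challenge not in pending_challenges:
        return "unknown or reused challenge"
    pending_challenges.discard(challenge)
    if client.get("type") != "webauthn.get":
        return "wrong type"
    # The browser, not the page's script, writes the origin into clientDataJSON.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    # authenticatorData = rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
    if len(authenticator_data) < 37:
        return "authenticator data too short"
    rp_id_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not flags & 0x01:  # UP bit: user presence
        return "user not present"
    return "ok"


def make_sample(origin: str, rp_id: str, challenge: str):
    """Build constructed (not captured) inputs; real challenges are random base64url."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", 7)
    return client, auth


if __name__ == "__main__":
    pending = {"c1", "c2"}
    print(check_assertion(*make_sample(EXPECTED_ORIGIN, RP_ID, "c1"), pending))
    print(check_assertion(*make_sample(EXPECTED_ORIGIN, RP_ID, "c1"), pending))
    print(check_assertion(*make_sample("https://login.example", RP_ID, "c2"), pending))
```

Run directly, it prints `ok`, then `unknown or reused challenge` for the replayed response, then `origin mismatch` for the response produced on a different origin.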

Do I need multiple passkeys?

Possibly. If you are in more than one SendAuth organization (each organization has its own subdomain), you’ll have a distinct passkey for each one.

Auth Flow

I already have an identity provider (IdP) or SSO. Can I still use SendAuth?

Yes. SendAuth can integrate with your existing SSO solution and provide an out-of-band authentication mechanism for sensitive actions.

No. The authentication links will take anyone to a page that requests authentication with your passkey. Because other users won’t have access to your passkey, this is not sensitive.

Security Features

  • Time-limited - All authentication links expire after 5 minutes to prevent abuse
  • Single-use - Links can only be used once and become invalid after authentication
  • IP tracking - SendAuth logs the IP address and geolocation of authentication responses for audit purposes

Best Practices

  • Verify the source - Always verify that authentication requests come from legitimate sources
  • Act promptly - Respond to authentication requests quickly due to the 5-minute expiration
  • Report suspicious requests - If you receive unexpected authentication requests, contact your administrator and reject the request