> For the complete documentation index, see [llms.txt](https://shinkalabs.gitbook.io/hub/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://shinkalabs.gitbook.io/hub/andromeda/guides/deploy-policy/passkey-step-up.md). # passkey-step-up This policy requires a passkey proof for signing requests above a configured threshold. Small actions pass normally; large ones need a fresh WebAuthn assertion, which the program validates on-chain. Program address (Solana devnet): `7xNwfNHtN11kf5JFNhsQTuciBskmWmZ8XcHSAeNdvorC`. ## What it enforces Below the threshold: the signature goes through under whatever the rest of the policy stack allows. At or above the threshold: the request must carry a WebAuthn assertion that the program checks (the challenge field is pattern-matched strictly, the assertion is verified against the registered passkey). No valid assertion, no signature. ## Configuration * **Threshold**: the value at which step-up kicks in. * **Registered passkey**: the credential whose assertions are accepted. Changes follow the [policy lifecycle](/hub/andromeda/guides/deploy-policy.md). ## How a step-up flows 1. The application detects a request over the threshold. 2. It collects a WebAuthn assertion from the user's passkey. 3. It includes the assertion in the signing request. 4. The on-chain program validates it; if it passes, the signature is approved. ## Combine it * With [`allowlist-destinations`](/hub/andromeda/guides/deploy-policy/allowlist.md): step-up for big moves, allowlist for everything. * With [`velocity-guard`](/hub/andromeda/guides/deploy-policy/velocity-guard.md): step-up for big moves, rate limit overall. ## On-chain guarantees * The WebAuthn assertion is validated by the program using runtime primitives, not by trusting the API. See [Precompile validation](/hub/andromeda/on-chain-programs/precompiles.md). * Strict pattern matching on the challenge field, so a replayed or malformed assertion is rejected. * Init-authority-hash seeded PDA (no front-running). * Replay-nonced configuration changes. ## When to use it * Wallets where routine activity should be frictionless but large transfers need a second factor. * Consumer products that want "approve with Face ID / Touch ID for anything over X". --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://shinkalabs.gitbook.io/hub/andromeda/guides/deploy-policy/passkey-step-up.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.