The platform

Four products.
One identity root.

Verify a person once. Carry that proof into signatures, sign-in, and a vault that the cloud cannot read.

01 / Identity verification

Verify

Prove a person is who they claim once, then reuse that proof. Verify captures a government document, runs a passive liveness check, and matches the face to the document. The result is a signed verification built to the IAL2 standard (not yet certified) that other products read instead of asking the customer to start again.

  • Government document authenticity checks
  • Passive liveness, built to the ISO 30107-3 approach, no awkward head-turns
  • Face match built to the NIST 800-63-4 face recognition guidance
  • One signed, reusable verification record, not a throwaway pass or fail
Verify · product film
02 / Advanced electronic signatures

Sign

Sign binds a verified identity to a document hash, not to a tick-box. The signer sees the exact document, the signature covers its hash, and the receipt records who signed, what they saw, and when. What the signer sees is what they sign.

  • Signatures over the document hash, tamper-evident by construction
  • Advanced electronic signature, anchored to a verified identity
  • Provenance receipt chained into the audit trail
  • Ed25519 or ECDSA P-256, algorithm recorded on every receipt
Sign · product film
03 / Passwordless and TOTP

Authenticate

Authenticate replaces the password with a verified human on an attested device. Passwordless sign-in and a built-in TOTP authenticator carry both identity assurance and authenticator assurance into every login, exposed through standard OIDC.

  • Passwordless sign-in over standard OIDC, the authorization code flow
  • TOTP authenticator built into the same app
  • PKCE (S256) mandatory, exact redirect matching, private_key_jwt client auth
  • Identity assurance and authenticator assurance in one token
Authenticate · product film
04 / Zero-knowledge password vault

Vault

Vault stores secrets the cloud cannot read. Encryption and decryption happen on the device under a key derived from the user, so the server holds ciphertext and nothing else. A breach of our storage yields encrypted blobs.

  • Client-side encryption, the server never sees plaintext
  • Argon2id key derivation at the OWASP floor
  • AES-256-GCM with bound associated data
  • No server-side endpoint returns plaintext, by design
Vault · product film

One integration. All four.