
Protect the agency. Pin the classified data to hardware the FIDO Alliance certifies.

Trustaige is workforce identity for the people inside public-sector organizations — the staff and contractors of ministries, agencies, parastatals, and the public services they run. We exist to do one thing well: protect the organization itself by eliminating its most porous attack surface (passwords) and replacing it with hardware-bound cryptographic keys the user verifies on their own device. For data classified above the open tier, the same policy engine lets you pin access to FIDO Alliance L3-certified authenticators — the highest assurance grade the standard recognizes, with hardware tamper resistance and a restricted operating environment — enforced per application or per role. The private key stays inside the certified hardware. The biometric stays on the user's own device. The agency owns both ends of the relationship.

The pressures

What we hear from every team in this sector.

Credentials, not exploits, are how organizations get breached

Password reuse, phishing, infostealer malware — the overwhelming majority of organizational breaches start with a stolen or guessable credential, not a zero-day. The agency that still relies on password rotation, complexity rules, or shared one-time codes is defending against the wrong attacker. Until the credential itself is something that physically cannot be stolen, the perimeter doesn't exist.

Classified data needs a hardware floor — not a policy text

For tiers of data that should never be reachable from a consumer-grade authenticator, the question isn't whether your written policy says "high assurance only." It's whether the platform will refuse a sign-in because the authenticator hardware fails the standard. Trustaige reads each authenticator's certification from the FIDO Metadata Service and blocks any request that doesn't meet the configured minimum (for example AAL3 and FIDO L3) — per application, per role, before the resource ever gets touched.

Sovereignty is about what you store, not just where you host

Where the identity platform lives matters. But what it stores matters more. Hosting on-prem with a vendor that still holds fingerprints, face templates, or population-identifier rows is sovereignty on the wrapper, not the substance. Trustaige runs inside your infrastructure and stores no biometrics of any kind — only public keys. There is nothing about a staff member to subpoena from us, because we never had it.

How Trustaige answers them

The capabilities, framed for this sector.

01

Pin classified data to FIDO Alliance L3 certified hardware

Per application, per role, per resource: require a minimum NIST SP 800-63B authenticator assurance level (AAL1, AAL2, or AAL3) AND a minimum FIDO Alliance certification level (L1, L2, L3). Trustaige reads each authenticator's certification from the FIDO Metadata Service and refuses any sign-in that doesn't meet the policy. The result: even an administrator with a valid credential cannot open the classified resource from anything other than an L3-certified hardware key with verified user presence. The policy syntax is the same one the rest of your team uses for any other access control — it just happens to map directly to the standard your auditor already reads.
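The check described above (and under "Classified data needs a hardware floor") is easy to state but worth seeing as code: look the authenticator model up by AAGUID in MDS-shaped data, take its certification status, and compare it with the resource's policy before anything else happens. The following is an added illustrative example, not Trustaige's code or policy syntax. The policy table, resource names, AAGUIDs and MDS entries are constructed; the status strings and `keyProtection` values are taken from the FIDO MDS3 specification; the derivation of an AAL from user verification plus hardware key protection is a deliberate simplification of NIST SP 800-63B, and denying on MDS compromise or revocation statuses goes slightly beyond what the page describes.

```python
"""Added illustrative example (not Trustaige's code): a per-resource access
check that enforces a minimum NIST AAL and a minimum FIDO certification level,
using the authenticator's AAGUID to look up MDS3-shaped status reports."""
from dataclasses import dataclass

# Certification statuses from the FIDO MDS3 AuthenticatorStatus enum, ranked.
# Legacy "FIDO_CERTIFIED" (functional-only) is ranked below L1 here; that is a
# conservative policy choice of this example, not something the MDS mandates.
CERT_RANK = {
    "FIDO_CERTIFIED": 0,
    "FIDO_CERTIFIED_L1": 1,
    "FIDO_CERTIFIED_L1plus": 2,
    "FIDO_CERTIFIED_L2": 3,
    "FIDO_CERTIFIED_L2plus": 4,
    "FIDO_CERTIFIED_L3": 5,
    "FIDO_CERTIFIED_L3plus": 6,
}

# MDS3 statuses that disqualify a model regardless of earlier certification
# (treating every one of them as a full deny is this example's policy choice).
DISQUALIFYING = {
    "REVOKED",
    "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
}

# MDS3 metadataStatement.keyProtection values accepted here as "hardware-bound"
# for the AAL3 check. Simplified mapping; an assumption of this example.
HARDWARE_KEY_PROTECTION = {"hardware", "secure_element"}


@dataclass(frozen=True)
class Policy:
    min_aal: int    # 1, 2 or 3 (NIST SP 800-63B authenticator assurance level)
    min_fido: str   # a key of CERT_RANK, e.g. "FIDO_CERTIFIED_L3"


# Constructed policy table: resource name -> minimum assurance (names made up).
POLICIES = {
    "classified-archive": Policy(min_aal=3, min_fido="FIDO_CERTIFIED_L3"),
    "staff-portal": Policy(min_aal=2, min_fido="FIDO_CERTIFIED_L1"),
}

# Constructed, MDS3-shaped entries keyed by AAGUID (placeholders, not real
# authenticator models; real entries carry many more fields).
MDS = {
    "11111111-0000-4000-8000-000000000001": {   # L3 hardware key
        "metadataStatement": {"keyProtection": ["hardware", "secure_element"]},
        "statusReports": [
            {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2022-01-10"},
            {"status": "FIDO_CERTIFIED_L3", "effectiveDate": "2023-06-01"},
        ],
    },
    "22222222-0000-4000-8000-000000000002": {   # consumer-grade, L1, software key
        "metadataStatement": {"keyProtection": ["software"]},
        "statusReports": [
            {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2021-03-15"},
        ],
    },
    "33333333-0000-4000-8000-000000000003": {   # was L3, later flagged by MDS
        "metadataStatement": {"keyProtection": ["hardware", "secure_element"]},
        "statusReports": [
            {"status": "FIDO_CERTIFIED_L3", "effectiveDate": "2022-09-01"},
            {"status": "USER_VERIFICATION_BYPASS", "effectiveDate": "2024-02-20"},
        ],
    },
}


def certification_level(entry):
    """Highest certification status reached, or None if any report disqualifies."""
    statuses = [r["status"] for r in entry["statusReports"]]
    if any(s in DISQUALIFYING for s in statuses):
        return None
    ranked = [s for s in statuses if s in CERT_RANK]
    return max(ranked, key=CERT_RANK.get) if ranked else None


def achieved_aal(entry, user_verified):
    """Simplified AAL derivation (assumption): AAL2 needs user verification,
    AAL3 additionally needs a hardware-protected key per the MDS statement."""
    hardware = bool(HARDWARE_KEY_PROTECTION & set(entry["metadataStatement"]["keyProtection"]))
    if user_verified and hardware:
        return 3
    if user_verified:
        return 2
    return 1


def evaluate(resource, aaguid, user_verified, mds=MDS, policies=POLICIES):
    """Return (allowed, reason) for one sign-in against the resource's policy.
    Every failure path is a deny with a reason suitable for the audit log."""
    policy = policies.get(resource)
    if policy is None:
        return False, "no policy for resource; default deny"
    entry = mds.get(aaguid)
    if entry is None:
        return False, "authenticator model not in MDS"
    level = certification_level(entry)
    if level is None:
        return False, "authenticator model revoked or compromised in MDS"
    if CERT_RANK[level] < CERT_RANK[policy.min_fido]:
        return False, f"certification {level} below required {policy.min_fido}"
    aal = achieved_aal(entry, user_verified)
    if aal < policy.min_aal:
        return False, f"AAL{aal} below required AAL{policy.min_aal}"
    return True, f"{level}, AAL{aal}"


if __name__ == "__main__":
    for res, aaguid, uv in [
        ("classified-archive", "11111111-0000-4000-8000-000000000001", True),
        ("classified-archive", "22222222-0000-4000-8000-000000000002", True),
        ("classified-archive", "33333333-0000-4000-8000-000000000003", True),
        ("staff-portal", "22222222-0000-4000-8000-000000000002", True),
    ]:
        print(res, aaguid[:8], "uv" if uv else "no-uv", evaluate(res, aaguid, uv))
```

The order of checks matters for what the audit trail says: the policy and MDS lookups fail closed first, then the certification level, then the assurance level, so an administrator holding a valid credential on an L1 consumer authenticator is refused on the classified resource with a reason that names the standard rather than a generic "access denied".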

02

Eliminate the password as an attack surface entirely

We do not store passwords for anyone, on any tier. Sign-in is a cryptographic challenge between the user's authenticator and the server, with the private key sealed inside hardware the user never had to install. The phishing email that captures keystrokes is operating on the wrong target. The credential dump posted on the open web doesn't apply to anyone in your tenant.

03

On-premises deployment, in the jurisdiction you choose

Trustaige offers on-premises deployment — the database, the secret store, and every running component live on your side of the boundary, in the jurisdiction you choose. No customer data, no key material, and no audit trail crosses into a vendor-controlled environment — which is the answer your buyer needs to give every oversight audience that asks. The specific hosting environment, the operational split between your team and ours, and the support model are sized for each deployment in a working conversation — every public-sector environment is different enough that the one-size answer is the wrong one.

04

We verify identity. We never collect it.

Biometric data — fingerprints, face templates, anything derived from a person's body — stays on the user's own device, used locally to unlock their private credential. Trustaige stores no biometrics, no national identifiers, and no population data of any kind. The platform that doesn't hold the data can't lose it, can't be subpoenaed for it, and can't appear in a press cycle as the source of a leak. This is a deliberate architectural choice that differentiates us from national-ID platforms — and the reason public-sector buyers can deploy Trustaige without inheriting a citizen-data liability.

Talk to the team

The vendor your RFP probably hasn't met yet.

Walk through a deployment shaped for your public-sector context. We'll talk about your data classification tiers and which ones should require L3 hardware, the oversight bodies you have to satisfy, your hosting constraints, and how Trustaige's enforcement maps to the standard your accreditation regime references — NIST SP 800-63B, the EU's NIS2 directive, ISO/IEC 27001, your national cyber-security framework, or all of the above.