
Security & Trust

How Trustaige protects your organization with standards-based, phishing-resistant authentication.

Architecture

Passwordless by Design

Trustaige eliminates passwords entirely. Authentication is based on cryptographic proof of identity through hardware-bound credentials that cannot be phished, stolen, or replayed.

No Shared Secrets

Traditional authentication stores passwords or tokens on the server — creating a target for attackers. Trustaige stores only public keys. Private keys live exclusively in your device's secure element and are never transmitted.

Phishing Resistant

WebAuthn credentials are origin-bound — they only work on the exact domain they were registered with. Even a perfect phishing page on a lookalike domain cannot trigger a credential response. This is protection by protocol, not by user training.

Biometric Privacy

Biometric verification happens locally on your device to unlock the private key. Biometric data is never transmitted to or stored on Trustaige servers.

Challenge-Response Protocol

Each authentication starts from a fresh, random challenge generated by the server, which the authenticator signs with the user's private key. Because a challenge is accepted only once, a captured response cannot be replayed, and without the private key no valid response can be forged.

FIDO Metadata Service

Trustaige validates authenticator attestation against the FIDO Alliance Metadata Service, verifying that hardware is genuine, certified, and hasn't been compromised.

Authenticator Assurance Levels

Support for NIST SP 800-63B AAL1 through AAL3 — AAL3, the highest level of assurance, is the one that requires hardware-bound, phishing-resistant authentication.

Standards

Built on Open Standards

Every protocol we support is an open, auditable standard maintained by independent bodies.

FIDO2 / WebAuthn

W3C & FIDO Alliance

OpenID Connect

OpenID Foundation

SAML 2.0

OASIS Standard

SCIM 2.0

IETF RFC 7643/7644

OAuth 2.0 + PKCE

IETF RFC 6749/7636

Infrastructure

Session & Infrastructure Security

Defense in depth across every layer of the platform.

Session Management

Server-side session management with device fingerprinting. Users can view all active sessions, see device details, and revoke any session with one click.

Audit Logging

Every authentication event, profile change, administrative action, and session lifecycle event is recorded with full context.

Transport Security

All traffic is encrypted with TLS. HSTS enforced in production. Content Security Policy with per-request nonces prevents XSS and injection attacks.

Key Management

JWKS-based key management with rotation support for token signing. JSON Web Key Sets are published at standard discovery endpoints.

Ready to Eliminate Passwords?

Start a trial and experience phishing-resistant authentication for your organization.