FIDO2 · WEBAUTHN · CTAP · FIPS 140-3

No passwords. No OTPs. One biometric tap.

MultiAuth replaces passwords and OTPs with FIDO2/WebAuthn passkeys — device-bound cryptographic credentials that eliminate phishing, replay and MFA fatigue by design.

Zero shared secrets. Zero phishing. Zero MFA fatigue.

Built on FIDO Alliance and W3C open standards. No proprietary protocols, no vendor lock-in — passkeys that work across Chrome, Safari, Firefox and Edge.

FIDO2 · CTAP2 | W3C WebAuthn L3 | FIPS 140-3 Secure Enclave | ES256 · EdDSA · RS256 | Discoverable Credentials | OIDC · SAML 2.0 Bridge | Platform & Roaming Authenticators | Enterprise Attestation | iCloud · Google Sync
01 · The problem

Passwords and OTPs were never built for this threat model.

01
The phishing pandemic
AiTM: the dominant phishing vector in 2026

OTPs and passwords are the most exploited attack surface in security.

Adversary-in-the-middle proxies capture SMS codes and session cookies in real time. SIM swaps hijack phone numbers. Credential stuffing weaponises every breached database. Legacy MFA — TOTP, SMS OTP, push notifications — is a losing battle.

02
MFA fatigue at scale
0 secrets shared between client and server

Push notifications and codes overwhelm users into approving fraud.

Users tap-to-approve to make the noise stop. Help desks burn millions on password resets. Every code typed, every prompt approved, every shared secret stored is a new opportunity for compromise. Authentication should not be a chore.

Step 01 · Register

User chooses to register a passkey — no password required

The browser or OS prompts for the platform biometric (Face ID, Touch ID, Windows Hello, Android fingerprint). No shared secret. No password to remember.

One tap. No form fields.

03 · Three pillars of MultiAuth

Three factors of authentication — delivered in a single tap.

Possession (the device), inherence (biometric) and intent (origin-bound signature) — unified into one cryptographic gesture.

PILLAR 01
FIDO2 / WebAuthn Passkeys

Device-bound public-key credentials generated in the platform secure enclave. The private key never leaves the device. No secrets traverse the web.

PILLAR 02
Biometric verification

Face ID, Touch ID, Windows Hello, Android fingerprint as the user verification gesture. Biometric data never leaves the device — never transmitted, never stored remotely.

PILLAR 03
Phishing resistance by design

Passkeys are cryptographically scoped to the origin domain. A passkey for app.example.com cannot be used at attacker.com — phishing eliminated at the protocol level.

04 · End-to-end flow

Corporate SSO — signed in under six seconds.

  1. 00:00
    Employee opens the corporate SSO portal
    No password field. The portal asks for the work email only.
  2. 00:01
    Email entered, passkey detected
    The browser recognises a registered passkey for this RP ID and surfaces it via Conditional UI.
  3. 00:02
    Server issues a fresh challenge
    A cryptographically random nonce, bound to auth.sovio.id, sent to the authenticator.
  4. 00:03
    Biometric prompt
    Face ID, Touch ID or Windows Hello — one gesture proves possession and presence.
  5. 00:04
    Device signs the challenge
    Private key signs inside the Secure Enclave. The signature includes the origin hash and counter.
  6. 00:05
    Server verifies the assertion
    ES256 verification against the stored public key. Origin check passes. Counter increments.
  7. 00:06
    Session active
    Employee lands on email, CRM and HR tools — no password typed, no OTP entered, no MFA fatigue.
05 · FIDO passkeys vs TOTP authenticator

Two factors. One survives a phishing campaign.

| Property | FIDO Passkeys · MultiAuth | TOTP Authenticator |
|---|---|---|
| Phishing resistance | Cryptographic origin scoping — bound to RP ID. | None. Codes entered into any page the user visits. |
| Shared secrets | None. Only the public key is stored server-side. | Symmetric seed stored on server and device. |
| Replay attack | Immune. Challenge-response with origin-bound signature. | Vulnerable. AiTM captures and forwards in real time. |
| MFA fatigue | Eliminated. One biometric gesture. | Friction of opening app and typing a 6-digit code. |
| SIM swap | Immune. No phone numbers or SMS infrastructure. | Backup codes and SMS recovery flows are exploited. |
| User experience | Single biometric tap. Works via cross-device auth. | Open authenticator, read code, type before expiry. |
| Device loss | Passkeys sync via iCloud, Google or Microsoft. | Seeds are per-device. Manual re-enrollment required. |
| Credential theft | Private key never leaves the secure enclave. | Seed stored on filesystem — extractable if compromised. |
| Standardisation | FIDO2 · WebAuthn · CTAP — open standards. | RFC 6238 — no browser API, needs separate app. |
06 · Standards & protocols

Built on FIDO Alliance, W3C and NIST — not proprietary protocols.

| Framework | Title | How MultiAuth applies it |
|---|---|---|
| FIDO2 | FIDO Alliance standard for passwordless | Full FIDO2 specification including WebAuthn and CTAP for platform and cross-platform authenticators. |
| WebAuthn | W3C Recommendation L3 | Passkey registration and assertion via the Credential Management API in Chrome, Safari, Firefox and Edge. |
| CTAP | Client to Authenticator Protocol | Roaming authenticators — YubiKey, Google Titan, NFC and BLE security keys participate in the WebAuthn flow. |
| SAML 2.0 | Enterprise SSO bridge | Integrates with existing SAML identity providers — passkey as additional factor or password replacement. |
| OpenID Connect | Federated identity | OIDC bridge lets MultiAuth passkeys authenticate any OIDC-compatible application. |
| FIPS 140-2/3 | Government-grade crypto | Operations leverage FIPS-certified secure enclaves — Apple Secure Enclave, TPM 2.0, Google Titan M. |

Every organisation that needs phishing-resistant, standards-based authentication.

07 · Technical depth

For architects, security engineers and identity leads.

multiauth · webauthn.register.js · ES256 · Secure Enclave
// 1. Server generates registration options (sent to the browser as JSON;
//    challenge and user.id travel as base64url strings in this wire form)
const options = {
  challenge: base64url(server.generate()),
  rp:   { name: "Sovio", id: "auth.sovio.id" },
  user: { id: base64url(user.id), name: user.email, displayName: user.name },
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],   // ES256
  authenticatorSelection: {
    authenticatorAttachment: "platform",
    residentKey:      "required",
    userVerification: "required"
  },
  timeout: 60000
};

// 2. Browser calls WebAuthn — biometric prompt fires.
//    parseCreationOptionsFromJSON (WebAuthn L3) decodes the base64url fields into
//    the ArrayBuffers that navigator.credentials.create() requires.
const credential = await navigator.credentials.create({
  publicKey: PublicKeyCredential.parseCreationOptionsFromJSON(options)
});

// 3. Server stores the public key — no password, no OTP seed.
//    credential.toJSON() (WebAuthn L3) base64url-encodes the binary response fields.
await fetch("/api/passkey/register", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify(credential.toJSON())
});
// verify · POST /api/auth/verify (server-side pseudocode)
clientData = parse(credential.response.clientDataJSON);
assert (clientData.type === "webauthn.get");
assert (clientData.challenge === session.challenge);        // the fresh nonce issued for this sign-in
assert (clientData.origin === "https://auth.sovio.id");     // origin-bound: a phishing page fails here
assert (rpIdHash(authData) === sha256("auth.sovio.id"));
assert (authData.flags.UP && authData.flags.UV);             // presence + biometric user verification
ok = ES256.verify(pubKey, concat(authData, sha256(clientDataJSON)), signature);   // signed data per WebAuthn
assert (ok && authData.counter > stored.counter);            // counter must increase → SESSION ✓
Sign-in: < 1 s, tap to session
Algorithms: ES256 · EdDSA · RS256, negotiated by client
Authenticator: Platform · Roaming (Face ID · YubiKey · Titan)
SDK: iOS · Android · Web, drop-in WebAuthn
device-bound by design

The private key is generated inside — and never leaves — the device's Secure Enclave. There is no symmetric secret to phish, no seed to extract, no password to reset.

No shared secrets · Origin-bound signatures · Multi-device sync · Secure enclave keys · Platform biometrics · FIDO2 interoperable
REGISTER · AUTHENTICATE · VERIFY

See Sovio MultiAuth in your ecosystem.

Schedule a personalised demo to see FIDO2 passkeys, biometric verification and origin-bound authentication running end to end in your environment.