FIDO2 · WEBAUTHN · CTAP · FIPS 140-3

No passwords
No OTPs
One biometric tap

MultiAuth replaces passwords and OTPs with FIDO2/WebAuthn passkeys - device-bound cryptographic credentials that eliminate phishing, replay and MFA fatigue by design.

The problem

Passwords and OTPs were never built for this threat model.

AiTM

the dominant phishing vector - in 2026

0

secrets safely shared between client and server

Use Cases

Every organisation that needs phishing-resistant, standards-based authentication.

Key features

Discover why passkeys are the future of authentication

Passwordless Security

Eliminate password vulnerabilities with cryptographic security

FIDO2 Compliance

Built on the industry-standard FIDO2 protocol for maximum compatibility

Biometric Authentication

Leverage device biometrics like fingerprint and face recognition

Cross-Platform Support

Works across devices and platforms for a consistent experience

Phishing Resistant

Domain-bound credentials prevent phishing attacks

Easy Implementation

Simple API integration with comprehensive documentation

Three pillars of MultiAuth

Three factors of authentication - delivered in a single tap.

Possession (the device), inherence (biometric) and intent (origin-bound signature) - unified into one cryptographic gesture.

PILLAR 01
FIDO2 / WebAuthn Passkeys

Device-bound public-key credentials generated in the platform secure enclave. The private key never leaves the device. No secrets traverse the web.

PILLAR 02
Biometric verification

Face ID, Touch ID, Windows Hello, Android fingerprint as the user verification gesture. Biometric data never leaves the device - never transmitted, never stored remotely.

PILLAR 03
Phishing resistance by design

Passkeys are cryptographically scoped to the origin domain. A passkey for app.example.com cannot be used at attacker.com - phishing eliminated at the protocol level.

End-to-end flow

Corporate SSO - signed in under six seconds.

From passkey creation to everyday sign-in - two workflows that eliminate passwords and OTPs entirely.

Create a Passkey
Create a passkey workflow
Sign In with Passkey
Sign in with a passkey workflow
FIDO passkeys vs TOTP authenticator

Two factors. One survives a phishing campaign.

Property
FIDO Passkeys · MultiAuth
TOTP Authenticator
Phishing resistance
Cryptographic origin scoping - bound to RP ID.
None. Codes entered into any page the user visits.
Shared secrets
None. Only the public key is stored server-side.
Symmetric seed stored on server and device.
Replay attack
Immune. Challenge-response with origin-bound signature.
Vulnerable. AiTM captures and forwards in real time.
MFA fatigue
Eliminated. One biometric gesture.
Friction of opening app and typing a 6-digit code.
SIM swap
Immune. No phone numbers or SMS infrastructure.
Backup codes and SMS recovery flows are exploited.
User experience
Single biometric tap. Works via cross-device auth.
Open authenticator, read code, type before expiry.
Device loss
Passkeys sync via iCloud, Google or Microsoft.
Seeds are per-device. Manual re-enrollment required.
Credential theft
Private key never leaves the secure enclave.
Seed stored on filesystem - extractable if compromised.
Standardisation
FIDO2 · WebAuthn · CTAP - open standards.
RFC 6238 - no browser API, needs separate app.
Standards & protocols

Built on FIDO Alliance, W3C and NIST - not proprietary protocols.

Framework
Title
How MultiAuth applies it
FIDO2
FIDO Alliance standard for passwordless
Full FIDO2 specification including WebAuthn and CTAP for platform and cross-platform authenticators.
WebAuthn
W3C Recommendation L3
Passkey registration and assertion via the Credential Management API in Chrome, Safari, Firefox and Edge.
CTAP
Client to Authenticator Protocol
Roaming authenticators - Yubikey, Google Titan, NFC and BLE security keys participate in the WebAuthn flow.
SAML 2.0
Enterprise SSO bridge
Integrates with existing SAML identity providers - passkey as additional factor or password replacement.
OpenID Connect
Federated identity
OIDC bridge lets MultiAuth passkeys authenticate any OIDC-compatible application.
FIPS 140-2/3
Government-grade crypto
Operations leverage FIPS-certified secure enclaves - Apple Secure Enclave, TPM 2.0, Google Titan M.
No passwords • No shared secrets • Phishing-resistant

Built on FIDO Alliance and W3C open standards. No proprietary protocols, no vendor lock-in - passkeys that work across Chrome, Safari, Firefox and Edge.

FIDO2 · CTAP2W3C WebAuthn L3FIPS 140-3 Secure EnclaveES256 · EdDSA · RS256Discoverable CredentialsOIDC · SAML 2.0 BridgePlatform & Roaming AuthenticatorsEnterprise AttestationiCloud · Google SyncFIDO2 · CTAP2W3C WebAuthn L3FIPS 140-3 Secure EnclaveES256 · EdDSA · RS256Discoverable CredentialsOIDC · SAML 2.0 BridgePlatform & Roaming AuthenticatorsEnterprise AttestationiCloud · Google SyncFIDO2 · CTAP2W3C WebAuthn L3FIPS 140-3 Secure EnclaveES256 · EdDSA · RS256Discoverable CredentialsOIDC · SAML 2.0 BridgePlatform & Roaming AuthenticatorsEnterprise AttestationiCloud · Google Sync
REGISTER · AUTHENTICATE · VERIFY

See Sovio MultiAuth
in your ecosystem.

Schedule a personalised demo to see FIDO2 passkeys, biometric verification and origin-bound authentication running end to end in your environment.