Technical answers for security teams, identity architects, and engineers.
What problem does LastID solve that existing MFA and SSO do not?
LastID addresses the gap between authentication and verification. MFA tokens can be phished, replayed, or socially engineered. Caller ID is trivially spoofed. Email headers are easily forged. AI-generated voice and video remove the last human signals. LastID provides cryptographic proof of human identity that cannot be forged or socially engineered.
How do we verify vendors and contractors outside our authentication perimeter?
LastID enables cross-organization trust without directory federation or B2B integration. External parties present their credential and you verify it cryptographically. Each vendor receives a unique pairwise DID, so they cannot be tracked across organizations.
How are the issuer signing keys protected?
All credential signing uses AWS KMS with hardware security modules. Keys are generated in the HSM, sign inside the HSM, and cannot be exported. The HSMs are FIPS 140-2 Level 3 certified. Device-side private keys are generated in and bound to the Secure Enclave (iOS), StrongBox (Android), or a TPM.
What standards does LastID use?
Exclusively published standards with no proprietary protocols: BIP39 for mnemonic generation, P-256/secp256r1 for ECDSA, X.509 for certificate chains, SD-JWT for selective disclosure, OAuth 2.0 with PKCE, OpenID Connect, DPoP (RFC 9449), OpenID4VCI for issuance, OpenID4VP for presentation, and RFC 8485 Vectors of Trust (VoT) for assurance claims.
How does it integrate with existing OIDC infrastructure?
LastID acts as a drop-in identity provider that works with existing auth infrastructure. The verification flow uses the standard OAuth 2.0 authorization code flow with PKCE. Your systems receive verified identity claims through standard OIDC mechanisms, including VoT (Vectors of Trust) claims.
What is the credential format?
Credentials use the SD-JWT (Selective Disclosure JSON Web Token) format with ES256 (P-256 ECDSA) signing. Revocation uses the W3C Bitstring Status List. Token responses include DPoP-bound access tokens, an id_token with a pairwise sub, and a VoT claim (e.g., "P3.Cf.Mb.Ac").
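How a relying party would consume the VoT claim above, as an added example (not LastID SDK code): it parses an RFC 8485 vector such as "P3.Cf.Mb.Ac" into its components and checks it against the vectors the RP requested. The trustmark URL is a constructed placeholder; the comparison is exact component match, since numeric ordering of values is only defined by a specific trust framework.

```typescript
// Added example, not part of the LastID SDK. Parses RFC 8485 Vectors of
// Trust values and checks an id_token's vot/vtm against a requested vtr.
const ACCEPTED_TRUSTMARK = "https://trustmark.example/lastid"; // placeholder

interface VectorOfTrust {
  // dimension letter (P, C, M, A) -> set of component values present
  components: Map<string, Set<string>>;
}

// RFC 8485 component: one uppercase dimension letter + one value in [0-9a-z].
const COMPONENT_RE = /^([A-Z])([0-9a-z])$/;

function parseVot(vot: string): VectorOfTrust {
  const components = new Map<string, Set<string>>();
  for (const part of vot.split(".")) {
    const m = COMPONENT_RE.exec(part);
    if (!m) throw new Error(`malformed VoT component: ${JSON.stringify(part)}`);
    const dim = m[1];
    const val = m[2];
    if (!components.has(dim)) components.set(dim, new Set());
    components.get(dim)!.add(val);
  }
  return { components };
}

// A received vot satisfies a requested vector when every requested component
// is present. A dimension may legitimately appear more than once (e.g. Cc.Cd),
// so values are compared as sets per dimension, not as single letters.
function satisfies(received: VectorOfTrust, requested: string): boolean {
  const want = parseVot(requested);
  for (const [dim, vals] of want.components) {
    const have = received.components.get(dim);
    if (!have) return false;
    for (const v of vals) if (!have.has(v)) return false;
  }
  return true;
}

// Relying-party decision over id_token claims: the trustmark (vtm) must be the
// one we accept, and the vot must satisfy at least one requested vector (vtr).
function acceptIdToken(claims: { vot?: string; vtm?: string }, vtr: string[]): boolean {
  if (claims.vtm !== ACCEPTED_TRUSTMARK || !claims.vot) return false;
  const received = parseVot(claims.vot);
  return vtr.some((req) => satisfies(received, req));
}
```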
How do we verify credentials offline at the edge?
The SDK supports offline verification; no round trip to the issuer is required. Revocation status is encoded in compact bitstrings using the W3C Bitstring Status List. Verifiers fetch and cache whole status lists rather than performing per-credential lookups, which is both privacy-preserving and scalable to millions of credentials.
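The edge-side revocation check described above, as an added example (not the LastID SDK): it decodes a cached W3C Bitstring Status List and tests the credential's bit. It assumes the status list credential's own signature was verified when it was cached and that the cache is refreshed on the interval your policy allows; the sample list is constructed in the block.

```typescript
import { gzipSync, gunzipSync } from "node:zlib";

// Added example, not LastID code. Offline revocation lookup against a cached
// W3C Bitstring Status List; signature verification of the list is assumed done.

// The status reference a credential carries in its credentialStatus entry.
interface StatusListEntry {
  statusListIndex: string; // decimal string, per the spec
  statusListCredential: string; // URL of the list, used as the cache key
}

// encodedList is multibase base64url ("u" prefix) of a GZIP-compressed
// bitstring. The older StatusList2021 form lacks the prefix; accept both.
function decodeBitstring(encodedList: string): Uint8Array {
  const raw = encodedList.startsWith("u") ? encodedList.slice(1) : encodedList;
  return new Uint8Array(gunzipSync(Buffer.from(raw, "base64url")));
}

// Index 0 is the leftmost (most significant) bit of byte 0, as the spec orders bits.
function bitAt(bits: Uint8Array, index: number): number {
  const byteIndex = index >> 3;
  if (byteIndex >= bits.length) throw new Error("statusListIndex outside the list");
  return (bits[byteIndex] >> (7 - (index & 7))) & 1;
}

// Returns true when the credential's bit is set, i.e. the credential is revoked.
function isRevoked(encodedList: string, entry: StatusListEntry): boolean {
  const index = Number(entry.statusListIndex);
  if (!Number.isInteger(index) || index < 0) throw new Error("bad statusListIndex");
  return bitAt(decodeBitstring(encodedList), index) === 1;
}

// Issuer-side helper used only to construct a sample list for this example:
// 16 KiB of zeros (131072 entries, the spec's minimum size) with given bits set.
function buildEncodedList(revokedIndexes: number[], bytes = 16384): string {
  const bits = new Uint8Array(bytes);
  for (const i of revokedIndexes) bits[i >> 3] |= 0x80 >> (i & 7);
  return "u" + Buffer.from(gzipSync(bits)).toString("base64url");
}
```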
What's the SDK integration complexity?
The TypeScript SDK provides a fluent policy builder API that is type-safe and schema-validated. Initialize HumanIDPClient with your endpoint and clientId, build a PersonaPolicy with the required claims, generate a request URL, display it as a QR code, poll for completion, and verify the presentation. The SDK uses DPoP proof-of-possession tokens for replay resistance.
How do policy builders work?
Policy builders provide a type-safe fluent API for credential requests. Use requireLastID() to set the issuer and enable credential chain inference. Use requireClaim() for mandatory fields and optionalClaim() for user-choice fields. setVerificationRequirement() can enforce that claims come from verified credentials (e.g., email from VerifiedEmail rather than just Persona).
What platforms does LastID support?
LastID is available on iOS and Android. The app uses hardware-backed key storage: Secure Enclave on iOS, StrongBox or TEE on Android. The app supports offline credential viewing and multiple personas (Work, Personal, Anonymous) for context-appropriate disclosure.
How do I recover my identity if I lose my device?
LastID uses QR-based recovery from your 24-word mnemonic. If a device is stolen: revoke its certificate (immediate, via the status list), recover the identity to a new device using the mnemonic, and issue new credentials. The master key remains untouched. No security questions, no social engineering vectors.
What is a Persona?
A Persona is your digital identity profile. Each persona contains display name, contact info, professional details, and avatar. You can create multiple personas (Work, Personal, Anonymous) to share different information with different parties. Each persona has configurable visibility and can be verified to different trust levels.
Can I use LastID offline?
Yes. Credentials are stored locally with namespace-based caching. You can view credentials, personas, and contacts offline. Operations requiring server communication (verification exchanges, credential issuance) require connectivity. The app displays connection state clearly.
What biometric authentication is available?
Platform-native biometrics: Face ID and Touch ID on iOS, fingerprint and face on Android via BiometricPrompt. Biometric fallback to passcode is disabled for key generation. Only true biometric authentication can authorize cryptographic key creation.
How does device binding work?
Device keys are generated in hardware security modules (Secure Enclave on iOS, StrongBox on Android) and bound to the device. Key attestation provides cryptographic proof of the security level. This enables detecting identity cloning attempts, device swaps, and emulators.
What directory providers are supported?
Okta, Microsoft Entra ID, and Google Workspace. Directory webhooks handle real-time user lifecycle events. When users are suspended or deleted, the system automatically revokes their enterprise certificates.
How does certificate revocation work?
Multiple levels: certificate status field (active/revoked), attestation log integration for status queries, CRL generation with configurable distribution points, and OCSP endpoints. Revocation is immediate. Directory webhook handlers trigger automatic revocation on user suspension.
How does LastID handle personal data?
Privacy-by-design: PII lives in credentials, not databases. The system stores only DIDs, public keys, and revocation status. No names, addresses, or birth dates. Pairwise identifiers prevent correlation. Each verifier receives a unique DID. Two verifiers cannot compare notes to track users.
What user consent controls exist?
Users control what goes where. The credential system supports multiple personas with context-appropriate disclosure. Selective disclosure via SD-JWT means users choose which claims to reveal. Prove over-21 without revealing birthday. Prove employment without revealing salary. The master identity is never stored. It is computed on-demand and immediately discarded.
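The selective-disclosure mechanics behind the credential format and the consent controls above, as an added example (not LastID code): the issuer puts only salted digests in the SD-JWT payload's _sd array, the holder presents the disclosures they choose, and the verifier accepts a disclosure only if its digest is bound to the credential. The issuer-signed JWT's ES256 signature is assumed already verified; sample claims are constructed.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example, not LastID code. SD-JWT selective disclosure: digest
// computation, issuer-side disclosure creation, and verifier-side recovery.

const b64u = (s: Buffer | string): string =>
  (typeof s === "string" ? Buffer.from(s, "utf8") : s).toString("base64url");

// SD-JWT digest for sha-256: base64url(SHA-256(ascii(disclosure))).
function digest(disclosure: string): string {
  return b64u(createHash("sha256").update(disclosure, "ascii").digest());
}

// Issuer side: a disclosure is base64url(JSON "[salt, name, value]");
// the random salt keeps the digest from being brute-forced from a guessed value.
function makeDisclosure(name: string, value: unknown): string {
  return b64u(JSON.stringify([b64u(randomBytes(16)), name, value]));
}

// Issuer side: the signed payload carries only digests, sorted so their
// order reveals nothing about which claim is which.
function buildPayload(disclosures: string[]): { _sd: string[]; _sd_alg: string } {
  return { _sd: disclosures.map(digest).sort(), _sd_alg: "sha-256" };
}

// Verifier side: given the presentation "<issuer-jwt>~<disc1>~...~<kb-jwt or empty>",
// return the claims the holder disclosed. Key-binding JWT checks are out of scope here.
function disclosedClaims(
  payload: { _sd: string[]; _sd_alg?: string },
  presentation: string,
): Record<string, unknown> {
  if ((payload._sd_alg ?? "sha-256") !== "sha-256") throw new Error("unsupported _sd_alg");
  const parts = presentation.split("~");
  if (parts.length < 2) throw new Error("not an SD-JWT presentation");
  const claims: Record<string, unknown> = {};
  const seen = new Set<string>();
  for (const d of parts.slice(1, -1)) {
    const dig = digest(d);
    if (!payload._sd.includes(dig)) throw new Error("disclosure not bound to credential");
    if (seen.has(dig)) throw new Error("duplicate disclosure");
    seen.add(dig);
    const [, name, value] = JSON.parse(Buffer.from(d, "base64url").toString("utf8")) as
      [string, string, unknown];
    claims[name] = value;
  }
  return claims;
}
```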
How is sensitive data protected?
Multiple encryption layers: organization-specific KMS keys encrypt OIDC configs and PII fields, field-level encryption for sensitive data, TLS/HTTPS for all communications, FIPS endpoints in production. Audit logging with hash chains for tamper detection.