How it works.

Common questions about LastID, from how it deploys to what it replaces.

The Product

What does LastID actually do?

LastID verifies the human you are communicating with. Not the account, not the device, the person. When someone needs to prove their identity, they receive a challenge link. They tap or scan it, the app confirms it is really them using biometrics, and you get a clear answer: verified or not. Full audit trail. Works on any channel.

What is a challenge?

A challenge is a verification request you send to someone. It shows up as a link or a QR code. The person opens it in the LastID app, confirms their identity biometrically, and you get the result in seconds. Challenges work in Slack, Teams, SMS, email, WhatsApp, or anything else that supports a link. No integration required.

What are verified calls?

Voice and video calls with continuous identity proof. During a call, the platform keeps confirming that the person who joined is still the person on the line. A visual indicator shows verification status in real time. If something changes, you know immediately.

What credentials can someone carry?

Identity builds up in layers. Everyone starts with a root identity, one per person, theirs forever. From there they can add social proof from other humans, a verified persona from government ID, an anonymous age proof, or employee credentials from their organization. A verifier asks for exactly the layers they need. The person shares only what is requested.

How is this different from MFA?

MFA proves someone has access to a device or an account. LastID proves the actual person is who they claim to be. MFA tokens can be phished, replayed, or socially engineered. Caller ID is spoofed. Security questions are guessable. LastID uses biometrics verified against the original enrollment, independent of the phone manufacturer. It tells you who is holding the phone, not just that the phone is unlocked.

Enterprise Deployment

How long does it take to deploy?

Minutes. Connect your existing identity provider. Employees log in the way they already do, go through identity proofing, and receive verifiable credentials. Your entire organization can be verified the same day.

Does it replace our identity provider?

No. LastID sits underneath your existing identity provider. You keep Okta, Azure AD, Ping, or whatever you use. LastID adds the layer that proves the human behind the account is who they say they are. Your identity provider manages accounts and access. LastID proves the person.

What does employee onboarding look like?

Employees log in with their existing enterprise credentials and MFA. They go through identity verification: government ID, selfie, liveness check, and fraud detection. They enroll biometrics. From that point on, every verification confirms the same person who enrolled. The enterprise issues an employee credential on top of the root identity. The whole process takes minutes.

Can we self-host?

Yes. Two options: self-hosted in your own infrastructure where you own everything and nothing leaves your environment, or managed by LastID with isolated tenants where we handle operations and you keep ownership of your keys and data.

What identity providers do you support?

Okta, Microsoft Entra ID, and Google Workspace. When employees are suspended or removed from your directory, their enterprise credentials are automatically revoked.

Security and Privacy

How do you verify biometrics?

LastID runs its own biometric verification, independent of the phone manufacturer. Liveness detection, anti-spoofing, multiple frames. Every time someone presents a credential, the platform confirms the face right now is the same face that enrolled. It is not a wrapper around Face ID or fingerprint. It verifies the human, not the device.

What happens if someone loses their phone?

Three recovery paths. A recovery phrase that works on any new device. An encrypted QR code with a passphrase. Or recovery split across trusted contacts where no single contact can recover alone. For enterprise deployments, organizations configure recovery policy: delay periods, location verification, device notification, and admin approval.

What audit trail does it produce?

Every identity operation produces a tamper-evident, device-signed audit record. For enterprise deployments, audit events route to your infrastructure. When someone asks what happened, you have a chain of evidence, not an agent's notes.

What personal data do you store?

Almost nothing. Personal information lives in credentials on the user's device, not in our databases. The system stores identifiers and public keys. No names, no addresses, no birth dates. Each verifier receives a unique identifier, so two verifiers cannot compare notes to track a user across organizations.

Can credentials be shared or cloned?

No. Credentials are bound to hardware-backed keys on the user's device. The private key cannot be extracted or cloned. Each verification requires a signature that only the original device can produce. Sharing a credential would require physically handing over the device.

Use Cases

How does it help with helpdesk calls?

Almost every enterprise identity failure happens at the helpdesk. Someone calls and says they lost their phone or need an MFA reset. Today, your agent follows a manual process: security questions, manager approval, callbacks. Fifteen minutes per ticket, no certainty. With LastID, the agent sends a challenge. The caller proves their identity biometrically. Seconds. No human judgment required.

Can it stop deepfake and impersonation attacks?

Yes. Deepfakes fool humans. They do not fool cryptographic verification. When your agent receives a challenge result, it is not based on whether someone sounded right or looked right on camera. It is based on a biometric match against the original enrollment and a signed credential from a trusted issuer. The math decides, not the person.

How does vendor verification work?

External parties prove their credential. You verify it. No directory federation needed. No B2B integration. They get a challenge link, they prove who they are, you get a verified result. Works the same way whether the person is inside your organization or outside it.

Can it be used for customer onboarding?

Yes. Challenge links also work for customer-facing flows. The user scans, presents the credentials you asked for, and they are in. Identity verification built into the onboarding experience rather than bolted on as a separate step.

What about age verification?

Users complete identity verification once to obtain an age credential. When a platform needs age verification, the user presents proof that they meet the age requirement. No actual birthdate is revealed. The platform gets a yes or no, verified against a trusted issuer, with no personal information to store or protect.

For Technical Teams

What standards does LastID use?

Exclusively published standards with no proprietary protocols. The architecture page covers the full stack: identity derivation, credential formats, selective disclosure, token binding, and integration surfaces. Everything is auditable and interoperable.

Is there an SDK?

Yes. A TypeScript SDK with a fluent policy builder API for requesting specific credentials and claims. Initialize, build a policy, generate a request, display a QR code, verify the result. The architecture page has code examples and integration patterns.

Can credentials be verified offline?

Yes. The SDK supports offline verification with no round-trip required. Revocation status is encoded in compact status lists that verifiers can cache locally. This works at scale for millions of credentials.
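An added illustration of the offline revocation check described above, not code from the LastID SDK or its architecture page. The list layout (one bit per credential, most significant bit first, set bit means revoked), the cache lifetime and every name are assumptions. It shows why such a list stays compact (1,000,000 credentials fit in 125,000 bytes) and why a verifier should fail closed once its cached copy is stale.

```typescript
// Added illustration, not LastID SDK code. All names are hypothetical.
// Assumed layout: one bit per credential, index 0 is the most significant
// bit of byte 0, and a set bit means "revoked".

type CachedStatusList = {
  bits: Uint8Array;   // status bitstring as published by the issuer
  capacity: number;   // number of credential slots the list covers
  fetchedAt: number;  // epoch seconds when the verifier cached it
  ttlSeconds: number; // how long the cached copy may be relied on
};

type StatusResult = "valid" | "revoked" | "stale-list" | "index-out-of-range";

// Issuer side: build a list with the given credential indexes revoked.
function buildStatusList(capacity: number, revoked: number[]): Uint8Array {
  const bits = new Uint8Array(Math.ceil(capacity / 8));
  for (const i of revoked) {
    if (!Number.isInteger(i) || i < 0 || i >= capacity) {
      throw new RangeError(`index ${i} outside list capacity ${capacity}`);
    }
    bits[i >> 3] = (bits[i >> 3] ?? 0) | (0x80 >> (i & 7));
  }
  return bits;
}

// Verifier side: no network call, only the cached list is consulted.
function checkStatus(list: CachedStatusList, index: number, now: number): StatusResult {
  // Fail closed on an expired cache: a revocation issued after fetchedAt
  // is invisible to this copy.
  if (now - list.fetchedAt > list.ttlSeconds) return "stale-list";
  if (!Number.isInteger(index) || index < 0 || index >= list.capacity) {
    return "index-out-of-range";
  }
  const byte = list.bits[index >> 3] ?? 0;
  return (byte & (0x80 >> (index & 7))) !== 0 ? "revoked" : "valid";
}

// Constructed sample: one million credentials, four of them revoked.
const sampleList: CachedStatusList = {
  bits: buildStatusList(1000000, [0, 7, 8, 999999]),
  capacity: 1000000,
  fetchedAt: 1700000000,
  ttlSeconds: 3600,
};
console.log(sampleList.bits.length, checkStatus(sampleList, 7, 1700000100));
```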
