Privasys Wallet
Your phone, turned into a hardware-grade authenticator. Privasys Wallet verifies the server is genuine before you sign anything, keeps your identity in your device’s secure chip, and shares only what you choose. No passwords. No data on our servers. Now available on iPhone and Android.
Trust should flow in both directions.
Verify before you authenticate
Today, when you sign in to a cloud service, you prove who you are. But who proves what is running on the other side? Privasys Wallet checks the server’s hardware attestation before your private key is ever used. You authenticate only after you know the service is genuine.
FIDO2, hardware to hardware
Authentication is based on FIDO2/WebAuthn, the same standard used by passkeys across the industry. Your private key is generated and stored in your phone’s secure hardware. It never leaves the device, not to us, not to the cloud, not to anyone.
No passwords. No shared secrets.
There is no password to leak, phish, or brute-force. Authentication is a cryptographic challenge-response between your device’s secure hardware and a hardware-protected enclave. Both sides prove their identity. Neither side reveals a secret.
Your keys, your sovereignty
Privasys Wallet puts you in control. Your cryptographic keys are bound to your device’s secure hardware. You choose which services to connect to, and you can see the attestation evidence for every connection before approving it. Data sovereignty starts with identity sovereignty.
How it works, under the hood.
RA-TLS verification
When you connect to an enclave-backed service, the wallet inspects the server’s TLS certificate for embedded attestation evidence. It verifies the hardware quote, confirms the code measurement, and checks the configuration root, all before your FIDO2 credential is used. Standard RA-TLS, no custom protocol.
Secure Enclave keys
On iOS, keys are generated and stored inside the Secure Enclave. On Android, keys are stored in StrongBox or the platform TEE. Signing operations happen inside the hardware. The private key is never exported, never serialised, never available in application memory.
Encrypted notifications
Push notifications from cloud enclaves are encrypted end-to-end with AES-256-GCM. The decryption key is shared between the app and a dedicated Notification Service Extension through the device keychain, so notification content is never visible to Apple, Google, or any intermediary.
Trusted app registry
The wallet maintains a local registry of verified enclave applications. Each entry records the measurements from the last successful attestation. If an enclave’s code changes unexpectedly, the wallet flags it immediately. You see what changed before deciding whether to proceed.
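The gating logic behind the RA-TLS check and the trusted app registry, as an added example (not Privasys Wallet code): it assumes the attestation evidence has already been pulled out of the TLS certificate, stands in for the vendor quote signature with an HMAC over a constructed key, and returns the decision the wallet would take before the FIDO2 credential is touched.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the hardware vendor's quote-signing key. A real
# verifier validates the quote's signature chain up to the vendor root instead.
QUOTE_SIGNING_KEY = b"constructed-vendor-root-key"


@dataclass
class Evidence:
    service: str       # hostname the evidence was extracted from (assumed already parsed)
    measurement: str   # hex hash of the enclave code, MRENCLAVE-style
    config_root: str   # hex hash of the enclave configuration
    signature: str     # hex signature over measurement || config_root


def sign_quote(measurement: str, config_root: str) -> str:
    """Constructed helper that plays the hardware's role; only used to build sample evidence."""
    msg = bytes.fromhex(measurement) + bytes.fromhex(config_root)
    return hmac.new(QUOTE_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def quote_is_valid(ev: Evidence) -> bool:
    # Constant-time comparison so a forged quote cannot be refined byte by byte.
    return hmac.compare_digest(sign_quote(ev.measurement, ev.config_root), ev.signature)


def decide(ev: Evidence, registry: dict, expected_config_root: str) -> str:
    """Gate decision taken before any FIDO2 signing operation is allowed.

    registry maps service -> measurement recorded at the last successful attestation.
    """
    if not quote_is_valid(ev):
        return "reject: quote signature invalid"
    if not hmac.compare_digest(ev.config_root, expected_config_root):
        return "reject: configuration root mismatch"
    known = registry.get(ev.service)
    if known is None:
        return "prompt: first attestation, approve to record measurement"
    if known != ev.measurement:
        return "prompt: measurement changed since last attestation"
    return "proceed: measurement matches registry"


def record(ev: Evidence, registry: dict) -> None:
    """Called only after the user approves a first-seen or changed measurement."""
    registry[ev.service] = ev.measurement
```

A "prompt" result is where the wallet shows the user what changed; "proceed" is the only result that releases the credential.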
Available now on iPhone and Android.
Free. Open source under AGPL-3.0. No account to create. Bring your own identity, back it up with a 24-word recovery phrase or trusted guardians, and sign in to anything that supports Privasys ID.