CAI-AUTH
World's first post-quantum multi-factor authenticator. Seven cryptographic innovations protecting your identity with hybrid post-quantum signatures that survive quantum computers. NIST FIPS 203/204 compliant. Patent pending.
POST /v1/proximity/* server routes, YubiHSM 2 driver scaffold, CBB enforcement flag.
Compliance & standards coverage
CAI-AUTH v0.17.3.8 aligns with the strictest defence, banking, and EU regulatory requirements โ designed from day one for Ministries of Defence, Intelligence Services, NIS2 critical operators, PSD3-regulated banks, and reference implementation for eIDAS 2.0 EU Digital Identity Wallet.
/v1/dora/incident live with 4 h SLA timer + Merkle audit anchor.Android App
TOTP authenticator + post-quantum enrollment. Biometric lock, QR scanner, push-to-approve, encrypted backup.
Download APKAPK v0.17.5.4 (versionCode 51) · server v0.17.4.16 · 32 MB · Hybrid Post-Quantum · Bottom-tab nav ยท TOTP card 4 states ยท Edit sheet ยท SECURITY toggles ยท Master password ยท Per-client branding ยท SLSA-3 attested
Chrome Extension
Push-to-approve from browser. Send request, approve on phone with fingerprint. PQ-signed, not just a push.
Download Extensionv0.17.2.4 · Manifest V3 · 29 KB · email-only push · SLSA-3 attested · v0.17.2.5 ext n/a โ Android-only patch
Enterprise
On-premise or SaaS. REST/CBOR API, Python SDK, Docker deploy. Full data sovereignty. GDPR compliant.
Contact Salesโ Service operational
Seven Innovations. Zero Compromises.
Hybrid Post-Quantum Signatures
Hybrid post-quantum signatures combining classical and post-quantum algorithms. Both must verify independently. If quantum breaks one, the other holds.
FIPS 204Push-to-Approve with PQ Signing
The only authenticator where "approve" generates a full hybrid cryptographic signature โ not just a yes/no over TLS. Push notification to phone, biometric confirm.
First in WorldPost-Quantum WebAuthn/Passkeys
First shipping WebAuthn implementation with PQ algorithm (COSE -65535). Any website supporting passkeys can integrate. Software authenticator with hardware binding.
First ShippingML-KEM Encrypted Cloud Backup
Backup encrypted with Hybrid post-quantum key encapsulation. Password-derived via memory-hard key derivation. Server stores only opaque ciphertext. Zero knowledge.
FIPS 203Tamper-Evident Audit Chain
Every authentication event chained into a tamper-evident hash chain. Breaking one link invalidates the entire chain. Transaction-safe with serializable DB isolation.
Append-OnlyThreshold Recovery with Mandatory Delay
Lost your phone? Trusted guardians reconstruct your key via threshold social recovery. Mandatory waiting period โ existing devices get cancellation alerts. Blocks social engineering.
Anti-TakeoverHardware-Protected Biometric Keys
Hybrid post-quantum seeds protected by Android hardware secure enclave. Decryption requires biometric. Seeds zeroed immediately after signing. Keys never leave hardware.
Hardware EnclaveNo Other Product Checks All Seven
Google, Microsoft, Duo, Authy, YubiKey โ none combine PQ signatures + PQ push + PQ passkeys + PQ backup + audit chain + threshold recovery + hardware binding. CAI-AUTH is the only one.
Patent PendingHow We Compare
| Feature | Google Auth | MS Auth | Duo | Wultra | CAI-AUTH |
|---|---|---|---|---|---|
| PQ Signatures | No | No | No | Partial | Yes โ |
| PQ Push Auth | No | No | No | No | Yes โ |
| PQ WebAuthn/Passkeys | No | No | No | No | Yes โ |
| PQ Encrypted Backup | No | No | No | No | Yes โ |
| Threshold Recovery | No | No | No | No | Yes โ |
| Tamper-Evident Audit | No | No | Partial | No | Yes โ |
| Hardware-Protected Keys | No | Partial | No | Yes | Yes โ |
| Self-Hosted | No | No | No | Yes | Yes โ |
| Open Architecture | No | No | No | No | Yes โ |
What CAI-AUTH does for you, in plain words
You stop typing passwords. You stop waiting for SMS codes that arrive late. Your phone becomes the key โ biometric in, biometric out, that's it. Tap your phone on a banking terminal, approve a login on your laptop, sign a document from across the room. Behind the simplicity is post-quantum cryptography that is built to last decades, not months.
One tap, done
Approve logins, payments, document signings in under two seconds. Biometric on your phone is the only thing that authorises anything.
Quantum-safe by default
Your sessions are signed with hybrid post-quantum keys (NSA CNSA 2.0). Whether quantum computers arrive in three years or thirty, your accounts stay safe.
Your data stays in Europe
Self-host on your own infrastructure or use our EU cloud. Zero US vendor dependency. CLOUD Act immune. GDPR compliant from day one.
Works with what you have
Drop-in replacement for SMS, Google Authenticator, hardware tokens. Speaks WebAuthn, FIDO2 Hybrid Transport, and a clean CBOR API for native apps.
Custom enterprise packages
Every organisation is different. We negotiate packages that fit you โ by user count, by deployment region, by integration scope, by compliance requirements. On-premise, hybrid, or fully managed in our EU cloud. Volume pricing for 500+ users. White-label for OEM partners. Dedicated SLAs for systemically important institutions. Air-gap delivery for classified deployments.
Typical engagement: a 30-minute discovery call โ a tailored proposal in 5 business days โ a paid pilot in 30 days โ a multi-year contract once you see what your audit team has to say.
๐๏ธ Coming H2 2026: CAI-Vault
The companion product to CAI-AUTH โ a zero-knowledge digital wallet for your passwords, ID cards, boarding passes, medical documents, and crypto seed phrases. Same hybrid post-quantum cryptography. Same hardware-protected keys. Same EU sovereignty. Plus: tap-to-share documents with police or a notary in thirty seconds, with a full audit trail and biometric approval per scan.
Single CAI Technology subscription bundles AUTH + Vault when Vault ships. Customers on a current CAI-AUTH contract get early access. Drop a note to office@caitech.ro to join the beta list.
Solutions
Pre-packaged deployment patterns, compliance bundles, and integration playbooks tailored to the regulators and auditors specific to your sector.
For Banking & Fintech
PSD3 dynamic linking, PCI-DSS 4.0.1 phishing-resistant MFA, DORA incident webhook, SWIFT CSP v2026, EBA RTS on SCA.
Talk to SalesFor Healthcare
HIPAA Business Associate Agreement, EU Health Data Space alignment, break-glass emergency access (social recovery with mandatory delay window).
Talk to SalesFor Defence & Government
NSA CNSA 2.0 Category 5, NIAP Protection Profile alignment, DoD STIG hardening, air-gap deployment kit.
Talk to SalesFor IT Teams & SMB
Drop-in replacement for Google Authenticator + Duo. Self-host or EU cloud. Predictable per-user pricing. SCIM 2.0 ready.
Talk to SalesFor MSPs & Resellers
Multi-tenant deployment, partner pricing, white-label options, co-marketing budget for design wins.
Become a PartnerFor Developers
Python SDK on PyPI, REST/CBOR API, WebAuthn + FIDO2 Hybrid Transport interop, working examples for Rust/Go/Node.
Developer HubA team of credentialed security professionals
The CAI Technology team carries internationally recognised certifications across information security management, risk and control, audit, and cloud architecture โ the credentials that bank, hospital, and government auditors expect from a vendor before they trust their authentication infrastructure to it. Badges below are issued by ISACA and AWS Training & Certification on the Credly verification platform and are independently verifiable on request.
Additional team credentials:
CISA (Certified Information Systems Auditor โ ISACA),
ISO/IEC 27001 Lead Auditor (PECB / BSI lineage),
CIPP/E (IAPP โ EU privacy law),
ITIL v4 Foundation (PeopleCert / AXELOS).
In progress: CISSP & CCSP (ISCยฒ) ยท ISO/IEC 27701 Lead Implementer ยท CDPSE (ISACA) ยท CCAK (ISACA + Cloud Security Alliance) ยท further team members onboarding through 2026.
Ready to future-proof your authentication?
Quantum computers will break today's cryptography. Don't wait for Google or Microsoft โ they're 3-5 years behind.