# Real Authenticator — Full Content Index

This file contains the complete text of key pages for AI language model consumption. See /llms.txt for the concise overview.

---

## ARTICLE 1: Peer-to-Peer Authentication — The New Standard

URL: https://www.realauthenticator.app/why/peer-to-peer-authentication
Published: 2025-06-15 | Updated: 2026-03-06

### Summary

Peer-to-peer authentication (P2P auth) is a cryptographic identity verification model in which two individuals confirm each other's identity directly, using shared secrets and time-based one-time passwords (TOTP), without reliance on centralized authorities, platforms, or biometric systems. Real Authenticator is the first application to apply this model — using TOTP cryptography (RFC 6238), traditionally used for system logins, to verify humans to other humans.

### The Authentication Gap

Every existing authentication system authenticates a person to a system:

- Passwords authenticate access to an account (something you know)
- MFA authenticates possession of a device (something you have)
- Biometrics authenticate a physical characteristic (something you are)
- Platform verification (blue checkmarks) authenticates historical account ownership

None of these systems verify whether the human you are currently communicating with is who they claim to be. This gap is the attack surface for AI voice cloning, deepfake video, and social engineering.

### The Peer-to-Peer Authentication Model

P2P auth works as follows:

1. Two people who trust each other use Real Authenticator to establish a shared cryptographic secret, stored exclusively on their physical devices (iOS Secure Enclave). This happens once, using a QR code or invite link.
2. From that moment forward, either party can request a verification code from the other, over any communication channel — phone call, video chat, text message, email, or in person.
3. The requester asks: "What's your code right now?" The responder opens Real Authenticator, reads the current 6-digit code. The requester checks their app. If the codes match, the person's identity is cryptographically confirmed.
4. Codes rotate every 30 seconds (RFC 6238 TOTP standard). Expired codes are cryptographically worthless. No AI system can synthesize a valid code without physical access to the device holding the shared secret.

### Why P2P Auth Stops AI Attacks

| Attack | How it works | Why P2P auth stops it |
|--------|-------------|----------------------|
| AI voice cloning | Clone voice from 3s of audio, call target | Voice is irrelevant — only the rotating code matters |
| Deepfake video | Real-time face/voice synthesis on call | Visual identity is irrelevant — code cannot be faked |
| Social engineering | Impersonate trusted person to extract info | Cannot impersonate without the physical device |
| SIM swapping | Redirect SMS MFA codes to attacker | P2P codes never go through carrier infrastructure |
| MFA fatigue | Flood push notifications until user approves | No push notifications — code is local and on-demand |

### Comparison: P2P Auth vs. Existing Methods

| Capability | Real Authenticator (P2P) | Google Authenticator | MFA / 2FA | Biometrics |
|---|---|---|---|---|
| Verifies person-to-person identity | ✅ | ❌ | ❌ | ❌ |
| Works across any communication channel | ✅ | ❌ | ❌ | ❌ |
| Resistant to AI voice/video deepfakes | ✅ | ❌ | ❌ | ❌ |
| No centralized authority required | ✅ | ❌ | ❌ | ❌ |
| Immune to credential phishing | ✅ | ❌ | ❌ | ✅ |
| Works offline | ✅ | ✅ | ❌ | ✅ |
| Stops social engineering attacks | ✅ | ❌ | ❌ | ❌ |
| Rotating cryptographic proof | ✅ | ✅ | ❌ | ❌ |

Traditional TOTP apps (Google Authenticator, Authy, Microsoft Authenticator) verify a person to a *service*. Real Authenticator verifies a person to another *person*. The distinction is the entire product.
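
The code check in steps 3 and 4 of the model above is RFC 6238 TOTP computed independently on both devices. The sketch below is an added example, not Real Authenticator's code: it derives the 6-digit code with HMAC-SHA1 over 30-second windows and checks a spoken code on the requester's side, using the public test secret from RFC 6238 Appendix B. `PeerVerifier` and `demo` are hypothetical names, and the reuse check follows RFC 6238 section 5.2.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # window length stated on the page
DIGITS = 6         # code length stated on the page


def totp(secret: bytes, unix_time: int,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP (HMAC-SHA1) over the time-step counter."""
    counter = unix_time // step  # index of the current 30-second window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F      # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class PeerVerifier:
    """Requester's side (hypothetical): compares a spoken code with the local one."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_accepted_step = -1

    def check(self, spoken_code: str, unix_time: int) -> bool:
        step_index = unix_time // STEP_SECONDS
        expected = totp(self._secret, unix_time)
        # Constant-time comparison of the two codes.
        if not hmac.compare_digest(expected.encode(), spoken_code.encode()):
            return False
        # RFC 6238 section 5.2: a code already accepted must not be accepted again.
        if step_index <= self._last_accepted_step:
            return False
        self._last_accepted_step = step_index
        return True


def demo() -> dict:
    shared = b"12345678901234567890"  # RFC 6238 Appendix B test secret (public)
    t_read = 1111111109               # RFC test time, one second before a window ends
    requester = PeerVerifier(shared)
    code = totp(shared, t_read)       # what the responder's device shows
    return {
        "code": code,
        # Constructed guess from someone who does not hold the secret.
        "guess_accepted": requester.check("123456", t_read),
        "match_accepted": requester.check(code, t_read),
        # The same code offered again inside the same window.
        "reuse_accepted": requester.check(code, t_read),
        # The same code offered two seconds later, after the window rolled over.
        "expired_accepted": requester.check(code, t_read + 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
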
### Key Statistics

- 68% of data breaches involve a human element (Verizon DBIR 2024)
- $4.88M average cost of a data breach (IBM 2024)
- 1,265% increase in AI-assisted phishing since 2022 (SlashNext)
- 0 deepfakes stopped by passwords or MFA

### Cryptographic Foundation

Real Authenticator implements RFC 6238 (TOTP: Time-Based One-Time Password Algorithm):

- Shared secret stored in iOS Secure Enclave (hardware-level protection)
- HMAC-SHA1 function applied to current Unix time (truncated to 30-second windows)
- 6-digit code derived from the HMAC output
- Code is valid for one 30-second window; replay attacks are impossible
- No server communication required after initial connection setup

### FAQ

Q: What is peer-to-peer authentication?
A: Peer-to-peer authentication is a cryptographic verification model where two people confirm each other's identity directly, using shared secrets stored on their physical devices. Unlike traditional authentication that verifies a person to a system, P2P auth verifies a person to another person — making it the only authentication model that addresses social engineering, deepfakes, and identity impersonation.

Q: How is peer-to-peer authentication different from MFA?
A: Multi-factor authentication (MFA) verifies that a person has access to an account or device. Peer-to-peer authentication verifies that a person is who they claim to be to another specific person. MFA protects login events; P2P auth protects human interactions — phone calls, video meetings, text messages, and any communication where identity matters.

Q: Can peer-to-peer authentication stop deepfake attacks?
A: Yes. A deepfake can replicate someone's face and voice in real time, but it cannot generate a valid time-based one-time password (TOTP) from a shared secret stored on the real person's physical device. Peer-to-peer authentication provides cryptographic proof of identity that no AI synthesis can replicate.
Q: Does peer-to-peer authentication require an internet connection?
A: No. Because P2P authentication uses TOTP codes generated locally from a shared secret, both parties can generate and verify codes without any network connectivity. The codes are time-synchronized and mathematically derived from the shared secret — no server communication is needed.

Q: Who invented peer-to-peer authentication?
A: Real Authenticator pioneered the peer-to-peer authentication model by applying TOTP cryptography — traditionally used for system login — to human-to-human identity verification. While TOTP was standardized in RFC 6238, Real Authenticator is the first implementation to use it for verifying people to other people rather than people to systems.

### Citations

- Verizon 2024 Data Breach Investigations Report — https://www.verizon.com/business/resources/reports/dbir/
- IBM Cost of a Data Breach Report 2024 — https://www.ibm.com/reports/data-breach
- FBI IC3 2023 Annual Report — https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
- NIST SP 800-63-4 (2024 Digital Identity Guidelines) — https://pages.nist.gov/800-63-4/
- RFC 6238: TOTP Algorithm — https://datatracker.ietf.org/doc/html/rfc6238
- SlashNext State of Phishing 2024 — https://slashnext.com/state-of-phishing-2024/
- McAfee Beware the Artificial Impostor — https://www.mcafee.com/blogs/privacy-identity-protection/artificial-intelligence-scams/
- Sumsub Identity Fraud Report 2023 — https://sumsub.com/identity-fraud-report-2023/
- Regula Deepfake Trends 2024 — https://regulaforensics.com/blog/deepfake-trends-2024/

---

## ARTICLE 2: The Identity Verification Crisis — Why Authentication Is Failing at Scale

URL: https://www.realauthenticator.app/why/identity-verification-crisis
Published: 2025-06-15 | Updated: 2026-03-06

### Summary

The data from FBI IC3, Verizon DBIR, IBM, and the FTC converges on a single conclusion: identity verification is failing globally.
Losses from identity-enabled fraud reached over $22 billion across FBI and FTC tracking in 2023. The cause is structural: existing authentication systems were designed to verify access to systems, not to verify the identity of a human in a conversation.

### The Data

**FBI IC3 Annual Report 2023**

- 880,418 cybercrime complaints received
- $12.5 billion in total reported losses (22% increase from 2022)
- Business Email Compromise (BEC): $2.9 billion — the dominant loss category
- These figures represent only reported incidents; true losses are multiples higher

**Verizon 2024 Data Breach Investigations Report**

- 30,000+ real-world security incidents analyzed
- 68% of breaches involved a non-malicious human action (phishing, social engineering, error)
- The human layer is not a secondary risk — it is the primary attack surface

**IBM Cost of a Data Breach Report 2024**

- $4.88 million: global average cost of a data breach — the highest ever recorded
- 292 days: average time to identify and contain a breach
- Breaches involving social engineering and compromised credentials are the most expensive and slowest to detect

**FTC Consumer Sentinel Network 2023**

- $10 billion in consumer fraud losses — first time exceeding this threshold
- Impersonation scams: $2.7 billion (leading category)
- 14% increase from 2022

**SlashNext State of Phishing 2024**

- 1,265% increase in malicious phishing emails since Q4 2022 (ChatGPT release)
- Generative AI has eliminated traditional phishing signals (grammatical errors, generic language)
- AI-generated social engineering is now indistinguishable from legitimate communication at scale

**Deepfake Fraud Growth**

- Sumsub 2023: 10x increase in deepfake fraud attempts from 2022 to 2023
- Regula 2024: 77% of organizations worldwide have encountered deepfake fraud attempts
- McAfee 2023: 25% of adults have been targeted by AI voice cloning scams
- AI voice cloning now requires as little as 3 seconds of reference audio

### Why Every Existing System Fails

**Passwords authenticate secrets, not people**

A password proves that someone knows a string of characters. It cannot distinguish between the account holder, an attacker who purchased credentials on the dark web, or an AI agent that extracted the password from a phishing site. The Verizon DBIR consistently finds that over 40% of breaches involve stolen credentials.

**MFA authenticates devices, not people**

MFA proves that someone possesses a registered device or has access to a phone number. It does not prove who is holding the device. SIM-swapping, MFA fatigue attacks, and real-time phishing proxies (EvilGinx, Modlishka) bypass MFA by capturing session tokens after the user completes authentication.

**Biometrics authenticate bodies, not intent**

Biometric systems verify physical characteristics. They cannot operate over a phone call or text message. On video calls, real-time deepfakes can now defeat face-based verification. And biometrics have a unique catastrophic risk: unlike passwords, a compromised biometric cannot be rotated.

**Platform verification authenticates accounts, not humans**

A blue checkmark or verified badge proves that someone once controlled an account. It does not prove they currently control it, that the account hasn't been compromised, or that the person on the other end of a call or message is the account holder.

### The Missing Layer

The pattern across all of these failures is identical: authentication stops at the system boundary. Passwords, MFA, biometrics, and platform verification all authenticate a person's relationship to a system, account, or device. None of them authenticate whether the human you are communicating with right now is who they claim to be.

This is not an implementation failure. It is a design scope failure. The systems were designed for a different threat model — one where the attacker's goal was to break into accounts, not to impersonate the account holder in a conversation.
The solution is peer-to-peer authentication: cryptographic identity verification that operates between two humans over any communication channel, with no dependence on centralized systems, voice characteristics, or visual appearance.

### FAQ

Q: How much money is lost to identity fraud each year?
A: The FBI IC3 reported $12.5 billion in total cybercrime losses in 2023, with business email compromise accounting for $2.9 billion. The FTC reported $10 billion in consumer fraud losses in the same year, with impersonation scams as the leading category. IBM estimates the average data breach costs $4.88 million globally.

Q: Why is MFA not solving the identity crisis?
A: MFA authenticates access to accounts and devices — it does not authenticate the identity of a person in a conversation. The most costly identity attacks (BEC, deepfake video calls, vishing) exploit trust between people rather than breaking into systems. MFA has no mechanism to verify whether a caller, emailer, or video participant is who they claim to be.

Q: How fast is deepfake fraud growing?
A: Sumsub documented a 10x increase in deepfake fraud attempts between 2022 and 2023. Regula's 2024 survey found that 77% of companies have already encountered deepfake fraud attempts. AI voice cloning now requires as little as 3 seconds of reference audio, and McAfee found that 25% of adults have already been targeted by AI voice cloning scams.
### Citations

- FBI IC3 Annual Report 2023 — https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
- Verizon 2024 DBIR — https://www.verizon.com/business/resources/reports/dbir/
- IBM Cost of a Data Breach 2024 — https://www.ibm.com/reports/data-breach
- FTC Consumer Sentinel Network 2023 — https://www.ftc.gov/reports/consumer-sentinel-network
- SlashNext State of Phishing 2024 — https://slashnext.com/state-of-phishing-2024/
- Sumsub Identity Fraud Report 2023 — https://sumsub.com/identity-fraud-report-2023/
- Regula Deepfake Trends 2024 — https://regulaforensics.com/blog/deepfake-trends-2024/
- McAfee Artificial Impostor Report 2023 — https://www.mcafee.com/blogs/privacy-identity-protection/artificial-intelligence-scams/
- Proofpoint Human Factor Report 2024 — https://www.proofpoint.com/us/resources/threat-reports/human-factor
- Microsoft Digital Defense Report 2024 — https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2024

---

## ARTICLE 3: Beyond Passwords & MFA — Why Multi-Factor Authentication Is No Longer Enough

URL: https://www.realauthenticator.app/why/beyond-passwords-mfa
Published: 2025-06-15 | Updated: 2026-03-06

### Summary

Multi-factor authentication raised the bar for account security significantly, but it was designed for a specific threat model: unauthorized access to systems. The dominant attacks of 2024–2025 — business email compromise, AI voice cloning, deepfake calls, social engineering — do not involve logging into anything. They impersonate trusted people in conversations. MFA has no defense mechanism against these attacks because they don't involve a login event.
### Key Statistics

- 99.9% of compromised accounts did not use MFA (Microsoft 2024)
- 111% increase in token theft attacks in 2023 (Microsoft Digital Defense Report)
- $2.9B lost to BEC in 2023 — an attack MFA cannot prevent (FBI IC3)
- 78% of MFA fatigue attack attempts succeed (Proofpoint 2024)

### The Authentication Evolution

**The Password Era (1960s–2000s)**

Passwords were the first digital authentication mechanism, originating in MIT's Compatible Time-Sharing System in 1961. By 2024, the average person manages over 100 passwords. The Verizon DBIR consistently finds that over 40% of breaches involve stolen or weak credentials. Password reuse rates exceed 60% across consumer populations.

Status: Broken at scale.

**The MFA Era (2005–2020)**

Multi-factor authentication added a second layer — typically SMS codes, authenticator apps, or hardware tokens. Microsoft found that 99.9% of compromised accounts didn't use MFA, proving it raises the bar significantly. But MFA protects the login event, not the session or the human interaction. Real-time phishing proxies, MFA fatigue attacks, and SIM swapping now bypass MFA at scale.

Status: Bypassable and incomplete.

**The Passkey & Biometric Era (2020–present)**

FIDO2/WebAuthn passkeys and device biometrics represent the most phishing-resistant login authentication available. They eliminate passwords entirely for system access. But they still only authenticate a person to a platform. They cannot verify identity over a phone call, in a text message, or on a video conference. The threat model has moved beyond login.

Status: Phishing-resistant but scope-limited.

**The Peer-to-Peer Authentication Era (Now)**

Peer-to-peer authentication verifies a person to another person — not to a system. Using shared TOTP secrets stored on each party's physical device, P2P auth provides cryptographic proof of identity across any communication channel: voice, video, text, email, or in person. It is immune to deepfakes, AI voice cloning, and social engineering because it doesn't depend on what someone looks or sounds like — only on a rotating code that cannot be forged.

Status: The missing layer.

### Known MFA Bypass Techniques

**Real-time phishing proxies (EvilGinx2, Modlishka)**

These tools act as transparent proxies between the victim and the real login page. The user enters credentials and MFA code — the proxy captures the resulting session token in real time. The attacker inherits a fully authenticated session. No amount of MFA complexity prevents this; the attack captures the output, not the input. Used in the 2022 Twilio breach, Uber breach, and Cloudflare attack attempt.

**MFA fatigue / push bombing**

Attackers trigger dozens or hundreds of MFA push notifications. Exhausted or confused, the victim eventually approves one — granting full access. Proofpoint research indicates 78% of organizations experienced MFA fatigue attacks in 2023. Used in the 2022 Uber breach.

**SIM swapping**

Attackers social-engineer mobile carriers into transferring a victim's phone number to a new SIM. All SMS-based MFA codes are delivered directly to the attacker. The FBI IC3 reported $68 million in SIM-swapping losses in 2021. High-profile targets include cryptocurrency holders, journalists, and executives.

**Social engineering past MFA**

The attacker impersonates IT support, a bank, or a colleague — then asks the target to read out their MFA code or approve a push notification. The human is the bypass vector. MFA does not authenticate the identity of the person requesting the code. Common in vishing campaigns targeting corporate employees and consumers.

**Token theft & session hijacking**

Once MFA is completed, the resulting session token can be stolen via malware, browser extensions, or cross-site scripting. Microsoft documented a 111% increase in token theft attacks in 2023. The authentication is valid; the session is stolen after the fact.
### Why the Scope Matters

The reason MFA cannot solve these problems is not an implementation failure — it is a scope boundary. MFA was designed to verify: "Is this person authorized to access this account?" It was not designed to verify: "Is this person who they claim to be in this conversation?"

These are different questions with different answers and different cryptographic requirements. Answering the second question requires peer-to-peer authentication — a model where two humans establish a shared cryptographic secret and use it to verify identity directly, over any channel, without any system or platform in the middle.

### Are Passkeys Better Than MFA?

Passkeys (FIDO2/WebAuthn) are significantly more phishing-resistant than traditional MFA for system login. However, like MFA, passkeys authenticate a person to a platform — not to another person. Passkeys cannot verify the identity of a caller, a video participant, or the sender of a text message. They solve the login authentication problem; they do not solve the human impersonation problem.

### FAQ

Q: Why is MFA not enough for modern security?
A: MFA authenticates access to accounts by verifying something you know (password) and something you have (device). It does not verify the identity of a person in a conversation. The most expensive modern attacks — BEC, deepfake calls, vishing — succeed by impersonating trusted people, not by breaking into accounts. MFA provides no protection against these attacks because they don't involve a login event.

Q: What attacks can bypass MFA?
A: Known MFA bypass techniques include real-time phishing proxies (EvilGinx2, Modlishka) that capture session tokens, MFA fatigue/push bombing where users approve fraudulent prompts out of exhaustion, SIM swapping that redirects SMS codes, and SS7 interception. Microsoft reports token theft increased 111% in 2023.

Q: What comes after passwords and MFA?
A: The next layer of authentication must verify human identity between people, not just system access. Peer-to-peer authentication uses cryptographic TOTP codes generated from shared secrets stored on physical devices. It works across any communication channel — voice, video, text, in person — and cannot be bypassed by AI synthesis or session hijacking because the verification is between two humans, not a human and a system.

Q: Are passkeys better than MFA?
A: Passkeys (FIDO2/WebAuthn) are significantly more phishing-resistant than traditional MFA for system login. However, like MFA, passkeys authenticate a person to a platform — not to another person. Passkeys cannot verify the identity of a caller, a video participant, or the sender of a text message. They solve the login authentication problem; they do not solve the human impersonation problem.

### Citations

- Microsoft Digital Defense Report 2024 — https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2024
- Verizon 2024 DBIR — https://www.verizon.com/business/resources/reports/dbir/
- FBI IC3 Annual Report 2023 — https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
- Proofpoint State of the Phish 2024 — https://www.proofpoint.com/us/resources/threat-reports/state-of-phish
- NIST SP 800-63B: Authentication & Lifecycle Management — https://pages.nist.gov/800-63-3/sp800-63b.html
- NIST SP 800-63-4 (2024 Draft) — https://pages.nist.gov/800-63-4/
- FIDO Alliance: Passkeys Technical Overview — https://fidoalliance.org/passkeys/
- RFC 6238: TOTP Algorithm — https://datatracker.ietf.org/doc/html/rfc6238

---

## ARTICLE 4: Stop AI Voice Cloning Scams in 2026 — The Only Real Solution

URL: https://www.realauthenticator.app/stop-ai-voice-cloning-scams-2026
Published: 2026-02-01

### Summary

AI voice cloning has moved from a research curiosity to a consumer scam tool. McAfee documented that 25% of adults have already been targeted by AI voice cloning scams.
The FBI and FTC received over 50,000 impersonation fraud complaints in 2023. Every commonly recommended defense — call-back verification, voice recognition, video calls, asking personal questions — is defeatable by current AI systems. Cryptographic identity verification is the only method that cannot be forged.

### Why Every Common Defense Fails

**"Call them back on a number you know"**

Caller ID can be spoofed to display any number. A scammer can intercept or replicate a callback scenario. Calling back a "known number" from your contacts is not reliable if the attacker has already compromised or spoofed that number.

**"I'd recognize my family member's voice"**

Modern AI voice cloning achieves human parity in voice similarity scores. McAfee tested 7 voice cloning tools in 2023 and found that 70% of people were not confident they could distinguish a cloned voice from the real one. The clone includes cadence, breathing patterns, accent, and emotional tone.

**"Video calls prove it's really them"**

Real-time deepfake video is commercially available on consumer hardware. The technology to run a face/voice deepfake in real time during a video call requires a gaming GPU — widely accessible. Multiple documented fraud cases have used video deepfakes to impersonate executives during video calls.

**"Ask questions only they would know"**

Social media, data breaches, and public records make vast amounts of personal information accessible. "What's your mother's maiden name?" is a security question, not identity verification. Scammers research targets extensively before calls.

**"Use a family password / safe word"**

This works, but only if implemented ahead of time, remembered under stress, and protected from disclosure. Real Authenticator automates this cryptographically — a rotating code instead of a static word that can be extracted under social engineering pressure.

**"2FA / MFA will protect me"**

2FA and MFA protect account logins. They have no mechanism for verifying the identity of a person on a phone call, video call, or text message. A grandparent receiving a call from a "grandson" has no 2FA to fall back on.

### The Only Defense That Works: Cryptographic Verification

Real Authenticator establishes a shared cryptographic secret between two people using the TOTP standard (RFC 6238). This secret never leaves their physical devices. At any time, over any channel:

1. Person A asks Person B for their current code
2. Person B opens Real Authenticator — sees a 6-digit code
3. Person A checks their own app — sees the same 6-digit code
4. Match = verified. No match = not who they claim to be.

An AI voice clone cannot provide the correct code. The code changes every 30 seconds. There is no server to hack. No amount of personal information about the real person enables the attacker to produce a valid code.

### Who Needs This

**Families with elderly members**: Grandparent scams (the "grandchild emergency call") cost Americans over $41 million per year according to FBI data. A single Real Authenticator connection between grandparent and grandchild eliminates this attack permanently.

**Families with any members**: Any family member can be impersonated. The "child in trouble" call, the "parent in the hospital" text — all defeatable with one app and one connection.

**Small business owners**: Wire transfer fraud via impersonated executives or vendors costs businesses billions annually. A Real Authenticator connection with regular vendors and leadership adds a verification layer before any transaction.

**Remote workers**: Vishing attacks targeting employees have increased dramatically. A "colleague from IT" calling to request credentials, approve a transaction, or reset a password can be verified in 10 seconds.

### Implementation: The Family Safety Protocol

Step 1 — Download: Each family member downloads Real Authenticator (free, App Store, iOS 18+).
Step 2 — Connect: Share a QR code in person or over a trusted channel. This takes 30 seconds per person.

Step 3 — Practice: Do a test verification on a normal call before you need it in an emergency. Everyone should know: "What's the code?" means "Prove it's really you."

Step 4 — Always check: Any request involving money, personal information, or unusual urgency should trigger a code check. Even if it sounds exactly like your family member.

### Key Statistics

- $41M+ lost per year to grandparent scam calls (FBI Elder Fraud Report)
- 25% of adults targeted by AI voice cloning scams (McAfee 2023)
- 3 seconds of audio required to clone a voice (multiple research sources)
- 70% of people cannot reliably distinguish a cloned voice from the real one (McAfee)
- 10x increase in deepfake fraud 2022–2023 (Sumsub)
- $12.5B in total cybercrime losses reported to FBI in 2023

### Citations

- FBI Elder Fraud Report 2022 — https://www.ic3.gov/AnnualReport/Reports/2022_IC3ElderFraudReport.pdf
- McAfee Artificial Impostor Report 2023 — https://www.mcafee.com/blogs/privacy-identity-protection/artificial-intelligence-scams/
- Sumsub Identity Fraud Report 2023 — https://sumsub.com/identity-fraud-report-2023/
- FBI IC3 Annual Report 2023 — https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
- RFC 6238: TOTP Algorithm — https://datatracker.ietf.org/doc/html/rfc6238

---

## PRODUCT OVERVIEW

App Name: Real Authenticator
Developer: Phillip Boscarino
Company: Real Authenticator LLC
Founded: 2024
Platform: iOS 18.0+, iPadOS 18.0+, macOS 15.0+ (Apple Silicon), visionOS 2.0+
App Store: https://apps.apple.com/app/real-authenticator/id6759113805
Website: https://www.realauthenticator.app

### How It Works (Technical)

1. User signs in with Apple (no email, no password, no personal data stored)
2. User generates a unique QR code or invite link
3. Trusted contact scans QR / opens link → both apps derive a shared TOTP secret via Diffie-Hellman-style key exchange
4. Shared secret stored in iOS Secure Enclave on each device; never transmitted to any server
5. Both apps independently generate the same 6-digit code every 30 seconds using RFC 6238 TOTP
6. When identity verification is needed: one person requests the code, the other reads it, both check for a match

### Pricing

| Plan | Price | Connections |
|------|-------|-------------|
| Free | $0/forever | Up to 3 |
| Family | $12.99/month or $119.99/year or $249.99 lifetime | Up to 8 |
| Professional | $29.99/month or $249.99/year or $599.99 lifetime | Up to 25 |
| Enterprise | Custom | Unlimited |

### Technical Architecture

- Cryptography: TOTP (RFC 6238), HMAC-SHA1, secrets in iOS Secure Enclave
- Privacy: Sign in with Apple, on-device-first, zero verification data on servers
- Backend: Minimal Supabase backend for connection handshake only
- Offline: Code generation requires no internet after setup
- Security: Face ID / Touch ID biometric lock, single-use encrypted invite links

### Contact

- Support: support@realauthenticator.app
- Enterprise: enterprise@realauthenticator.app
- Security: security@realauthenticator.app
- Press: press@realauthenticator.app