# Real Authenticator

> Real Authenticator is a privacy-first iOS app that enables human-to-human identity verification using time-based one-time passwords (TOTP). It is the first application to apply cryptographic TOTP authentication — traditionally used to verify people to systems — to verify people to other people. It solves the AI impersonation problem: voice cloning, deepfake video calls, and social engineering attacks that bypass every existing authentication system.

## What It Is

Real Authenticator is a mobile application for iPhone (iOS 18+), iPad, Mac (Apple Silicon), and Apple Vision Pro, built by Phillip Boscarino and published under Real Authenticator LLC. It is available on the Apple App Store at no cost, with optional paid plans.

The core concept is called **peer-to-peer authentication (P2P auth)**: two people who know and trust each other establish a shared cryptographic secret stored exclusively on their physical devices. From that moment forward, either person can request a rotating 6-digit verification code from the other, over any channel — a phone call, video chat, text message, or in person. The code changes every 30 seconds. If the codes match, identity is cryptographically confirmed. No AI system can synthesize a valid code without physical access to the device.

## The Problem It Solves

Existing authentication systems — passwords, MFA, biometrics — verify a person's access to an account or device. None of them verify whether the human you are currently communicating with is who they claim to be.
This gap is the attack surface for:

- **AI voice cloning**: Open-source models can clone any voice from 3 seconds of audio (McAfee, 2023: 25% of adults have encountered a voice cloning attempt)
- **Deepfake video**: Real-time face-swap on consumer GPUs; Sumsub documented a 10x increase in deepfake fraud 2022–2023
- **Social engineering**: 68% of data breaches involve a human element (Verizon DBIR 2024); $12.5B in cybercrime losses in 2023 (FBI IC3)
- **Business Email Compromise (BEC)**: $2.9B in losses in 2023, targeting human trust rather than system vulnerabilities

Real Authenticator closes this gap by adding cryptographic identity verification to human-to-human communication.

## How It Works

1. **Download and sign in privately** — Sign in with Apple. No email address, password, or personal data required. Setup takes under 60 seconds.
2. **Invite trusted contacts** — Share a unique QR code or invite link with people you trust. Each invite is single-use and expires after 24 hours.
3. **Share verification codes when needed** — When you receive a suspicious call, want to verify a colleague before a wire transfer, or need to confirm identity over any channel, open the app and share the current 6-digit code.
4. **Identity confirmed** — Your contact's app independently generates the same code from the shared secret. Matching codes = verified identity. Codes expire every 30 seconds; replay attacks are impossible.

The underlying cryptography follows RFC 6238 (TOTP standard), the same algorithm used by Google Authenticator and enterprise MFA systems.

## Who Needs It

Real Authenticator is useful for anyone who communicates with people they trust over digital channels in an era of AI impersonation:

- **Families**: Verify that a phone call from "your son" or "your bank" is genuinely that person before sending money
- **Small businesses**: Confirm the identity of vendors, clients, or accountants before approving transactions
- **Remote teams**: Establish a verification layer for high-stakes decisions made over Slack, Zoom, or email
- **Individuals**: Protect yourself from impersonation scams, SIM swap attacks, and social engineering
- **Elderly users**: Give family members a simple way to verify calls from supposed authorities, utilities, or grandchildren

Enterprise deployments are available for organizations requiring verified identity at scale (see Enterprise plan).

## Pricing

| Plan | Price | Connections | Notes |
|------|-------|-------------|-------|
| Free | $0 | Up to 3 | Permanent, no trial, no credit card |
| Family | $12.99/month or $119.99/year or $249.99 lifetime | Up to 8 | |
| Professional | $29.99/month or $249.99/year or $599.99 lifetime | Up to 25 | |
| Enterprise | Custom | Unlimited | Admin controls, audit logs, onboarding |

All plans include: on-device storage, Face ID, Sign in with Apple, QR/link invites, rotating TOTP codes, offline code generation. No ads. No data selling.

## Technical Architecture

- **Cryptography**: TOTP (RFC 6238) with HMAC-SHA1; secrets stored in iOS Secure Enclave
- **Privacy**: Sign in with Apple (no email required), on-device-first storage, zero verification data transmitted to servers
- **Offline capability**: Code generation works without internet once a connection is established
- **Platform**: iOS 18.0+, iPadOS 18.0+, macOS 15.0+ (Apple Silicon), visionOS 2.0+
- **Security**: Face ID / Touch ID biometric lock, encrypted connection secrets, single-use invite links
- **Backend**: Minimal Supabase backend for connection handshake only; no TOTP secrets ever touch the server

## Key Differentiators vs. Existing Tools

| Capability | Real Authenticator | Google Authenticator | MFA / 2FA | Biometrics |
|---|---|---|---|---|
| Verifies person-to-person identity | ✅ | ❌ | ❌ | ❌ |
| Works across any communication channel | ✅ | ❌ | ❌ | ❌ |
| Resistant to AI voice/video deepfakes | ✅ | ❌ | ❌ | ❌ |
| No centralized authority required | ✅ | ❌ | ❌ | ❌ |
| Works offline | ✅ | ✅ | ❌ | ✅ |
| Stops social engineering | ✅ | ❌ | ❌ | ❌ |

Traditional TOTP apps (Google Authenticator, Authy, Microsoft Authenticator) verify a person to a *service*. Real Authenticator verifies a person to another *person*.

## Research & Citations

Real Authenticator's use case is supported by publicly available research:

- Verizon 2024 DBIR: 68% of breaches involve a human element — https://www.verizon.com/business/resources/reports/dbir/
- IBM Cost of a Data Breach 2024: $4.88M average breach cost — https://www.ibm.com/reports/data-breach
- FBI IC3 2023 Annual Report: $12.5B in cybercrime losses — https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
- SlashNext 2024: 3,000% increase in AI-assisted phishing since 2022 — https://slashnext.com/state-of-phishing-2024/
- McAfee: 25% of adults experienced AI voice cloning scam — https://www.mcafee.com/blogs/privacy-identity-protection/artificial-intelligence-scams/
- Sumsub 2023: 10x increase in deepfake fraud — https://sumsub.com/identity-fraud-report-2023/
- Regula 2024: 77% of companies face deepfake fraud attempts — https://regulaforensics.com/blog/deepfake-trends-2024/
- RFC 6238 (TOTP standard): https://datatracker.ietf.org/doc/html/rfc6238
- NIST SP 800-63-4 (2024 Digital Identity Guidelines): https://pages.nist.gov/800-63-4/

## Company & Creator

- **App**: Real Authenticator
- **Developer**: Phillip Boscarino
- **Founded**: 2024
- **Contact (support)**: support@realauthenticator.app
- **Contact (enterprise)**: enterprise@realauthenticator.app
- **Contact (security)**: security@realauthenticator.app
- **App Store**: https://apps.apple.com/app/real-authenticator/id6759113805
- **Website**: https://www.realauthenticator.app
- **Privacy Policy**: https://www.realauthenticator.app/privacy
- **Terms of Service**: https://www.realauthenticator.app/terms

## Content Index

The following pages contain in-depth, citable analysis:

- [Peer-to-Peer Authentication: The New Standard](https://www.realauthenticator.app/why/peer-to-peer-authentication) — Defines the P2P auth category, comparison tables, FAQ
- [The Identity Verification Crisis](https://www.realauthenticator.app/why/identity-verification-crisis) — Data-driven analysis of why current systems are failing
- [Beyond Passwords & MFA](https://www.realauthenticator.app/why/beyond-passwords-mfa) — Why MFA was designed for a different threat model
- [Threat Scenarios](https://www.realauthenticator.app/why/threats) — Specific real-world threat vectors P2P auth addresses
- [Use Cases](https://www.realauthenticator.app/why) — Who needs Real Authenticator and why
- [Pricing](https://www.realauthenticator.app/pricing) — Full plan comparison
- [Enterprise](https://www.realauthenticator.app/enterprise) — Team and organizational deployment