ECDHE + Curve25519

Stateless Public Key
Infrastructure for Mobile.

True Out-of-Band architecture with authenticated ECDHE key agreement for Man-in-the-Middle protection. No shared secrets. No sensitive data on the front channel.

Transport: TLS (2048-bit RSA)
Encryption: AES256-GCM
Compliance: PSD2 / SCA

Out-of-Band Architecture (diagram)
Client: Mobile App + SDK
Service: Your Backend
Covr Secure Cloud
✗ Front Channel: blocked (no credentials or sensitive data)
✓ Back Channel: TLS (2048-bit RSA) + ECDHE

Authentication originates from Covr Cloud, never the client device.

The Silent Crisis

Legacy Authentication is Your
Biggest Risk.

The SMS Trap

The Problem

SMS was never designed as a security channel, and SMS-delivered OTPs are exposed to SIM swapping and to real-time phishing relays (Man-in-the-Middle attacks) that forward the code to the attacker.

The Reality

If you rely on telcos for security, your door is already open.

The Friction Tax

The Problem

89% of users demand a passwordless experience. Clunky authentication flows cause sign-up drop-offs and drive users to competitors.

The Reality

High security shouldn't mean high frustration.

The Compliance Squeeze

The Problem

PSD2, SCA, and GDPR compliance are non-negotiable. Legacy systems struggle to meet the requirements for 'Strong Customer Authentication' without ruining the UX.

The Reality

Non-compliance is an existential risk.

Core Architecture

Security Through Isolation

Two architectural principles designed so that a credential is never present where an attacker could steal it.

True Out-of-Band (OOB) Authentication

The transaction channel (Front Channel) is isolated from the authentication channel (Back Channel): the two run over separate connections, so an attacker on the transaction path never sees the authentication exchange.

Protocol
TLS (2048-bit RSA): secured connections for all channels.
Mechanism

Authentication requests originate from the Covr Secure Cloud, never from the client device, which must be assumed compromised.

Data Hygiene

Zero sensitive information transmitted via front channel.

Stateless PKI & Cryptography

We do not store passwords. We rely on asymmetric cryptography to validate identity without exposing credentials.

Curve
Curve25519 (elliptic curve) with SHA-256 hashing
Exchange
ECDHE

Elliptic-Curve Diffie-Hellman Ephemeral key agreement gives forward secrecy: every session uses fresh keys, so compromise of a long-term key does not expose past sessions, and a recorded exchange cannot be replayed into a new one.

Sealing

All transactions sealed using signature chains.

Security Stack

Cryptographic Foundation

Industry-standard algorithms. Independently auditable.

Layer | Specification | Function
Transport Security | TLS (2048-bit RSA) | Hardened transport layer for Front/Back channels.
Payload Encryption | AES256-GCM | Authenticated encryption for data integrity and confidentiality.
Key Exchange | ECDHE | Ephemeral key exchange, authenticated to resist active MITM.
Brute Force | Rate Limiting | Hard cap at 5 attempts before lockout.
Compliance | PSD2 / SCA | Full support for 1AA, 2AA, and 2DA flows.

All specifications independently auditable. SOC 2 Type II certified.

The Proof

Proven Results at National Scale.

60%

Reduction in Fraud

Stops account takeovers and phishing dead in their tracks.

95%

Drop in Support Costs

Automated, encrypted recovery eliminates expensive help-desk tickets.

0

Credential Sharing

Keys bound to the device hardware cannot be copied to another device, so a credential cannot be handed to someone else.

Device Integrity

Four Layers of Protection

Credentials aren't just stored—they're cryptographically bound to the device hardware.


1. Secure Enclave: Hardware Root of Trust
Private keys never leave device hardware. Bound to the TEE.

2. Storage Encryption: AES256-GCM + PBKDF2
Authenticated encryption for data at rest, with the storage key derived via PBKDF2.

3. RASP Protection: Runtime Defense
Code obfuscation, anti-debugging, SSL pinning.

4. Tamper Detection: Real-time Monitoring
Detects rooted or jailbroken devices and instrumentation attempts.

Ω Onyon Secure Storage (Proprietary)
Keys are generated and sealed within the device's Trusted Execution Environment (TEE) and are non-exportable: the private key material cannot be read out by the application or the operating system.

Advanced Protocols

The Differentiation

Unique intellectual property that separates Covr from generic MFA.

Protocol

DiME

Data Integrity Message Envelope

Covr utilizes the DiME open data format to ensure verifiable trust chains across all transactions.

Encapsulation

Envelopes contain encoded claims and application-specific encrypted data.

Immutability

Digital signatures ensure data cannot be altered post-creation.

DiME.seal({
claims: identity_token,
payload: encrypted_data,
signature: ecdsa_sig
});
Recovery

User-Driven Recovery

Secure two-factor recovery for lost/stolen devices or forgotten PINs without admin intervention. Zero help-desk tickets. Zero credential exposure.

Isolation

Data Independence

SDK data is legally and technically separated from Application data. Complete data sovereignty. Prevents cross-contamination and simplifies compliance audits.

The Comparison

Why Leaders Are Switching from OTP.

Feature | SMS / OTP (Legacy) | Covr (Next-Gen)
SIM Swap Protection | Vulnerable | Immune (no SMS dependency)
Man-in-the-Middle Defense | Vulnerable | Protected
User Experience | High Friction (Codes) | Seamless (1-Tap/Face)
Recovery Cost | $50+/ticket | Zero (Automated)
Privacy Model | Shared Secrets | No shared secrets (public key)

Developer Promise

Launch in Days. Not Months.

Security upgrades shouldn't stall your roadmap. Covr is designed for rapid deployment with a developer-first mindset.

covr-init.js
// It really is this simple.
Covr.initialize({
apiKey: "YOUR_API_KEY",
environment: "production"
});

Lightweight SDK

Full integration with just 5–10 lines of code.

Flexible Deployment

SaaS-based. Works with Cloud, On-Prem, or Hybrid.

Universal Compatibility

iOS, Android, and Web.


Business Value

Protect Your Revenue.

Security that pays for itself. Transform authentication from a cost center to a competitive advantage.

95% cost reduction

Stop Bleeding Cash

Eliminate fraud losses and drastically reduce the operational overhead of password resets and locked accounts.

3x faster signups

Accelerate Growth

Remove the friction from onboarding. Higher conversion rates mean more revenue per user.

100% SCA compliant

Be Compliant

Automatically comply with EU regulations (GDPR, PSD2, SCA) for safer payments and data privacy.

Next Steps

Ready for Technical Review?

Our solutions architects are available for detailed architecture discussions and integration planning sessions.

SOC 2 Type II Certified · PSD2 SCA Compliant · GDPR Privacy by Design · 99.9% Uptime SLA