Skip to main content
Didit Raises $2M and Joins Y Combinator (W26)
Didit
Biometric 2FA

Replace SMS one-time-password. Make a selfie the second factor.

Step up sensitive flows with a sub-2-second face match against the enrolled portrait. Phishing-resistant. SIM-swap-proof. $0.10 per authentication. 500 verifications free every month.

Start freeRead the docs
Backed by
Y Combinator
GBTC Finance
Bondex
Crnogorski Telekom
UCSF Neuroscape
Shiply
Adelantos

Trusted by 2,000+ organizations worldwide.

Dark cinematic Biometric 2FA stack — four floating translucent glass panels in 3D perspective on pure black, threaded by a luminous Didit Blue line and framed by glowing scanner brackets. Each panel carries a small pale-white motif representing a padlock, a face-match oval pair, a mobile device, and a crossed-out SMS bubble.

Phishing-resistant · SIM-swap-proof

No code to phish. No SIM to swap.

The second factor is the user's face, matched 1:1 against the portrait they enrolled at sign-up. Liveness blocks the print / replay / mask / Generative Adversarial Network (GAN) attack on the same frame. Sub-2-second verdict on entry-level Android. $0.10 per authentication. 500 verifications free every month.

How it works

From sign-up to verified user in four steps.

  1. Step 01

    Create the workflow

    Pick the checks you want — ID, liveness, face match, sanctions, address, age, phone, email, custom questions. Drag them into a flow in the dashboard, or post the same flow to our API. Branch on conditions, run A/B tests, no code required.

  2. Step 02

    Integrate

    Embed natively with our Web, iOS, Android, React Native, or Flutter SDK. Redirect to a hosted page. Or just send your user a link — by email, SMS, WhatsApp, anywhere. Pick what fits your stack.

  3. Step 03

    User goes through the flow

    Didit hosts the camera, the lighting cues, the mobile hand-off, and accessibility. While the user is in the flow, we score 200+ fraud signals in real time and verify every field against authoritative data sources. Result in under two seconds.

  4. Step 04

    You receive the results

    Real-time signed webhooks keep your database in sync the moment a user is approved, declined, or sent to review. Poll the API on demand. Or open the console to inspect every session, every signal, and manage cases your way.

Drop-in for SMS OTP · Bound to the user, not a code

Six capabilities. $0.10 per auth.

One adaptive workflow, one signed verdict, same callback shape as your existing OAuth flow. No carrier dependency, no SS7 surface, no SIM-swap exposure.
Read the docsGet an API key
01 · Tap-to-authenticate flow

One tap. Sub-2-second selfie. Done.

Open a Sessions API call, redirect the user to the hosted UI, capture one passive frame. Liveness + Face Match 1:1 + the signed webhook return inside the same two seconds. No app install, no SDK, no carrier path.
Biometric Authentication module
02 · Face Match 1:1

Match the live selfie to the enrolled portrait.

The portrait captured during the user's original KYC session is the template. Every subsequent authentication compares the new selfie to it and returns a similarity_score (0-1). Tune the auto-approve threshold per workflow. $0.05 per standalone Face Match call; $0.10 when bundled with Liveness.
Face Match 1:1 module
03 · Defeats the SMS attack surface

SIM swap. OTP phishing. Smishing. SS7. All blocked.

The four attacks the United States Federal Bureau of Investigation (FBI) and United Kingdom National Cyber Security Centre (NCSC) warn about for SMS one-time-password — SIM swap, OTP phishing, smishing kits, carrier interception — all defeat SMS. None of them work against a live selfie matched to the enrolled portrait. The FIDO Alliance lists on-device face as phishing-resistant.
Why SMS is broken
04 · Step up where it matters

Trigger only on the surfaces that warrant it.

Login from a new device, transfer above your risk threshold, password / settings change, account recovery. Pair with Device + IP Analysis so a re-auth on a brand-new device + brand-new Internet Protocol (IP) automatically steps up. Same flow, smarter triggers.
Device & IP Analysis module
05 · One signed payload

Drop-in replacement for your existing OTP callback.

The webhook delivers status, similarity_score, method, and the X-Signature-V2 header for Hash-based Message Authentication Code (HMAC) SHA-256 verification. Same callback shape, same redirect pattern. Most teams swap SMS for face in a weekend.
Webhook contract
06 · Cheaper than SMS

$0.10 per auth, no carrier fees, no minimums.

United States Tier-1 SMS one-time-password costs between $0.05 and $0.30 per send depending on carrier — and you pay even when the user never receives the code. Didit's biometric authentication is a flat $0.10 with 500 verifications free every month. No carrier dependency, no per-country tariff, no contract minimums.
See pricing
Integrate

One session. One callback. One verdict.

Open a biometric authentication session, capture the selfie in the hosted UI, read the signed verdict on your webhook.
POST /v3/session/Re-auth
$ curl -X POST https://verification.didit.me/v3/session/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -d '{
    "workflow_id": "wf_bio_2fa",
    "workflow_type": "biometric_authentication",
    "vendor_data": "user-42",
    // base64 reference selfie, ≤ 1MB (omit for liveness-only)
    "portrait_image": "/9j/4AAQSkZJRgABAQE..."
  }'
201Created{ "session_url": "verify.didit.me/..." }
Runs LIVENESS + FACE_MATCH against the supplied portrait_image.docs →
POST /v3/face-match/Server to server
$ curl -X POST https://verification.didit.me/v3/face-match/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -F "image_a=@live.jpg" \
  -F "image_b=@enrolled.jpg"
200OK{ "status": "Approved", "similarity_score": 0.96 }
Use only when you own the capture pipeline. Browser flows = hosted session.docs →
Agent-ready integration

Replace SMS OTP in one prompt.

Paste into Claude Code, Cursor, Codex, Devin, Aider, or Replit Agent. Fill in your stack. The agent provisions Didit, builds the biometric authentication workflow, swaps your existing OTP callback, and ships in a weekend.
didit-integration-prompt.md
You are integrating Didit's Biometric 2FA into <my_stack>. Replace SMS one-time-password (OTP) on sensitive flows — login from a new device, large-value transfer, settings change, account recovery — with a sub-2-second face match against the user's enrolled portrait. Cheaper than SMS. Phishing-resistant. SIM-swap-proof.

  1. Enrol the user's portrait ONCE at sign-up via the standard Know Your Customer (KYC) session.
  2. On every sensitive action, open a Biometric Authentication session that runs Passive Liveness + Face Match 1:1 against the stored portrait. Verdict in sub-2-seconds.

Pricing (public):
  - Biometric Authentication: $0.10 per authentication (Sessions API)
  - Standalone Face Match 1:1: $0.05 per match (server-to-server)
  - First 500 verifications free every month, forever

PRE-REQUISITES
  - Production API key from https://business.didit.me (sandbox key in 60s, no card).
  - Webhook endpoint with Hash-based Message Authentication Code (HMAC) SHA-256 verification using the X-Signature-V2 header.
  - The user has previously enrolled — either via a full KYC session (recommended; the portrait is stored automatically and never leaves Didit) or via a portrait you supply on each re-auth.
  - A workflow_id from the Workflow Builder. The workflow MUST contain LIVENESS, and the session must be opened with workflow_type = "biometric_authentication" (or use a workflow that has FACE_MATCH and pass a portrait_image at session creation).

STEP 1 — Enrolment (one-time, at user sign-up)

  Run a standard KYC session at sign-up. Didit stores the portrait (the face captured during the liveness step) as the user's enrolled template, bound to vendor_data.

  POST https://verification.didit.me/v3/session/
  Body:
    {
      "workflow_id": "<your KYC workflow>",
      "vendor_data": "<your user id>"
    }

  No additional code — once the user passes KYC, their enrolled portrait is ready for every future re-auth.

STEP 2 — Re-authentication (on every sensitive action)

  POST https://verification.didit.me/v3/session/
  Headers:
    x-api-key: <your api key>
    Content-Type: application/json
  Body:
    {
      "workflow_id": "<your biometric_authentication workflow>",
      "workflow_type": "biometric_authentication",
      "vendor_data": "<the same user id used at enrolment>",
      "callback": "https://<your-app>/2fa/callback",
      "metadata": {
        "reason": "<login_new_device | high_value_txn | settings_change | account_recovery>",
        "amount": "<optional, for large-value transfers>"
      },
      "portrait_image": "<base64 JPEG of the user's enrolment selfie, ≤ 1 MB — REQUIRED when the workflow has FACE_MATCH active; OMIT for liveness-only mode>"
    }

  Response: 201 Created with the hosted session_url. Redirect the user to it. The hosted UI:
    - Opens the front camera
    - Captures one passive frame
    - Runs Liveness + Face Match 1:1 against the user's enrolled portrait
    - Returns the verdict in sub-2-seconds

STEP 3 — Read the signed verdict on the webhook

  Body (excerpted for a passing re-auth):
    {
      "session_id": "<uuid>",
      "vendor_data": "<your user id>",
      "status": "Approved",
      "liveness": { "status": "Approved", "method": "PASSIVE", "score": 96 },
      "face": {
        "status": "Approved",
        "similarity_score": 0.96
      }
    }

  Verify X-Signature-V2 BEFORE trusting the body — HMAC SHA-256 of the raw bytes with your webhook secret.

  Session status enum (exact case): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.

  Branch your application:
    Approved      → execute the action (sign in, release the transfer, save settings).
    Declined      → block the action, re-prompt with a higher-friction recovery path (support contact / KYC re-do).
    In Review     → hold; route to your operations queue.
    Not Finished  → user abandoned the capture; safe to re-prompt or fall back.

STEP 4 — Alternate path (server-to-server, when you already have the selfie)

  If you already captured the selfie locally (native mobile SDK, in-app camera):

  POST https://verification.didit.me/v3/face-match/
  Headers:
    x-api-key: <your api key>
  Body (multipart/form-data):
    image_a         <the live selfie>
    image_b         <the enrolled portrait>

  Response: similarity_score (0-1), status (Approved | Declined | In Review).

  Use the standalone path only when you trust your client-side capture pipeline. For browser flows or any surface where the SDK is not embedded, always prefer the hosted session — Didit's liveness check is harder to defeat than a raw camera grab.

WEBHOOK EVENT NAMES
  - Sessions: status changes flow through the standard session webhook.
  - Always verify X-Signature-V2 on every payload.

CONSTRAINTS
  - Base URL for /v3/* endpoints is verification.didit.me (NOT apx.didit.me).
  - Feature enum is UPPERCASE: LIVENESS, FACE_MATCH, ID_VERIFICATION, AML, IP_ANALYSIS, AGE_ESTIMATION.
  - Method enum is UPPERCASE: PASSIVE, FLASHING, ACTIVE_3D.
  - Auth header is x-api-key (lowercase, hyphenated).
  - Webhook signature header is X-Signature-V2 (NOT X-Signature).
  - Status casing matches exactly: Approved, Declined, In Review, Expired, Not Finished, Resubmitted, Kyc Expired, Abandoned.
  - The biometric template is irreversible (a one-way hash) and stored on Didit's infrastructure. You never receive the raw template. Standard data-subject-deletion rules apply.

PRO TIPS
  - Pair Biometric 2FA with Device & IP Analysis (bundled into the 200+ fraud-signal stack). A re-auth that originates from a brand-new device + a brand-new IP should always step up to face.
  - For the strongest possible surface, swap method PASSIVE for ACTIVE_3D — a short motion challenge — on transfers above your operational risk threshold.

Read the docs:
  - https://docs.didit.me/core-technology/biometric-auth/overview
  - https://docs.didit.me/sessions-api/create-session
  - https://docs.didit.me/integration/webhooks

Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.
Need more context? See the full module docs.docs.didit.me →
Compliant by design

Open a new country in one click. We do the hard work.

We open the local subsidiaries, secure the licenses, run the penetration tests, earn the certifications, and align with every new regulation. To ship verifications in a new country, flip a toggle. 220+ countries live, audited and pen-tested every quarter — the only identity provider an EU member-state government has formally called safer than in-person verification.
Read the security & compliance dossier
EU financial sandbox
Tesoro · SEPBLAC · BdE
ISO/IEC 27001
Information security · 2026
SOC 2 · Type I
AICPA · 2026
iBeta Level 1 PAD
NIST / NIAP · 2026
GDPR
EU 2016/679
DORA
EU 2022/2554
MiCA
EU 2023/1114
AMLD6 · eIDAS 2.0
EU-aligned by design

Proof numbers

Proof numbers
  • $0.00
    Per authentication, flat. SMS OTP varies $0.05 to $0.30 in the US.
  • <0s
    End-to-end re-auth on entry-level Android — capture to signed webhook.
  • 0
    Carrier dependencies, SIM-swap surface, or SS7 attack vectors.
  • 0
    Free verifications every month, forever.
Three tiers, one price list

Start free. Pay per usage. Scale to Enterprise.

500 free verifications every month, forever. Pay-as-you-go for production. Custom contracts, data residency, and SLAs (Service Level Agreements) on Enterprise.
Free

Free

$0 / month. No credit card required.

  • Free KYC bundle (ID Verification + Passive Liveness + Face Match + Device & IP Analysis) — 500 / month, every month
  • Blocklisted Users
  • Duplicate Detection
  • 200+ fraud signals on every session
  • Reusable KYC across the Didit network
  • Case Management Platform
  • Workflow Builder
  • Public docs, sandbox, SDKs, MCP (Model Context Protocol) server
  • Community support
Start free
Most popular
Pay per usage

Usage Based

Pay only for what you use. 25+ modules. Public per-module pricing, no monthly minimum fee.

  • Full KYC at $0.33 (ID + Biometric + IP / Device)
  • 10,000+ AML datasets — sanctions, PEPs, adverse media
  • 1,000+ government data sources for Database Validation
  • Transaction Monitoring at $0.02 per transaction
  • Live KYB at $2.00 per business
  • Wallet Screening at $0.15 per check
  • Whitelabel verification flow — your brand, our infrastructure
See full list of pricesStart free
Enterprise

Enterprise

Custom MSA & SLA. For large volumes and regulated programs.

  • Annual contracts
  • Custom MSA, DPA, and SLA
  • Dedicated Slack and WhatsApp channel
  • Manual reviewers on demand
  • Reseller and white-label terms
  • Exclusive features and partner integrations
  • Named CSM, security review, compliance support
Talk to us

Start free → pay only when a check runs → unlock Enterprise for a custom contract, SLA, or data residency.

FAQ

Common questions

Related

Related modules + workflows

Infrastructure for identity and fraud.

One API for KYC, KYB, Transaction Monitoring, and Wallet Screening. Integrate in 5 minutes.

Start freeTalk to us
Ask an AI to summarise this page