By AUJay
Bio-authenticated infrastructure has arrived. In January 2026, WebAuthn Level 3 reached the W3C Candidate Recommendation milestone, and NIST SP 800-63-4 is final. Passkeys are lifting login success rates and cutting support calls, especially when deployed alongside device attestation, PAD-tested liveness checks, and on-chain policy controls. These pieces work well together.
That is where 7Block Labs comes in: we build the stack end to end, with ZK-backed privacy and account abstraction. Biometric gates raise conversion, cut OTP fees, and keep you on track for the 2026-2027 compliance deadlines. The details are below.
Building “Bio‑Authenticated” Infrastructure for High‑Security Apps
For high-security applications, the usual ways of authenticating no longer do the job. That is where bio-authentication comes in. Here is what it is and how it helps.
What is Bio-Authentication?
Bio-authentication confirms who someone is using their unique biological traits, so the person accessing a resource really is who they claim to be. The traits range from fingerprints to facial recognition and voice recognition.
Why Go Bio?
Bio-authentication is not a passing fad; it brings some solid benefits.
- Boosted security: unlike passwords, which get forgotten or stolen, biological traits are unique to each person.
- User convenience: nobody enjoys remembering a complicated password; with bio-authentication, a quick scan or swipe logs you in.
- Less fraud: identity theft gets harder, because copying someone's biological traits is far more difficult than copying a password.
Key Components of Bio-Authenticated Infrastructure
A bio-authenticated system has a few key parts:
1. Data capture: gather the biometric input, such as fingerprints or retina scans.
2. Processing: transform the captured data into a digital template that can be stored safely.
3. Matching: at login, compare the presented biometric data against the stored template to confirm it is the same person.
4. Security measures: keep user data encrypted and protected at every step.
Challenges in Implementing Bio-Authentication
Bio-authentication has its perks, but there are hurdles to clear first.
- Privacy concerns: people are understandably careful about sharing biometrics, which are deeply personal. Being transparent about how the data is used matters.
- Cost: deploying bio-authentication systems is expensive, so budget for it.
- Integration: combining bio-authentication with existing systems takes technical know-how and a good chunk of time to get right.
Conclusion
Bio-authentication is going to reshape high-security applications. For any app that must prioritize trust and safety, it steps up security while making things easier for users, and adopting it may be the key to building a safer digital world.
If you want to dive into bio-authentication for your apps, these resources are a good start:
- Biometric Authentication Techniques
- Exploring the Future of Passwordless Authentication
- Getting a Grip on Privacy in Biometrics
Phishing-resistant sign-in is not optional. Biometrics matter most when you gate sensitive actions such as wire transfers, unwrapping HSM keys, or exporting clinical data; those are high-risk actions where you want the strongest protection available.
But here is the catch: the passkey rollout has not been smooth. There have been hiccups with transferring passkeys between devices, handling attestation, and managing fallback. In 2025, Android changed its FIDO attestation formats, and many deployments still struggle with hardware-backed "android-key" attestation and enterprise attestation policy. The result is mixed trust signals, and several projects have stalled. (android-developers.googleblog.com).
Liveness checks are often treated as a procurement checkbox, but they can pose a real risk to your program if handled carelessly. Auditors want evidence from ISO/IEC 30107-3 PAD testing, and vendors toss around "Level 1, 2, or 3", while your team is left working out how that ties to FAR/FRR, the PAD types, and iBeta conformance letters. (ibeta.com).
On mobile, it is nearly impossible to prove that device-bound keys actually live in the Secure Enclave or StrongBox unless your backend verifies Key Attestation chains, and most backends do not. In that case, what you call "biometric" is really "device unlock + bearer session", which buys you little security. (developer.android.com).
You also have to balance privacy against auditability. Regulators push data minimization (see GDPR and eIDAS 2.0), and unlinkability is essential for privacy, while security teams need tamper-evident audit trails. Meanwhile, product teams want near-frictionless user experiences. ZK proofs and cancelable templates show real promise, but the operational details get complicated quickly. (digital-strategy.ec.europa.eu).
Deadlines and costs are real. PCI DSS v4.0's future-dated controls are mandatory from March 31, 2025; EUDI Wallets must be available across the EU by the end of 2026; and SMS OTP carrier fees rose again in January 2026. Any mistake will surface in audits and in your operating expenses. (blog.pcisecuritystandards.org).
Miss your Q2-Q3 2026 audit window and you will be gathering compensating-control documentation for multi-factor authentication, liveness checks, and key attestation while OTP costs keep creeping up. That T-Mobile fee hike can easily stack up to six figures a year at scale, and from what I can see, OTP pricing is not going to go down any time soon. (help.twilio.com).
Skip attestation and PAD validation and you take on serious breach and chargeback risk. The latest FRTE/FRVT results show how effective modern algorithms are, but only when you enforce match-on-device, keep biometric data current, and deploy anti-spoofing that meets 30107-3. (pages.nist.gov).
Ignore on-chain enforcement and you reintroduce weak points: a conventional Web2 login check in front, while multi-step transactions go out under unsupervised session keys or externally owned accounts (EOAs) with no policy at all. Use the ERC-4337 stack for session keys and policy modules; skipping it leaves the door open to unauthorized transactions. (alchemy.com).
We build biometric trust that stands up to real-world attacks and auditor scrutiny. These are the pillars:
1) Assurance baseline mapped to 2026 standards and deadlines
- We start with an AAL2/AAL3 profile aligned to SP 800-63-4 and PCI DSS v4.0, then add PSD2 SCA (Payment Services Directive 2 Strong Customer Authentication) and eIDAS 2.0 (Electronic Identification, Authentication and Trust Services)/EUDI Wallet acceptance. This requirements map doubles as your backlog and as the narrative for the auditor. (nist.gov).
2) Passkeys/WebAuthn L3 really done, not just "it worked on staging"
We implement WebAuthn Level 3 (W3C Candidate Recommendation, January 13, 2026) with device attestation. Concretely:
- Platform authenticators such as Face ID, Touch ID, and Android's BiometricPrompt Class 3.
- Server-side verification of attestation chains against the Apple and Google roots, plus the RKP policy, using FIDO Metadata Service v3.
- Authenticator policies, for example requiring the devicePublicKey extension or blocking low-assurance authenticators. The goal is verifiable device-bound keys, not just a biometric prompt in the UI. (w3.org).
- UX and conversion: FIDO case studies show passkeys raise success rates and cut support requests. Microsoft reports a 98% passkey success rate versus 32% for passwords; KDDI saw roughly a 35% drop in support calls; Zoho saw a 10% reduction in reset requests. We set acceptance goals against those benchmarks. (fidoalliance.org).
- Cross-device: we support synced passkeys and document provider quirks, such as the restrictions of Windows Hello and Chrome profiles, so users do not get locked out; that catches teams off guard when it is not thought through. (help.coinbase.com).
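As an added example (not 7Block Labs' code), here is a registration-time policy check of the kind described above, in Python: it parses the WebAuthn authenticatorData, verifies the rpIdHash, requires the UV flag, rejects synced (backup-eligible) credentials under a device-bound profile, and looks the AAGUID up in a constructed allowlist modeled on FIDO MDS v3 fields. The AAGUIDs, descriptions and RP IDs are placeholders, and the attestation signature and certificate chain are assumed to have been verified before this check runs.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Bits of the WebAuthn authenticatorData flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: biometric or PIN on the authenticator itself
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, key) follows
FLAG_ED = 0x80  # extension data follows

# Constructed allowlist standing in for a FIDO MDS v3 lookup. The AAGUIDs are placeholders,
# not real authenticator identifiers; keyProtection uses the vocabulary MDS uses for that field.
METADATA_ALLOWLIST = {
    bytes.fromhex("11111111111111111111111111111111"): {
        "description": "placeholder hardware-backed platform authenticator",
        "keyProtection": ["hardware", "secure_element"],
    },
    bytes.fromhex("22222222222222222222222222222222"): {
        "description": "placeholder software authenticator",
        "keyProtection": ["software"],
    },
}


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | [AAGUID(16) | credIdLen(2) | credId | COSE key]."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = data[32]
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("AT flag set but attested credential data is missing")
        aaguid = data[37:53]
        cred_len = int.from_bytes(data[53:55], "big")
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("truncated credential id")
        # The COSE public key and any extensions follow; a real server CBOR-decodes them.
    return AuthenticatorData(data[:32], flags, int.from_bytes(data[33:37], "big"), aaguid, credential_id)


def check_registration_policy(auth_data: bytes, rp_id: str, device_bound: bool = True) -> Tuple[bool, str]:
    """Apply the authenticator policy; assumes the attestation signature and chain were already verified."""
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not ad.flags & FLAG_UP:
        return False, "user presence not asserted"
    if not ad.flags & FLAG_UV:
        return False, "user verification not performed: device unlock only"
    if not ad.flags & FLAG_AT:
        return False, "no attested credential data"
    meta = METADATA_ALLOWLIST.get(ad.aaguid)
    if meta is None:
        return False, "AAGUID not in metadata allowlist"
    if "software" in meta["keyProtection"]:
        return False, "software key protection rejected"
    if device_bound and ad.flags & FLAG_BE:
        return False, "backup-eligible (synced) credential rejected by device-bound profile"
    return True, "accepted: " + meta["description"]


def build_sample_auth_data(rp_id: str, flags: int, aaguid: bytes,
                           credential_id: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Construct a test authenticatorData blob (sample data, not captured from a device)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")
            + aaguid + len(credential_id).to_bytes(2, "big") + credential_id + b"\xa0")
```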
3) Biometric liveness and template protection you can defend in procurement
- Liveness/PAD: we partner with vendors that hold ISO/IEC 30107-3 Level 1/2/3 conformance letters, such as iBeta's. We specify exactly which Presentation Attack Detection (PAD) coverage you need and tune thresholds to your fraud risk. Wherever possible we keep biometrics on the device (match-on-device), which minimizes data and shrinks the breach surface. Details here.
- Template protection: where processing must happen server side, as in remote-presence flows, we deploy cancelable templates and use Homomorphic Encryption (HE) or Multi-Party Computation (MPC) for matching. Revocation is documented: instead of touching the underlying facial data, we rotate the transforms. Recent research on template simplification and HE-friendly designs informs our architecture and vendor evaluation. Details here.
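Added example, not the page's or any vendor's code: a minimal BioHashing-style cancelable template in Python that shows why rotating the transform key revokes a template without changing the underlying biometric. The feature vectors are synthetic (built with a seeded RNG, not biometric data), and the dimensions and match threshold are illustrative assumptions rather than tuned values.

```python
import hashlib
import random
from typing import Dict, List

FEATURE_DIM = 64      # length of the feature vector a biometric pipeline would emit (assumed)
TEMPLATE_BITS = 128   # length of the protected binary template (assumed)
MATCH_THRESHOLD = 32  # max Hamming distance accepted as a genuine match (illustrative, not tuned)


def projection_rows(transform_key: bytes) -> List[List[float]]:
    """Derive a random projection matrix from the user's transform key.
    A rotated key yields an unrelated matrix; that is what makes the template cancelable."""
    seed = int.from_bytes(hashlib.sha256(transform_key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)] for _ in range(TEMPLATE_BITS)]


def protect(features: List[float], transform_key: bytes) -> List[int]:
    """Project the feature vector and keep only the signs (BioHashing-style).
    The stored template is a bit string: without the key the features cannot be
    read back from it, and a new key gives a fresh template unlinkable to the old one."""
    return [1 if sum(f * w for f, w in zip(features, row)) >= 0 else 0
            for row in projection_rows(transform_key)]


def hamming(a: List[int], b: List[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def matches(stored: List[int], probe: List[float], transform_key: bytes) -> bool:
    """Compare a live probe against the stored template under the same key."""
    return hamming(stored, protect(probe, transform_key)) <= MATCH_THRESHOLD


def synthetic_features(seed: int) -> List[float]:
    """Constructed stand-in for a real feature vector (not biometric data)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]


def noisy_capture(features: List[float], seed: int, sigma: float = 0.1) -> List[float]:
    """Simulate a fresh capture of the same person: small per-feature noise."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


def demo() -> Dict[str, int]:
    """Enroll one user; report genuine distance, impostor distance, and distance after key rotation."""
    enrolled = synthetic_features(seed=1)
    impostor = synthetic_features(seed=2)
    key_v1, key_v2 = b"user-42-transform-key-v1", b"user-42-transform-key-v2"  # constructed keys
    template_v1 = protect(enrolled, key_v1)
    return {
        "genuine": hamming(template_v1, protect(noisy_capture(enrolled, seed=3), key_v1)),
        "impostor": hamming(template_v1, protect(impostor, key_v1)),
        # Revocation: re-enroll under key_v2. The old template is unrelated to the new one,
        # so a leaked v1 template cannot be replayed against, or linked to, the new enrollment.
        "after_rotation": hamming(template_v1, protect(enrolled, key_v2)),
    }
```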
4) ZK Privacy That Gets the Thumbs Up (and Works at Scale)
We use ZK claims such as "over 18", "same-person re-verification", or "enrolled-device present" without revealing personal data. Circuits are built on Halo2/PLONK with Poseidon and Keccak lookups. For ZKML we apply sparsification to cut constraint counts and prover time, set realistic performance SLOs from recent ZKML results (prover speedups of about 46% with sparsified CNNs), and avoid speculative cryptography. (arxiv.org).
- Where ZK is not yet settled, such as selective disclosure for the EUDI Wallet at launch, we start with on-device matching and minimal disclosure, then transition to the official ZK evidence once the EU toolbox has standardized it. (biometricupdate.com).
5) On‑chain enforcement with account abstraction and policy modules
We put biometric proofs directly into transaction policy. For a user action to be approved, it must carry a fresh platform WebAuthn assertion (or a ZK proof of presence) that a policy contract or paymaster accepts. We use modular smart accounts from the ERC-4337 ecosystem with session-key permissions: ACLs, time limits, gas caps, and specific paymasters. If a session key is compromised, balances stay safe. Biometrics become a spending and contract guardrail, not just a login method. (alchemy.com).
For EOAs, we use the hybrid EIP-7702 + EIP-4337 approach, which lets wallets attach temporary smart-account logic to EOAs, and we validate the chains and infrastructure your users actually rely on. (alchemy.com).
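Added example (not 7Block Labs' contract code): an off-chain Python model of the session-key checks a policy module enforces, with a contract allowlist, expiry, gas cap, required paymaster, daily spend cap, and a tighter freshness window on the biometric assertion for high-value operations. The addresses, caps, tiers and windows are constructed placeholders, and the field names are this example's, not ERC-4337's.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

USDC = 10**6                 # USDC has 6 decimals; all amounts below are base units
HIGH_VALUE = 1_000 * USDC    # above this tier the presence proof must be much fresher (assumed)
PRESENCE_MAX_AGE = 3600      # seconds an assertion stays valid for ordinary ops (assumed)
HIGH_VALUE_MAX_AGE = 120     # seconds for high-value ops (assumed)


@dataclass
class SessionKeyPermissions:
    """What the policy module grants one session key; checked here off-chain for illustration."""
    allowed_targets: FrozenSet[str]   # contract allowlist (ACL)
    valid_until: int                  # unix time after which the key is dead
    daily_spend_cap: int              # base units per UTC day
    gas_cap: int                      # max gas per user operation
    required_paymaster: str           # the only paymaster allowed to sponsor this key's ops
    spent: Dict[int, int] = field(default_factory=dict)  # day index -> base units already spent


@dataclass
class UserOp:
    session_key: str
    target: str
    value: int
    gas_limit: int
    paymaster: str
    presence_asserted_at: Optional[int] = None  # when the user's last assertion / presence proof was verified


def validate_user_op(op: UserOp, perms: SessionKeyPermissions, now: int) -> Tuple[bool, str]:
    """Return (accepted, reason). Only an accepted op debits the daily cap."""
    if now > perms.valid_until:
        return False, "session key expired"
    if op.target not in perms.allowed_targets:
        return False, "target not on contract allowlist"
    if op.paymaster != perms.required_paymaster:
        return False, "wrong paymaster"
    if op.gas_limit > perms.gas_cap:
        return False, "gas limit above cap"
    # Every op needs a verified presence proof; high-value ops need a recent one.
    max_age = HIGH_VALUE_MAX_AGE if op.value > HIGH_VALUE else PRESENCE_MAX_AGE
    if op.presence_asserted_at is None or now - op.presence_asserted_at > max_age:
        return False, "missing or stale biometric assertion for this value tier"
    day = now // 86400
    if perms.spent.get(day, 0) + op.value > perms.daily_spend_cap:
        return False, "daily spend cap exceeded"
    perms.spent[day] = perms.spent.get(day, 0) + op.value
    return True, "accepted"


def sample_permissions() -> SessionKeyPermissions:
    """Constructed grant: Uniswap-only allowlist, 5,000 USDC/day, placeholder paymaster."""
    return SessionKeyPermissions(
        allowed_targets=frozenset({"0xUNISWAP_ROUTER_PLACEHOLDER"}),
        valid_until=2_000_000,
        daily_spend_cap=5_000 * USDC,
        gas_cap=500_000,
        required_paymaster="0xPAYMASTER_PLACEHOLDER",
    )
```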
6) Key management that keeps CISOs and auditors happy
Server-side keys live in FIPS 140-3 validated HSMs, with a migration plan off the 140-2 modules before September 21, 2026. On mobile, keys are stored in the Secure Enclave or StrongBox with registration attestation, and we reject any key whose attested security level is below the required level. (csrc.nist.gov).
7) Metrics, Rollout, and Runbooks Your GTM Can Sell
We define straightforward KPIs tied to FIDO's 2025-2026 field data: at least a 95% first-attempt success rate, 20-35% fewer support tickets, and a 20% cut in password usage after launch. We also model the OPEX savings from the OTPs being replaced, using your monthly SMS volume and current carrier rates. See fidoalliance.org for the underlying data.
What this looks like in practice (brief examples)
- Example A: Regulated fintech (EU + U.S.)
- Objective: replace SMS OTPs and passwords with passkeys, prompt biometric verification for SEPA wire transfers, and stay aligned with PSD2 SCA and PCI DSS v4.0 audit requirements.
- Build: WebAuthn L3 with device attestation and a FIDO MDS policy, backed by Android StrongBox and Apple's Secure Enclave. High-risk transactions get a PAD L2 selfie liveness check. ERC-4337 session keys carry a daily USDC limit and a Uniswap-only allowlist. Bank HSMs are upgraded to FIPS 140-3. (w3.org).
- Outcome targets: at least a 97% passkey success rate; Microsoft and LY Corp have shown 2-3x improvements over the old methods. Cut OTP costs by 30% by moving high-risk flows to biometric approvals. Align the audit package with SP 800-63-4 AAL2/AAL3 and PCI v4.0.1. (fidoalliance.org).
- Example B: EUDI Wallet as a Relying Party (targeting a 2026 launch)
- Objective: integrate the EU Digital Identity Wallet (QES), do age verification with zero-knowledge methods, store no personal information, and be ready for the 2026 mandate.
- Build: wallet-presented verifiable credentials with selective disclosure, plus an optional zero-knowledge "18 or older" proof. PAD L2 at sign-up, match-on-device for daily logins, and a policy engine that requires a recent biometric check for high-risk actions. Timelines track the European Commission's implementing acts and the national rollouts through 2026. (commission.europa.eu).
- Example C: Healthcare/PHI portal (U.S.)
A patient and provider portal handling Protected Health Information (PHI), balancing privacy with convenient access to health records.
- Objective: reduce account lockouts, keep PHI-related fraud down, and keep biometrics out of the data lake.
- Build: passkeys with match-on-device, verified through both Android and Apple attestation. FHIR export requires a recent biometric check and is audit-stamped on-chain (on a private Layer 2). Cancelable templates are in place for emergencies, with runbooks for revoking attestations. Assessed against SP 800-63-4 with a focus on AAL2+ flows. (developer.android.com).
Best Emerging Practices We Use in 2026 Builds
- Authenticator policy at registration: we enforce the authenticator policy from the first registration, using FIDO Metadata Service v3 to confirm the device carries the right biometric accuracy descriptors and matches enterprise policy. If it does not, it is rejected. (fidoalliance.org).
- Hardware-backed attestation: we verify hardware-backed attestation (Secure Enclave, StrongBox) and use securityLevel, authTimeout, and userAuthType to tailor prompts to the risk level. See source.android.com.
- Session keys: we treat session keys like JWTs, with circuit breakers: on-chain spend limits, time windows, contract allowlists, and a required paymaster. Nobody needs unlimited session keys. (alchemy.com).
- PAD-tested capture libraries: we keep live-capture libraries PAD-tested, accept only current iBeta conformance letters (Level 1, 2, or 3), and monitor BPCER and FNMR caps per ISO 30107-3. See ibeta.com.
- ZK claim design: we design ZK claims to be provable and practical, choosing circuits our infrastructure proves in seconds rather than minutes, and use ZKML where it simplifies constraints. (arxiv.org).
- OTP retirement plan: we track monthly SMS volume against the 2026 carrier fee changes and migrate users to passkeys in key flows first. (help.twilio.com).
- Measuring growth: FIDO's 2025 showcase reported better login success, faster authorizations, and lower support demand; we use those figures as quarterly targets and include them in go-to-market materials. (fidoalliance.org).
Proof -- the GTM metrics your board and auditors will accept
- Conversion and completion: target a 95-98% passkey login success rate. Microsoft and others report that passkeys authenticate 2.6 to 8 times faster than passwords or one-time passcodes (OTPs). Put these numbers in your release notes. Details here.
- Cost takeout: to size the savings from replacing OTPs, multiply your monthly SMS volume by the current T-Mobile pass-through fees plus your provider's rates. The operational savings are substantial. (help.twilio.com).
- Support deflection: target a 20-35% reduction in auth-related support tickets, and benchmark post-launch against the KDDI and Zoho case studies. (fidoalliance.org).
- Compliance posture: hand auditors the SP 800-63-4 AAL mapping, the 30107-3 PAD conformance letters, attestation verification logs, and PCI DSS v4.0.1 control evidence. Having these ready shortens findings and speeds up audits. (nist.gov).
Who this is for -- and the keywords you actually need to rank and procure on
- Heads of Platform Security and Risk in Banking and Payments. Keywords for your RFPs and documents: "PSD2 SCA inherence," "3DS 2.0 frictionless," "TRA thresholds," "delegated authentication," "account takeover prevention," "AAL2/AAL3 mapping," "FIDO2 enterprise attestation," "FIPS 140-3 HSM migration," and "PCI DSS v4.0.1 evidence pack." (eba.europa.eu).
- EU Digital Identity and Public Sector Identity Leaders. Keywords: "EUDI Wallet relying party integration," "qualified electronic signature (QES)," "selective disclosure," "implementing acts compliance," and "cross-border wallet acceptance testing." (digital-strategy.ec.europa.eu).
- Healthcare CIOs/CISOs. Keywords: "SP 800-63-4 AAL2/AAL3 PHI export gating," "FHIR R4/SMART on FHIR session binding," "match-on-device," "cancelable biometrics," and "StrongBox/Secure Enclave attestation." (nist.gov).
How We Engage (Fast)
- Discovery (2 weeks): we work through the threat model with you and build an assurance map covering AAL, PAD, and attestation, plus an OTP cost model and on-chain policy goals. You get findings, a roadmap, and T-shirt-sized effort estimates. See NIST's guidelines.
- Pilot (6-8 weeks): we deploy passkeys with device attestation and PAD L2 on one high-value flow, build an ERC-4337 smart account with session-key limits, and draft the HSM integration plan. We track login success, OTP displacement, and ticket volume against FIDO benchmarks; see the FIDO Alliance material on World Passkey Day and real-world passkey deployments.
- Hardening (8-12 weeks): we add ZK claims where they fit, complete the attestation policy with FIDO MDS, assemble PCI DSS v4.0 evidence with the SP 800-63-4 mapping, and prepare for EUDI Wallet acceptance. See the FIDO Alliance resources for the standards involved.
- Scale & operate: the details matter here. We write runbooks for revoking attestation keys and scheduling PAD recertification, track carrier fees, and deliver quarterly go-to-market updates. For key attestation, see Android's developer resources.
Where 7Block Labs Fits In Right Now
Looking for engineers who can stand up WebAuthn L3 with device attestation and wire it to on-chain policy? Our team handles the off-chain work and the Solidity. The toolkit covers smart-contract policy modules, ERC-4337 smart accounts, session-key enforcement, and ZK circuits; see our smart contract development and cross-chain solutions development pages. Need wallets and backends, device attestation, or RFP documentation? See our web3 development services and blockchain integration pages. Retiring OTP? Our security audit services cover PAD, attestation, AA policies, and PCI/NIST mapping. Launching a user-facing product with on-chain capabilities? We deliver full dApp development with biometric gates and policy-driven UX. For tokenized access or entitlements, see our asset tokenization services and the enterprise key flows in the asset management platform we develop.
Technical appendix -- specific specs we anchor to
- WebAuthn L3 CR: Dated January 13, 2026. Worth watching, because the editors are working on several new extensions. Check it out here.
- Android StrongBox/KeyMint: Keep up with the latest on key attestation verification. This covers the Biometric Class 3 thresholds and the expected FAR, FRR, and PAD levels. More details here.
- FIDO Metadata Service v3.1: Details on authenticator metadata requirements, which matter for keeping enterprise policies in line. Also watch for the hardware attestation changes arriving in 2025 and 2026. Dive deeper here.
- NIST SP 800-63-4: The final version is scheduled to come out on August 1, 2025. It’s a good idea to keep this in mind as you work on aligning with AAL and getting your audit narrative ready. If you want to dive deeper into this topic, check it out here.
- PCI DSS v4.0: Some future-dated controls become mandatory after March 31, 2025, so assessments in 2026 need to meet those evidence expectations. Dive deeper here.
- EUDI Wallet timeline: So, here’s the deal: by the end of 2026, all Member States need to roll out these wallets. The rollout of the implementation acts is planned to happen in waves throughout 2024 and 2025. If you're looking for more details, you can check it out here.
- FIPS 140‑3 migration: Just a quick note! The move to FIPS 140‑3 is on the horizon, and it’s important to remember that the historical status for 140‑2 will start to be relevant after September 21, 2026. So, keep that in mind as you plan ahead! If you want to get the full details, check it out here.
- Field Evidence for Passkeys: We're diving into how much people know about passkeys and whether they're actually using them. We'll also check out how often they successfully log in and consider how this could ease some of the support needed for FIDO's plans in 2025. Hey, take a look at the insights right here. You might find them really interesting!
Your Next Step -- A Specific, Useful, and Personal CTA
If you're an exec facing these hurdles:
- You need to trim OTP expenses by at least 25% after T-Mobile raises fees in January 2026.
- You need to pass PCI DSS v4.0 compliance in Q2-Q3 2026 in one assessment, using AAL2/AAL3-mapped biometrics.
- You need the EUDI Wallet ready by December 2026.
It's a challenge, but one you can tackle. Here's the plan:
Hey there! Want to chat with our lead architects for 45 minutes? We’ll take a good look at your attestation logs, PAD letters, and on-chain policy design. In just 72 hours after our session, you’ll receive a handy 2-page action plan that’s customized just for you. Let's get started!
First things first, reach out to our awesome blockchain integration team! They’re ready to help you out. We’re here to mix together the ideal combo of web3 development services and security audit services just for you. Our goal? To help you hit those deadlines and crush your ROI targets!
Want to dive deeper? Just hop over to help.twilio.com for more info!