A new approach to cybersecurity
For Business → ProtectionGrid For Large Corporates → ProtectionGrid For Law Enforcement → Intelligence For Governments → Intelligence
Home / ProtectionGrid / WebAuth
WebAuth · Part of ProtectionGrid

One login for everything.
Total control for you.

WebAuth secures your employees' logins against the most exploited attack vector in business — stolen credentials. Powered by identiqa.id, with passkeys, SSO and continuous risk evaluation.

See pricing See how it works →
81%
of all data breaches involve stolen or weak credentials.
Verizon Data Breach Investigations Report
The login problem

Passwords are the
weakest link. Passkeys aren't.

Most successful cyber attacks don't break encryption — they break humans. WebAuth makes the most common attack patterns mathematically impossible.

Without WebAuth

A typical credential theft

1

Attacker sends a convincing phishing email with a fake login page.

2

Employee enters username and password — even with 2FA, the code is captured.

3

Attacker uses the credentials within seconds — from any country, any device.

4

Account compromised. Email, files, customer data — all accessible. Detection takes weeks on average.

With WebAuth

The same attack — defeated

1

Attacker sends the same phishing email with the same fake page.

2

User's passkey only works on the real domain — fake page can't trigger it.

3

Even if attacker captures something, there's no transferable secret to steal.

4

Attack defeated. The user's credentials never left their device. Phishing-resistant by design.

WebAuth features

Four layers of login defense.

1

Phishing-resistant passkeys

FIDO2 / WebAuthn passkeys replace passwords entirely. Cryptographically bound to the real domain — impossible to phish, impossible to leak.

2

SSO across everything

One identiqa.id login replaces dozens. Connect Microsoft 365, Google Workspace, Salesforce, Slack — and any SAML or OIDC application.

3

Conditional access

Allow or block access based on device, location, time of day, network reputation, or risk signals from Aura AI — continuously, not just at login.

4

Audit-ready logs

Every login attempt, every access decision, every step-up authentication — logged, searchable, exportable to your SIEM. Built for NIS2 and ISO 27001 evidence.

SSO Hub

One identity. Connected everywhere.

identiqa.id is the central identity hub. Connect to your existing identity providers, and let WebAuth secure the login experience across every business application.

Microsoft Entra
Identity provider
Google Workspace
Identity provider
Okta
Identity provider
SAML 2.0 / OIDC
Custom IdP
identiqa.id
SSO Hub · Passkeys · Conditional Access
Microsoft 365
Productivity suite
Salesforce
CRM
Slack
Collaboration
Internal apps
Via AppShield + WebAuth

Bring your existing identity provider, or use identiqa.id natively. Either way, one secure login experience across every app.

Pricing

Per user. Per month.

Simple per-seat pricing. Existing customers automatically receive bundle discounts when WebAuth is combined with other ProtectionGrid modules.

Starter
€99/mo
€3.96 per user · 25 users included
For small teams getting login security right from day one.
Get started
  • Up to 25 users
  • Passkeys (FIDO2 / WebAuthn)
  • SSO for major SaaS providers
  • Standard 2FA fallback (TOTP)
  • Basic audit log
Most popular
Business
€199/mo
€1.99 per user · 100 users included
For mid-market businesses that need real conditional access.
Get started
  • Up to 100 users
  • Everything in Starter, plus:
  • Conditional access policies (geo, device, risk)
  • Custom SAML/OIDC integrations
  • Aura AI risk scoring
  • Quarterly access review reports
Enterprise
On request
For larger organizations with regulatory and compliance demands.
Book a consultation
  • Unlimited users
  • Multi-region deployment
  • Dedicated identiqa.id tenant
  • SIEM integration + real-time alerts
  • NIS2 / ISO 27001 / SOC 2 reporting
  • SLA with response time guarantee
FAQ

Good to know. Before you start.

Don't we already have 2FA? Why do we need passkeys?
Most 2FA methods — SMS codes, authenticator apps, push notifications — are vulnerable to phishing. Attackers run real-time phishing kits that proxy your credentials and 2FA codes to the legitimate site, capturing the session token. Passkeys eliminate this entirely: they're cryptographically bound to the real domain, so a fake login page literally cannot trigger them. This is what FIDO2 / WebAuthn was designed to solve.
How is WebAuth different from Microsoft Entra (formerly Azure AD) or Okta?
WebAuth is not a replacement for your identity provider — it works with Microsoft Entra, Okta, Google Workspace, or any SAML/OIDC IdP. Think of identiqa.id as a security layer that adds passkey support, continuous risk evaluation, and conditional access to whatever IdP you already have. For customers without an existing IdP, identiqa.id can also serve as the primary identity provider. Either model works.
What if a user loses their device or their passkey?
Passkeys are typically backed up to the user's secure cloud (iCloud Keychain, Google Password Manager, 1Password, etc.), so they're available on every device the user signs into. WebAuth additionally supports enrolling multiple authenticators per user — phone, hardware key, backup device. If everything is lost, an admin can trigger a verified recovery flow with step-up authentication. Recovery is documented and audit-logged.
Can we still allow legacy systems that don't support passkeys?
Yes. WebAuth supports a graceful degradation path: passkeys where supported, TOTP-based 2FA where they're not, and conditional access rules (e.g., legacy logins only allowed from corporate networks). Over time you can tighten the policy as more applications support modern authentication.
How does conditional access actually work?
Each login attempt is evaluated against your policy in real time: who, what device, where (geo/IP/network), when, and what risk signal Aura AI sees in current threat intelligence. Common policies include "block sign-ins from anonymizing networks", "require step-up authentication for new devices", or "deny access outside business hours for non-admins". Policies can be tightened or relaxed per user group, and apply continuously — not just at the moment of login.
How long does deployment take?
For a typical mid-market deployment: 1–3 days. Day 1: connect your existing identity provider and configure basic policies. Day 2: roll out to a pilot group, enroll passkeys. Day 3: organization-wide rollout with self-service enrollment. Larger organizations and those replacing legacy IAM systems take longer — our team plans those in detail upfront.
Where is identity data stored?
identiqa.id runs on our own infrastructure in EU data centres (Germany, Ireland, Portugal, Cyprus). Authentication data, session tokens and audit logs stay within EU jurisdiction — never on AWS, Azure or GCP. For regulated customers, dedicated single-tenant deployments are available. Fully GDPR-compliant, NIS2-aligned.
CyberHub portal

See every login.
Manage every policy.

The CyberHub gives you full visibility into your identity infrastructure. Every successful login, every blocked attempt, every step-up challenge — searchable in real time, exportable to your SIEM, ready for audit.

847
Active users
12,420
Logins today
38
Blocked today
m.schmidt @ Microsoft 365 · Berlin Passkey
unknown · login attempt · TOR exit Blocked
a.weber @ Salesforce · new device Step-up
Modular protection

Cybersecurity isn't a single product. It's a system.

Combine the modules that fit your IT landscape. Existing customers automatically receive additional discounts.

AppShield
Zero-Trust app access — works hand in hand with WebAuth for end-to-end identity security.
From €49/mo
SecureDomain
AI-powered protection for your domains and DNS records.
From €7/mo
WebShield
The firewall for your websites and online shops.
From €79/mo
MailShield
Stops threats in emails — stopping phishing before it can target your logins.
From €79/mo
HybridMail
Distribute mailboxes flexibly between cloud and your own infrastructure.
From €59/mo
All modules
See the complete ProtectionGrid: six modules, one platform, one login.
View all →
Free consultation

Book a consultation.

Leave your details and you'll be able to book a consultation slot directly afterwards. We typically respond within 2 hours — no sales pitch, just a real conversation about your identity infrastructure and login security.

500+
customers worldwide
< 2h
response time

Get in touch

By submitting this form, you agree to our privacy policy. We'll get back to you within 2 hours during business hours.

500+
customers
CISO as a Service
Cybersecurity is a CEO topic. But not your full-time job.
Your dedicated CISO takes over: strategy, implementation, ongoing oversight. You focus on your business — we secure it.
Request CISO → See services