Multi-Device Human Verification
POY Verify is not phone-only. The architecture supports verification on any device - smartphones, desktops, laptops, and tablets - through three distinct paths that maintain the zero-data security model on every platform.
The Multi-Device Challenge
Many enterprise workflows are desktop-first. Finance teams create invoices on workstations. Compliance officers review documents on laptops. Developers write code on desktop machines. Government contractors access classified systems through secured terminals. A verification system that only works on phones misses the majority of enterprise use cases.
POY Verify solves this with three architectural paths - each maintaining the core principle that biometric data never leaves the user's device and zero personal data is stored on any server.
Path 1: QR Code Bridge
The desktop application generates a cryptographic hash (SHA-256) of the content being verified - an invoice, a document, a code commit - and displays a QR code containing the hash. The user opens the POY Verify app on their phone, scans the QR code, performs a biometric liveness check, and the phone signs the hash with the Secure Enclave key. The signed stamp is sent back to the desktop over an encrypted channel.
[Diagram: QR code bridge flow. Surviving labels: content hash, displayed, QR code, on phone, to desktop.]
Key Properties
- The phone never sees the actual document - only the SHA-256 hash. The content stays on the desktop. Privacy is maintained for sensitive materials like financial documents, contracts, and classified information.
- The biometric check happens on the phone - using the same Secure Enclave hardware and liveness detection as the standard mobile flow. Zero biometric data is transmitted.
- This is the WhatsApp Web model - a proven UX pattern that billions of users already understand. Scan, verify, done.
- Works with any desktop OS - Windows, Mac, Linux, ChromeOS. The desktop only needs to display a QR code and receive the stamp response. No desktop SDK required.
- Ships fastest - the mobile SDK already exists. The QR bridge is an addition to the existing mobile app, not a new platform build.
Best For
Finance teams stamping invoices, compliance officers verifying documents, any workflow where the user is at a desktop but has their phone nearby. Most enterprise environments.
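The QR bridge exchange described above, sketched in Node.js as an added example (not POY Verify's own code). The payload fields, the nonce, the two-minute expiry, and the software P-256 key standing in for the Secure Enclave key are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const STAMP_TTL_MS = 120_000; // assumed validity window for one QR challenge

// Desktop: hash the content locally; only hash + nonce go into the QR code.
function createChallenge(content, now = Date.now()) {
  return {
    hash: crypto.createHash('sha256').update(content).digest('hex'),
    nonce: crypto.randomBytes(16).toString('hex'), // assumed anti-replay value
    issuedAt: now,
  };
}

// Signing hash and nonce together ties a stamp to one displayed challenge.
const signedBytes = (hash, nonce) => Buffer.from(`${hash}.${nonce}`, 'utf8');

// Phone (simulated): receives the QR payload, never the content itself.
function phoneSign({ hash, nonce }, privateKey) {
  const sig = crypto.sign('sha256', signedBytes(hash, nonce), privateKey);
  return { hash, nonce, signature: sig.toString('base64') };
}

// Desktop: accept only a fresh stamp that matches the displayed challenge
// and verifies under the public key enrolled for this user.
function verifyStamp(stamp, challenge, enrolledPublicKey, now = Date.now()) {
  if (now - challenge.issuedAt > STAMP_TTL_MS) return 'expired';
  if (stamp.hash !== challenge.hash) return 'hash-mismatch';
  if (stamp.nonce !== challenge.nonce) return 'nonce-mismatch';
  const sig = Buffer.from(stamp.signature, 'base64');
  const ok = crypto.verify('sha256', signedBytes(stamp.hash, stamp.nonce), enrolledPublicKey, sig);
  return ok ? 'valid' : 'bad-signature';
}

// Constructed demo: software P-256 keys stand in for Secure Enclave keys.
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
function demo() {
  const user = newKey();
  const content = 'INVOICE-0001 total=1200.00'; // constructed sample content
  const challenge = createChallenge(content);
  const stamp = phoneSign(challenge, user.privateKey);
  return {
    genuine: verifyStamp(stamp, challenge, user.publicKey),
    replayed: verifyStamp(stamp, createChallenge(content), user.publicKey),
    wrongKey: verifyStamp(stamp, challenge, newKey().publicKey),
    stale: verifyStamp(stamp, challenge, user.publicKey, challenge.issuedAt + STAMP_TTL_MS + 1),
  };
}
console.log(demo());
```

The `replayed` case shows why the nonce is there: the same document always hashes to the same value, so a signature over the hash alone would verify against any later challenge for that document.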
Path 2: Native Desktop
Modern desktop hardware actually contains the same security architecture as smartphones. The biometric verification can run natively on the desktop without any phone involvement.
| Platform | Hardware Security | Biometric Input | Capability |
|---|---|---|---|
| Mac with Apple Silicon | Secure Enclave (in chip) | Touch ID | Full parity with iPhone. Same Secure Enclave, same cryptographic operations, same security model. |
| Mac with T2 chip | T2 Security Chip | Touch ID | Secure Enclave equivalent. Supports hardware-bound key generation and biometric gating. |
| Windows with TPM 2.0 | Trusted Platform Module | Windows Hello (face/fingerprint) | TPM provides hardware key storage. Windows Hello provides biometric input. Microsoft attestation APIs are analogous to Apple App Attest. |
| Windows with USB security key | FIDO2 hardware key | Fingerprint on key | YubiKey Bio and similar provide hardware-bound biometric authentication for desktops without built-in biometric sensors. |
| Chromebook | Titan C security chip | Fingerprint sensor | ChromeOS supports WebAuthn with hardware attestation through the Titan C security chip. |
How It Works
A macOS or Windows SDK interfaces directly with the platform's hardware security module. On Mac, the SDK calls the Secure Enclave through Apple's Security framework - the same APIs used by Touch ID and Apple Pay. On Windows, the SDK uses the TPM 2.0 through Microsoft's Cryptography API: Next Generation (CNG) and Windows Hello biometric APIs.
The result is identical to the mobile flow: a hardware-bound private key that never leaves the security chip, biometric authentication that gates access to the key, and a cryptographic stamp signed inside tamper-resistant hardware. No phone required.
Best For
Organizations with modern hardware fleets (MacBooks, Surface devices, TPM 2.0 Windows machines). Developer workstations. Secure facilities where phones may not be permitted. Government and defense environments with hardware security requirements.
Path 3: FIDO2 Cross-Device
This is not a POY-proprietary approach - it is a ratified industry standard. FIDO2/WebAuthn includes a cross-device authentication protocol where the phone acts as a roaming authenticator for the desktop session via Bluetooth proximity.
[Diagram: FIDO2 cross-device flow. Surviving labels: on desktop, "Stamp", (Bluetooth), unlock, complete.]
How It Works
The user works on their desktop. When they need to stamp content or verify an action, the desktop sends a verification challenge via Bluetooth to their nearby phone. The phone prompts for biometric authentication (Face ID, fingerprint). The user unlocks, and the phone signs the challenge with the Secure Enclave key and returns the attestation to the desktop. No QR code scan needed - just phone proximity.
Apple and Google already ship this in their passkey implementations. When you use a passkey on a website and it prompts your phone, that is FIDO2 cross-device authentication in action. POY Verify can leverage the same standard protocol for human verification attestations.
Standards Compliance
- FIDO2 - Fast Identity Online 2, ratified by the FIDO Alliance (members include Apple, Google, and Microsoft)
- WebAuthn - W3C Web Authentication standard, supported in all major browsers
- CTAP2 - Client to Authenticator Protocol, handles the Bluetooth communication between desktop and phone
Best For
Seamless desktop workflows where users always have their phone nearby. Lowest friction of the three paths - no QR scanning, no desktop SDK. Leverages standards already deployed by Apple, Google, and Microsoft.
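What the receiving side has to check on a WebAuthn assertion before treating it as proof that a verified human approved a challenge, as an added Node.js example (not POY Verify's code). `RP_ID`, `ORIGIN`, the challenge construction that embeds the content hash, and the simulated authenticator with a software P-256 key are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const RP_ID = 'stamps.example';          // assumed relying-party ID
const ORIGIN = 'https://stamps.example'; // assumed web origin
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();
// Assumed binding: challenge = random nonce || SHA-256(content), base64url.
const newChallenge = (content) =>
  Buffer.concat([crypto.randomBytes(16), sha256(content)]).toString('base64url');

// Relying party: the assertion checks that decide "a verified human approved
// this challenge". authenticatorData = rpIdHash(32) | flags(1) | signCount(4).
function verifyAssertion({ authenticatorData: ad, clientDataJSON, signature }, expected, publicKey, storedCount) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expected) return 'challenge-mismatch';
  if (client.origin !== ORIGIN) return 'origin-mismatch';
  if (!ad.subarray(0, 32).equals(sha256(RP_ID))) return 'rpid-mismatch';
  if (!(ad[32] & 0x01)) return 'user-not-present';  // UP flag
  if (!(ad[32] & 0x04)) return 'user-not-verified'; // UV flag: biometric or PIN
  const signed = Buffer.concat([ad, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, publicKey, signature)) return 'bad-signature';
  const count = ad.readUInt32BE(33);
  if ((count !== 0 || storedCount !== 0) && count <= storedCount) return 'counter-regression';
  return 'valid';
}

// Simulated authenticator (constructed): software key instead of phone hardware.
function simulateAssertion(challenge, privateKey, { uv, count }) {
  const authenticatorData = Buffer.alloc(37);
  sha256(RP_ID).copy(authenticatorData, 0);
  authenticatorData[32] = 0x01 | (uv ? 0x04 : 0);
  authenticatorData.writeUInt32BE(count, 33);
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin: ORIGIN }));
  const signature = crypto.sign('sha256', Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { authenticatorData, clientDataJSON, signature };
}

function demo() {
  const key = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const content = 'commit 0001: constructed sample content';
  const ch = newChallenge(content);
  const check = (opts, expected = ch, stored = 4) =>
    verifyAssertion(simulateAssertion(ch, key.privateKey, opts), expected, key.publicKey, stored);
  return {
    verified: check({ uv: true, count: 5 }),
    noBiometric: check({ uv: false, count: 5 }),
    replayed: check({ uv: true, count: 5 }, newChallenge(content)),
    cloned: check({ uv: true, count: 4 }),
  };
}
console.log(demo());
```

The `noBiometric` case is the one specific to human verification: an assertion with a valid signature but no UV flag proves possession of the key, not that a biometric check gated its use.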
Which Path to Use?
| Criteria | QR Code Bridge | Native Desktop | FIDO2 Cross-Device |
|---|---|---|---|
| Phone required? | Yes | No | Yes (nearby) |
| Desktop hardware requirement | None | Secure Enclave / TPM 2.0 | Bluetooth |
| User friction | Medium (scan QR) | Low (touch sensor) | Lowest (auto-prompt) |
| Works offline? | Needs local network | Yes | Needs Bluetooth |
| Sensitive environments | Good | Best (no phone) | Good |
| Ship timeline | Fastest | Medium | Medium |
| Standards-based | Custom protocol | Platform APIs | FIDO2/WebAuthn |
Most organizations will use a combination. Path 1 (QR Bridge) ships first and covers 90% of use cases. Path 2 (Native Desktop) serves environments where phones are restricted. Path 3 (FIDO2) provides the smoothest UX for daily workflows once adopted. All three maintain the zero-data security model - biometric data never leaves the device regardless of which path is used.
Zero-Data Guarantee Across All Paths
The core architectural principle is the same on every device: biometric processing occurs inside hardware-secured memory (Secure Enclave, TPM, Titan C), the private key never leaves the security chip, and zero biometric data is transmitted or stored on any server. Whether verification happens on an iPhone, a MacBook, a Windows workstation, or through a FIDO2 cross-device flow, the security and privacy guarantees are identical.
This is not a feature of POY Verify - it is the architecture. The system is physically incapable of accessing biometric data regardless of which device or path is used. That constraint is what makes the zero-data guarantee credible across every deployment scenario.