PROTOCOLS / IDENTITY & AUTHENTICATION

Keystone

Passkey-bound encryption, normalised across every platform. The standard underneath every IMS Labs application.

// WHAT IS KEYSTONE

The standard, explained

From biometric / PIN authentication through to encryption of sensitive user data: the full passkey-based, end-to-end stack every IMS Labs application inherits.

// WHY NOW

The market has already moved

Enterprises are shipping passkeys. NIST places phishing-resistant, hardware-bound authenticators at its highest assurance level. Governments are retiring SMS as a factor. Three signals from three different parts of the stack.

ENTERPRISE DEPLOYMENT
87%
Of enterprises now deploying passkeys
NIST RATIFICATION
AAL3
Highest authenticator assurance level. Device-bound passkeys on a hardware authenticator can meet it; synced passkeys are assessed at AAL2 under the NIST SP 800-63B supplement.
SMS-OTP SUNSET
2026
UAE, India, Philippines removing SMS as a factor
// WHAT IS A PASSKEY

Cryptographic key pairs, hardware-bound

Built on WebAuthn and FIDO2. Backed by Apple, Google, Microsoft, Yubico. For a device-bound passkey the private key never leaves the authenticator; a synced passkey is copied between a user's own devices under the platform provider's end-to-end encryption, never to the relying party.

No shared secret. Nothing to phish

The server issues a random challenge. The user's device signs it, together with the origin the browser observed, using a private key held by the authenticator (Secure Enclave, TPM, StrongBox or a hardware key). The server verifies the signature against the stored public key and rejects any assertion whose origin or challenge does not match.

WEBAUTHN · FIDO2 · CTAP 2.2
[Flow diagram] User biometric / PIN → sign challenge in the secure enclave (private key never leaves the device) → signature returned → server verifies against the public key → authenticated, no password exchanged

Different category, not better passwords

Passwords leak through phishing, breach, reuse, and shoulder-surfing. Passkeys remove the shared secret: the server stores only a public key, so a breach of the server yields nothing usable, and the signature is bound to the origin, so a phishing page cannot relay it. The private key is non-exportable from a device-bound authenticator; for a synced passkey its protection rests on the platform provider's end-to-end encryption.

NIST AAL3 · PHISHING-RESISTANT
PASSWORDS · FAILURE MODES
PHISHING · User typed it on a fake page
DATA BREACH · Server hash leaked, cracked offline
REUSE · Same one across 47 sites
RECOVERY · SMS, security questions, codes
SECRET LEAVES THE DEVICE

PASSKEYS · PROPERTIES
PHISHING-RESISTANT · Origin-bound; the authenticator will not sign for another domain
BREACH-RESISTANT · Server holds the public key only
UNIQUE PER SITE · Different keypair for every origin
RECOVERY · Cloud sync or device transfer
PRIVATE KEY STAYS IN THE AUTHENTICATOR

Four working groups defining the next layer

Passkey is the visible surface. Underneath, the spec is rapidly extending into payments, credentials, and agent authorisation.

FIDO ALLIANCE · IETF · W3C
CXP / CXF · DRAFT
Credential Exchange. Ends passkey vendor lock-in. Apple shipped CXF in iOS 26. Credential Provider SIG.

PAYMENTS WG · ACTIVE
Passkeys for EMV 3DS. Visa & Mastercard co-chair. Click to Pay integration. FIDO Alliance · launched 2025.

DIGITAL CREDENTIALS · EARLY
Verifiable credentials. Bridges passkeys + mDLs + eIDAS 2.0 wallets. DCWG · KYC / AML landing.

AGENT AUTH · IETF DRAFT
Passkey + AI agents. Humans via passkey, agents via OAuth delegation. draft-embesozzi-oauth-agent.
// WHERE THE SPEC FALLS SHORT

Browsers don't agree on how passkeys do encryption

Passkeys can do more than log you in. Through the PRF extension they can also return a per-credential secret that unlocks encryption keys for your data. The standard made that extension optional, so each browser shipped a different level of support. Same standard, four different behaviours.

W3C WebAuthn L3 · § 5.10.5

The standard says support may vary across implementations

One word — MAY — and every browser interprets it differently. Chrome supports it fully. Safari, iOS, and Android each ship a partial version.

THE REALITY · FRAGMENTED
Keystone · IMS Labs proprietary

One encryption layer that works the same on every browser

Keystone normalises every authenticator behaviour. The same passkey unlocks the same data, whether the user is on iPhone, MacBook, Android, or YubiKey. Drop-in for every IMS Labs surface.

OUR ANSWER · UNIFORM
// THE KEYSTONE LAYER

Passkey-bound encryption, made portable

Non-custodial by default. Optional custodial recovery. Same clean code path on every platform and hardware key.

PRF support is fragmented. Keystone normalises it

The WebAuthn PRF extension lets a passkey return a per-credential pseudo-random value from which encryption keys are derived. The spec exists, the implementations don't agree. Keystone is the proprietary layer that makes one code path work everywhere.

FRAGMENTED → UNIFIED
RAW PRF SUPPORT · APRIL 2026
CHROME · FULL
EDGE · FULL
SAFARI · PARTIAL
iOS · PARTIAL
ANDROID · PARTIAL
↓ KEYSTONE NORMALISES
KEYSTONE LAYER · IMS LABS
One unified PRF-derived key, every platform, every authenticator. Proprietary encryption on top of WebAuthn PRF.
// STANDARD ACROSS THE STACK

The default for every IMS Labs application

Keystone isn't a separate product. It's the authentication and encryption layer underneath everything we ship.

LIVE

Cortex Portal

LP and GP authentication, per-user encrypted data rooms, optional custodial recovery.

ROLLING OUT

Cortex

Operator and analyst access. Standardising across every Cortex surface.

DEFAULT

IMS Labs SaaS

Every new application ships with Keystone as the auth and encryption baseline.

DEFAULT

Customer surfaces

Same passkey authenticates and decrypts. The server stores ciphertext and public keys only; it never holds the decryption key.

// OUR POSITION

Passkeys for humans. Delegated tokens for agents

WebAuthn requires a user-presence gesture. AI agents can't provide one. The temptation is to break the spec or run a service-account passkey. We don't.

Humans authenticate via passkey. Agents act under scoped, time-limited OAuth 2.1 tokens delegated by the human. Audit trail stays clean. Standard stays intact.

HUMAN AUTH
Passkey · WebAuthn / FIDO2 · HARDWARE-BOUND · AAL3 · PHISHING-RESISTANT
AGENT AUTH
Delegated OAuth 2.1 token · SCOPED · TIME-LIMITED · REVOCABLE · LOGGED
SPEC TRACK
IETF agent-native auth draft · PUBLISHING ADOPTER VIEW AS DRAFT EVOLVES