Virtually free

A few cents

Here at ZofToken, we aim to remove all the challenges preventing organizations from using secure authentication methods for all their users. We believe one of the main barriers is cost, hence our licensing model was designed to be 'virtually free' for organizations.

That is why the annual cost (USD 0.50 per token per year) is not only guaranteed forever but also so immaterial that it could even be transferred invisibly to the end user (e.g. as part of rounding in a service fee), having no financial impact at all whether the implementation serves thousands or millions of users.

Social responsibility

If your organization is a nonprofit or provides any type of social service, please contact us and we can discuss alternatives that adjust to your needs.

User experience

Quick and easy adoption

Our solution is based on the use of smartphones by the end users. Even though each implementation can be different according to the client's needs, our reference app supports an unlimited number of tokens (potentially from different organizations) and implements a very simple model for users, similar to the one they already know from their ATM card, which simplifies onboarding.

Adapting to different clients

In the case of existing or bespoke applications, our SDK provides all the elements and examples required to implement the user experience of choice for our clients, including support for biometric scanning, one-time passwords or any other means of 2FA that best suits each particular use case.

Scalable and easy to integrate

No need for a large data center to support millions of users

Our networking protocol between the server and the apps is low-latency and high-performance.

Our central cryptographic primitive for authentication was selected because of its high security and efficiency.

Load tests indicate that with inexpensive hardware (F2s from Azure), our solution can support more than 10 million users operating at a reasonable frequency for a standard use case, such as a Home Banking service or health-related portals.

Easy to manage

ZofToken supports multiple enrolling methods (deeplinks, QR codes, one-time codes), and also simplifies the blocking, deleting and re-enrolling of users when necessary, in order to simplify administrative processes.

Easy to integrate

We provide a standard API for our backend, extensively documented and without any additional dependencies on other layers that might add complexity. This makes ZofToken trivial to connect with both modern and legacy systems.

Tokens for users can be segmented into multiple services with independent configurations and access levels, offering a high level of adaptability to each particular need (e.g. an organization might issue tokens for internal employees and also external clients on the same instance).

The status of each token can be requested by polling the API but also through webhooks, allowing multiple integration methods and enabling the usage of said tokens within existing systems and processes.



Industry standard cryptography

There is no secret sauce: ZofToken implements standard industry practices for cryptography, leveraging both native platform solutions and proven libraries.

Authentication secret protection in smartphones

Depending on the implementation selected for the app that integrates with ZofToken Server, the secret can be protected with the functions offered by the SDK and/or stored within the device's secure storage.

Duress feature

It enables the user to open a token in a special state, which is indistinguishable from the app, allowing the organization to proceed according to established protocols.


Both the backend and the webhooks feature operate under TLS to protect all traffic.

Protected API functions

Each API endpoint is protected by secrets (authkeys), which support whatever granularity level is required for the implementation.

Webhook secrets

Every webhook supports configurable secrets, to guarantee their validation by the receiving system.