MIRACL Technologies Limited

Passwordless Multi Factor Authentication

MIRACL helps any organisation replace insecure passwords, complex 2FA and expensive SMS authentication - with a simple PIN.  Purpose-built for sectors where any additional security drives users away, it uses cryptography licensed to Experian, Google, the USAF and Intel to block 99.9% of attacks. All done whilst reducing overall costs.


  • Strong Multi Factor Authentication (MFA, 2FA, 2+FA) as a service
  • Inexpensive PAYG SaaS contract with no termination notice
  • Passwordless, no credentials database and no sensitive information transmitted
  • Standards based API SDK allows cross platform, OS independent deployment
  • Federate and offload authentication with OIDC, SAML2.0, ADFS and RADIUS
  • SAML2.0 solution allows IdP and SP initiated SSO authentication
  • Hands-off access to second device browser session via Mobile App
  • Dynamically revoke and refresh user secrets without disrupting users
  • Python, Django, NodeJS, Ruby, PHP, Java, .NET and more supported
  • Real-time reporting and control of end point devices improving admin


  • Enhance authentication security whilst improving usability
  • Meet the Strong Customer Authentication (SCA) requirements of PSD2
  • Improve User Experience (UX) reducing user churn and increasing retention
  • Reduce GDPR and Brand risks from credential hacking and misuse
  • Replace SMS two step authentication and reduce costs
  • Works with all browsers and mobile apps, cross platform deployment
  • Eliminate user credentials databases to reduce data breaches
  • Zero-knowledge proof protocol = no sensitive information transmitted
  • Renders phishing, MITM, replay and all automated attacks ineffective
  • Every user-device has cryptographic secret allowing dynamic linking and signing


£0 to £0.03 a transaction a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.tanaka@miracl.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

1 0 9 2 9 2 7 3 7 3 6 8 1 0 2


MIRACL Technologies Limited Michael Tanaka
Telephone: +44 (0) 20 8191 9264
Email: michael.tanaka@miracl.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Although the MIRACL Trust ID service can operate independently by integrating directly with your website/app/service, it can also be integrated to Identity Access Management (IAM) platforms and link to all Single Sign On (SSO) systems.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
No constraints in regards to cloud Authentication, which is provisioned as a service with 99.9% or better up-time. Private Cloud, Hybrid Cloud or On-Premise installations subject to final specification of customer. Federation of user authentication should be done via established standards such as OIDC.
System requirements
  • MIRACL Trust ID subject to integrating the APIs and SDKs
  • Mobile app minimum version requirements: iOS 8 and Android 4.1
  • Software-only solution requiring neither a dongle nor a smartphone
  • Supports all browsers with a consistent interface cross platform

User support

Email or online ticketing support
Email or online ticketing
Support response times
Will vary depending on the service level a client qualifies for/opts for. Details available in the service definition and pricing documents.
The basic service offers business hours email support within 48 hours whilst the premium plus service offers a 24/7 service within 1 hour response. No difference in the response time at weekends.
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
We offer 3 levels of support:

1) A basic free service - business hours and limited out of hours.
2) A premium service - 24/7 standard service and shared account manager.
3) A premium+ service - 24/7 customer defined service and dedicated account manager.

The level of service included for free will depend on size of client (number of authentications). Clients can further opt to upgrade their level of support for an additional cost and even tailor the support for their requirements of none of the described support levels fit.

Please see service definition and pricing document for details.
Support available to third parties

Onboarding and offboarding

Getting started
User documentation is provided for admin users for integration as well as user documentation for the service. Further online or onsite training is also available depending on client size/whether required.

The MIRACL Trust ID Platform utilizes a distributed cryptography scheme to ensure high security for its key-generation and authentication services. The scheme incorporates two or more Distributed Trusted Authority (D-TA) servers, which are the core of MIRACL’s distributed cryptosystem. For a typical hosted service, MIRACL provides two physically and geographically separated D-TAs for each partner. In some cases though, it is a requirement for a partner to self-host one of the D-TAs, in which case MIRACL provides an On-Premise D-TA which can be installed on the partner’s premises and connected to the MIRACL Trust Platform. MIRACL provides documentation to describe how to setup such an On-Premise D-TA on Windows-based servers.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
N/A Service engineered to avoid GDPR risk associated with client data. No data stored by MIRACL of any value to customer or end-client.
End-of-contract process
Standard SaaS offering is free to implement with ongoing pricing based on PAYG invoicing in arrears with no contract notice period. Basic support level is included with further support levels available at an additional cost. Some advanced features of the service such as management APIs are for an additional cost. See pricing document for further details.

For On Premise, Hybrid Cloud and Private Cloud implementation is included in the price of the 12 months contract subject to 30 day notice prior to automatic contract rollover. Total cost of of contract is dependant on features required, see pricing document for further details.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Service Provider as Buyer - all functions are customised from a browser. As an enterprise service we do not recommend configuring service from a mobile device.

End-User as Customer - MIRACL Trust ID service is cross platform and almost all primary functions are identical. Mobile apps can support additional functions such as daisy-chaining enrolment of devices and remotely authenticating an unsecure desktop.
Service interface
Description of service interface
Buyer admin user - all functions are customised from a browser. Admin Users can monitor authentication/signing activity and set up new points of authentication on websites and mobile apps.

End-User of the Buyer - MIRACL Trust ID authentication is as easy as entering a 4-6 digit PIN code to gain access to the protected service. Setting up new users is default by email verification but can be any process the service provider requires. All functions and features are managed on one page.
Accessibility standards
None or don’t know
Description of accessibility
Buyer Admin User - service accessed via a browser based portal with limited graphics, no visual or audio media, use of colour or animations.

End-User of the Buyer - service providers have a great deal of flexibility how they integrate the service and expose it to the end clients. So they can determine the accessibility of the system taking into account platform and form of delivery.
Accessibility testing
Buyer Admin User - we have tested with various screen readers, screen magnifiers, speech input, alternative input devices and text to speech. As a browser based portal, most assistive technologies are of some use.

End-User of Buyer - service providers have a great deal of flexibility how they integrate the service and expose it to the end clients. So they can determine the accessibility of the system taking into account platform and form of delivery.
What users can and can't do using the API
Admin User can integrate our service with their website/app/service by connecting to our APIs using 3 simple function calls.

APIs and SDKs can then be used to enrol users, authenticate users to controlled services, authenticate users to multiple services (Single Sign On), irrefutably sign actions/transactions/documents and monitor all actions taken by the end-user, all services are cross-platform and delivered to the End-User via browsers or custom-built applications.

Our APIs and SDKs support open standards such as (but not limited to) SAML, OIDC, ADFS and RADIUS. We support Python, Django, NodeJS, Ruby, PHP, Go, Java, .NET and many other languages with our own SDKs and numerous additional languages using open source clients.
API documentation
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
Admin Users have a high degree of customisation capability given service is provisioned via APIs and SDKs.

Buyer has full control over User Flows for Enrolment and Authentication, any service provisioned screens such M-Pin (pin entry screen) can be customised to include customer branding. Private Cloud, Hybrid Cloud and on-premise installation subject to final specification of customer and gives even more detailed control over the operation of the underlying service such as the distribution and revocation of cryptographic secrets.


Independence of resources
Predictive auto-scaling and using elastic cloud servers that scale based on usage.


Service usage metrics
Metrics types
We track all events that go through the MIRACL Trust ID service.
The metrics we provide are number of authentications and unique users broken down by day, month, year, geographic region etc.
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Data can be fetched through the API or in CSV from the service admin portal.
Data export formats
Data import formats
Other data import formats
N/A there is nothing to upload.

Data-in-transit protection

Data protection between buyer and supplier networks
Other protection between networks
We never have access to buyers' data. For our service: the portal access, web login access and API access are protected using TLS 1.3.
Data protection within supplier network
Other protection within supplier network
We have implemented Googles BeyondCorp which means we do not have an internal network that gives access to data. We have strong authentication to each service and VPN for sensitive infrastructure used only for administrative actions - not day to day work. Those VPNs are also protected with two factor authentication through our own service. Access to data is given on a needs only basis.

Availability and resilience

Guaranteed availability
SLA depends on the level selected. As an example for an Uptime Commitment of 99.9%, if the availability of MIRACL Services for a given month is less than the applicable Uptime Commitment, MIRACL will provide Buyer with a credit of the Fees paid for the affected MIRACL Services for such month as follows:

Availability less than Uptime Commitment but at least 99.5%: 5% credit.
- Availability less than 99.5% but at least 99%: 10% credit.
- Availability less than 99% but at least 97.5%: 35% credit.
- Availability less than 97.5%: 100% credit.

In the event Partner is not current in its payment obligations when an outage occurs, remedies will accrue, but credits will not be issued until payment obligations are up to date.

To receive service credits, Partner must submit a written request to billing@MIRACL.com, within 30 days after the end of the month in which the MIRACL Services failed to meet the Uptime Commitment, or the right to receive credits with respect to such unavailability will be waived.
Approach to resilience
The service is architectured in such a fashion as to be always available. Each of the multiple interchangeable nodes is distributed across multiple zones in a single data-center. Load-balancing as well as auto-scaling technology is used to ensure availability even under high demand. There is no single point of failure.

Further details available on request.
Outage reporting
The service is end-to-end monitored from a number of places on the globe at least every minute. An internal company dashboard is updated with the results in real-time and the support team are notified should the service be unavailable from any of these points on the globe. The service is configurable to provide email alerts to customers. Once a month the availability information is distributed to customers with a valid contract.

Identity and authentication

User authentication needed
User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
All access secured by strong 2 Factor Authentication (2FA) associated to each unique User-AccessPoint combination. Where an AccessPoint is a specific Browser-Device, Mobile etc.

Full, real time, configuration of user roles determined on a per-user basis by admin user. Ability to revoke user access or enable/disable access to individual functions and groups of functions.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Other
Description of management access authentication
2-Factor Authentication tied to each User-AccessPoint combination. Where an AccessPoint is a specific Browser-Device, Mobile etc. This enables customer to know who initiated and how they initiated access.

Service provided with MIRACL Trust ID meaning there are no additional charges associated with adding management users or access points.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
We are Cyber Essentials certified and take a risk based approach to security governance. Currently we are implementing further policies and procedures that align with ISO27001/CSA CCM with a view to get the respective certification.
Information security policies and processes
We have a Security Policy and carry out regular risk assessment to then manage the identified risks. We also carry out internal audits that lead to continual improvement with corrective and preventative actions. Internal audits help in ensuring policies are followed. Information Security is a priority of the Company Board with regular reports being produced to keep it up to date. All reporting is done to the Information Security Officer who then reports to Company Leadership.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We follow all the good practices both for secure software development and for infrastructure. We aim for everything as code (software, infrastructure, policies) approach which gives us a number of important features of the process:
- Each change is reviewed by at least 2 people before it is accepted.
- Audit log of all changes both code or infrastructure (infrastructure is built with code).
- We can version state of the system and revert if needed.
- We can do proper Continuous Integration and Continuous Delivery (CI/CD).
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We aim at limiting the surface that's managed by us and could be potentially vulnerable.

We perform regular in-house vulnerability scanning and take actions based on the recommendations.

We are able to apply patches within hours.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The system generates reporting information on a daily basis. Any unusual activity will result in a SAR (suspicious activity report) going to the COO.

An investigation (typically within hours) will occur.

User ID's, if a compromise is suspected, will be blocked pending further investigation.
Incident management type
Supplier-defined controls
Incident management approach
The user will report the service issue via email, phone or on the user portal. The incident will be logged in our incident management system.

The user will be notified by email of actions or progress made towards resolution of the incident.

Priority will be given to :
- Ensuring the service is not compromised
- Then ensuring the user is capable of accessing the service
- Finally determining the root cause analysis of the incident

No pre-determined processes exist at present, as production incidents are negligible. We will monitor for patterns and create process as appropriate.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£0 to £0.03 a transaction a month
Discount for educational organisations
Free trial available
Description of free trial
The first 1000 authentications per month are free.
Link to free trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.tanaka@miracl.com. Tell them what format you need. It will help if you say what assistive technology you use.