Badilisha maswali ya usalama na nambari za mara moja za SMS kwa kulinganisha tena biometriska dhidi ya selfie ya usajili. Uamuzi wa chini ya sekunde 2, ~$0.15 kwa urejeshaji, iBeta Level 1 imethibitishwa.
Robinhood Ventures
Inaaminika na mashirika 2,000+ duniani kote.
Kwa nini ukaguzi wa uso unashinda SMS
SIM-swap inashinda nambari za SMS za mara moja. Phishing inashinda maswali ya usalama. Wawakilishi wa usaidizi wanajishinda wenyewe chini ya shinikizo. Ulinganishaji wa uso wa moja kwa moja dhidi ya selfie ya usajili inashinda zote tatu — kwa $0.15 kwa urejeshaji, uamuzi wa chini ya sekunde mbili, 500 bure kila mwezi.
Chagua ukaguzi unaotaka — ID, liveness, ulinganishaji wa uso, vikwazo, anwani, umri, simu, barua pepe, maswali maalum. Ziburute kwenye mtiririko kwenye dashibodi, au tuma mtiririko huo huo kwenye API yetu. Panga masharti, fanya majaribio ya A/B, hakuna code inayohitajika.
Pachika asili na SDK yetu ya Web, iOS, Android, React Native, au Flutter. Elekeza kwenye ukurasa uliopangishwa. Au tuma tu mtumiaji wako kiungo — kwa barua pepe, SMS, WhatsApp, popote. Chagua kinachofaa stack yako.
Didit inasimamia kamera, ishara za mwanga, uhamishaji wa simu, na ufikiaji. Wakati mtumiaji yuko kwenye mtiririko, tunapima ishara 200+ za udanganyifu kwa wakati halisi na kuthibitisha kila sehemu dhidi ya vyanzo vya data vya mamlaka. Matokeo chini ya sekunde mbili.
Webhooks zilizosainiwa kwa wakati halisi huweka database yako sawa mara tu mtumiaji anapoidhinishwa, kukataliwa, au kutumwa kwa ukaguzi. Piga API inapohitajika. Au fungua console kukagua kila session, kila ishara, na kudhibiti kesi kwa njia yako.
Didit · Kulinganisha Nyuso 1:1
Usajili
Urejeshaji
Didit · Passive Liveness
Didit · Sera ya Kuongeza Hatua
Didit · Fallbacks
Didit · Kumbukumbu ya Ukaguzi
Didit · Sera ya Kipindi
$ curl -X POST https://verification.didit.me/v3/session/ \
-H "x-api-key: $DIDIT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"workflow_id": "wf_account_recovery",
"vendor_data": "user-7382",
"metadata": { "trigger": "forgot_password" },
// base64 enrolment selfie, ≤ 1MB
"portrait_image": "/9j/4AAQSkZJRgABAQE..."
}'status: Approved.nyaraka →// X-Signature-V2 verified upstream
if (payload.status === "Imeidhinishwa") {
tumaBaruaPepeYaKurejeshaNenosiri(payload.vendor_data);
sajiliKifaaKipya(payload.metadata);
} vinginevyo ikiwa (payload.status === "Imekataliwa") {
security.logRecoveryAttack(payload);
}X-Signature-V2 kabla ya kusoma payload.nyaraka →You are integrating Didit into an account-recovery flow. Replace knowledge-based recovery (security questions, SMS OTP, support-rep verification) with a biometric re-match against the user's enrolment selfie. ONE Didit session, two checks:
- Passive Liveness — make sure the recovery selfie is a real human, not a print / screen / mask / deepfake.
- Face Match 1:1 — match the recovery selfie against the user's enrolment selfie. If similarity is above your threshold, the recovery is approved.
Bundle pricing (verified live, 2026-05-16):
- Passive Liveness: $0.10 per recovery
- Face Match 1:1: $0.05 per recovery
- Total: ~$0.15 per recovery — public price, no minimums
- First 500 verifications free every month, forever
- SMS / WhatsApp One-Time Passcode (OTP) fallback: $0.03 per OTP (when biometric isn't possible)
PRE-REQUISITES
- Production API key from https://business.didit.me (sandbox key in 60s, no card).
- Webhook endpoint with HMAC SHA-256 verification using the X-Signature-V2 header.
- User's enrolment selfie on file — captured during initial KYC via a previous /v3/session/. Stored under your tenant in encrypted form.
- A workflow_id from the Workflow Builder that runs Passive Liveness + Face Match 1:1 against the stored reference.
STEP 1 — Trigger recovery on the right signal
Recovery is gated by your risk policy. Typical triggers:
- User clicks "Forgot password" — always.
- Sign-in from a new device + new IP country at the same time.
- Sign-in after account dormancy (e.g. 180+ days).
- Sensitive action: large withdrawal, payout to a new beneficiary, account-settings change.
Each trigger opens a Didit session.
STEP 2 — Open the recovery session
POST https://verification.didit.me/v3/session/
Headers:
x-api-key: <your api key>
Content-Type: application/json
Body:
{
"workflow_id": "<wf id with Passive Liveness + Face Match against enrolment selfie>",
"vendor_data": "<your user id, max 256 chars>",
"callback": "https://<your-app>/account/recovery/callback",
"metadata": {
"trigger": "forgot_password",
"device_fingerprint": "<your device fingerprint>",
"ip_country": "ES"
},
"portrait_image": "<base64 JPEG of the user's enrolment selfie, ≤ 1 MB — REQUIRED when the workflow has FACE_MATCH active; the recovery flow matches the new live selfie against this stored reference>"
}
Response: 201 Created with a hosted session URL. Redirect the user (web or in-app webview) to the URL. Sub-2-second median verdict on completion.
STEP 3 — Read the signed webhook on the verdict
Didit POSTs to your callback. Session statuses are Title Case With Spaces:
Body (excerpted):
{
"session_id": "<uuid>",
"vendor_data": "<your user id>",
"status": "Approved",
"liveness": { "status": "Approved" },
"face": { "status": "Approved", "similarity_score": 0.94 }
}
Status enum (exact case): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.
Verify the X-Signature-V2 header BEFORE reading the body — HMAC SHA-256 of the raw bytes with your webhook secret.
STEP 4 — Branch on the verdict
Approved → unlock recovery: send the password-reset email, register the new device, complete the sensitive action.
In Review → soft-fail the recovery, route to support for human review.
Declined → block the recovery; log the hit. Could be a printed-photo or screen-replay attack — surface to security.
Resubmitted → user retried after a soft rejection — re-read.
Kyc Expired → reference selfie has aged out (per your retention policy) — fall back to documented recovery flow.
STEP 5 — Fallback for users who can't take a selfie
Camera missing, low light, hardware refused permission. Two graceful fallbacks:
- SMS / WhatsApp / Telegram One-Time Passcode (OTP) via Didit Phone Verification, $0.03 per OTP.
- Email magic link via your existing transactional email provider, $0.03 per email.
- Authenticator app — Time-based One-Time Password (TOTP) or FIDO2 hardware key, free.
Configure the fallback chain in the Workflow Builder. Selfie always tried first.
WEBHOOK EVENT NAMES
- Sessions: status changes flow through the standard session webhook.
Verify X-Signature-V2 on every payload.
CONSTRAINTS
- Session statuses use Title Case With Spaces (Approved, In Review). Do not lowercase or snake_case them.
- The recovery similarity threshold is configurable per app — start at 0.85, tune up for high-assurance apps (banks, brokerages) and down for low-friction consumer apps.
- Liveness is a Presentation Attack Detection (PAD) Level 1 model — defeats prints, screens, masks, deepfakes on consumer cameras. Active liveness (head-tilt prompts) is available for higher-friction higher-assurance flows at $0.15.
- The user's enrolment selfie must have been captured by Didit (any prior /v3/session/ with face capture). Bring-your-own enrolment image is roadmap.
- Default audit retention is 5 years configurable in the Business Console.
Read the docs:
- https://docs.didit.me/sessions-api/create-session
- https://docs.didit.me/core-technology/face-match/overview
- https://docs.didit.me/core-technology/liveness/overview
- https://docs.didit.me/integration/webhooks
Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.$0 / mwezi. Hakuna kadi ya mkopo inayohitajika.
Lipa tu kwa unachotumia. Moduli 25+. Bei za umma kwa kila moduli, hakuna ada ya chini ya kila mwezi.
MSA & SLA maalum. Kwa idadi kubwa na programu zilizodhibitiwa.
Anza bure → lipa tu wakati ukaguzi unafanyika → fungua Enterprise kwa mkataba maalum, SLA, au uhifadhi wa data.
Didit ni miundombinu ya utambulisho na udanganyifu — jukwaa ambalo tulitamani lingekuwepo tulipokuwa tukijenga bidhaa sisi wenyewe: wazi, rahisi, na rafiki kwa waendelezaji, ili lifanye kazi kama sehemu halisi ya stack yako badala ya black box unayoingiza.
API moja inashughulikia kuthibitisha watu (KYC, know your customer), kuthibitisha biashara (KYB, know your business), kuchunguza pochi za crypto (KYT, know your transaction), na kufuatilia miamala kwa wakati halisi — kwenye stack iliyojengwa kuwa:
Msingi wake: aina 14,000+ za hati katika lugha 48+, vyanzo vya data 1,000+, na ishara za udanganyifu 200+ kwenye kila kipindi. Miundombinu ya Didit inajifunza kwa nguvu kutoka kila kipindi na inaboresha kila siku.
Kwa sababu mtiririko wa kurejesha ni sehemu rahisi zaidi ya kupita uthibitishaji. Mtumiaji amesahau nenosiri — kwa ufafanuzi huwezi kuliuliza. Programu nyingi hurudi kwenye:
Kulinganisha uso moja kwa moja dhidi ya selfie ya usajili kunashinda zote nne.
Matatizo matatu ya kimuundo ambayo hayawezi kutoweka:
Taasisi ya Kitaifa ya Viwango na Teknolojia (NIST) ya Marekani imependekeza waziwazi dhidi ya SMS kwa urejeshaji wa uhakika wa juu tangu 2017 (SP 800-63B).
Mtiririko kamili kwa kawaida huchukua chini ya sekunde 30 kuanzia mwanzo hadi mwisho — chukua kitambulisho, piga picha ya hati, piga selfie, umemaliza. Hiyo ndiyo kasi zaidi sokoni. Watoa huduma wa zamani wa KYC kwa kawaida huchukua zaidi ya sekunde 90 kwa mtiririko huo huo.
Kwa upande wa back end, Didit inarudisha matokeo ndani ya chini ya sekunde mbili kwa p99, ikipimwa kutoka wakati mtumiaji anamaliza selfie hadi wakati webhook yako inapoanza. Upigaji picha wa simu umeboreshwa kwa simu za polepole na mitandao ya polepole: progressive image compression, upakiaji wa lazy software development kit, na uhamishaji wa kugusa mara moja kutoka desktop kwenda simu kupitia QR code ikiwa mtumiaji anaanza kwenye web.
Matukio mawili:
Kutumia picha yako mwenyewe ya usajili — mkusanyiko wako wa selfie uliopo — iko kwenye roadmap.
Kila kipindi huishia kwenye mojawapo ya hali saba zilizo wazi, kwa hivyo code yako inajua nini cha kufanya kila wakati:
Approved — kila ukaguzi umepita. Endeleza mtumiaji.Declined — ukaguzi mmoja au zaidi umeshindwa. Unaweza kumruhusu mtumiaji kurudia hatua maalum iliyoshindwa (kwa mfano, piga tena selfie) bila kurudia mtiririko mzima.In Review — imewekwa alama kwa ukaguzi wa kufuata kanuni. Fungua kesi kwenye console, angalia kila ishara, amua kuidhinisha au kukataa.In Progress — mtumiaji yuko katikati ya mtiririko.Not Started — link imetumwa, mtumiaji bado hajaifungua. Tuma ukumbusho ikiwa itakaa muda mrefu sana.Abandoned — mtumiaji alifungua link lakini hakumaliza kwa wakati. Mshirikishe tena au muda wake uishe.Expired — muda wa link ya kipindi umeisha. Unda kipindi kipya.Webhook iliyosainiwa inawaka kwenye kila mabadiliko ya hali, kwa hivyo database yako inabaki sawa kila wakati. Vipindi vilivyoachwa na vilivyokataliwa ni bure.
Data za uzalishaji huchakatwa na kuhifadhiwa katika Umoja wa Ulaya kwa chaguo-msingi, kwenye Amazon Web Services. Mikataba ya biashara inaweza kuomba maeneo mbadala kwa mamlaka ambazo wasimamizi wake wanahitaji.
Usimbaji fiche kila mahali. AES-256 ikiwa imetulia kwenye kila database, hifadhi ya object, na backup. Usalama wa Tabaka la Usafirishaji 1.3 ikiwa inasafirishwa kwenye kila API call, webhook, na kipindi cha Business Console. Data za kibayometriki zimesimbwa kwa kutumia Customer Master Key tofauti.
Uhifadhi ni wako kudhibiti. Uhifadhi chaguomsingi ni usio na kikomo (unlimited) isipokuwa ukisanidi muda mfupi zaidi — kati ya siku 30 na miaka 10 kwa kila application — na unaweza kufuta kipindi chochote cha kibinafsi wakati wowote kutoka kwenye dashboard au API.
Vyeti: SOC 2 Type 1 (ukaguzi wa Type 2 unaendelea), ISO/IEC 27001:2022, iBeta Level 1 PAD, na uthibitisho wa umma kutoka Tesoro / SEPBLAC / CNMV ya Hispania kwamba uthibitishaji wa utambulisho wa mbali wa Didit ni salama zaidi kuliko kumthibitisha mtu ana kwa ana. Ripoti kamili inapatikana /security-compliance.
Didit inatii kanuni kwa chaguo-msingi kwa wasimamizi muhimu wa miundombinu ya utambulisho:
Memo ya kina, kila cheti, kila barua ya mdhibiti: /security-compliance.
Njia tatu za integration — chagua inayofaa stack yako:
Dashboard ileile, bili ileile, bei ileile ya kulipa-kwa-mafanikio kwa zote tatu. Mwongozo wa hatua kwa hatua unapatikana docs.didit.me/integration/integration-prompt.
Passive Liveness inashinda deepfakes za kawaida leo. Mfumo wa Presentation Attack Detection (PAD) hutafuta:
Mfumo wa PAD wa Didit umethibitishwa na iBeta Level 1. Active Liveness ($0.15) huongeza vidokezo vya kuinamisha kichwa kwa uhakikisho wa juu zaidi dhidi ya deepfake adimu za kitaalamu za wakati halisi.
Ulinzi wa Deepfake ni vita isiyoisha — Didit hufundisha upya mfumo wa PAD kila robo mwaka dhidi ya mashambulizi mapya.
Ndio — hiyo ni Uthibitishaji wa Biometriska, muundo wa kurudia wa uthibitishaji. $0.10 kwa kila uthibitishaji:
v3/session/ contract ileile, workflow_id tofauti. Kawaida kwa crypto exchanges, programu za benki, na bidhaa za watumiaji zenye uhakikisho wa juu. Tazama /products/biometric-authentication kwa muundo wa uthibitishaji unaorudiwa.
Kila jaribio la urejeshaji huweka kumbukumbu:
vendor_data (kitambulisho chako cha mtumiaji) na Didit session_id.trigger uliyopitisha katika metadata (forgot_password / new_device / dormancy / sensitive_action).Inaweza kutafutwa kutoka Business Console, inaweza kusafirishwa kwa kila mtumiaji, uhifadhi wa miaka 5 unaweza kusanidiwa. Udhibiti wa SOC 2 Type 1 + ISO 27001 unasimamia uhifadhi.
API moja kwa KYC, KYB, Ufuatiliaji wa Miamala, na Uchunguzi wa Wallet. Unganisha ndani ya dakika 5.