Product Overview
Talisman by Wultra is a universal security hardware token that supports the FIDO2 protocol for phishing-resistant authentication. It provides secure access to online services, including bank accounts. It is designed to be compliant with PSD3/PSR1 legislation, which allows its use in banking and other segments.
Key features include:
- Zero-Installation - No software required. Talisman uses WebAuthn (FIDO2), natively supported by modern browsers, with standard interfaces (CTAP).
- Zero-Transcription - Talisman doesn’t generate OTPs for manual transcription. Authentication uses FIDO2 challenge-response instead of OTPs.
- Visual Transaction Confirmation - Transaction data is displayed and signed on the device, ensuring integrity and WYSIWYS verification.
- Compatible with Any Infrastructure - Built on open standards (FIDO2, WebAuthn, CTAP), enabling easy integration across any backend or architecture.
Watch the demo video to see how Talisman works.
Standards
Talisman provides alternative means of strong customer authentication as required by PSD3/PSR1.
This device meets important safety and environmental standards:
- The device is marked with CE, indicating conformity with relevant safety, health, and environmental standards. This device complies with applicable EU regulatory directives, including directives on electromagnetic compatibility (EMC), and the restriction of hazardous materials (RoHS 2011/65/EU).
- The crossed-out wheeled bin symbol on the device indicates that it is not regular municipal waste. For its ecological disposal, turn to your local electronic waste collection point or utilize the services of an authorized collection system.
High-Level Architecture
The proposed solution introduces an integrated transaction authorization framework that combines standards-based FIDO2 authentication with an enhanced visual transaction signing mechanism, enabling secure and user-transparent approval of sensitive operations.
Authenticator
Talisman HW Token
Talisman HW Token protects customer accounts from phishing and malware with a banking-grade FIDO2 hardware token. Talisman’s two-line display guides users through secure, visual transaction confirmations, supporting dynamic linking and PSD3/PSR1 compliance.
WebAuthn Component
A WebAuthn Component is a server-side component that orchestrates WebAuthn registration and authentication flows and translates their outcomes into authorization decisions. Acting as part of the relying party, it generates cryptographic challenges, processes client requests, and ensures that signed responses from the authenticator (e.g., Talisman hardware token) are verified by the FIDO2 server.
It mediates communication between the client and the authenticator via the WebAuthn protocol and evaluates the results of each flow according to defined authentication policies. Based on successful verification, it issues authorization decisions or tokens for accessing protected resources, thereby linking WebAuthn-based authentication with application-level access control.
PowerAuth Authorization Server
In addition to other functions, PowerAuth Authorization Server can be used as a server-side component that mediates communication between the authenticator and the client application via the WebAuthn protocol to successfully process registration and authentication flows.
It evaluates the results of each flow according to defined authentication policies. Based on successful verification, it issues authorization decisions or tokens for accessing protected resources, thereby linking WebAuthn-based authentication with application-level access control.
Acting as part of the relying party, it generates cryptographic challenges, processes client requests, and ensures that signed responses from the authenticator (e.g., Talisman hardware token) are verified by the FIDO2 server.
FIDO2 Server
A FIDO2 Server is a server-side component responsible for verifying and processing authentication data generated during WebAuthn registration and authentication flows. Acting as part of the relying party, it validates cryptographic responses from authenticators, such as hardware tokens, ensuring their authenticity, integrity, and compliance with the FIDO2 standard.
It handles the verification of attestation and assertion data, manages credential records, and enforces security policies defined by the application. By evaluating each authentication attempt, the FIDO2 Server determines whether access should be granted and provides the necessary assurance for secure, passwordless authentication within the system.
PowerAuth Cloud
In addition to other functions, PowerAuth Cloud can be used as a FIDO2 Server. To operate passkeys, it provides a private API that is called by trusted customer backend systems. The primary function of this API is to manage user registrations and initiate operations such as device registration or authentication requests.
- Management API:
- Create registration challenge
- Verify registration challenge
- List FIDO2 devices
- Operation approval API:
- Create Assertion challenge
- Verify Assertion challenge
System Architecture
FIDO2 is an open authentication standard that enables users to log into desktop or mobile applications without using passwords.
FIDO2 uses two communication protocols:
- CTAP (Client to Authenticator Protocol), which defines how a client communicates with external authenticators, such as a hardware security key or a smartphone. Integrators do not need to deal with CTAP, as Talisman implements it itself.
- WebAuthn (Web Authentication API), which enables applications to authenticate users with possession-based and biometric authentication.
See webauthn.guide for a basic overview and demo app, or the W3C specification Web Authentication: An API for accessing Public Key Credentials Level 2 for details.
When used as a FIDO2 server, PowerAuth Cloud contains a private REST API:
- Passkeys API, which offers endpoints for device management and operation approval
Core Functions
The functionalities of Talisman are grouped into three main areas:
| Core Functions | Description |
|---|---|
| Device Setup | Device Setup consists of the initial setup of the Talisman and adding a service. During this process, the device is configured, personalized, and protected by a user-defined PIN, which serves as an authentication factor for confirming operations. The Talisman settings enable users to modify device settings, remove services, or erase the device entirely. |
| Operation Approval | Enables users to verify business transactions, whether a login attempt, a payment, or any other sensitive operation. |
| Configuration | Configuration refers to the setup and customization of the device, including localization, system integration, and personalization options. |