Frequently Asked Questions

Quick answers to common questions about AuthDuty.

General

What is out-of-band verification?
Out-of-band verification confirms someone's identity through a channel that is separate from, and independent of, the one they originally used. For example, if an employee contacts your helpdesk by phone, you verify them via email, SMS, or ID upload - not over the same phone call. This prevents social engineering attacks because an attacker would need to compromise multiple independent channels.
How many verification methods can I combine per case?
You can select any combination of the six methods (email, SMS, government ID, selfie, custom question, manager) per case. Use more methods for higher-risk situations and fewer for routine checks.
How long does the subject have to complete verification?
Cases have an expiration window. If the subject doesn't complete all steps within that time, the case is marked as expired. You can create a new case if needed.
Can I use AuthDuty without the web console?
Yes. The REST API and Slack integration let you create and manage cases programmatically or from Slack without logging into the console.

Billing

Do credits expire?
No. Credits remain on your team's balance until they're used for verification cases. They don't expire on a monthly or annual basis.
What happens when I run out of credits?
You won't be able to create new cases until you top up your balance. In-progress cases will continue to work. Consider enabling auto-replenish to prevent this.
Can I downgrade my plan?
Yes. You can change your plan at any time from the billing dashboard. If you downgrade, you'll retain your existing credit balance but may lose access to features exclusive to higher plans (like API access or Slack integration).

Security

Is the data encrypted?
Yes. All data is encrypted in transit (TLS) and at rest (AES-256). Government ID documents and selfies are processed by Stripe Identity and are not stored on AuthDuty servers - Stripe handles PII isolation.
Do you store government IDs or selfies?
No. Government ID and selfie verification is handled entirely by Stripe Identity. AuthDuty receives only the verification result (pass/fail) - not the documents or images themselves.
Which 2FA method should I use?
We recommend passkeys (strongest - phishing-resistant, passwordless). If your device doesn't support passkeys, use TOTP with an authenticator app. Email 2FA is available but less secure.