Implementation Get Started Guide

ABOUT: The Implementation Get Started Guide is a 30,000 ft, bite-size overview of the Trusona system relevant to teams implementing #NoPasswords in their organization. It focuses on the Trusona Essential B2C product.


Bad news for hackers. Great news for the rest of us.

The Internet was not designed with security in mind. This should come as a shock to absolutely no one. What is shocking is that we conduct almost every aspect of our lives online, yet rely on a security solution that is anything but secure: passwords.

We’re here to change that. And the fact that you’re reading this means you are, too.

Why #NoPasswords?

Simply put, hackers can’t steal something that doesn’t exist. By eliminating passwords we’re removing their way in—and making password-related security breaches a thing of the past. Simultaneously, we’re vastly improving the customer experience. Never again will your customers need to enter a password on your site, or worse, reset one they forgot. The world is about to become a better, safer, happier place.

Welcome to the #NoPasswords Revolution.




There are two ways to do this.

Option A

Registration requires a password.

Option B

Registration uses #NoPasswords. 

Step in the Identity Experience (iX)

Option A

Option B

New user registration

Username / passwords


Password reset

Username / password

#NoPasswords login

Users that chose
#NoPasswords reset

You craft the strategy to roll out the #NoPasswords option.

You can start with Option A and evolve to B.

Option A: Registration requires a password.

Not ready to jump in with both feet just yet? No problem. This option allows you to add #NoPasswords while still offering a username/password option for your customers.

In this instance, new user registrations still use usernames and passwords.

You then add a #NoPasswords option to your “password reset” flow so customers have the option of selecting it rather than resetting their password. All they have to do is use your app to scan the code. And just like that, their password reset pain is gone.

Users who haven’t opted into the #NoPasswords experience will see no changes to your homepage.

To avoid the password reset, users simply open your app and scan the code.

Frictionless password reset like never before.

No typing.

No usernames.

No passwords.

No remembering.

No calls to the contact center.

No knowledge-based authentication.

No “cognitive overload” (as the tech-y UX folks call it.)


See the #NoPasswords login option.


Scan the code.


Accept or reject.

Your customers just experienced #NoPasswords.  

When users log in with #NoPasswords for the first time through password reset, we recommend setting a browser cookie that triggers the #NoPasswords login button to be shown on the screen as an option. 

Now this browser has a #NoPasswords shortcut—simple.

When your user clicks the button, they’re taken to the Gateway to scan the code.

NOTE: Our UX best practices explain how this all works in a mobile browser.

How to throttle #NoPasswords deployment

To throttle deployment, create two versions of your password reset flow.

  1. Version 1: remains the same as it is today.
  2. Version 2: gives users a choice between resetting their password or going #NoPasswords from here on out.

You can then throttle the number of users sent to Version 2 by either: 

  • number of users per day, e.g. 1,000 users a day experience Version 2
  • or, percent of all users, e.g. 10% of all users experience Version 2
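An added example, not Trusona code: one way to implement both throttles in the service that renders the password reset page. The class name, salt and user IDs are assumptions made for illustration; users are bucketed with a salted SHA-256 hash so the same user always sees the same version, and raising the percentage only adds users to Version 2.

```python
import hashlib
from datetime import date

BUCKETS = 10_000  # bucket resolution: 0.01 % of users per bucket


def rollout_bucket(user_id: str, salt: str) -> int:
    """Map a user to a stable bucket in [0, BUCKETS).

    The salt (an assumed per-rollout constant) keeps this rollout's
    buckets independent of any other experiment using the same IDs.
    """
    digest = hashlib.sha256(f"{salt}:{user_id}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % BUCKETS


class ResetFlowThrottle:
    """Decides whether a user sees Version 1 or Version 2 of password reset.

    percent   -- share of all users eligible for Version 2 (0..100), or None
    daily_cap -- distinct users admitted to Version 2 per day, or None
    When both are set, a user must pass the percent gate and fit under the cap.
    """

    def __init__(self, salt: str, percent=None, daily_cap=None):
        if percent is not None and not 0 <= percent <= 100:
            raise ValueError("percent must be between 0 and 100")
        if daily_cap is not None and daily_cap < 0:
            raise ValueError("daily_cap must not be negative")
        self.salt = salt
        self.percent = percent
        self.daily_cap = daily_cap
        # In-memory state for the example; several web servers would need
        # a shared store for the daily counter (assumption, not shown here).
        self._day = None
        self._admitted = set()

    def version_for(self, user_id: str, today: date) -> int:
        # Assumption: user IDs are e-mail addresses, compared case-insensitively.
        uid = user_id.strip().lower()

        if self.percent is not None:
            if rollout_bucket(uid, self.salt) >= self.percent * BUCKETS / 100:
                return 1

        if self.daily_cap is not None:
            if today != self._day:  # new day: reset the counter
                self._day, self._admitted = today, set()
            if uid not in self._admitted:
                if len(self._admitted) >= self.daily_cap:
                    return 1
                self._admitted.add(uid)

        return 2


if __name__ == "__main__":
    # Constructed sample input.
    throttle = ResetFlowThrottle("reset-rollout-1", percent=10, daily_cap=1000)
    for uid in ("ana@example.test", "bo@example.test", "cy@example.test"):
        print(uid, "-> Version", throttle.version_for(uid, date(2024, 1, 15)))
```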

Option B: Registration uses #NoPasswords.

Your current users will have a choice but new registrations will never know anything other than #NoPasswords—a hassle-free existence from the get-go. 

Give only existing users a #NoPasswords option. New users will never have a password. 

Change can be scary. Rather than a mandatory shift to #NoPasswords, this option gives your users a choice to adopt #NoPasswords on their own—or keep their password if that makes them more comfortable. But new registrations will never know anything other than #NoPasswords. Those people will never have to worry about a lost password, or worse, an identity breach. 

New users

A simple, consistent experience leads to loyalty. With #NoPasswords, when registering new users in your app on a new device, all they need to do is provide an email. That’s it. 

Notice the simplicity of this Get Started scene? It’s not by accident. 

Copious research (and common sense) has shown that reducing the number of form fields during registration increases the total registrations.

With #NoPasswords, the password/repeated password fields and associated friction are completely removed from your registration process. 

Naturally, you can add your Terms and Conditions approval to the Get Started scene.


Get Started scene

Existing users

If your app has a long session, your existing users are still logged in. This makes things super easy. 

#NoPasswords features are automatically enabled for them when your app auto-updates. Like magic. 

We recommend you encourage users to use the new “#NoPasswords Login” scanner that’s now in the app menu.

See the UX best practices in this Guide for priming details.


App home scene.

Priming for the #NoPasswords experience.

#NoPasswords Login menu item


Scan the code.

(NOTE: Our UX best practices explain how this all works in a mobile browser.)



Ops guidelines

Sample deployment schedule

- 12 wks Pre-kick off 

- 11 wks Kick off

- 11 wks Production keys

- 10 wks Refined customer experience plan

- 9 wks Refined technical deployment plan

- 8 wks Comms planning 

- 7 wks Readiness check-in

- 5 wks Stakeholder review

- 4 wks Send 1st wave comms

- 2 wks Stakeholder review

- 1 wk Send 2nd wave comms

- As needed Syncs 

0 Soft launch

+ 0-1 wks Launch state

+ 2 wks Stakeholder review and GA launch plan

+ 3 wks Send 3rd wave comms

+ 4 wks GA Launch

+ 4-5 wks Launch state

+ 6-8 wks Weekly syncs

+ 3 mo Quarterly syncs and first NPS with Trusona

+ 6 mo NPS with Trusona

Relying party internal FAQs

No need to start from scratch. 

Use this Q&A as a starting point to build your own internal FAQ for your implementation team. 

Send it in email to your team or post it to your intranet. 


Why should my company join the #NoPasswords revolution?

You already know passwords are not secure and password rage is real. 30% of customers who forget their password won’t come back to your site. And, according to Gartner, “UX is the only durable competitive advantage.” #NoPasswords increases security and decreases friction.


How do we let our customers know this is coming?

Email, social media and print ads (if applicable) are your best friends. We even have templates and suggestions to help you out. Refer to the communications section for more. 


Is #NoPasswords more secure for us and our customers?

Extraordinarily so. People re-use their passwords across platforms all the time. Even if you haven’t been exposed to a breach, chances are your customers’ passwords are already in the wrong hands. Plus, bad guys can’t steal what doesn’t exist. 


Who owns the project at [company]? 

[Individual’s name or group name] at [email]


What if I have questions?

Contact [Individual’s name or group name] at [email].


What are the best practices for the #NoPasswords user experience?

Refer to the user experience guidelines. (Hint: focus on the human and keep it simple.) 


What are the technical details? 

We can explain them all. Please refer to the Tech guidelines and Tech assets.


What’s our program timeline?

Roughly 12-16 weeks from kickoff to finish of implementation. Refer to the [deployment schedule] for timelines. 


How can I try this out so I know what it’s all about?

It’s a snap. Simply download the Trusona app from the App Store or Google Play Store then go to and click on “#NoPasswords Login.” Voilà! 


Does Trusona store our customers’ personal identifiable information (PII)?

Trusona only stores a unique user identifier, such as an email address or its one-way hash. Trusona Executive also stores our users’ names.


What changes can our users expect?

Users will see an option to go #NoPasswords at different parts of their journey with us. In mobile browsers they’ll “deep link” into our app and approve the login. On desktop browsers, they’ll use our app to scan a code that lets them in.


Does Trusona offer ID proofing, other than email verification?

Yes. For ID verification check out Trusona Executive. 


Do our users need a smartphone to use Trusona #NoPasswords?

Yes, but Trusona also has a “magic link” option where no phone is needed.


User experience guidelines

#NoPasswords Design Principles


People are at the core of what we do. Take pride in having the most robust security catered to how people live today. You’re helping to make cybersecurity a seamless part of life, not an annoyance or cumbersome afterthought.


Take opportunities to positively influence users’ behavior with their best interest in mind. Eliminating passwords will seem foreign at first. Explain how #NoPasswords is more simple and secure. This is a great thing for everyone involved. 


The nature of #NoPasswords is omni-channel. Design experiences, not screens.


Take the difficulty out of cybersecurity. Simplifying language, experiences and processes will lower the barrier of entry, increase usage, decrease errors, and grow confidence in users of all digital proficiency levels.


Usernames and passwords have been handed down from one generation to another, twice! This has massive implications. Be mindful of this radical shift to end-user behavior when designing the #NoPasswords experience.


We love what we do (we’re visionary crime fighters!) and we want to make that love contagious by throwing out the boringness and unnecessary formality that accompanies most auth solutions. 

Trusona’s core loops

The core loop is the three to four steps in an app that create the most value for the user.

The core loop of Instagram is: Take photo > add filter > share

The core loop of Trusona’s verification is: Scan or Tap > Accept > You’re in!

Some auth scenarios require different core loops and it’s helpful to use the core loop concept to talk about them.

#NoPasswords micro-copy

Micro-copy is the words in a user interface.

Confusing micro-copy was the number one mobile app customer experience pain point in the 2017 Banking CX Benchmark behavioral test with Wells Fargo, Chase and Bank of America conducted by 

It may sound small, but it’s HUGE because it can be the difference between engagement and abandonment.

These examples are based on observational and behavioral tests conducted with end users from around the world during the development of the Trusona app.

  • “Scan in the Acme Bank app”, not “Scan in the app”.
  • “Accept” / “Reject”, not “Yes” / “No”.
  • Acme Bank would like to verify your login to
  • “What’s your email?”, not “Please enter your email”.
  • To complete registration, follow the link we sent to:
  • Allow fingerprint access
  • I don’t want to be notified

Do A-B testing with your target market to understand the words they use and the words they don’t. 

Also consider the following recommendations:

  • Adhere to your brand’s voice and tone
  • Keep it simple and positive!
  • Place the outcome first, e.g. “To complete registration, follow the link we sent …”, not "Follow the link we sent to complete ..."
  • Ask yourself, “Can this be worded more simply?”
  • Use the #NoPasswords hashtag sparingly but prominently
  • Present imagery congruent with the message and feel

Keep an eye out for common grammar and spelling mistakes in auth lingo.

  • Login as one word is a noun, e.g. "Tap the login link".
  • Log in as two words is the verb, e.g. "Log in to the Secure Portal".
  • See the Glossary for other relevant definitions.

The Trusona "Get Started" experience

If you choose Option B, onboarding new users (formerly known as “signing up”) and existing users (formerly known as “signing in”) are one and the same — we call it “Get Started.”

In the examples below, Trusona only requires an email address (or other user-identifier).

The other data is not required by Trusona.


No password is needed.


Get Started scenes

Simplicity is key here. Don’t forget that.

Change “Registration” to “Get Started”

Delete “log in” or “sign in” language.

Get rid of username and password form fields for good.

Remove unnecessary noise, words, lines, images and graphics.


If you require only an email to Get Started, combine the Continue button in the email field.

Activate the Continue button when the email field is completed to prevent errors.

Eliminate form redundancy by asking for email once.


Ask the user to confirm they entered the right email by showing them what they entered in a modal alert.

If you included other login methods, place the #NoPasswords login option first on screen and clearly delineate the #NoPasswords login from other methods.


The confirmation of a user’s intent to perform an action, such as a login or transaction, is a verification. 

There are three parts to a verification: 

  1. Invoke
  2. Notification
  3. Accept or Reject 


Verifications can be invoked by users in three ways:

  • Scan a code
  • Tap a “#NoPasswords Login” button
  • A relying party can invoke a verification (for example, from a call center) 


If the user has allowed your app to send push notifications, they will get one for each verification.


Use push notifications if the user allows it.

Accept or Reject 

To verify the user’s intent and approval to complete a verification, we recommend requiring the user to Accept or Reject it.

In some cases (such as scanning a code to invoke a verification) you may opt to not show the Accept or Reject options. 

Verification syntax

The verification syntax for the push notification and Accept or Reject is:

"[Company] would like to confirm your [transaction] to [asset]"

The bracketed items are customizable per verification.


Accept reject scene.


To make it easy for users to tap the buttons with one hand, we recommend placing the Accept and Reject buttons near the bottom of the screen.

The Accept or Reject verification step can also be removed. See the Tech guidelines. 

Confirming verifications

We suggest that you follow the Accept or Reject scene with a full-screen confirmation of their selection, including: 

  • Audio
  • Motion
  • Bold color





Timed out

    Mobile information architecture 

    Make sure the #NoPasswords scanner is easy to find because your users will need it for all logins from a computer or other secondary screen (not a mobile device). 

    Here’s an example of how to make the #NoPasswords Login option prominent and easily accessible. 


    #NoPasswords Login option in the main nav



    Tech guidelines


    Three account and device states

    To access the #NoPasswords world, the Trusona SDK links a user with their device during the “Get Started” experience. 

    We call this “binding.”

    After binding, we know the True Persona—their device identifier—and they have the option to go #NoPasswords. 

    1. New account, new device 

    New account, new device occurs when a new user is using a device that hasn’t been bound. 

    If you choose to onboard new users with a password, you’ll still bind the user with Trusona so they have the option to scan a code to log into a second screen or scan a code to go #NoPasswords rather than resetting a forgotten password. 

    2. Existing account, new device

    Existing account, new device occurs when a user already has an account and wants to bind the account to a new device via “Get Started.”

    3. Existing account, existing device

    Existing account, existing device occurs when a user already has an account and has been through the “Get Started” process. Once their app is updated with the Trusona SDK these users can use #NoPasswords. No extra steps are needed. 

    See the Communications section outlined in this guide so that users know about the new #NoPasswords features. 

    Mobile hardware encryption 

    So who is Trusona and how do we make this sorcery happen? At our core, we are a security company. Prior to creating #NoPasswords, we developed the world’s first and only insured authentication system. 

    Because we are fanatical about security, we recommend that mobile devices support hardware encryption when using the Trusona SDK. 

    If your user’s device doesn’t support hardware encryption, they can continue to use passwords.

    Hardware encryption for dummies

    Hardware encryption helps ensure that the data stored on the device can’t be stolen by malware or other attack vectors. 

    Apple iOS hardware encryption support 

    As of January 2018, approximately 90% of global iOS devices support hardware encryption. 

    • iPhone 5S and later
    • iPad Mini 2 and later
    • iPad Air 

    Android hardware encryption support

    As of January 2018, approximately 80% of global Android devices support hardware encryption.

    • Android API level 21 and later

    Deep linking

    Some integrations (such as integrations with Okta) require URLs to be whitelisted. 

    To ensure deep linking works properly, check your identity provider’s requirements. 



    Marketing guidelines

    Priming through email, print and social media 

    By now you already know that a #NoPasswords login reduces friction, increases happiness and eliminates password rage. You can spread this joyous message to your customers and/or employees via your favorite communication channels. Considering that most people juggle dozens of usernames and passwords every day, you’re about to become a hero. 

    See the sample communications in this guide.





    Tech assets

    Now that you’ve joined the revolution, you have some powerful tools at your disposal, like the many sets of key/secret pairs your dev team will use to connect with Trusona. 

    Because your Trusona production keys grant access to your core system at Trusona, they should be treated with the same security sensibility and protocols you use with your most secure internal systems.

    Have your Trusona project coordinator set up a conference with our integrations team so we can walk you through the steps to ensure key security.

    Design assets



    These are the core design assets for the Trusona system.




    Login Buttons

    Three options off the shelf

    Trusona app




    Colors and images

    Verify email

    Colors and images


    Colors and images

    Accept / Reject

    See the Trusona app

    #NoPasswords Login buttons

    We have three off-the-shelf #NoPasswords buttons for use on your site.

    Trusona app

    To get a feel for the #NoPasswords experience you can use the Trusona app (Apple App Store or Google Play Store) and log in now at

    Motion design source files

    The motion design Trusona uses can be delivered natively in iOS and Android with Lottie. We’ve done all the grunt work in After Effects and Bodymovin’ so you can use our Lottie files. 

    You can change the color of the Lottie files using the links below and never need to open After Effects yourself. Easy peasy. 

    Visit the links, edit the colors and download your updated JSON file.

    Trusona web template

    No heavy lifting for you here. The Trusona web template Sketchapp file contains all the elements your design and marketing teams need to mock up your gateway web page, verify email web page and login web page.

    The gateway is the only web page that is hosted by Trusona and the only page we must have defined by you.

    The verify email and login pages are not hosted by Trusona but are included in the template file so you can see how these experiences should be consistent. 


    Sketchapp symbols page


    Gateway web page template

    This is important. Most of your users experience the Trusona Gateway each time they log in to your desktop or mobile website.

    NOTE: If you’d like to create an experience that doesn’t use the Gateway, you can do that with the Trusona SDKs. Talk with your Trusona program coordinator to get the technical details.

    On desktop, the Gateway is designed to be customized for your brand because it’s a core part of the user experience. You define the template variables and Trusona creates your branded Gateway. 

    On mobile, the vast majority of your users “deep link” directly to your app and won’t experience the Trusona Gateway. On some old devices or when universal links are not set up, the user will experience this screen below. The colors on this screen are not yet customizable.


    Deep link Gateway web page

    Verify email web page template

    When you verify user emails during registration, you can use our email verification design template. This template matches the Gateway, login and in-app styles we also provide for accepted, rejected and timed out verifications. 

    Login web page template

    Trusona doesn’t host your login page. But because consistency is vital to the customer experience, we’ve included a login layout, should you choose to use it.

    Even if you don’t, we suggest you look through the login template and note the UI word choices and overall simplicity. There may be elements of this that you can leverage in your login.

    Template variables

    The colors used for your code must have a high contrast with the background. Generally, if your colors pass WCAG AA and AAA for large text, you’ll have a high enough contrast to make the code scan quickly. 

    You can also use the Trusona app to test that the colors will scan quickly. 

    Although you can specify six code colors, we recommend that you list your primary brand color in at least three of your six open slots. This will weight your primary brand color more heavily so that it’s shown more prominently in the code.

    We also recommend you stick with two to three main hues. Using too many hues can make the code look like camouflage. 

    • Code color #1 and button color (format: hex)
    • Code color #2 (format: hex)
    • Code color #3 (format: hex)
    • Code color #4 (format: hex)
    • Code color #5 (format: hex)
    • Code color #6 (format: hex)
    • Code color #7 (format: hex)
    • Code color 1x1 dots (format: hex)
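An added example, not part of the Trusona template: a pre-submission check of the code colors against the Gateway background, using the WCAG contrast-ratio formula and its large-text thresholds (3:1 for AA, 4.5:1 for AAA), plus the primary-color weighting recommended above. The function names and sample palette are assumptions constructed for illustration.

```python
import re

HEX_RE = re.compile(r"^#?([0-9a-fA-F]{6})$")
AA_LARGE = 3.0    # WCAG AA minimum contrast for large text
AAA_LARGE = 4.5   # WCAG AAA minimum contrast for large text


def parse_hex(color: str):
    """Return (r, g, b) for a 6-digit hex color, rejecting anything else."""
    match = HEX_RE.match(color.strip())
    if not match:
        raise ValueError(f"not a 6-digit hex color: {color!r}")
    value = match.group(1)
    return tuple(int(value[i:i + 2], 16) for i in (0, 2, 4))


def relative_luminance(color: str) -> float:
    """WCAG relative luminance of an sRGB color."""
    def linear(channel: int) -> float:
        c = channel / 255
        return c / 12.92 if c <= 0.04045 else ((c + 0.055) / 1.055) ** 2.4
    r, g, b = (linear(c) for c in parse_hex(color))
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(color_a: str, color_b: str) -> float:
    """WCAG contrast ratio, from 1.0 (identical) to 21.0 (black on white)."""
    la, lb = relative_luminance(color_a), relative_luminance(color_b)
    lighter, darker = max(la, lb), min(la, lb)
    return (lighter + 0.05) / (darker + 0.05)


def review_gateway_colors(code_colors, background: str, primary: str) -> dict:
    """Grade each code color against the background and count primary slots."""
    levels = {}
    for color in code_colors:
        ratio = contrast_ratio(color, background)
        if ratio >= AAA_LARGE:
            level = "AAA"
        elif ratio >= AA_LARGE:
            level = "AA"
        else:
            level = "fail"
        key = "#%02X%02X%02X" % parse_hex(color)  # normalised spelling
        levels[key] = (round(ratio, 2), level)

    primary_rgb = parse_hex(primary)
    primary_slots = sum(parse_hex(c) == primary_rgb for c in code_colors)
    return {
        "levels": levels,
        # The guide asks for both AA and AAA (large text), so flag the rest.
        "needs_change": sorted(c for c, (_, lvl) in levels.items() if lvl != "AAA"),
        "primary_slots": primary_slots,
        "primary_weighted": primary_slots >= 3,
    }


if __name__ == "__main__":
    # Constructed sample palette: primary brand color in three of six slots.
    palette = ["#003366", "#003366", "#003366", "#FFFF00", "#0A7F3F", "#7A1FA2"]
    report = review_gateway_colors(palette, background="#FFFFFF", primary="#003366")
    for color, (ratio, level) in report["levels"].items():
        print(f"{color}  {ratio:>5}:1  {level}")
    print("change before sending:", report["needs_change"])
    print("primary color slots:", report["primary_slots"])
```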

    Foreground color

    The foreground color is applied to the user assistance, “Scan in your Acme Bank app” and applied to the three waiting dots. 

    • Foreground color (format: hex)

    Background color

    The background color is applied to the entire body of the Gateway. 

    • Background color (format: hex)

    Body text

    The body text color is controlled in a “style” in the sketch file. 

    • Body text color (format: hex)


    The hero image is applied to the left side of the Gateway and is a full bleed on the top, left and right sides of the image. 

    • trusona-gateway-hero.jpg (format: jpeg)

    Hero alignment 

    The hero jpeg image is resized and cropped at various browser sizes and is aligned to your choosing. 

    • Centered, top, bottom, left or right (format: choose)

    TIP: If you want a smooth transition from the hero image to the background color, you can make the right side of the hero image fade to the background color then choose to align “right”. See the HBO example below.


    Your logo is shown on the right side of the image.

    • trusona-template-logo (format: jpeg)

    Working with the template

    The design source file uses the industry standard SketchApp format.

    Follow the instructions inside the SketchApp file to mock up and review your Gateway look and feel with your internal stakeholders. 

    When ready, send us your Gateway variables (hex values, choices and jpegs). 


    Gateway template examples

    Subway Gateway (sample only)

    HBO Gateway (sample only)

    Bain Capital Gateway (sample only)

    Trusona Gateway (sample only)



    Communications assets

    Social media announcement 

    Guess what? Now you never have to remember your [Company] password ever again. Yes, you read that right. We have just joined the #NoPasswords Revolution. Forgetting your password is now a thing of the past. Check it out at [] using your [Company] app. 

    Coming soon email 

    Subject: Say hi to #NoPasswords, lucky you!

    [Customer name],

    “I love entering a username and password every time I log into my account,” said no one ever. 

    Now that annoyance is a thing of the past. 

    We’re taking #NoPasswords for a spin and you’re one of the lucky few selected to try it out first. 

    How does it work?

    Starting [month] [date] on the “I forgot my password” page you’ll see a #NoPasswords Login button. 

    You can use this button to log in without passwords!

    #NoPasswords on a desktop browser

    After [Month], [date] tap the #NoPasswords Login button on the [company] home page and use the #NoPasswords Scanner in the [Company] mobile app to scan the code. 

    #NoPasswords in a mobile browser

    After [Month], [date] tap the #NoPasswords Login button on the [company] home page and use your [Company] mobile app to approve.

    Are you as excited about #NoPasswords Login as we are? 

    After you try it out let us know how your experience was by replying to this email.

    Looking forward to a [Company] without passwords,

    The [Company] team

    Coming soon email (GA) 

    Subject: Hello, #NoPasswords! — We’re joining the Revolution

    [Customer name],

    “I love entering a username and password every time I log into my account,” said no one ever. 

    Now that annoyance is a thing of the past. We are extremely excited to announce that [Company] has joined the #NoPasswords Revolution, so you can get to what you need faster and more securely.

    What does this mean for you?

    You no longer need to remember a password to log into []. Yes, you read that right. 

    Starting [Month], [date] you’ll see a #NoPasswords Login button on our homepage. 

    #NoPasswords on a desktop browser

    After [Month], [date] tap the #NoPasswords Login button on the [company] home page and use the #NoPasswords Scanner in the [Company] mobile app to scan the code. 

    #NoPasswords in a mobile browser

    After [Month], [date] tap the #NoPasswords Login button on the [company] home page and use your [Company] mobile app to approve.

    Bye bye, password rage. Hello, seamless existence. 

    When it’s available, take #NoPasswords for a spin and let us know what you think.


    [Company] team

    App store “new release” copy 

    Bye bye, password rage. Hello, safety and security. With #NoPasswords you log in effortlessly using nothing more than the [Company] app. No password necessary. If it weren’t real, you’d think it was magic. 

    In the app, go to Menu and choose #NoPasswords Login.






    Deep link

    A link from a mobile browser that triggers a mobile app to open.

    OS security

    Authentication method embedded in the operating system of a device. It may be hardware-dependent and used at different points during a verification.

    Relying party

    Company implementing the Trusona #NoPasswords solution (A.K.A. you!)

    Trusona Essential

    #NoPasswords solution which confirms the True Persona through email verification and includes Trusona Anti-Replay. Users require a verified email and access to the relying party app to complete a verification.

    Trusona Executive

    #NoPasswords solution which confirms the True Persona through email verification and ID proofing and includes Trusona Anti-Replay. Users require a verified email, access to the relying party app, OS security, and government-issued ID scan to complete a Verification. 

    Trusona Elite

    #NoPasswords solution which confirms the True Persona through in-person identity proofing with multiple forms of authentication including ePassport and driver’s license and includes patented Trusona Anti-Replay. Also, the world’s first insured authentication.

    User presence

    An end user confirms their “user presence” when they use a biometric or other OS-level security method (passcode, swipe pattern, etc). 


    A sequence of cryptography and user experience events between the relying party’s systems, end user and end user’s device.


    About Trusonauts

    We are a highly motivated group of cybersecurity veterans who decided to get together and do something about all-too-frequent security breaches. We value family, friends, fellow Trusonauts, customers, investors and our community—in that order. 

    We’re professional music players and choir singers; bike riders and former pilots; paintball players and chess enthusiasts; we surf waves and browse the web; we’re desert hikers and ice hockey players; gym rats and binge watchers; we’re painters and napkin doodlers; we’re golfers and action figure collectors. We build beach cabins and Lego sets. Why not fix the fundamental problem of online identity while we’re at it?

    Our common vision is a safer world with #NoPasswords. We show up every morning, resort casual, to make it happen. 

    About Trusona

    Trusona enables organizations to provide their customers frictionless #NoPasswords login across any channel ensuring the True Persona behind every digital interaction. Not only are passwords the weakest link in cybersecurity, but people hate them and they negatively impact the customer experience. 

    Trusona is leading the #NoPasswords Revolution where there are no passwords to be created, remembered, stolen, or compromised. With #NoPasswords, everyone is who they say they are. Period. 

    Trusona was founded in 2015 by CEO and cybersecurity expert Ori Eisen and is funded by Kleiner Perkins, Microsoft Ventures, Seven Peaks Ventures and 2M. To find out more about us, visit

    As you read through all of this, you may have a few questions. No worries. We have answers. Please don’t hesitate to contact us at or 1-888-Trusona.