SoftQuantus Quantum-Safe Auth (QSA) is an enterprise Identity and Access Management (IAM) platform combining world-class functionality with a cryptographic posture prepared for quantum threats.
The first European IAM platform prepared for the post-quantum era.
Executive Summary
What is QSA?
QSA is an enterprise-grade IAM platform that combines world-class functionality with a cryptographic posture prepared for quantum threats. It provides authentication, authorization, and identity governance with post-quantum cryptography built-in.
Why QSA?
| Current Challenge | QSA Solution |
|---|---|
| Quantum computers will threaten current crypto in 5-10 years | Post-quantum cryptography (ML-DSA-65) already implemented |
| European regulations require crypto-agility (NIS2, CRA) | Crypto-agile architecture with transparent migration |
| Traditional IAM solutions lack quantum-safe posture | First European PQC-ready IAM platform |
| Audit trails can be falsified retroactively | Audit proofs with quantum-resistant signatures |
Key Metrics
| Metric | Value |
|---|---|
| 🔐 Token TTL | 15 min |
| ⚡ P99 Latency | <50ms |
| 👥 MAU Support | 100K+ |
| 🏢 Isolation | Multi-tenant |
| 🛡️ PQC Signer | ML-DSA-65 |
| 📊 Uptime SLA | 99.99% |
| 🌍 Compliance | GDPR |
| 🔑 Architecture | Zero-Trust |
The Problem
Quantum Threat: "Harvest Now, Decrypt Later"
Malicious actors are collecting encrypted data today to decrypt when quantum computers become available. Long-validity data (contracts, trade secrets, identities) is at risk.
```text
   TODAY                  2030+                 FOREVER
   ─────                  ─────                 ───────
┌──────────┐           ┌──────────┐           ┌──────────┐
│ Attacker │           │ Quantum  │           │   Data   │
│ harvests │──────────►│ Computer │──────────►│ exposed  │
│ traffic  │           │ decrypts │           │   !!!!   │
└──────────┘           └──────────┘           └──────────┘
```
Regulatory Pressure
| Regulation | Requirement | Deadline |
|---|---|---|
| NIS2 | Crypto-agility, risk management | 2024 (in force) |
| Cyber Resilience Act | Security by design, updates | 2027 |
| DORA | Digital financial resilience | 2025 |
| ETSI QSC | Post-quantum preparation | Recommended now |
Limitations of Current Solutions
| Solution | Problem |
|---|---|
| Azure AD/Entra | No PQC support, vendor lock-in, data outside EU |
| Okta | Classical cryptography only, elevated pricing |
| Keycloak | Open-source but no PQC, requires expertise |
| Auth0 | Not EU-first compliant, no PQC |
Architecture
```text
┌─────────────────────────────────────────────────────────────────┐
│                     QUANTUM-SAFE AUTH (QSA)                     │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐  │
│  │ AUTHENTICATION  │  │ AUTHORIZATION   │  │ GOVERNANCE      │  │
│  │                 │  │                 │  │                 │  │
│  │ • OIDC/OAuth2   │  │ • Conditional   │  │ • PIM (JIT)     │  │
│  │ • SAML 2.0      │  │   Access        │  │ • Access Review │  │
│  │ • WebAuthn      │  │ • RBAC/ABAC     │  │ • Lifecycle     │  │
│  │ • TOTP MFA      │  │ • Risk Engine   │  │ • Break-Glass   │  │
│  └─────────────────┘  └─────────────────┘  └─────────────────┘  │
│                                                                 │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │                    QUANTUM-SAFE LAYER                     │  │
│  │                                                           │  │
│  │  🔐 ML-DSA-65    🔑 X25519+MLKEM768    📜 Evidence Proofs │  │
│  │     Signatures      Key Exchange          Signed Auditing │  │
│  │                                                           │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                 │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐  │
│  │ SESSIONS        │  │ AUDIT LOG       │  │ COMPLIANCE      │  │
│  │                 │  │                 │  │                 │  │
│  │ • Redis Cluster │  │ • Chain Hash    │  │ • NIS2          │  │
│  │ • Rate Limit    │  │ • PQC Proofs    │  │ • GDPR          │  │
│  │ • Device Bind   │  │ • SIEM Export   │  │ • SOC2/ISO27001 │  │
│  └─────────────────┘  └─────────────────┘  └─────────────────┘  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```
Core Features
🔐 Authentication
Supported Protocols
| Protocol | Description | Status |
|---|---|---|
| OIDC/OAuth 2.1 | Authorization Code + PKCE, Client Credentials, Device Flow | ✅ |
| SAML 2.0 | IdP and SP, SSO/SLO, signed assertions | ✅ |
| WebAuthn | Passkeys, FIDO2, passwordless authentication | ✅ |
| LDAP/AD | Active Directory integration | ✅ |
Multi-Factor Authentication (MFA)
| Factor | Details |
|---|---|
| 📱 TOTP | Apps: Google Auth, Authy, MS Auth |
| 🔑 Passkeys | Hardware: YubiKey, Titan, Solo Keys |
| 📧 Email OTP | Secure fallback |
| 📲 Push | Mobile notification |
| 🔒 SMS | Not recommended, but available |
| 🧬 Biometric | Via device passkeys |
Password Management
| Feature | Specification |
|---|---|
| Hashing | Argon2id (OWASP: 64MB RAM, 3 iterations) |
| Policies | Length, complexity, breach detection |
| Self-Service | Reset via email/SMS with MFA |
| History | Prevents reuse (last N passwords) |
🛡️ Authorization
Conditional Access
Enterprise policy engine for granular control:
```yaml
# Example: Require MFA for admins outside corporate network
policy:
  name: "Admin MFA Enforcement"
  conditions:
    include_roles: ["admin", "security_admin"]
    exclude_locations: ["corporate_network"]
  grant_controls:
    - mfa
    - compliant_device
```
| Condition | Options |
|---|---|
| Users | IDs, groups, roles, guests |
| Applications | App IDs, categories |
| Locations | IPs, countries, trusted networks |
| Devices | Compliance, management, platform |
| Risk | Sign-in risk, user risk |
| Control | Description |
|---|---|
| MFA | Requires second factor |
| Compliant Device | Managed devices only |
| Managed Device | MDM enrollment |
| Approved App | Authorized app list |
| Block | Denies access |
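The policy above, the condition table and the control table together describe an evaluation loop: match the sign-in against each policy's conditions, collect the grant controls of every policy that applies, and let a block outrank any grant. The following is an added example of that loop written for this page, not the QSA policy engine or its SDK: the `Policy`, `SignIn` and `Decision` classes, the `min_signin_risk` field and the sample policies are all constructed here. It generalises the page's single policy to several, including a risk-based block rule.

```python
"""Conditional Access evaluation in the shape of the policy above: match a
sign-in against each policy's conditions (roles, locations, apps, risk),
collect the grant controls of the policies that apply, and decide whether to
allow, step up, or deny. Added illustration only; not the QSA policy engine."""
from __future__ import annotations

from dataclasses import dataclass, field

RISK_LEVELS = ("low", "medium", "high")


@dataclass
class Policy:
    name: str
    include_roles: set[str] = field(default_factory=set)      # empty = any role
    exclude_locations: set[str] = field(default_factory=set)  # e.g. trusted networks
    include_apps: set[str] = field(default_factory=set)       # empty = any app
    min_signin_risk: str = "low"           # applies when sign-in risk >= this level
    grant_controls: tuple[str, ...] = ()   # "mfa", "compliant_device", "block"


@dataclass
class SignIn:
    user: str
    roles: set[str]
    location: str
    app: str
    risk: str = "low"
    mfa_done: bool = False
    device_compliant: bool = False


@dataclass
class Decision:
    outcome: str          # "allow" | "step_up" | "deny"
    matched: list[str]    # policies that applied to this sign-in
    required: list[str]   # controls still unsatisfied (or ["block"])


def applies(policy: Policy, s: SignIn) -> bool:
    """Every condition of a policy must hold for the policy to apply."""
    if policy.include_roles and not (policy.include_roles & s.roles):
        return False
    if s.location in policy.exclude_locations:
        return False
    if policy.include_apps and s.app not in policy.include_apps:
        return False
    return RISK_LEVELS.index(s.risk) >= RISK_LEVELS.index(policy.min_signin_risk)


def satisfied(control: str, s: SignIn) -> bool:
    """Controls the current session already satisfies."""
    return {"mfa": s.mfa_done, "compliant_device": s.device_compliant}.get(control, False)


def evaluate(policies: list[Policy], s: SignIn) -> Decision:
    matched: list[str] = []
    required: list[str] = []
    blocked = False
    for p in policies:
        if not applies(p, s):
            continue
        matched.append(p.name)
        for control in p.grant_controls:
            if control == "block":
                blocked = True
            elif control not in required and not satisfied(control, s):
                required.append(control)
    if blocked:                      # a block outranks every grant control
        return Decision("deny", matched, ["block"])
    if not required:
        return Decision("allow", matched, [])
    # MFA can be completed in-session; device compliance cannot be fixed mid-login.
    outcome = "step_up" if required == ["mfa"] else "deny"
    return Decision(outcome, matched, required)


# Constructed sample policies: the page's example plus a risk-based block rule.
POLICIES = [
    Policy("Admin MFA Enforcement",
           include_roles={"admin", "security_admin"},
           exclude_locations={"corporate_network"},
           grant_controls=("mfa", "compliant_device")),
    Policy("Block High-Risk Sign-ins", min_signin_risk="high", grant_controls=("block",)),
]

if __name__ == "__main__":
    for s in (SignIn("alice", {"admin"}, "corporate_network", "portal"),
              SignIn("alice", {"admin"}, "home", "portal", device_compliant=True),
              SignIn("bob", {"viewer"}, "cafe", "portal", risk="high", mfa_done=True)):
        print(s.user, s.location, "->", evaluate(POLICIES, s))
```

The admin signing in from `corporate_network` matches nothing and is allowed without MFA, which is exactly the exclusion the YAML expresses; the same admin from home on a compliant device gets a step-up to MFA, and a high-risk sign-in is denied even though MFA was already completed.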
Role-Based Access Control (RBAC)
```text
┌─────────────────────────────────────────────────────────────┐
│                       ROLE HIERARCHY                        │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   Global Admin ──► Tenant Admin ──► Security Admin          │
│        │                │                 │                 │
│        ▼                ▼                 ▼                 │
│   All Tenants     Single Tenant   Security Settings         │
│                                                             │
│   User Admin ────► App Admin ────► Audit Admin              │
│        │               │                │                   │
│        ▼               ▼                ▼                   │
│    User CRUD      App Config        View Logs               │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
👔 Identity Governance
Privileged Identity Management (PIM)
Just-In-Time elevation for privileged roles:
1. Eligibility: an admin assigns eligibility for a role.
2. Activation: the user requests activation with a justification, ticket # and duration.
3. Use: temporary access (max 8h).
Approval flow: Approver 1 / Approver 2, with Any or All of them required.
Auto-expire: a timer runs for the activation and the role is revoked automatically.
| Feature | Description |
|---|---|
| Eligibility | Pre-assignment without active access |
| JIT Activation | On-demand access with justification |
| Approval | Multi-approver workflow |
| Max Duration | Configurable limits (1h-8h) |
| Ticketing | ServiceNow/Jira integration |
| Break-Glass | Emergency access with alerts |
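The workflow above is a small state machine: an eligibility assignment, a request that must carry a justification, ticket and duration inside the configured 1h-8h window, an Any/All approval quorum, and automatic expiry. The code below is an added example of that machine written for this page; it is not the QSA PIM service, and the `PIM`, `RolePolicy` and `Activation` names, the scenario data and the rule that a requester cannot approve their own elevation are all constructed here.

```python
"""Just-In-Time elevation following the PIM workflow above: eligibility is
assigned first, activation needs a justification, ticket and duration within
the configured limit, approval is Any or All of the named approvers, and the
role is revoked automatically when the timer runs out. Added illustration;
not the QSA PIM service, and its class and method names are invented here."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_DURATION = timedelta(hours=1)   # page: configurable limits (1h-8h)
MAX_DURATION = timedelta(hours=8)


@dataclass
class RolePolicy:
    role: str
    approvers: frozenset[str]
    require_all: bool = False            # False = any one approver suffices
    max_duration: timedelta = MAX_DURATION


@dataclass
class Activation:
    user: str
    role: str
    justification: str
    ticket: str
    duration: timedelta
    approvals: set[str] = field(default_factory=set)
    state: str = "pending"               # pending -> active -> expired
    activated_at: datetime | None = None


class PIM:
    def __init__(self, policies: list[RolePolicy]):
        self.policies = {p.role: p for p in policies}
        self.eligible: set[tuple[str, str]] = set()
        self.activations: list[Activation] = []

    def assign_eligibility(self, user: str, role: str) -> None:
        """Step 1: pre-assignment without active access."""
        self.eligible.add((user, role))

    def request(self, user: str, role: str, justification: str, ticket: str, hours: int) -> Activation:
        """Step 2: request activation; rejected unless eligible and well-formed."""
        if (user, role) not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        if not justification.strip():
            raise ValueError("justification is required")
        duration = timedelta(hours=hours)
        if not MIN_DURATION <= duration <= self.policies[role].max_duration:
            raise ValueError(f"duration must be within {MIN_DURATION}..{self.policies[role].max_duration}")
        act = Activation(user, role, justification, ticket, duration)
        self.activations.append(act)
        return act

    def approve(self, act: Activation, approver: str, now: datetime) -> None:
        policy = self.policies[act.role]
        # Assumption added here: requesters may not approve their own elevation.
        if approver not in policy.approvers or approver == act.user:
            raise PermissionError(f"{approver} may not approve this request")
        act.approvals.add(approver)
        quorum = act.approvals >= policy.approvers if policy.require_all else bool(act.approvals)
        if quorum and act.state == "pending":
            act.state, act.activated_at = "active", now

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """Step 3: the role is held only while an approved activation is unexpired."""
        for act in self.activations:
            if act.state == "active" and now >= act.activated_at + act.duration:
                act.state = "expired"        # auto-expire: revoked automatically
        return any(a.user == user and a.role == role and a.state == "active"
                   for a in self.activations)


def run_demo() -> dict[str, bool]:
    """Constructed scenario; returns the observations a test can check."""
    t0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    pim = PIM([RolePolicy("admin", frozenset({"carol", "dave"}), require_all=True)])
    pim.assign_eligibility("alice", "admin")
    act = pim.request("alice", "admin", "Emergency maintenance", "INC-1234", hours=2)
    out = {"before_approval": pim.has_role("alice", "admin", t0)}
    pim.approve(act, "carol", t0)
    out["one_of_two_approvals"] = pim.has_role("alice", "admin", t0)
    pim.approve(act, "dave", t0)
    out["after_quorum"] = pim.has_role("alice", "admin", t0)
    out["after_expiry"] = pim.has_role("alice", "admin", t0 + timedelta(hours=2, minutes=1))
    try:
        pim.request("bob", "admin", "I need it", "INC-1", hours=1)
        out["ineligible_rejected"] = False
    except PermissionError:
        out["ineligible_rejected"] = True
    try:
        pim.request("alice", "admin", "Long job", "INC-2", hours=12)
        out["over_limit_rejected"] = False
    except ValueError:
        out["over_limit_rejected"] = True
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Expiry is evaluated lazily on every `has_role` check rather than by a background timer, which keeps the example self-contained; a production service would also record each transition in the audit log so that the activation, approvals and revocation can be reviewed later.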
Access Reviews
Periodic access reviews:
| Type | Frequency | Reviewer |
|---|---|---|
| App Access | Quarterly | App Owner |
| Group Membership | Monthly | Group Owner |
| Privileged Roles | Weekly | Security Team |
| Guest Access | Bi-weekly | Sponsor |
📊 Audit & Compliance
Tamper-Evident Audit Log
```text
┌─────────────────────────────────────────────────────────────┐
│                       CHAIN HASH AUDIT                      │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│     Event 1            Event 2            Event 3           │
│    ┌───────┐          ┌───────┐          ┌───────┐          │
│    │ Data  │───────►  │ Data  │───────►  │ Data  │          │
│    │ Hash₀ │   H()    │ Hash₁ │   H()    │ Hash₂ │          │
│    └───────┘          └───────┘          └───────┘          │
│        │                  │                  │              │
│        ▼                  ▼                  ▼              │
│    ┌─────────────────────────────────────────────────┐      │
│    │          EVIDENCE BUNDLE (PQC Signed)           │      │
│    │                                                 │      │
│    │  Hash: abc123...                                │      │
│    │  Signature: ML-DSA-65 + Ed25519                 │      │
│    │  Timestamp: RFC 3161                            │      │
│    └─────────────────────────────────────────────────┘      │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
Evidence Authority
Evidence bundle generation for audits:
| Framework | Controls Covered | Coverage |
|---|---|---|
| NIS2 | RM-1 to RM-3, AC-1 to AC-3, IR-1/2, SC-1/2 | 80% |
| GDPR | Art. 5, 25, 30, 32, 33 | 90% |
| SOC2 | CC1, CC6, CC7 | 75% |
| ISO27001 | A.9, A.12, A.16 | 70% |
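The chain hash diagram and the evidence bundle above describe two separate guarantees: each record's hash covers the previous hash, so an in-place edit breaks the next link, and a signed checkpoint over the chain head catches the case where an attacker edits a record and recomputes every later hash. The code below is an added example written for this page, not the QSA audit service: the events are constructed sample data, and HMAC-SHA256 with a constructed key stands in for the ML-DSA-65 + Ed25519 checkpoint signature so the example runs offline with the standard library only.

```python
"""Chain-hash audit log as in the diagram above: hash_i = H(hash_{i-1} || event_i),
a signed checkpoint over the chain head, and verification that pinpoints a
tampered record. Added illustration, not the QSA audit service. HMAC-SHA256 stands
in for the ML-DSA-65 + Ed25519 checkpoint signature so the example runs offline."""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32                 # hash_{-1}: fixed anchor for the first event


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the same event always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link(prev_hash: bytes, event: dict) -> bytes:
    """hash_i = H(prev || event)."""
    return hashlib.sha256(prev_hash + canonical(event)).digest()


def build_chain(events: list[dict]) -> list[bytes]:
    hashes, prev = [], GENESIS
    for event in events:
        prev = link(prev, event)
        hashes.append(prev)
    return hashes


def verify_chain(events: list[dict], hashes: list[bytes]) -> Optional[int]:
    """Index of the first record whose hash no longer matches, or None if intact."""
    if len(events) != len(hashes):
        return min(len(events), len(hashes))
    prev = GENESIS
    for i, (event, h) in enumerate(zip(events, hashes)):
        if link(prev, event) != h:
            return i
        prev = h
    return None


def make_checkpoint(hashes: list[bytes], key: bytes) -> dict:
    """Commit to the chain head; in QSA this is what the PQC signature covers."""
    body = {"count": len(hashes), "head": hashes[-1].hex()}
    return {**body, "sig": hmac.new(key, canonical(body), "sha256").hexdigest()}


def verify_checkpoint(cp: dict, hashes: list[bytes], key: bytes) -> bool:
    body = {"count": cp["count"], "head": cp["head"]}
    expected = hmac.new(key, canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(cp["sig"], expected):
        return False                   # the checkpoint itself was altered
    n = cp["count"]
    return 0 < n <= len(hashes) and hashes[n - 1].hex() == cp["head"]


# Constructed sample events (not real log data).
EVENTS = [
    {"seq": 1, "type": "login", "actor": "alice", "result": "ok"},
    {"seq": 2, "type": "role_assign", "actor": "alice", "target": "bob", "role": "admin"},
    {"seq": 3, "type": "pim_activate", "actor": "bob", "role": "admin", "hours": 2},
]
CHECKPOINT_KEY = b"constructed-demo-key"   # stand-in for the checkpoint signing key


def run_demo() -> dict:
    hashes = build_chain(EVENTS)
    cp = make_checkpoint(hashes, CHECKPOINT_KEY)
    # Attempt 1: edit a record in place -> the next link no longer verifies.
    edited = [dict(e) for e in EVENTS]
    edited[1]["actor"] = "mallory"
    # Attempt 2: edit and recompute every later hash -> the chain verifies,
    # but its head no longer matches the signed checkpoint.
    recomputed = build_chain(edited)
    return {
        "intact": verify_chain(EVENTS, hashes),
        "edited_breaks_at": verify_chain(edited, hashes),
        "recomputed_chain_ok": verify_chain(edited, recomputed),
        "recomputed_passes_checkpoint": verify_checkpoint(cp, recomputed, CHECKPOINT_KEY),
        "original_passes_checkpoint": verify_checkpoint(cp, hashes, CHECKPOINT_KEY),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The second attempt is the one the page's "falsified retroactively" concern is about: the chain alone cannot distinguish a rewritten history from the real one, which is why the checkpoint must be signed with a key the log writer does not hold and, as the bundle shows, timestamped by an external authority.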
🔑 Quantum-Safe Cryptography
Implemented Algorithms
| Use | Classical Algorithm | PQC Algorithm | Mode |
|---|---|---|---|
| JWT Signing | Ed25519 | ML-DSA-65 | Dual-stack |
| Key Exchange | X25519 | ML-KEM-768 | Hybrid |
| Audit Proofs | ECDSA P-256 | ML-DSA-65 | Dual-stack |
| Password | Argon2id | N/A | Classical |
Crypto-Agility Layer
```text
┌─────────────────────────────────────────────────────────────┐
│                    CRYPTO-AGILITY LAYER                     │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   Application Layer                                         │
│   ─────────────────                                         │
│           │                                                 │
│           ▼                                                 │
│   ┌─────────────────────────────────────────┐               │
│   │            ABSTRACTION LAYER            │               │
│   │                                         │               │
│   │  Sign(data)    ──► Algorithm Router     │               │
│   │  Verify(sig)   ──► Version Detector     │               │
│   │  Encrypt(data) ──► Mode Selector        │               │
│   └─────────────────────────────────────────┘               │
│           │                                                 │
│           ▼                                                 │
│   ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐        │
│   │ Ed25519 │  │ ML-DSA  │  │  ECDSA  │  │ Future  │        │
│   │         │  │   -65   │  │  P-256  │  │  Algos  │        │
│   └─────────┘  └─────────┘  └─────────┘  └─────────┘        │
│                                                             │
│   Transparent migration without API changes                 │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
Competitive Advantage
QSA vs. Competition
| Feature | QSA® | Entra ID | Okta | Keycloak |
|---|---|---|---|---|
| PQC Signatures | ✅ ML-DSA-65 | ❌ | ❌ | ❌ |
| Hybrid Key Exchange | ✅ X25519+MLKEM | ❌ | ❌ | ❌ |
| Crypto-Agility | ✅ Abstraction layer | ❌ | ❌ | ❌ |
| Evidence Authority | ✅ Signed bundles | ❌ | ❌ | ❌ |
| Chain Hash Audit | ✅ Tamper-evident | ⚠️ Basic | ⚠️ Basic | ⚠️ Basic |
| EU Data Residency | ✅ Guaranteed | ⚠️ Optional | ⚠️ Optional | ✅ Self-hosted |
| Open Standards | ✅ 100% | ⚠️ Partial | ⚠️ Partial | ✅ 100% |
| Multi-tenant Native | ✅ RLS | ✅ | ✅ | ⚠️ Realms |
| PIM JIT | ✅ | ✅ P2 | ⚠️ Add-on | ❌ |
| Conditional Access | ✅ | ✅ P1 | ✅ | ⚠️ Basic |
The 5 Key Differentiators
1. 🔐 Quantum-Safe Now
"Don't wait for the quantum threat to materialize. QSA protects your data TODAY against TOMORROW's attacks."
- ML-DSA-65 signatures (NIST FIPS 204)
- Hybrid key exchange (X25519 + ML-KEM-768)
- Transparent migration when new standards emerge
2. 📜 Evidence Authority
"Compliance is not a checkbox. It's verifiable proof."
- PQC-signed evidence bundles
- Coverage reports by framework
- Third-party cryptographic verification
3. 🇪🇺 EU-First
"European data on European infrastructure, managed by a European company."
- Datacenters exclusively in the EU
- GDPR compliance by design
- No international transfers
4. 🔗 Chain Hash Audit
"A log that cannot be altered retroactively. Each event proves the integrity of all previous ones."
- Chained hash (H(prev || event))
- Periodically signed checkpoints
- Real-time verification
5. 💰 Predictable TCO
"Price per MAU, no surprises. All features included."
- No upsell for "premium" features
- PIM, Conditional Access, MFA included
- 24/7 support on all enterprise plans
Use Cases
🏦 Financial Services
Challenge: Bank needs to protect customer data for 30+ years, comply with DORA, and prepare for PQC regulations.
QSA Solution:
- PQC-signed evidence bundles for auditors
- PIM for critical system access
- Risk-based Conditional Access
- Integration with existing HSM
Result:
- ✅ Demonstrable DORA compliance
- ✅ "Harvest now, decrypt later" protection
- ✅ 60% reduction in audit time
🏥 Healthcare
Challenge: Hospital needs to protect PHI, comply with HIPAA/GDPR, and ensure emergency access.
QSA Solution:
- Adaptive MFA (low friction for emergencies)
- Break-glass with complete audit trail
- Evidence Authority for continuous compliance
- SCIM sync with HR system
Result:
- ✅ Verifiable HIPAA compliance
- ✅ Emergency access < 30 seconds
- ✅ Zero PHI breaches
🏭 Manufacturing / OT
Challenge: Industrial company needs to protect ICS/SCADA, comply with NIS2, and support air-gapped environments.
QSA Solution:
- On-premises deployment (Kubernetes or VMs)
- Conditional Access by network/device
- Offline audit log with periodic sync
- PQC for long-term protection
Result:
- ✅ NIS2 compliance
- ✅ Zero cloud dependency
- ✅ 20+ year protection
🏛️ Public Sector
Challenge: Government agency needs to comply with national + EU regulations, data sovereignty.
QSA Solution:
- Deployment on sovereign cloud or on-prem
- SAML federation with eIDAS
- Evidence bundles for audits
- Crypto-agility for future mandates
Result:
- ✅ Digital sovereignty maintained
- ✅ eIDAS ready
- ✅ Prepared for PQC mandates
🚀 B2B SaaS
Challenge: SaaS startup needs enterprise IAM to sell to large customers.
QSA Solution:
- Native multi-tenant
- SAML/OIDC SSO out-of-the-box
- SCIM provisioning
- Audit logs for customers
Result:
- ✅ Enterprise-ready in weeks
- ✅ Closed Fortune 500 deals
- ✅ SOC2 compliance for customers
Integration
SDKs & APIs
Official SDKs
- JavaScript/TypeScript (npm)
- Python (pip)
- Go (module)
- Java (Maven)
- .NET (NuGet)
APIs
- REST API v1 (OpenAPI 3.1)
- GraphQL (in development)
- Webhooks (real-time events)
- Admin API (programmatic management)
Python SDK Example
```python
from qsa import QSAClient, Policies

client = QSAClient(
    tenant_id="your-tenant",
    api_key="your-key"
)

# Create a user
user = client.users.create(
    email="user@example.com",
    roles=["viewer"],
    require_mfa=True
)

# Configure conditional access policy
policy = client.policies.create(
    name="Admin MFA Enforcement",
    conditions=Policies.Conditions(
        include_roles=["admin", "security_admin"],
        exclude_locations=["corporate_network"]
    ),
    controls=["mfa", "compliant_device"]
)

# Request PIM elevation
elevation = client.pim.request_elevation(
    user_id=user.id,
    role="admin",
    justification="Emergency maintenance",
    duration_hours=2
)

# Generate evidence bundle for audit
evidence = client.evidence.generate(
    framework="nis2",
    date_range=("2025-01-01", "2025-12-31"),
    sign_with_pqc=True
)
```
CLI
```bash
# Authenticate
qsa login --tenant your-tenant

# List users
qsa users list --filter "role:admin"

# Create conditional access policy
qsa policy create --file policy.yaml

# Request PIM elevation
qsa pim elevate --role admin \
  --justification "Incident response" \
  --duration 2h

# Generate evidence bundle
qsa evidence generate --framework nis2 \
  --output evidence-2025.zip \
  --sign-pqc
```
Technical Stack
| Layer | Technology | Justification |
|---|---|---|
| Backend | Go 1.22+ | Performance, security, compilation |
| Database | PostgreSQL 16 | ACID, RLS, extensibility |
| Cache | Redis 7 Cluster | Sessions, rate limiting, HA |
| Queue | NATS JetStream | Events, audit streaming |
| Crypto | liboqs, Go crypto | PQC + classical |
Deployment Options
SaaS (Cloud Hosted)
- Region: Frankfurt (eu-central-1) / Dublin (eu-west-1)
- Certifications: ISO27001, SOC2 Type II
- Uptime SLA: 99.99%
- Managed infrastructure, automatic updates, 24/7 monitoring
On-Premises / Private Cloud
- Kubernetes (Helm charts)
- Docker Compose (dev/small)
- VM packages (air-gapped)
Minimum Requirements: 4 vCPU, 16GB RAM, 100GB SSD per node
Hybrid
Combines cloud control plane with on-premises data plane for maximum flexibility and compliance.
Ecosystem Integration
QSA integrates with the complete SoftQuantus® stack:
```text
┌──────────────────────────┐
│      SynapseX® (AI)      │ ← AI decision routing
└───────────┬──────────────┘
            │
┌───────────▼──────────────┐
│        QCOS® Core        │ ← Quantum execution
└───────────┬──────────────┘
            │
┌───────────▼──────────────┐
│    QuantumLock® Core     │ ← Integrity verification
└───────────┬──────────────┘
            │
┌───────────▼──────────────┐
│           QSA            │ ← Identity & Access
└──────────────────────────┘
```
Compliance & Certifications
Current Certifications
| Certification | Status | Validity |
|---|---|---|
| ISO 27001:2022 | ✅ Certified | Dec 2026 |
| SOC 2 Type II | ✅ Certified | Jun 2026 |
| GDPR | ✅ Compliant | Continuous |
| NIS2 | ✅ Compliant | Continuous |
In Progress
| Certification | Status | ETA |
|---|---|---|
| Common Criteria | 🔄 In evaluation | Q3 2026 |
| BSI C5 | 🔄 In evaluation | Q2 2026 |
| eIDAS 2.0 | 📋 Planned | Q4 2026 |
Resources
- Product Page: softquantus.com/products/qsa
- Documentation: docs.softquantus.com
- Contact Sales: softquantus.com/contact
QSA — Protecting identities today for tomorrow's world.