Verify your phone and email once. Set up a passkey once. Then open Doorcta, OneHealth, or FastCredits without typing a password again — anywhere in Nigeria.
FastLogin is your single Fastclinic account — verified, multi-factor protected, and yours to control.
Sign in once and Doorcta, OneHealth, and FastCredits stay open in tabs. No per-product passwords. No re-typing your phone number every time a new app launches.
Touch ID, Face ID, Windows Hello, and hardware keys are the primary sign-in method. Passwords are a backup for the rare device that doesn't support passkeys. Phishing campaigns that steal passwords steal nothing useful.
Every sign-in, MFA event, consent grant, and consent revoke is logged with the IP, device, and AAL of the session. You can scroll back seven years. NDPA 2023 §25 says the record is yours.
If you sign in on a friend's phone and forget to sign out, you end the session from any other device in one click. The token stops working within seconds.
Telehealth signs patients and doctors in via FastLogin. Consult start requires AAL2 within the last fifteen minutes. Doorcta never sees the user's password.
Health-record access requires AAL2 plus an explicit scope on the consent screen. Provider identity is the MDCN-verified FastLogin identity — there is no separate clinical login.
The shared credits ledger trusts FastLogin's identity for both individual and organisation accounts. Hold, capture, and refund actions all carry the FastLogin user ID and write to the same audit chain.
Open-source identity store. We run pinned releases and edit configuration at fastlogin/ory/kratos/. Container restarts are part of every config change.
Open-source OAuth2 / OIDC server. Tokens are signed with rotating keys; the public key set is cached by every relying party for five minutes. Hydra never sees user passwords.
External KYC processor for liveness, MDCN licence OCR, and NIN verification. Signed agreement under NDPA 2023; selfie data deleted after thirty days on Didit's side.
FastLogin processes personal data under contract, consent, legal obligation, and legitimate-interest bases per NDPA 2023 §25. Every dataset and processor is recorded in the data-processing record kept by the Fastclinic Limited data controller (RC 1919428).
NDPA 2023 (NDPC)Every authentication event is hashed into a Postgres-side chain. Tampering with any historical row breaks the chain. We export the chain daily to write-once-read-many S3 storage; the seven-year retention satisfies records-of-processing requirements.
Identities, sessions, KYC artefacts, and audit logs are hosted in a Nigerian-region AWS account. Cross-border transfer is limited to the named Didit liveness flow under signed processor agreement.
Every FastLogin account holds both a passkey credential and a TOTP secret. Passkeys carry the phishing-resistance properties NIST 800-63 names as AAL2-eligible without an authenticator-app fallback. We require both factors so a lost device is recoverable.
NIST 800-63BAccess tokens last fifteen minutes. Refresh tokens last twenty-four hours and rotate on every use. JWKS caches expire every five minutes. Compromise windows are measured in minutes, not weeks.
Open Doorcta, OneHealth, FastCredits, and every partner app with one verified identity, phishing-resistant MFA, and an audit feed you can actually read.