Tessera Codes · one-time-code login

The engineer's phone instead of a token

The engineer scans a QR code from the device screen, confirms identity on your corporate sign-in page, and receives a short one-time code. The device verifies the code without a network — offline semantics are fully preserved.

No token: no certificates to issue or hand out — the engineer's phone is enough
SSO / 2FA: identity is confirmed by your corporate sign-in — offboarding means instant loss of access
Offline: the device verifies the code locally; the network is for the phone, not the device

01 · How it works

QR on the device, code on the phone — only the phone is online

Every code is single-use, short-lived and bound to a specific device, role and login attempt.

[Diagram. Labels: fleet owner's perimeter.
Device: any device · Linux / Astra; QR: device, nonce, level; verified offline.
Engineer: only the phone is online.
Tessera Codes: sign-in site · SSO / 2FA; one-time code issuance; server record: who, where, when.
Tessera Control: roles, policies, revocation (CRL); device keys · inventory; audit intake for the whole fleet.
Steps: ① scan the QR; ② sign in with the engineer's SSO / 2FA; ③ short code; ④ enter the code, which is verified offline with no server call. Push approval is on the roadmap.
Background sync towards the device: roles · CRL · device keys. Audit upload from the device when connectivity exists.]
fig. 1 — code login: at most the engineer's phone needs a network; login itself never waits for connectivity

02 · Security and accountability

The code is short because it carries no rights

The code only references a role

Roles and policies are already delivered to the device — the code merely points at one of them. It is cryptographically bound to the device, the login attempt and the chosen level — it cannot be repurposed.

rights live on the device beforehand
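
One way the binding described above could work, as an added illustration that is not Tessera's code or its documented protocol. It assumes a per-device secret key known to both the device and the issuing server, and an 8-digit truncated HMAC-SHA-256; `derive_code`, `Device`, `issue_code`, the device ID and the level names are hypothetical.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 8  # assumed length; the page only says the code is "short"

def derive_code(device_key: bytes, device_id: str, nonce: bytes, level: str) -> str:
    """Short code = truncated HMAC over everything the login attempt is bound to."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (device_id.encode(), nonce, level.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)

class Device:
    """Device side: builds the QR challenge and verifies the code with no network."""
    def __init__(self, device_id: str, device_key: bytes, roles: set):
        self.device_id, self.key, self.roles = device_id, device_key, roles
        self.pending = None  # (nonce, level) of the single open login attempt

    def start_login(self, level: str, nonce: bytes = None) -> dict:
        if level not in self.roles:  # rights are already on the device
            raise ValueError("level not provisioned on this device")
        nonce = nonce or secrets.token_bytes(16)  # fresh per login attempt
        self.pending = (nonce, level)
        return {"device": self.device_id, "nonce": nonce.hex(), "level": level}

    def verify(self, code: str) -> bool:
        if self.pending is None:
            return False
        nonce, level = self.pending
        self.pending = None  # single use: one guess per attempt, no replay
        expected = derive_code(self.key, self.device_id, nonce, level)
        return hmac.compare_digest(expected.encode(), code.encode())

def issue_code(device_keys: dict, qr: dict) -> str:
    """Server side, called only after SSO / 2FA and the policy check succeed."""
    key = device_keys[qr["device"]]
    return derive_code(key, qr["device"], bytes.fromhex(qr["nonce"]), qr["level"])
```

Because the attempt is cleared on every verification, a short code gets exactly one guess per nonce, which is what makes a short truncation tolerable in this sketch.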

Dual accountability

The server records each issuance: who, for which device, when, at what level. The device keeps its own hash-chained login journal — offline. The records correlate with each other.

server + device

Access lives in your SSO

Before issuing a code the server checks: may this engineer have this level on this device. An engineer offboarded or blocked in SSO gets no more codes, immediately.

issuance is a server decision

One platform with Tessera Access

Codes is enabled on the same open-source Tessera agent — nothing to reinstall on the devices. Shared roles, shared Tessera Control, shared audit journal.

the same agent on the device

Need certificate login with contractor delegation, fully server-free? That's Tessera Access, already in production across bank ATM fleets.

Next step — a pilot on your fleet

We connect your SSO, take a few devices and run through real field-maintenance scenarios.