A two-factor authentication, authorisation and access, Identity as a Service system, with inherent single sign-on capability. Passwords and other data-at-rest information are protected by virtual encryption keys, known only to the system, and otherwise inaccessible. Password entry is obfuscated and secure against direct observation, network snooping, keystroke loggers and frame buffer readers. The second factor is a device ID unique to a combination of device type, CPU, O/S and version, browser and version, and graphics card and version, obtained without interrogation of the device, and without cookies or client software.