Your personal security identity - a unique phrase, avatar, and optional audio signature that prove you're logging in to the real WIGGWIGG, not a fake phishing site.
Most authentication is one-way: you prove your identity to the website. But how does the website prove its identity to you?
Our anti-phishing protection works both ways. Before you enter your full password, we show you a security identity (visual phrase and avatar, plus optional audio signature) that only the real WIGGWIGG can display.
We ask for only the first 3 characters of your password
We use those to retrieve your unique security phrase and avatar
We display them to you before you enter your full password
If you don't see your exact phrase and avatar, you know you're on a fake site - and you haven't given away your full password.
Here's exactly what you'll see when you log in - your personal security identity
This phrase is unique to you and proves you're on the real WIGGWIGG site
(Audio playback available in the web app)
⚠️ If this doesn't match what you remember
You may be on a phishing site. Do not enter your full password.
Note: This is a visual example. When you register, you'll receive your own unique phrase, avatar, and colors that will be completely different.
A five-step verification that protects you from phishing attacks
Start by entering your Account ID. This is your public identifier, so no risk yet.
Enter only the first 3 characters of your password. We use these to verify partial authentication and retrieve your security identity.
We show your unique security phrase and avatar, and play your personal audio signature (if enabled). Recognize them? You're on the real site. Don't recognize them? Close the page immediately.
After confirming your security identity, enter your full password to complete authentication. Safe and verified.
Once authenticated, you gain full access to your account knowing you're on the legitimate WIGGWIGG platform.
Phishing sites can look identical to the real site. They can copy our design, colors, and logo perfectly. But they typically cannot display your unique security identity because they don't have access to our servers. However, advanced real-time proxy attacks can relay your credentials and show your real identity - always verify the exact domain in your address bar. This verification step stops most phishing attacks before you expose your full credentials.
Your unique phrase and avatar are generated server-side from your personal security seed using cryptographic processes. Additionally, you can enable an optional audio signature - a unique musical pattern that plays during login. Some people remember sounds better than visual elements, making this a valuable multi-sensory verification option.
Always verify you're on an official WIGGWIGG domain (wiggwigg.ca, app.wiggwigg.ca) before entering any credentials. Your security identity helps confirm you're on the real site, but always check the address bar as your primary verification.
We only ask for the first 3 characters initially, stored as a cryptographic hash (HMAC-SHA256). Even if intercepted, these 3 characters can't complete login - they only unlock your security identity display. Your full password stays protected.
We require HTTPS connections for all authentication. Always verify you see the padlock icon and the correct domain in your browser's address bar before entering credentials.
Memorize your security phrase and avatar during registration
Verify you see them before entering your full password
Type wiggwigg.ca directly into your address bar
Check for HTTPS and valid SSL certificate
Use bookmarks instead of clicking email links
Enter your full password if security identity is wrong
Click login links in unsolicited emails
Ignore security warnings or certificate errors
Log in from embedded frames or pop-ups
Trust similar-looking domains without checking
1. Close the browser tab immediately - don't click anything
2. Open a new browser window and type wiggwigg.ca directly
3. Change your password immediately if you entered it
4. Report the phishing site to our support team
5. Check your account activity for any suspicious logins
Our anti-phishing system combines multiple cryptographic and security techniques to verify both you and us.
Generated server-side from your unique security seed using cryptographic hash functions
Unique phrase created from word list (3-4 words, high entropy)
Avatar generated using deterministic algorithms (consistent per user)
Optional audio signature: unique 6-note musical pattern using a sound synthesizer
Audio uses pentatonic scales, varied rhythms, and waveforms for pleasant, recognizable sounds
Stored securely in database, never exposed until partial auth succeeds
First 3 characters hashed using HMAC-SHA256
Hash compared against stored partial password hash
Success triggers security identity retrieval
Full password never transmitted until identity confirmed
Important: Treat all password characters as sensitive - use a strong, unique password
HTTPS-only enforcement (TLS 1.2+)
Always verify the padlock icon in your browser
Check the domain matches wiggwigg.ca or app.wiggwigg.ca exactly
Content Security Policy (CSP) headers prevent XSS
Your security identity provides a second layer of verification
While our anti-phishing protection is strong, it's important to understand its limitations:
The most sophisticated phishing attacks act as a live proxy between you and WIGGWIGG. These attacks can show your real security identity (visual and audio) while stealing your full password in real-time. This is why you must always verify the exact domain in your address bar: wiggwigg.ca or app.wiggwigg.ca. No exceptions.
If an attacker intercepts your connection using compromised certificates or network-level attacks, they could relay your credentials in real-time. Always verify SSL certificates and avoid untrusted networks.
If an attacker convinces you to share your full password directly (phone call, in person, fake support), anti-phishing can't protect you. Never share your password with anyone - not even WIGGWIGG support staff.
If your device is infected with malware that captures keystrokes or screenshots, anti-phishing cannot prevent credential theft. Keep your devices secure and updated.
Malicious browser extensions or compromised software on your device could manipulate what you see, including your security identity display. Only install extensions from trusted sources and keep your software updated.
Anti-phishing protection is one layer of defense. Combine it with strong passwords, two-factor authentication, and careful verification of domains for maximum security.
Experience the confidence of knowing you're always on the real site.