# FAQs

## General

<details>

<summary>What is Peig?</summary>

Peig is a device-bound access security platform. It ensures that access to your business applications is tied to a specific, authorised device — replacing passwords entirely with cryptographic device identity. See [What is Peig?](introduction/README.md) for a full explanation.

</details>

<details>

<summary>Does Peig replace my identity provider?</summary>

For Microsoft 365 and Google Workspace, Peig becomes the identity provider for your domain through SAML federation — replacing password-based authentication entirely. It is better understood as an alternative to credential-based authentication rather than a layer added on top of it.

</details>

<details>

<summary>Do users still need passwords?</summary>

No. After federation is set up, users no longer use passwords to access connected services. Their registered device handles authentication. There is nothing to remember, reset, or share.

</details>

<details>

<summary>Is Peig the same as MDM?</summary>

No. MDM manages and controls devices. Peig controls which devices can access your workspace — without managing those devices. It works on personal and BYOD devices without installing management software or giving IT visibility into the device itself. See [Why Not MDM?](introduction/why-not-mdm.md) for a full comparison.

</details>

## Devices

<details>

<summary>What devices are supported?</summary>

Peig is available on macOS, Windows, iOS, and Android.

</details>

<details>

<summary>Can a user have more than one registered device?</summary>

Yes. Users can register additional devices using the device sync flow — both devices must be physically present. The user authorises the new device from their already-registered one. The Access Admin is notified when a new device is added.

</details>

<details>

<summary>What happens if a user loses their device?</summary>

If the user has another registered device, they can sync their new device from it without admin involvement. If they have no other devices, they initiate a re-approval request from their new device. The Access Admin verifies their identity and approves the request — access is re-established from the new device and all previous device records are removed. See [Managing Devices](admin-guide/managing-devices.md).

</details>

<details>

<summary>Can I suspend a single device without blocking the user entirely?</summary>

Yes. Devices can be suspended individually without affecting the user's other registered devices or their account.

</details>

## Security

<details>

<summary>What happens if a registered device is stolen?</summary>

Suspend the device immediately in Users & Access. Access from that device is revoked instantly. The user's other devices are unaffected. If the user has no other devices, they can initiate a re-approval request from a new device.

</details>

<details>

<summary>Can someone access Peig-protected services by stealing a session token?</summary>

No. Session tokens issued by Peig are bound to the device that initiated the session. Replaying a token from a different, unregistered device will not grant access.

</details>

<details>

<summary>Does Peig work if the user is on a different network or location?</summary>

Yes. Peig's access model is not based on network location. Access is verified based on device identity regardless of where the user is connecting from.

</details>

<details>

<summary>Can a device's cryptographic identity be copied to another device?</summary>

Peig includes static and dynamic anti-copy mechanisms to detect and prevent this. Static mechanisms use hardware-level device identifiers. Dynamic mechanisms use cryptographic registers that change with every use and must align between the Peig client and server — if a key were extracted and replayed from another device, the registers would fall out of sync and the attempt would be detected. The Access Admin is notified immediately. See [Cryptography and Protocol](security/cryptography-and-protocol.md).

</details>
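The register-alignment idea from the answer above, as an added sketch that is not Peig's code or its actual protocol. It assumes an HMAC-SHA256 ratchet shared by client and server; `DeviceState`, `Server` and `simulate` are hypothetical names, and the keys and registers are random constructed samples.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


@dataclass
class DeviceState:
    key: bytes       # long-term device secret (assumed to be extractable by a copier)
    register: bytes  # dynamic register, advanced on every use

    def prove(self, challenge: bytes) -> bytes:
        proof = _mac(self.key, b"auth", self.register + challenge)
        self.register = _mac(self.key, b"advance", self.register)  # one-way step
        return proof


class Server:
    def __init__(self, key: bytes, register: bytes):
        self.key, self.register, self.alerts = key, register, []

    def verify(self, device_id: str, challenge: bytes, proof: bytes) -> bool:
        expected = _mac(self.key, b"auth", self.register + challenge)
        if hmac.compare_digest(expected, proof):
            self.register = _mac(self.key, b"advance", self.register)
            return True
        # A valid key with a stale register means two copies of the identity exist.
        self.alerts.append(f"{device_id}: register out of sync, possible copied identity")
        return False


def simulate(clone_first: bool):
    """Return (login outcomes, admin alerts) when a copy of the state is used."""
    key, reg = os.urandom(32), os.urandom(32)
    server, genuine = Server(key, reg), DeviceState(key, reg)

    def login(dev: DeviceState) -> bool:
        challenge = os.urandom(16)
        return server.verify("device-1", challenge, dev.prove(challenge))

    outcomes = [login(genuine)]   # normal use keeps both sides aligned
    clone = replace(genuine)      # copy of key and current register
    order = [clone, genuine] if clone_first else [genuine, clone]
    outcomes += [login(d) for d in order]
    return outcomes, server.alerts
```

Whichever copy authenticates second presents a stale register, so the divergence surfaces no matter which side moves first. The sketch omits the resynchronisation a deployed system needs for logins lost in transit.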

## Microsoft 365

<details>

<summary>What Microsoft 365 license is required?</summary>

The admin account must have a Microsoft 365 Business Premium license, which includes Azure AD Premium P1 required for SSO and user provisioning. Other users can use lower-tier licenses such as Microsoft 365 Business Basic.

</details>

<details>

<summary>Can users still use Outlook, Teams, and other desktop apps?</summary>

Yes. For native desktop applications, Peig generates a short-lived authentication code that is automatically copied to the clipboard. The user pastes it into the application when prompted.

</details>

<details>

<summary>What if a user's email address is different in Peig and Microsoft 365?</summary>

This is handled through the MS365 Identifiers tool, which allows you to manually link accounts across the two systems even when their identifiers do not exactly match. See [Managing MS365 Identifiers](deployment/microsoft-365/managing-identifiers.md).

</details>


