Enterprise offline deployment

Enterprise authenticator offline deployment architecture.

ZeroAuth's local-first architecture is designed to operate in environments where cloud connectivity is restricted, prohibited, or unavailable. TOTP generation, vault access, and secure autofill function entirely on-device — making ZeroAuth suitable for air-gapped networks, compliance-controlled infrastructure, and restricted enterprise environments.

Architecture Properties

Enterprise-ready properties

No cloud dependency

All TOTP generation and vault operations function without network access. Deployable on air-gapped and isolated networks without modification.

Local-first storage

Credentials are stored in an AES-256-GCM encrypted vault on the device hardware enclave. No data is written to external servers or cloud storage by the authenticator engine.

Controlled backup architecture

Backup files are AES-256 encrypted and can be written to any storage location the organization controls — local file systems, MDM-managed storage, or encrypted enterprise NAS.

Zero server breach surface

There is no Optional Labs server holding credential data to breach, exfiltrate, or subpoena. The attack surface for credential compromise is limited to the device itself.

MDM compatibility

ZeroAuth operates as a standard iOS/Android application and is compatible with Mobile Device Management (MDM) systems for deployment and policy enforcement.

Compliance-aligned architecture

Local-first storage with no cloud-held credentials aligns with the data residency and storage requirements of compliance frameworks that require on-premises credential management.

Questions

Enterprise questions

Does ZeroAuth support enterprise deployments?

ZeroAuth's local-first architecture is well-suited for enterprise environments. All core functions — TOTP generation, vault access, autofill, backup — operate without cloud connectivity. This makes it deployable in restricted, air-gapped, or compliance-controlled network environments. Dedicated enterprise licensing and support are under development.

Does ZeroAuth work on air-gapped networks?

Yes. TOTP code generation and vault access require no network connectivity. The application functions fully in environments where internet access is restricted, including air-gapped systems and controlled production networks.

What compliance considerations does ZeroAuth address?

ZeroAuth's local-first architecture means no credential data transits to or is stored on external servers. This aligns with data residency requirements in many compliance frameworks (SOC 2, ISO 27001, FedRAMP environments) that restrict cloud storage of authentication secrets. Organizations should evaluate ZeroAuth against their specific compliance requirements.

How does ZeroAuth handle enterprise backup and recovery?

ZeroAuth generates AES-256 encrypted backup files that can be stored in any location the organization controls — local file systems, internal NAS, or encrypted enterprise storage. Backup keys are not held by Optional Labs.


Written by the Optional Labs Security Team · Published May 2025 · Updated May 2025