Local-first authentication
Device-sovereign credential storage.
Local-first authentication is an architectural principle: all credential data is stored, encrypted, and processed on the user's device as the default. There is no server dependency for core operations. ZeroAuth is built on this model — your vault exists on your hardware, encrypted with keys only your device holds.
Technical Stack
Local-first storage layers
L1: Hardware enclave. The derived encryption key lives here. Hardware enclaves (the iOS Keychain and Android Keystore) are physically isolated from the main processor and software stack, so keys stored there cannot be extracted by software-level attacks.
L2: Key derivation. Your PIN is stretched into a strong symmetric key using PBKDF2 with HMAC-SHA256. High iteration counts raise the computational cost of brute-forcing the PIN. The derived key is handed to the L1 enclave and is never stored in plaintext.
L3: Encryption at rest. Credentials and TOTP seeds are encrypted with AES-256 in GCM mode, which provides both confidentiality and integrity verification. Tampered ciphertext fails the authentication-tag check on decryption and is rejected.
L4: Memory hygiene. Decrypted data is held in memory only for the duration of active use. Keys are zeroized (cleared from RAM) immediately after the session ends or the app is backgrounded.
Questions
Frequently asked questions
What does "local-first" mean in authentication?
Local-first authentication means all credential data is stored, encrypted, and processed on the user's device as the primary and default behavior. The application does not require a server connection to function. Any optional cloud or network features are additive, not foundational.
How does ZeroAuth implement local-first storage?
ZeroAuth encrypts all credentials and TOTP seeds with AES-256-GCM before writing them to device storage. The encryption key is derived from the user's PIN using PBKDF2 with HMAC-SHA256 and is stored exclusively in the device hardware enclave (iOS Keychain, Android Keystore). No unencrypted credential data is written to disk.
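The PIN-to-PBKDF2-to-AES-256-GCM pipeline from the storage-layers section and this answer, as an added Ruby example using only the stdlib OpenSSL binding; it is not ZeroAuth's own code. The 600,000-iteration count, the 12-byte nonce, the 16-byte tag and the "vault-format-v1" associated-data label are assumptions the page does not state; the example shows a tampered blob and a wrong PIN both being rejected, and a best-effort zeroize step.

```ruby
require "openssl"

# Iteration count, nonce length and AAD label are assumptions for this example;
# the page does not specify them.
PBKDF2_ITERATIONS = 600_000
NONCE_LEN = 12
TAG_LEN = 16
VAULT_AAD = "vault-format-v1" # binds the blob to one format version

# Key derivation layer: stretch the PIN into a 32-byte AES-256 key. The salt
# is random per vault and stored next to the ciphertext; it is not secret.
def derive_key(pin, salt, iterations = PBKDF2_ITERATIONS)
  OpenSSL::KDF.pbkdf2_hmac(pin, salt: salt, iterations: iterations,
                           length: 32, hash: "sha256")
end

# Encryption layer: seal the serialized vault with AES-256-GCM.
# Blob layout: nonce || tag || ciphertext.
def seal_vault(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv # fresh per write; never reused with the same key
  cipher.auth_data = VAULT_AAD
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Decrypt and verify the tag. Returns nil, never partial plaintext, when the
# key is wrong or any byte of the blob was modified.
def open_vault(key, blob)
  return nil if blob.bytesize < NONCE_LEN + TAG_LEN
  nonce = blob.byteslice(0, NONCE_LEN)
  tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  ciphertext = blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = VAULT_AAD
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Memory-hygiene layer: best-effort zeroization when the session ends. A
# managed runtime may still hold copies the program cannot reach.
def zeroize(secret)
  secret.replace("\0" * secret.bytesize)
end
```

Only the salt and the sealed blob are written to device storage; the derived key is not.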
Does ZeroAuth work without cloud sync?
Yes. All core functions — TOTP generation, vault access, autofill, backup — operate without any cloud connectivity. Local-first architecture is the foundation, not an optional mode.
What is the advantage of local-first over cloud-first authentication?
Local-first eliminates server-side attack surface for credential data. There is no central server storing your TOTP seeds that can be breached. The trade-off is that backup and recovery are the user's responsibility, which ZeroAuth addresses through AES-256 encrypted local backup files.
Is local-first compatible with enterprise environments?
Yes. Local-first architecture is particularly well-suited to enterprise environments with restricted network access, air-gapped systems, or compliance requirements that prohibit cloud credential storage. ZeroAuth's offline TOTP generation works in these environments without modification.
Written by the Optional Labs Security Team · Published May 2025 · Updated May 2025
