Security Architecture
ZeroAuth enforces a local-first architecture. Vault storage, key generation, and biometric verification occur exclusively on-device to isolate credential databases from external server risks.
Trust Boundaries & Data Flow
[Diagram: trust boundaries and data flow between the Local Device Boundary and Outside Device]
Core Architectural Specifications
Local Storage Boundaries
ZeroAuth stores your data exclusively on-device. Vault files are written directly to secure system partitions, shielding secrets from remote database exploits. Your vault is never cached or stored on external servers, eliminating cloud-based data breaches.
Encryption & Unlock
ZeroAuth enforces AES-256-GCM encryption. Biometric flows gate access keys via the hardware-backed secure enclave. The decryption key exists solely in application memory, which is immediately zeroized (wiped) when the app is backgrounded or locked.
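The zeroize-on-lock behaviour described above, sketched in C as an added example; it is not ZeroAuth's own code. The `vault_session` type and the `session_*` and `secure_zero` names are hypothetical, and the key is assumed to arrive from the platform keystore after a successful biometric check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VAULT_KEY_LEN 32 /* AES-256 key size in bytes */

/* Hypothetical in-memory session holding the unwrapped vault key. */
typedef struct {
    uint8_t key[VAULT_KEY_LEN];
    int unlocked;
} vault_session;

/* Wipe through a volatile pointer so the compiler cannot drop the stores as dead. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Store the key released by the keystore (assumed); reject any other length. */
int session_unlock(vault_session *s, const uint8_t *key, size_t len) {
    if (len != VAULT_KEY_LEN) return -1;
    memcpy(s->key, key, VAULT_KEY_LEN);
    s->unlocked = 1;
    return 0;
}

/* Call from both the lock handler and the app-backgrounded handler. */
void session_lock(vault_session *s) {
    secure_zero(s->key, sizeof s->key);
    s->unlocked = 0;
}

/* The key is reachable only while the session is unlocked. */
const uint8_t *session_key(const vault_session *s) {
    return s->unlocked ? s->key : NULL;
}

/* Unlock with a constructed key, lock, then confirm no key byte survives. */
int demo_lock_cycle(void) {
    uint8_t k[VAULT_KEY_LEN];
    memset(k, 0xA5, sizeof k); /* constructed sample key, not a real secret */
    vault_session s = {0};
    if (session_unlock(&s, k, sizeof k) != 0 || session_key(&s) == NULL) return -1;
    session_lock(&s);
    uint8_t acc = 0;
    for (size_t i = 0; i < VAULT_KEY_LEN; i++) acc |= s.key[i];
    secure_zero(k, sizeof k); /* the caller's copy must be wiped as well */
    return (acc == 0 && session_key(&s) == NULL) ? 1 : 0;
}
```

A plain `memset` before the buffer goes out of use can be removed by the optimizer as a dead store, which is why the wipe goes through a `volatile` pointer here.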
Autofill Isolation Model
ZeroAuth integrates directly with native OS autofill APIs. It does not inject custom scripts, browser overlays, or third-party keyboards, neutralizing keylogging and tapjacking risks during credential insertion.
Passkey Workflows
Passkeys are generated and isolated inside hardware-backed storage. By keeping keys strictly local, ZeroAuth prevents account recovery vulnerabilities where a hijacked cloud login might compromise synchronized passkeys.
Enterprise Isolation
ZeroAuth is designed to operate 100% offline. System administrators can restrict all network access through firewalls or MDMs without degrading key generation, preventing credential exfiltration over the network.
