Security Trust Center

Encryption Model

ZeroAuth relies on industry-standard authenticated encryption to protect your vault. We avoid proprietary cryptography in favor of vetted, battle-tested primitives, ensuring that your data remains indecipherable without the correct local keys.

Decryption Pipeline & Key Derivation

1. Input Auth

Master PIN / Pass: user-entered passphrase
Biometric Verify: Face ID / Touch ID challenge

2. Key Derivation

PBKDF2-HMAC-SHA256: up to 310,000 iterations
Secure Enclave Gate: hardware key isolation

3. Decryption

AES-256-GCM Process: authenticated decryption block
Memory Zeroization: key material wiped from RAM on lock

Core Cryptographic Principles

Minimizing Cloud Exposure

Cryptographic operations occur on-device. The device processor performs key derivation, encryption, and decryption locally, ensuring plaintext credentials never cross the network boundary.

Local Trust Boundaries

We treat the local device as the root of trust, leveraging hardware-backed storage (Secure Enclave / Keystore) where supported to bind cryptographic material to the physical hardware.

Offline Survivability

Authentication must not fail when network coverage drops. The vault is designed to be verified and decrypted entirely offline, so no server-side authentication check can lock you out.

Defense-in-Depth

We combine robust key derivation (PBKDF2), strong authenticated ciphers (AES-GCM), and memory protection routines to ensure that compromising one layer does not grant access to the vault.

Core Cryptographic Specifications

Local Vault Encryption

ARCH-ENC-01

The contents of a ZeroAuth vault are sealed using AES-256-GCM. Any modification of the encrypted vault payload, whether from storage corruption or deliberate tampering, causes the GCM authentication tag check to fail, so decryption aborts and no plaintext is released; the ciphertext cannot be altered undetected.

Key Derivation Standards

ARCH-ENC-02

User PINs or passphrases are never used directly as encryption keys. Input is stretched with PBKDF2-HMAC-SHA256 so that every guess costs a large, fixed amount of CPU work, which makes offline brute-force and dictionary attacks on a captured vault file far more expensive. Stretching raises the cost of guessing rather than removing it, so the strength of the PIN or passphrase still matters.

Biometric & Device Protection

ARCH-ENC-03

Decryption keys can be bound directly to the hardware's Secure Enclave or Keystore system. The operating system verifies biometrics and triggers key release under hardware protection; ZeroAuth never stores or reads raw biometric templates.

Encrypted Export Design

ARCH-ENC-04

Because ZeroAuth works offline, backups are managed by users. Each exported vault is sealed with a key derived specifically for that backup archive, so the file is encrypted before it is written to disk or copied to a secondary device, and no two archives share a key.