Zero-knowledge
encryption.
ZeroAuth enforces architectural isolation. Your decryption keys are derived inside sandboxed RAM, utilized transiently, and scrubbed from device memory. We can't read your vault — ever.
Cryptographic Bridge
The encryption transformation
Plaintext Vault
Transient Client Memory
Your raw passwords, usernames, and secret seeds are entered into the app. At this stage, the data is transient and resides purely within the secure runtime state of the application. It is never written to disk or sent over any network in this state.
{
"label": "Work Access",
"username": "admin",
"secret_totp": "JBSWY3DPEHPK3PXP"
}Cryptographic Core Simulation
Security Core Lab Workbench
Parameter config
Configure your key stretching details. Every calculation occurs locally inside your browser's sandboxed RAM.
Architectural Isolation
Data persistence boundaries
What We Store (Encrypted)
Client ciphertext payload only
- ✓Encrypted vault block payload arrays (AES-256-GCM)
- ✓Symmetric nonce parameters generated per vault entry
- ✓Opaque, encrypted TOTP parameters and labels
- ✓Encrypted device details and metadata timestamps
What We Never Store
Zero plaintext variables retained
- ✗Your local system PIN or raw vault master passwords
- ✗Derived symmetric vault decryption keys
- ✗Plaintext credentials, usernames, or parameters
- ✗Plaintext TOTP generation codes and outputs
Technical specs
System Specifications Sheet
Secured by design
Our zero-knowledge status is a mathematical fact, enforced directly in client-side code structures. We have no backend master keys because your device owns the encryption bridge.