🔐 PrivexaGuard
Proprietary Passkey-Based Zero-Knowledge Authentication System Core Innovation: Device-bound passkey authentication without passwords, emails, or centralized identity
⸻
🔍 Project Summary
PrivexaGuard is a proprietary, passkey-based authentication framework designed to replace traditional password/OTP/email-based login flows with a cryptographically secure, privacy-preserving mechanism.
Originally developed for PrivexaMail, it’s been architected as a standalone, reusable component for identity-free authentication across other zero-trust applications.
Key Goals:
- ✅ Server has zero knowledge of user secrets
- ✅ No traditional identifiers (email, phone, username) are required
- ✅ Seamless UX—comparable to WebAuthn or password managers but without browser/platform dependency
⸻
🛠 Why I Built This
- Eliminate the largest attack surface: user credentials and identity leakage
- Make authentication feel invisible but secure, without UX compromises
- Store no linkable metadata about users on the server side
- Create a drop-in alternative to WebAuthn with better control and privacy
⸻
🔑 How PrivexaGuard Works (High-Level)
- Device generates asymmetric passkey pair on first use
- Public key registered with backend (proof-of-possession required)
- Private key stored locally, optionally encrypted with secure storage
- On login:
- Server issues a signed challenge
- Client signs the challenge with private key
- Server verifies signature using the registered public key, and issues session
No passwords, no recoverable secrets, no identity-linked recovery.
ℹ️ Implementation details are proprietary and intentionally omitted.
⸻
🧠 Security & Privacy Advantages
- No stored passwords, OTPs, recovery questions
- No email/phone/username collected or stored
- Resistant to:
- 🪤 Phishing
- 🔐 Credential stuffing
- 🧱 Brute-force attacks
- 🔓 Database breaches (no credentials to steal)
- Designed for:
- 🔄 Forward secrecy
- 🧩 Per-device unlinkability
⸻
🏗️ Architecture Snapshot
[Client (React + OpenPGP.js + PrivexaGuard)] | Passkey Registration / Challenge-Response | [Auth Service (FastAPI)] | [Redis (Sessions)] + [PostgreSQL (Public Keys Only)]
- Public keys are stored in non-identifiable, unlinkable format
- Sessions are issued only on verified cryptographic challenge-response
- No user identifiers or recoverable secrets ever stored server-side
⸻
📈 Outcome & Impact
- Integrated and tested in PrivexaMail production beta
- Proved seamless, device-bound login with no onboarding friction
- Currently being modularized into a standalone library
- Received positive feedback on UX speed and simplicity
⸻
🧠 Skills Demonstrated
- 🔐 Cryptographic protocol design (asymmetric key auth, challenge-response)
- 🧱 Zero-trust, zero-knowledge system architecture
- 🛠 Backend engineering (FastAPI, replay protection, rate limiting)
- 👁 Privacy-by-design thinking
- 🧩 Modular, reusable component development
⸻
📎 Notes
- 📦 Standalone PrivexaGuard Library: In development (private repo)
⸻
💬 TL;DR for Hiring Teams
PrivexaGuard™ is a proprietary passkey-based authentication system eliminating passwords, identity collection, and server-stored secrets. I designed and built the full stack, applying advanced cryptographic design and privacy engineering to deliver a seamless, secure, and scalable authentication layer.
It showcases my ability to drive security innovation, architect resilient systems, and rethink the fundamentals of user authentication.
⸻