Security & Threat Model
We assume the network is hostile and the server will be compromised. Our architecture minimizes the blast radius.
Server Compromise
PROTECTED: The server stores only cryptographic verifiers. Attackers cannot reverse these to recover passwords or impersonate users.
Network Eavesdropping
PROTECTED: No passwords are transmitted. Challenge-response with fresh nonces prevents replay attacks.
Client Device Compromise
USER AT RISK: If attackers gain root access to the device, they can extract session keys or keylog passwords. ZKAuth does not protect compromised endpoints.
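As an added illustration, not ZKAuth's own protocol (this page does not give its construction), the following Python sketch models the first two rows above with a toy Schnorr identification exchange: the server stores only a verifier g^x, and each login consumes a fresh nonce, so a captured response cannot be replayed. The group parameters, usernames, salts and passwords are constructed for the demo.

```python
import hashlib
import secrets

# Constructed toy Schnorr group for the demo only: p = 2q + 1, g generates the
# order-q subgroup. A real deployment uses a standard group (e.g. RFC 3526 MODP).
P, Q, G = 1019, 509, 4

def derive_secret(salt: bytes, password: str) -> int:
    """Client side: password -> exponent x. Only g^x ever leaves the client."""
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big") % Q

def make_verifier(salt: bytes, password: str) -> int:
    """Registration value the server stores; recovering x from it is discrete log."""
    return pow(G, derive_secret(salt, password), P)

class Server:
    def __init__(self):
        self.users = {}     # user -> (salt, verifier); no password material held
        self.pending = {}   # user -> (commitment R, nonce c) for in-flight logins

    def register(self, user: str, salt: bytes, verifier: int) -> None:
        self.users[user] = (salt, verifier)

    def challenge(self, user: str, commitment: int) -> int:
        c = secrets.randbelow(Q - 1) + 1        # fresh nonce for this attempt only
        self.pending[user] = (commitment, c)
        return c

    def verify(self, user: str, response: int) -> bool:
        if user not in self.pending:
            return False                        # no live nonce: replay or stray message
        commitment, c = self.pending.pop(user)  # nonce consumed on first use
        _, v = self.users[user]
        return pow(G, response, P) == (commitment * pow(v, c, P)) % P

class Client:
    def __init__(self, salt: bytes, password: str):
        self.x = derive_secret(salt, password)
        self.r = 0

    def commit(self) -> int:
        self.r = secrets.randbelow(Q - 1) + 1   # per-login blinding factor
        return pow(G, self.r, P)

    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % Q        # s = r + c*x; r hides x

def login(server: Server, client: Client, user: str) -> tuple:
    """Run one exchange; return (accepted, transcript) as an eavesdropper would see it."""
    commitment = client.commit()
    c = server.challenge(user, commitment)
    s = client.respond(c)
    return server.verify(user, s), (commitment, c, s)

def replay(server: Server, user: str, transcript: tuple) -> bool:
    """Eavesdropper resends the captured response; the nonce is already spent."""
    return server.verify(user, transcript[2])
```

A stolen verifier still allows offline guessing of a weak password, so the password-to-exponent derivation should use a slow KDF rather than a bare hash in any real deployment.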
What ZKAuth Does NOT Do
No Permissions
ZKAuth does not manage roles, permissions, or access control lists (RBAC/ABAC).
No User Data
ZKAuth does not store user profiles, emails, or application-specific settings.
No App Sessions
ZKAuth issues tokens but does not track or maintain client application sessions.