A secure login where the user's private key is never hosted on servers or on the user's online devices. The same mechanism can also be used as a form of two-factor authentication ( 2FA ) in which the user's private key is never hosted on servers.
To keep the private key out of reach of online attackers, this project adheres to the following strict principles:
- Absolute Private Key Isolation: No private key ( or any fragment of it ) should ever be stored, copied, typed, or dragged onto any device with an active internet connection. A key that is never present on the online device is out of reach of the keyloggers, clipboard sniffers, and remote access trojans that may be running there.
- Air-Gapped Interaction: We strongly discourage physical connections ( USB, cables, or data ports ), which can carry malware or malicious device firmware. Communication must be strictly visual: data travels from the online device to the offline device by scanning a QR code, and the short decrypted result travels back by the user reading it off the offline screen and typing it into the online device.
- Dedicated Offline Hardware: We recommend repurposing older mobile devices as "Cold Vaults". These devices must remain permanently disconnected ( WiFi, Bluetooth, GPS, and Cellular disabled or hardware-removed ) and run only the dedicated offline decryption software.
- The Server's Responsibility: Infrastructure providers must evolve to support these sovereign tools. Users are often the "weakest link" only because the industry has failed to provide systems that do not rely on human memory or exposure to dangerous online environments.
This model serves as a foundational blueprint for:
- Secure User Login & Passwordless Authentication.
- True Two-Factor Authentication (2FA) without server-side secrets.
- Account Recovery & Identity Confirmation.
- Secure Transaction Signing for Banking, Fintech, and Cryptocurrencies.
1 ) Using an online device ( D1 ) the user opens the server's login page ( S1 )
2 ) The user enters only his username in the form, and this data is submitted to the server ( login.php )
3 ) If the username exists in the server's database, the server generates a random 12-digit code, encrypts it with the user's public key, keeps the plaintext code for this pending login only, and sends the user a QR code containing the encrypted code ( code.php )
4 ) Using an offline device ( D2 ) the user scans the QR code from D1's screen; D2 decrypts the QR data with the user's private key and displays the 12-digit code. The user reads the code off D2, enters it into the form on D1, and it is submitted to the server ( code.php )
5 ) If the 12-digit code submitted by the user matches the pending code ( test.php ) then the user is granted access to the user's home page ( home.php ). The server should accept each code only once and only within a short time window, so that a code observed in transit cannot be replayed
6 ) The user will then also be able to access the user's profile page ( profile.php )
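The six steps above as one runnable Go program, added here as an illustration; it is not the project's own code ( whose server side is PHP: login.php, code.php, test.php ). It assumes RSA-OAEP with SHA-256 as the public-key encryption, a two-minute validity window for each code, an OAEP label of "login-challenge", and that the base64 text returned by the server is what a QR library would render; the QR drawing and scanning themselves are not shown. The key pair is generated inside the program only to keep the example self-contained; in the real flow it is generated on D2 and only the public key is ever exported.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const oaepLabel = "login-challenge" // ties each ciphertext to this purpose (assumed value, not the project's)

// pendingLogin: what the server keeps after step 3 (plaintext code, server side only).
type pendingLogin struct {
	code    string
	expires time.Time
}

// Server models the PHP side. Never-Never: it holds public keys only; no private key ever lives here.
type Server struct {
	pubKeys map[string]*rsa.PublicKey
	pending map[string]pendingLogin
	ttl     time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{pubKeys: map[string]*rsa.PublicKey{}, pending: map[string]pendingLogin{}, ttl: ttl}
}

// Register is the enrolment the page assumes has already happened.
func (s *Server) Register(user string, pub *rsa.PublicKey) { s.pubKeys[user] = pub }

// IssueChallenge is step 3 (code.php): draw a uniform 12-digit code, encrypt it with the user's
// public key and return the text the QR code carries (base64 ciphertext; QR rendering not shown).
func (s *Server) IssueChallenge(user string) (string, error) {
	pub, ok := s.pubKeys[user]
	if !ok {
		return "", errors.New("unknown username")
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000_000_000)) // uniform in [0, 10^12)
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%012d", n.Int64()) // zero-padded so leading-zero codes are as likely as any other
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(code), []byte(oaepLabel))
	if err != nil {
		return "", err
	}
	s.pending[user] = pendingLogin{code: code, expires: time.Now().Add(s.ttl)}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Verify is step 5 (test.php): the pending code is removed before it is checked (single use,
// even on a wrong guess), must not have expired, and is compared in constant time.
func (s *Server) Verify(user, submitted string) bool {
	p, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	if time.Now().After(p.expires) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(p.code), []byte(submitted)) == 1
}

// OfflineDecrypt is step 4 on the cold device D2, the only place the private key exists:
// scanned QR text in, the 12-digit code the user reads off the screen and types into D1 out.
func OfflineDecrypt(priv *rsa.PrivateKey, qrText string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(qrText)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(oaepLabel))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // really generated on D2; only the public half leaves it
	if err != nil {
		panic(err)
	}
	srv := NewServer(2 * time.Minute)
	srv.Register("alice", &priv.PublicKey)
	qr, err := srv.IssueChallenge("alice") // steps 1-3, on D1
	if err != nil {
		panic(err)
	}
	code, err := OfflineDecrypt(priv, qr) // step 4, on D2
	if err != nil {
		panic(err)
	}
	fmt.Println(code, srv.Verify("alice", code), srv.Verify("alice", code)) // "<code> true false"
}
```

Deleting the pending entry before the comparison is deliberate: a wrong submission also burns the challenge, so an attacker who intercepted the QR code cannot keep guessing against a live challenge, and the legitimate user simply requests a new one.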
» Philosophy : Never-Never
-
Private Keys : ( Never on servers ) and ( Never on online devices )
-
Therefore, servers ( online or offline ) hold only public keys, and private keys exist only on offline devices.
-
This philosophy only applies when using asymmetric ( public-key ) algorithms ( RSA, ECDSA, EdDSA, etc. ). Note that ECDSA and EdDSA are signature schemes, not encryption schemes: the encrypt-then-decrypt challenge described above needs an encryption-capable scheme such as RSA-OAEP, whereas with ECDSA or EdDSA the offline device would instead sign the server's random code and the server would verify that signature with the stored public key.
» Philosophy : Only-Only
-
Secret ( symmetric ) keys : ( Only on offline servers ) and ( Only on offline devices )
-
Therefore, secret keys : never on online servers and never on online devices. Because both sides of a symmetric scheme must hold the same key, the server side has to be offline as well; an online login server like the one above cannot follow this philosophy.
-
This philosophy only applies when using symmetric encryption algorithms ( AES, 3DES, etc. ); 3DES is deprecated, and AES should be used for any new design.