✅ Recommended Version: This demo uses V2 with HMAC-based zero-knowledge authentication. The master_secret never leaves your browser.
🧪 Interactive Demo V2

Zero-Knowledge Authentication

Passwordless Authentication · The master secret never leaves your browser.

Authentication proven cryptographically via HMAC-SHA256. The server verifies without knowing your secret.

# V2 Zero-Knowledge Flow
1. Client derives user_id from master_secret
   # PBKDF2-SHA512, 100k iterations

2. Server generates random challenge
   # 64-char hex string

3. Client computes HMAC(challenge, user_id)
   # HMAC-SHA256, client-side only

4. Server verifies HMAC
   # Constant-time comparison

# Result: Authenticated ✅
# Server knows: NOTHING about your secret
Security Model

How V2 Works

Client-Side

Derives user_id from master_secret using PBKDF2-SHA512 (100k iterations).

Web Crypto API

πŸ” HMAC Computation

Computes HMAC-SHA256(challenge, user_id) locally. The secret never leaves the browser.

RFC 2104

🌐 Server-Side

Stores only user_id (derived). Generates random challenges. Verifies HMAC.

Zero-knowledge

πŸ›‘οΈ Breach-Resistant

If the database is leaked, there's nothing to exploit. No hashes, no emails, no secrets.

Nothing to steal
🧪 Try it Now

Interactive Demo V2

Create an account in 2 seconds. One master secret. No personal data.

🔒 This secret is used locally to derive your user_id. It never leaves your browser.

💡 How it works (V2 - Real Flow)

1. Your secret is used locally to derive a user_id (via Web Crypto API).
2. The server only sees the user_id and generates a random challenge.
3. Your browser computes HMAC-SHA256(challenge, user_id).
4. The server verifies the HMAC without knowing your secret.

The master secret NEVER leaves your browser.
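
The four steps above, written out as an added example (not the demo's own code) with Node's built-in crypto module standing in for the browser's Web Crypto API. The salt, the 32-byte output length, hex encoding, the `accounts`/`pending` stores, and the choice of user_id as the HMAC key with the challenge as the message are assumptions; the page does not specify them.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: a fixed application-wide salt (constructed value, not from the page).
const APP_SALT = 'constructed-demo-salt';

// Step 1 (client): PBKDF2-SHA512, 100k iterations, master_secret -> user_id.
function deriveUserId(masterSecret) {
  return nodeCrypto.pbkdf2Sync(masterSecret, APP_SALT, 100000, 32, 'sha512').toString('hex');
}

// Hypothetical server state: registered user_ids and one outstanding challenge each.
const accounts = new Set();
const pending = new Map();

function register(userId) {
  accounts.add(userId);
}

// Step 2 (server): 32 random bytes give the 64-char hex challenge.
function issueChallenge(userId) {
  if (!accounts.has(userId)) return null;
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  pending.set(userId, challenge);
  return challenge;
}

// Step 3 (client): HMAC-SHA256 over the challenge, keyed with user_id.
function respond(challenge, userId) {
  return nodeCrypto.createHmac('sha256', userId).update(challenge).digest('hex');
}

// Step 4 (server): recompute from the stored user_id, compare in constant time.
function verify(userId, responseHex) {
  const challenge = pending.get(userId);
  if (!challenge) return false;
  pending.delete(userId); // single use: a captured response cannot be replayed
  const expected = nodeCrypto.createHmac('sha256', userId).update(challenge).digest();
  const got = Buffer.from(String(responseHex), 'hex');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}
```

Because the server recomputes the HMAC from the stored user_id, that value is the verification key on both sides of this flow.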

⚠️ Important

If you lose your master_secret, you cannot recover your account. There is no "Forgot Password" because the server doesn't know your secret. This is the trade-off for zero-knowledge security.