Security Overview

BlokSec is a passwordless authentication platform that replaces shared secrets (passwords) with public-key cryptography and device-bound credentials. This section explains the security architecture for teams evaluating BlokSec’s trust model.

Platform architecture

BlokSec consists of three components that work together:

1. BlokSec API — The authentication server that implements OIDC, SAML, and WS-Federation protocols. Hosted on AWS (Lambda + API Gateway), with MongoDB for data storage and Redis for session management.

2. BlokSec Authenticator — A mobile app (iOS and Android) that stores the user’s cryptographic identity. The app generates and secures key material, receives push notifications, and presents authentication requests for user approval.

3. BlokSec Admin Console — A web application where IT administrators configure applications, manage users, and monitor authentication requests.

Trust boundaries

BlokSec’s security model distributes trust across three parties so that no single party can authenticate on behalf of a user:

Party	What it holds	What it can’t do alone
Server (BlokSec API)	Encrypted private key envelope, server salt, public key	Decrypt the private key (needs device salt + PIN)
Device (QR code / mobile app)	Device salt (embedded in QR)	Sign anything (needs server envelope + PIN)
User	PIN or passphrase	Access any key material (needs device + server)

All three factors must be present simultaneously to complete an authentication. The private key exists in memory only during the signing operation and is discarded immediately after.

Note

Even if an attacker compromises the database, they cannot forge an authentication. The encrypted key envelope requires a device salt (not stored in the database) and the user’s PIN to decrypt.

Security properties

• No shared secrets — BlokSec never stores or transmits passwords. Authentication uses Ed25519 digital signatures.
• Phishing-resistant — Users approve sign-ins on their own device. There is no password to type into a fake login page.
• Device-bound credentials — Cryptographic keys are generated on the server, encrypted with the user’s PIN, and can only be unlocked when all three factors are present.
• Tenant isolation — Each organization (tenant) has fully isolated data. A compromise of one tenant has no effect on others.

Learn more

Authentication Model

Deep dive into the three-factor model, key lifecycle, and cryptographic operations.

Security FAQ

Answers to common security questions from CISOs and security architects.