Detailed technical diagrams and explanations of the QuantumPass zero-credential authentication system. These flows show the cryptographic and architectural foundations that eliminate persistent credentials and limit what an attacker can gain from a breach.
A new user registers a device, creating a hardware-bound identity.
The application detects the available secure hardware (TEE or Secure Enclave) and generates a device-bound Ed25519 key pair directly in that hardware using react-native-biometrics.
The private key never leaves the secure hardware, and every use of it requires a successful biometric authentication, which makes the key a tamper-resistant identity root.
The device proves its security capabilities and integrity to the QuantumPass server.
Attestation data from the secure hardware is collected and verified, covering security level, patch status, and integrity measurements.
This blocks registration from compromised or emulated devices, because only a device with genuine secure hardware can produce a valid attestation.
An anonymous account is created with zero personally identifiable information.
The public key of the hardware-generated key pair is registered with the QuantumPass server, creating a pseudonymous identity with no username or password.
No credentials exist to be stolen: authentication rests solely on possession of the hardware and proof of the biometric.
The user links their anonymous QuantumPass identity to service provider accounts.
The service provider initiates the linking process via the API, which generates a unique linking token; the token is displayed as a QR code that the user scans with the QuantumPass app.
Service providers never see user credentials; they receive only a cryptographic proof that authentication succeeded.
Strict controls on what information service providers can access.
OAuth 2.0-style scoped access tokens with fine-grained permissions define exactly which user data can be accessed.
Users keep complete control over what information is shared, through transparent consent workflows and the ability to revoke access.
Users can securely register multiple devices to access their accounts.
The primary device uses hardware attestation and biometric verification to produce a cryptographically signed authorization for the new device's registration.
Each device holds its own hardware-secured keys, so the compromise of one registered device does not allow another device's keys to be extracted.