
Ciphera ID
One identity.
Complete privacy.
The identity layer behind every Ciphera service. Zero-knowledge password authentication, passkeys, two-factor authentication, and OAuth 2.0 — all on Swiss infrastructure.
01 · Authentication
Your password never leaves your device.
With OPAQUE (RFC 9807), your password is stretched on your device with Argon2id and proven to our servers without ever being sent. We store only an opaque credential record that can't be reversed into your password — so even a full database breach gives attackers nothing usable.
- OPAQUE (RFC 9807) — your password is never sent to our servers
- On-device Argon2id key stretching
- We store only an opaque credential record — no password, hash, or verifier
- No password reset: recovery uses your 24-word phrase, which we never hold
Your password
••••••••••
Scrambled
a7f3c8e1b9d2...
Received
a7f3c8e1b9d2...
Opaque record
9f2c4e8a…b1d7
opaque credential · 9f2c4e8a…b1d7
Unreadable — even to us
Create Ciphera ID
One account for all Ciphera services
Already have an account? Sign in
02 · SSO
Passwords optional. Security mandatory.
Sign in with passkeys (FIDO2/WebAuthn) using your fingerprint, face, or hardware security key — no password needed. For password-based logins, add TOTP two-factor authentication with recovery codes as a safety net.
- Passkeys via WebAuthn — phishing-resistant by design
- TOTP 2FA with any authenticator app
- 8 single-use recovery codes for account access
- Escalating lockout (15 min → 1 hour → 24 hours)
- CAPTCHA after 3 failed attempts
03 · Features
Everything in Ciphera ID.
One account, all services
Log in once and reach every Ciphera service via OAuth 2.0 with mandatory PKCE (S256), short-lived access tokens with refresh rotation, and revoked-token reuse detection.
Security visibility
A full audit log of every login, password change, and 2FA event. Revoke any session remotely, get new-device alerts, and keep IPs HMAC-hashed — never stored raw.

Data residency
Switzerland (FADP protected)
Token lifetime
15 min access, 30 day refresh
Compliance
GDPR, FADP, privacy by design
04 · Swiss privacy
Swiss infrastructure. Swiss privacy laws.
All identity data is stored on Swiss infrastructure, protected by the Swiss Federal Act on Data Protection (FADP). Passwords use zero-knowledge OPAQUE auth, IPs are HMAC-hashed, and audit logs are batched asynchronously — privacy at every layer.
- Self-hosted — no third-party vendor has your user data
- IP addresses HMAC-hashed before storage
- Minimal metadata: no behavioral tracking
- Automatic token cleanup and session expiration
- Security alerts rate-limited to 1 per hour per user
05 · Compare
How Ciphera ID compares.
Most auth providers are SaaS platforms that store your users' credentials on their infrastructure. Ciphera ID is different.
Ciphera ID
Self-hosted identity provider
- Zero-knowledge password auth (OPAQUE, RFC 9807)
- Self-hosted on Swiss infrastructure
- Passkeys (FIDO2/WebAuthn)
- Mandatory PKCE (S256 only)
- Stateless token verification
- HMAC-hashed device fingerprints
- Escalating account lockout
- Argon2id key stretching (client-side)
- Built-in organization management
SaaS Auth Providers
Auth0, Clerk, Firebase Auth
- Single-hashed passwords (bcrypt/scrypt)
- Cloud-hosted (US infrastructure)
- Passkeys support
- PKCE optional
- Network call for token validation
- Raw IP logging
- Fixed-duration lockout
- Unbounded hash concurrency
- Organization management via extensions

06 · Get started
Interested in Ciphera ID?
Ciphera ID is currently an internal service powering the Ciphera ecosystem. Reach out if you're interested in the technology for your platform.