Ciphera ID

One identity. Complete privacy.

The identity layer behind every Ciphera service. Zero-knowledge password authentication, passkeys, two-factor authentication, and OAuth 2.0 — all on Swiss infrastructure.

Zero-knowledgePasskeys2FA + recovery codesOAuth 2.0 + PKCE

01 · Authentication

Your password never leaves your device.

With OPAQUE (RFC 9807), your password is stretched on your device with Argon2id and proven to our servers without ever being sent. We store only an opaque credential record that can't be reversed into your password — so even a full database breach gives attackers nothing usable.

  • OPAQUE (RFC 9807) — your password is never sent to our servers
  • On-device Argon2id key stretching
  • We store only an opaque credential record — no password, hash, or verifier
  • No password reset: recovery uses your 24-word phrase, which we never hold
Your device

Your password

••••••••••

Scrambled

a7f3c8e1b9d2...

Encrypted in transit
Our server

Received

a7f3c8e1b9d2...

Opaque record

9f2c4e8a…b1d7

Stored in database

opaque credential · 9f2c4e8a…b1d7

Unreadable — even to us

Create Ciphera ID

One account for all Ciphera services

you@example.com
How you'd like to be called
Minimum 12 characters
I am human
Secured byCipheraCiphera

Already have an account? Sign in

02 · SSO

Passwords optional. Security mandatory.

Sign in with passkeys (FIDO2/WebAuthn) using your fingerprint, face, or hardware security key — no password needed. For password-based logins, add TOTP two-factor authentication with recovery codes as a safety net.

  • Passkeys via WebAuthn — phishing-resistant by design
  • TOTP 2FA with any authenticator app
  • 8 single-use recovery codes for account access
  • Escalating lockout (15 min → 1 hour → 24 hours)
  • CAPTCHA after 3 failed attempts

03 · Features

Everything in Ciphera ID.

One account, all services

Log in once and reach every Ciphera service via OAuth 2.0 with mandatory PKCE (S256), short-lived access tokens with refresh rotation, and revoked-token reuse detection.

Security visibility

A full audit log of every login, password change, and 2FA event. Revoke any session remotely, get new-device alerts, and keep IPs HMAC-hashed — never stored raw.

Zurich, Switzerland — where Ciphera data is hosted

Data residency

Switzerland (FADP protected)

Token lifetime

15 min access, 30 day refresh

Compliance

GDPR, FADP, privacy by design

04 · Swiss privacy

Swiss infrastructure. Swiss privacy laws.

All identity data is stored on Swiss infrastructure, protected by the Swiss Federal Act on Data Protection (FADP). Passwords use zero-knowledge OPAQUE auth, IPs are HMAC-hashed, and audit logs are batched asynchronously — privacy at every layer.

  • Self-hosted — no third-party vendor has your user data
  • IP addresses HMAC-hashed before storage
  • Minimal metadata: no behavioral tracking
  • Automatic token cleanup and session expiration
  • Security alerts rate-limited to 1 per hour per user

05 · Compare

How Ciphera ID compares.

Most auth providers are SaaS platforms that store your users' credentials on their infrastructure. Ciphera ID is different.

Ciphera ID

Ciphera ID

Self-hosted identity provider

  • Zero-knowledge password auth (OPAQUE, RFC 9807)
  • Self-hosted on Swiss infrastructure
  • Passkeys (FIDO2/WebAuthn)
  • Mandatory PKCE (S256 only)
  • Stateless token verification
  • HMAC-hashed device fingerprints
  • Escalating account lockout
  • Argon2id key stretching (client-side)
  • Built-in organization management

SaaS Auth Providers

Auth0, Clerk, Firebase Auth

  • Single-hashed passwords (bcrypt/scrypt)
  • Cloud-hosted (US infrastructure)
  • Passkeys support
  • PKCE optional
  • Network call for token validation
  • Raw IP logging
  • Fixed-duration lockout
  • Unbounded hash concurrency
  • Organization management via extensions

06 · Get started

Interested in Ciphera ID?

Ciphera ID is currently an internal service powering the Ciphera ecosystem. Reach out if you're interested in the technology for your platform.