Built for the quantum era
UniAuth is designed from the ground up with security as the default — not bolted on later. Every hash, every token, every session is protected with cryptography that resists both today's and tomorrow's attacks.
Cryptographic foundations
AES-256-GCM encryption at rest
Every sensitive value — TOTP secrets, OAuth access tokens, PQC private keys, LDAP bind passwords — is encrypted with AES-256-GCM before it touches the database. Format: iv:tag:ciphertext.
The encryption key is a separate 256-bit secret (ENCRYPTION_KEY), not derived from the JWT secret. Rotating one doesn't compromise the other.
ML-DSA-44 session signatures
Every session carries a post-quantum digital signature (FIPS 204 ML-DSA-44, formerly CRYSTALS-Dilithium). On each request, touchSession() verifies the signature; a mismatch immediately revokes the session and logs the event.
Even if a classical ECDSA or RSA signature were broken by a quantum computer, ML-DSA sessions remain secure.
Argon2id password hashing
New passwords use Argon2id (OWASP recommended: 64 MB memory, 3 iterations, 4 parallelism). Legacy bcrypt hashes are transparently migrated on login. Password strength is scored with zxcvbn (score ≥ 2 required) and checked against HaveIBeenPwned's k-anonymity API.
Pairwise subject identifiers
Connected apps never see your real UUID. Each app receives a unique, deterministic, app-specific identifier: HMAC-SHA256(userId:clientId, secret). Apps cannot correlate users across services — your privacy is structural, not policy-based.
Runtime protection
Adaptive threat detection
Statistical login-risk scoring across 6 factors: new IP, new user-agent, unusual hour, failed-attempt burst, geo anomaly, and device trust. High-risk logins trigger step-up 2FA or CAPTCHA automatically.
Progressive account lockout
5 failures = 1 min, 10 = 5 min, 15 = 15 min, 20+ = 1 hour. Returns generic 401 (no account enumeration). Resets on successful auth. Lockout applies equally to password, passkey, and magic-link flows.
Session lifecycle
24-hour inactivity timeout + 30-day absolute lifetime. SHA-256 fingerprint (IP + UA) verified on every request; mismatch terminates the session immediately. Max 10 concurrent sessions per user, oldest evicted.
SSRF-safe outbound
Every outbound HTTP request (webhooks, OIDC discovery, backchannel logout) goes through safeFetch — DNS-resolved, IP-pinned to the validated address. DNS rebinding between the check and the socket connect is impossible.
CORS + CSP + rate limiting
Strict same-origin CORS on all API routes. CSP with frame-ancestors 'none'. Dual-layer rate limiting (in-memory + Redis sliding window). Per-route thresholds tuned to each endpoint's risk profile.
Timing-safe everything
Every hash comparison, token verification, backup-code check, and SCIM-token lookup uses crypto.timingSafeEqual. No timing side channels, anywhere.
Compliance & audit
Every action is logged, every chain is verified, every export is redacted.