
BYOiD: Bring Your Own Identity

BYOiD (Bring Your Own Identity) is TideCloak's zero-knowledge, decentralized authentication protocol. It allows users to prove their identity without revealing their credentials to any single entity: not to TideCloak, not to the Cybersecurity Fabric nodes, and not to administrators.


The Authentication Problem

Traditional authentication systems share a fundamental weakness: credential verification is centralized. To act as the authenticator, the server has to learn enough about you to check your credential, which means it knows too much.

When you log in to a conventional IAM system:

  1. You send your password to the server (over TLS, so it is encrypted in transit, but it is plaintext again once the server terminates TLS)
  2. The server hashes your password and compares it to a stored hash
  3. If they match, you're authenticated

The vulnerabilities:

  • Stored hashes: even with a strong, salted password hash (bcrypt, Argon2), an attacker who copies the database can guess offline at full speed, and weak or reused passwords fall quickly
  • Server compromise: if the server is compromised, malicious code can read passwords in plaintext after TLS termination and before hashing
  • Admin access: database administrators, or anyone else with privileged access, can view, modify, or replace hashes
  • Vendor backdoors: the IAM provider (or a malicious insider) could log credentials, bypass verification, or inject their own authentication logic

Even Zero Trust architectures still trust the authentication server to verify credentials honestly.


The BYOiD Solution

BYOiD eliminates the centralized verification point by distributing authentication across the Cybersecurity Fabric using threshold cryptography and zero-knowledge proofs.

Core principles:

  1. No password storage: No password hashes exist anywhere in the system
  2. Credential blinding: Passwords are transformed before leaving the user's device so nodes process them without seeing the plaintext
  3. Threshold verification: Multiple independent Fabric nodes each verify a fragment of the authentication without any single node being able to verify alone
  4. Zero-knowledge proofs: Nodes prove verification succeeded without revealing anything about the password or authentication secret
  5. Ephemeral session keys: a successful authentication generates a unique, temporary key in the user's browser that never leaves the device, so that subsequent actions can be bound to the device on which the authentication was initiated

How BYOiD Works

1. User Registration

When a user first creates an account:

  1. Credential entry: User enters their password in the Secure Web Enclave (SWE)
  2. Distributed key generation: The password is used to derive key fragments that are distributed across Fabric nodes through a threshold cryptographic ceremony
  3. No storage: The password itself is never transmitted or stored. Only the derived key fragments exist, spread across independent nodes
  4. PRISM enrollment: The user's identity is enrolled in the PRISM protocol, which enables future zero-knowledge authentication
  5. Recovery sources: The user has the option of providing multiple account reconstruction sources (e.g., multiple email addresses) for future recovery scenarios

Result: No single node or system holds enough information to verify the password. The authentication "key" exists only as fragments across the Fabric.

2. User Authentication (Login)

Step 1: Credential blinding

  • User enters password in the SWE
  • SWE blinds the password using cryptographic transformation
  • Blinded credential is sent to Fabric nodes

Step 2: Threshold verification

  • Each Fabric node performs a partial verification using its own key fragment; the nodes are queried in parallel, so the round trip is bounded by the slowest responding node rather than growing with the number of nodes
  • Nodes return partial responses (without revealing their fragments)
  • No single node can determine if authentication succeeded

Step 3: Zero-knowledge proof

  • Each partial response includes a zero-knowledge proof that:
    • The node performed the verification correctly
    • The result is valid (without revealing the result itself)
  • The SWE verifies these proofs to ensure no node misbehaved

Step 4: Response assembly

  • SWE collects partial responses from the threshold number of nodes
  • SWE combines the responses to produce the final authentication result
  • If successful, an ephemeral session key is generated in the user's browser

Step 5: Session key binding

  • The session key is unique to this login session
  • It exists only in browser memory (never transmitted or stored)
  • All subsequent operations in this session are cryptographically bound to this key
  • When the session ends, the key is destroyed

Technical Implementation: PRISM Protocol

BYOiD is built on Tide's PRISM protocol, which implements:

Threshold Oblivious Pseudorandom Function (TOPRF)

  • A cryptographic primitive that lets multiple parties jointly compute a pseudorandom function (PRF) on a password without any of them learning the password
  • The PRF key is secret-shared: each Fabric node holds one share, and no node ever holds the whole key
  • To evaluate the PRF on a password, the user's device hashes the password to a group element, blinds it with a fresh random factor, and sends the same blinded value to each node; the blinded value is statistically independent of the password
  • Each node multiplies the blinded value by its key share and returns that partial evaluation
  • The user combines a threshold number of partial evaluations (Lagrange interpolation over the share indices) and removes the blinding factor to obtain the final PRF output
  • Security guarantee: no single node, and no coalition smaller than the threshold, learns anything about the password or the PRF key; because the output is deterministic for a given password, it can be recomputed at every login instead of being stored
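The blind, partial-evaluate, prove, combine and unblind cycle described in login Steps 1 to 4 and in the TOPRF bullets above, as an added worked example. This is not TideCloak or PRISM code and does not reproduce their wire format: it is a 2-of-3 threshold OPRF on secp256k1 in which each node also returns a Chaum-Pedersen DLEQ proof that its partial evaluation used the key share it committed to, so a misbehaving node is rejected before its response is combined. The Shamir sharing, the try-and-increment hash-to-curve, the dict standing in for the node network and the use of SHA-256 for the Fiat-Shamir challenge are this example's own assumptions, and the curve arithmetic is naive affine and not constant-time, so it is illustrative only.

```python
# Added example, not TideCloak/PRISM code: 2-of-3 threshold OPRF on secp256k1 with a
# Chaum-Pedersen DLEQ proof per node. Naive affine arithmetic, not constant-time.
import hashlib
import secrets
# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication by double-and-add."""
    k, acc = k % N, None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_curve(msg):
    """Try-and-increment hash to a curve point (demo-grade; an assumption of this example)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)   # P = 3 mod 4, so this is a root when rhs is a square
        if y * y % P == rhs: return (x, y)
        ctr += 1

def shamir_split(secret, t, n):
    """Split secret into n shares (ids 1..n): any t reconstruct it, fewer learn nothing."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N for i in range(1, n + 1)}

def lagrange(i, ids):
    """Lagrange coefficient of share i at x = 0 over the participating ids."""
    num = den = 1
    for j in ids:
        if j != i: num, den = num * (-j) % N, den * (i - j) % N
    return num * pow(den, -1, N) % N

def challenge(*pts):
    """Fiat-Shamir challenge: SHA-256 over the encoded transcript points."""
    enc = b"".join(p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big") for p in pts)
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % N

def node_evaluate(share, pub_share, blinded):
    """Node side: Z = k_i * B and a DLEQ proof that log_G(pub_share) == log_B(Z); it sees only B."""
    z = mul(share, blinded)
    w = secrets.randbelow(N - 1) + 1
    c = challenge(G, pub_share, blinded, z, mul(w, G), mul(w, blinded))
    return z, (c, (w - c * share) % N)

def verify_dleq(pub_share, blinded, z, proof):
    """Client side: rebuild both commitments from (c, s) and recompute the challenge."""
    c, s = proof
    a1 = add(mul(s, G), mul(c, pub_share))
    a2 = add(mul(s, blinded), mul(c, z))
    return challenge(G, pub_share, blinded, z, a1, a2) == c

def client_evaluate(password, nodes, pub_shares):
    """Client side: blind, query nodes (dict id -> share stands in for the network call),
    verify each proof, combine with Lagrange coefficients, unblind."""
    r = secrets.randbelow(N - 1) + 1
    blinded = mul(r, hash_to_curve(password))   # uniformly random: reveals nothing about the password
    acc = None
    for i, share in nodes.items():
        z, proof = node_evaluate(share, pub_shares[i], blinded)
        if not verify_dleq(pub_shares[i], blinded, z, proof):
            raise ValueError(f"node {i}: partial evaluation does not match its committed share")
        acc = add(acc, mul(lagrange(i, list(nodes)), z))
    return mul(pow(r, -1, N), acc)   # k * H(password): never held or computed by any node

def demo(password=b"correct horse battery staple", t=2, n=3):
    """One-off set-up (split k, publish per-node public shares), then several logins."""
    k = secrets.randbelow(N - 1) + 1
    shares = shamir_split(k, t, n)
    pubs = {i: mul(s, G) for i, s in shares.items()}
    return {
        "reference": mul(k, hash_to_curve(password)),   # what a holder of the whole key would get
        "nodes_1_2": client_evaluate(password, {1: shares[1], 2: shares[2]}, pubs),
        "nodes_2_3": client_evaluate(password, {2: shares[2], 3: shares[3]}, pubs),
        "node_1_only": client_evaluate(password, {1: shares[1]}, pubs),
        "wrong_password": client_evaluate(b"wrong password", {1: shares[1], 3: shares[3]}, pubs),
    }
```

Call demo() and compare the entries: the two node subsets agree with the reference value even though each login used a different blinding factor, a single node's answer does not, and a wrong password yields an unrelated point, which is what makes it unusable as a login. A node's view of a login is just B and Z, two uniformly random points, so a breached node's logs hold nothing to guess at; an attacker needs a threshold of shares, which is the page's point about offline attacks. The example stops at the PRF output; turning that output into the browser-held session key the page describes in Step 4 is outside this block.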

Zero-Knowledge Authentication

  • After computing the PRF output, the user proves to TideCloak that they know the correct password without revealing it
  • This proof is verified against the distributed key fragments in the Fabric
  • The verification confirms identity without exposing credentials

Privacy Guarantees

  • Anonymity: the user's identity is obfuscated during authentication; even the Fabric nodes do not learn which user is authenticating
  • Unlinkability: Different authentication sessions cannot be correlated, preventing tracking
  • Credential privacy: No information about the password is leaked to any party

Academic validation: The TOPRF protocol has been cryptanalyzed by researchers at Deakin University and found to be secure against known attacks.


Security Properties

BYOiD provides several security guarantees that traditional authentication cannot:

1. No Offline Attacks

Traditional IAM: Attackers who steal the password hash database can perform offline brute-force attacks at their leisure.

BYOiD: There is nothing to brute force. No password hashes exist to steal. The authentication "secret" exists only as distributed fragments. An attacker would need to compromise a threshold of independent Fabric nodes simultaneously, and even then, they couldn't extract passwords, only verify authentication attempts (which are rate-limited and monitored).

2. No Admin Impersonation

Traditional IAM: Database administrators or those with root access can:

  • Reset user passwords
  • Modify password hashes
  • Bypass authentication checks
  • Impersonate any user

BYOiD: Even TideCloak administrators cannot:

  • Bypass authentication (the Fabric enforces it, and no single party controls the Fabric)
  • Reset passwords without user participation (password reset requires the user's registered recovery sources)
  • View or access user credentials (they don't exist in any single place)

3. Breach Containment

Traditional IAM: A server compromise means:

  • All password hashes are exposed
  • Malicious code can intercept future logins
  • Attackers can modify authentication logic

BYOiD: A TideCloak server compromise reveals:

  • No credential material (it doesn't exist on the server)
  • No session keys (they exist only in user browsers)
  • No ability to forge authentication (that requires Fabric cooperation, which uses threshold signatures)

4. Transparent Verification

Traditional IAM: Users must trust that the server verified their password correctly and didn't log it.

BYOiD: Users receive cryptographic proofs that:

  • Authentication was performed correctly by honest nodes
  • No node saw the plaintext password
  • The session key was generated securely and bound to this session

These proofs can be independently verified by the user's browser or a third-party auditor.


User Experience

Despite its cryptographic sophistication, BYOiD maintains a familiar authentication experience:

  1. Standard login flow: Users enter username/email and password as usual
  2. No new devices: no hardware tokens or additional apps are required (the Tide 2FA app is available as an option)
  3. No behavior change: The cryptographic operations happen transparently in the background

Comparison to Passkeys

Feature                   | Passkeys                          | BYOiD
Phishing resistance       | Yes                               | Yes
No shared secrets         | Yes (public-key crypto)           | Yes (distributed secrets)
Single point of failure   | Device-bound key (can be stolen)  | No single key exists
Admin bypass              | Platform provider controls        | No entity can bypass
Vendor independence       | Tied to device/platform           | Fully decentralized
Offline attacks           | N/A (no password)                 | No (nothing to brute force)
Self-sovereign identity   | No (platform-dependent)           | Yes (user controls authentication)

Multi-Factor Authentication (MFA)

BYOiD can be combined with additional authentication factors:

  • TOTP (Time-based One-Time Passwords): Traditional 6-digit codes from authenticator apps
  • WebAuthn/FIDO2: Hardware security keys or biometric authentication
  • SMS/Email codes: For account recovery flows

These factors are evaluated in addition to BYOiD's zero-knowledge password authentication, providing defense-in-depth.

Tide 2FA App

For users who prefer a passwordless experience, Tide offers the Tide 2FA app. This mobile app provides:

  • Fully decentralized authentication: Uses the same distributed protocol as BYOiD
  • No passwords required: Users can register and authenticate using the app instead
  • Same security guarantees: Built on the same threshold cryptography and zero-knowledge proofs

End users can choose to register or authenticate with the Tide 2FA app as an alternative to passwords, while maintaining the same decentralized security model.


Password Reset and Recovery

Traditional IAM: Password reset is simple: an admin or automated system sends a reset link, and the user creates a new password. The server stores the new hash.

BYOiD: Password reset requires re-enrolling with a new password. Since no password hashes are stored, the system cannot "replace" a hash. It must perform a new distributed key generation ceremony.

Recovery options:

  1. User-initiated reset: User proves ownership of one of their registered recovery sources (e.g., email addresses provided during registration), then enrolls a new password through the Fabric
  2. Multi-party recovery: During registration, users can provide multiple account reconstruction sources (e.g., multiple email addresses). Recovery requires verification through these registered sources

Security guarantees:

  • Even during recovery, no single party gains the ability to set the user's password unilaterally
  • A compromised password does not compromise the user's ability to reclaim their identity, as long as they have access to their registered recovery sources

Summary

BYOiD represents a fundamental shift in authentication security:

Traditional Authentication   | BYOiD
Passwords sent to server     | Credentials blinded before transmission
Hashes stored in database    | No hashes stored anywhere
Server verifies credentials  | Fabric verifies via threshold crypto
Admins can reset passwords   | No unilateral password reset
Trust the IAM provider       | Verify cryptographically
Single point of failure      | Decentralized across independent nodes

The bottom line: BYOiD removes the central point of trust from authentication. No single entity, not even TideCloak or Tide, can authenticate as a user, bypass verification, or access credentials. It is the first true implementation of self-sovereign identity in a practical, developer-friendly IAM system.