Architecture
The mobile app communicates directly with both auth-svc and duo-server; auth-svc is not a proxy in front of duo-server. When an MPC operation runs, duo-server calls the auth-svc hooks server-to-server to authorize it before proceeding.
| Component | Role |
|---|---|
| Identity Provider | Issues JWTs (Auth0, Firebase, or any OIDC provider). Runs in your own infrastructure. |
| Auth-svc REST API | User and device registration, keyshare backup/recovery, key listing |
| Auth-svc Hooks | Server-to-server endpoints called by duo-server to authorize keygen and signing operations |
| duo-server | MPC node that runs keygen, signing, etc. Verifies device signatures on incoming requests. |
| FaceTec | Biometric step-up auth for backup and recovery |
| Google Drive | Stores the user's encryption key Ek. The key is kept client-side so that no single party holds the full backup. |