
Core Features

Authentication and Authorization

Auth-svc manages who may call duo-server and which MPC keys each caller may use.

User and device registration

Before a device can perform any MPC operation, it must register with auth-svc. Registration binds the device's public key (whose private half lives in the device's Secure Enclave or TEE) to a user identity, which the device presents as a JWT issued by your auth provider (e.g. Auth0).

Access control

Auth-svc tracks which user and device owns each MPC key, and enforces that only the owning device can use that key.
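The registration and access-control rules above, as an added example in Go that is not auth-svc's own code. It assumes the caller has already verified the JWT with the provider's library and passes only the subject claim; the challenge-signature proof of key possession at registration and the in-memory registry are assumptions of the example, not behaviour the page describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Device is a registered device: a public key bound to a user identity.
type Device struct {
	ID     string
	UserID string
	PubKey *ecdsa.PublicKey
}

// Registry is a hypothetical in-memory stand-in for the auth-svc backend.
type Registry struct {
	devices   map[string]Device // device ID -> device
	keyOwners map[string]string // MPC key ID -> owning device ID
}

func NewRegistry() *Registry {
	return &Registry{devices: map[string]Device{}, keyOwners: map[string]string{}}
}

// deviceID derives a stable identifier from the DER encoding of the public key.
func deviceID(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	h := sha256.Sum256(der)
	return fmt.Sprintf("%x", h[:8])
}

// sign is the device-side operation: in production it runs inside the
// Secure Enclave / TEE and the private key never leaves it.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// Register binds a device public key to the user identity taken from an
// already-verified JWT (jwtSubject). Assumption of this example: the device
// must also sign a server-issued challenge, proving it holds the private key.
func (r *Registry) Register(jwtSubject string, pub *ecdsa.PublicKey, challenge, sig []byte) (string, error) {
	if jwtSubject == "" {
		return "", errors.New("registration requires a verified user identity")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("challenge signature does not verify under the device key")
	}
	id := deviceID(pub)
	r.devices[id] = Device{ID: id, UserID: jwtSubject, PubKey: pub}
	return id, nil
}

// AssignKey records which registered device owns an MPC key.
func (r *Registry) AssignKey(keyID, devID string) error {
	if _, ok := r.devices[devID]; !ok {
		return errors.New("unknown device")
	}
	r.keyOwners[keyID] = devID
	return nil
}

// Authorize is the access-control check: the request must be signed by the
// registered device key (so a device ID cannot simply be claimed), and only
// the owning device may use the key.
func (r *Registry) Authorize(keyID, devID string, request, sig []byte) error {
	dev, ok := r.devices[devID]
	if !ok {
		return errors.New("unregistered device")
	}
	digest := sha256.Sum256(request)
	if !ecdsa.VerifyASN1(dev.PubKey, digest[:], sig) {
		return errors.New("request signature invalid")
	}
	if r.keyOwners[keyID] != devID {
		return errors.New("device does not own this key")
	}
	return nil
}

func main() {
	r := NewRegistry()
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := []byte("constructed-challenge-nonce") // constructed sample input
	sig, _ := sign(priv, challenge)
	devID, err := r.Register("auth0|alice", &priv.PublicKey, challenge, sig)
	fmt.Println("registered:", devID, err)
	_ = r.AssignKey("mpc-key-1", devID)
	req := []byte("sign:tx-123")
	rs, _ := sign(priv, req)
	fmt.Println("owner device:", r.Authorize("mpc-key-1", devID, req, rs))
	fmt.Println("other device:", r.Authorize("mpc-key-1", "deadbeef", req, rs))
}
```

The two signature checks are the point: binding a public key to a JWT subject means nothing unless the server also checks that each request was produced by the matching private key, otherwise any caller who knows a device ID could act as that device.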

Face registration

Users can register their face (via FaceTec) as a step-up authentication factor; it is required for backup and recovery operations.

Backup and Recovery

Auth-svc provides an encrypted backup of the user's keyshare so users can recover their MPC key if they lose their device.

The keyshare is encrypted with an AES key Ek. The ciphertext is stored in the auth-svc backend, while Ek is stored in a third-party service (the user's Google Drive). Recovery requires both face biometric verification and access to the user's Google Drive, so neither auth-svc (which holds only the ciphertext) nor Google Drive (which holds only Ek) can reconstruct the keyshare alone.
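The split-storage backup and the two-factor recovery described above, as an added example in Go; it is not auth-svc's own code. The page says only "AES": the choice of AES-256-GCM, binding the user ID as associated data, and modelling face verification as a boolean gate on auth-svc releasing the ciphertext are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// AuthSvcBackup is what the auth-svc backend holds: ciphertext and nonce only.
type AuthSvcBackup struct {
	UserID     string
	Nonce      []byte
	Ciphertext []byte
}

// DriveBackup is what goes to the user's Google Drive: the key Ek only.
type DriveBackup struct {
	Ek []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Backup encrypts the keyshare under a fresh random 256-bit Ek. Using an
// authenticated mode (GCM) and binding the user ID as associated data are
// assumptions of this example; they stop a ciphertext from being silently
// modified or replayed into another user's record.
func Backup(userID string, keyshare []byte) (AuthSvcBackup, DriveBackup, error) {
	ek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, ek); err != nil {
		return AuthSvcBackup{}, DriveBackup{}, err
	}
	aead, err := newGCM(ek)
	if err != nil {
		return AuthSvcBackup{}, DriveBackup{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return AuthSvcBackup{}, DriveBackup{}, err
	}
	ct := aead.Seal(nil, nonce, keyshare, []byte(userID))
	return AuthSvcBackup{UserID: userID, Nonce: nonce, Ciphertext: ct}, DriveBackup{Ek: ek}, nil
}

// Recover models the recovery flow: auth-svc releases its half only after the
// face step-up succeeds, and the Drive half supplies Ek. A nil drive stands for
// "no access to the user's Google Drive". Either half alone yields nothing.
func Recover(faceVerified bool, svc AuthSvcBackup, drive *DriveBackup) ([]byte, error) {
	if !faceVerified {
		return nil, errors.New("face verification required before auth-svc releases the backup")
	}
	if drive == nil {
		return nil, errors.New("Google Drive access required to obtain Ek")
	}
	aead, err := newGCM(drive.Ek)
	if err != nil {
		return nil, err
	}
	// Open fails on a wrong Ek, a modified ciphertext, or a mismatched user ID.
	return aead.Open(nil, svc.Nonce, svc.Ciphertext, []byte(svc.UserID))
}

func main() {
	keyshare := []byte("constructed-sample-keyshare-bytes") // constructed, not a real share
	svc, drive, err := Backup("auth0|alice", keyshare)
	if err != nil {
		panic(err)
	}
	_, err = Recover(false, svc, &drive)
	fmt.Println("without face step-up:", err)
	_, err = Recover(true, svc, nil)
	fmt.Println("without Drive:", err)
	got, err := Recover(true, svc, &drive)
	fmt.Printf("with both: %q %v\n", got, err)
}
```

Two things worth checking in a real deployment that this model makes visible: Ek must be generated per backup (never derived from anything auth-svc also knows, or the split collapses), and the ciphertext should be authenticated so that a compromised auth-svc backend cannot feed a tampered share back into the recovered device.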