Authentication

The MIRACL Trust authentication employs a PIN-based, single-step, multi-factor, zero-knowledge proof protocol. For successful authentication, two factors must be presented simultaneously by the user. Authentication can begin only if all factors are present at the same time. This is essential for multi-factor protocols and distinguishes them from inferior multi-step protocols. All authentication factors are established directly on the end user’s device and are never transmitted through the network. The platform has no knowledge about them, and they cannot be derived from the communication between the client and the platform. This is the essence of a zero-knowledge proof system.

The PIN serves as a knowledge factor of the protocol. When the end user chooses the PIN during registration, it is immediately discarded and never leaves the device. It is valid only on the enrolled device from which it was chosen and not stored anywhere on the platform or client. These features of the PIN distinguish it from a password.

The end user enters the PIN for every authentication. For devices with a biometric sensor that unlocks a secure vault, it is possible to allow the user to select in the application a preference for biometrics instead of the PIN. In this instance, the biometric sensor will release the PIN from the respective device’s vault.

To authenticate, end users need a device enrolled with the platform. This can be any device - desktop, mobile, smart TV, wearable, etc. Users usually go through an identity verification flow that establishes trust and allows the platform to use this trust to authenticate them in front of third-party systems later. The identity verification process usually precedes the device registration process, but it doesn’t need to.

The system can accommodate many different ways in which a user’s identity may be verified, but the best option will typically depend on the use case. It can be as simple as email verification or as complex as required for a particular use case.

End users can have multiple enrolled devices at once and enrol a device from another one that has already been registered. They can also use enrolled mobile devices to authenticate unregistered desktop devices using a QR code.

The secret used in the authentication protocol is established during the device registration process. The PIN chosen by the user is immediately cryptographically “subtracted” from this secret, and then both the secret and the PIN are discarded. The result of this operation is the token, which is stored on the device. The secret can be recreated only by cryptographically combining the token and the PIN. This happens during authentication, after which the secret is discarded again. The token is the possession factor of the protocol. Once the device is enrolled, it can authenticate the user multiple times until it is revoked, either manually or under a configurable policy. MIRACL Trust automatically revokes a device after three invalid authentication attempts. An admin of the MIRACL Trust project can also manually revoke a device from the MIRACL Trust Portal. When a device is revoked, the end user must go through the identity verification process before enrolling the device again.
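The following is an added illustration of the token arithmetic described above; it is not MIRACL Trust's own code. It uses a toy multiplicative group modulo a Mersenne prime as a stand-in for the pairing-friendly elliptic-curve group that M-PIN actually uses, so the function names, the hash-to-group step and all parameters are assumptions made for the example, and the toy group offers no real security.

```python
import hashlib
import secrets

# Toy group: integers mod the Mersenne prime 2^127 - 1. Stand-in for the
# elliptic-curve group of the real protocol; the same "subtract the PIN,
# add it back" algebra applies. Not secure, illustration only.
P = (1 << 127) - 1
ORDER = P - 1


def hash_identity(user_id: str) -> int:
    """Map a user identity to a non-zero group element (assumed hash-to-group)."""
    digest = hashlib.sha256(user_id.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def issue_client_secret(master_secret: int, user_id: str) -> int:
    """Enrolment: the platform derives the user's secret from its master secret."""
    return pow(hash_identity(user_id), master_secret, P)


def make_token(client_secret: int, pin: int, user_id: str) -> int:
    """Registration on the device: 'subtract' the PIN from the secret.

    token = secret * H(ID)^(-pin). Secret and PIN are discarded afterwards;
    only the token is kept on the device (the possession factor).
    """
    return (client_secret * pow(hash_identity(user_id), -pin, P)) % P


def recombine(token: int, pin: int, user_id: str) -> int:
    """Authentication: combine the stored token with the entered PIN.

    A wrong PIN yields a different, valid-looking group element; nothing on
    the device reveals the mistake, only the platform's verification does,
    which is why invalid attempts are counted and the device revoked.
    """
    return (token * pow(hash_identity(user_id), pin, P)) % P


def demo(master_secret: int = secrets.randbelow(ORDER - 1) + 1):
    """Returns (correct PIN recovers secret, wrong PIN recovers secret)."""
    user, correct_pin, wrong_pin = "alice@example.com", 4321, 1234  # constructed
    secret = issue_client_secret(master_secret, user)
    token = make_token(secret, correct_pin, user)
    return (recombine(token, correct_pin, user) == secret,
            recombine(token, wrong_pin, user) == secret)
```

Running `demo()` returns `(True, False)`: the token plus the right PIN rebuilds the secret, the token alone or with any other PIN does not.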

At its core, the platform utilises a multi-factor zero-knowledge authentication protocol called M-PIN. For more information about it, see M-PIN Authentication Protocol.