Toqen.app is now live on the App Store.
This is an attempt to rethink authentication from an access-first perspective: instead of managing identities and credentials, focus on granting access in real time, per request.
Why rethink authentication
Most systems still rely on reusable credentials:
- passwords
- session tokens
- API keys
These introduce predictable problems:
- credential leaks
- replay attacks
- uncontrolled sharing
Even with MFA, the core model remains static.
Core idea
Each access request should be:
- short-lived
- single-use
- bound to a device
- cryptographically verifiable
Instead of storing secrets, the system verifies a signed challenge.
Flow
User opens login page
↓
Server generates request
↓
QR code is displayed
↓
Mobile app scans QR
↓
User confirms access
↓
Device signs challenge
↓
Server verifies signature
↓
Access granted
QR format
QR does not contain secrets.
Example:
toqen://auth?request_id=91f2d&challenge=8fa92c1a&expires=1710000000
Properties:
- expires in 30–60 seconds
- single-use
- cannot be replayed
Device model
On first launch:
- device generates key pair
- private key → stored in secure storage
- public key → registered on server
Signing:
signature = sign(challenge, device_private_key)
Verification (the server checks the signature against the challenge it issued, not one echoed by the client):
verify(challenge, signature, device_public_key)
Security properties
- no reusable credentials
- no secrets in QR
- replay protection via TTL + single-use
- device-bound authorization
- server stores only public keys
Vault model
Sensitive data is encrypted client-side:
- encrypted_vault
- AES-256-GCM
- vault_key stored in secure storage
Server never has decryption capability.
Where this fits
- admin access
- internal tools
- high-risk operations
- temporary access flows
Current status
- iOS app is live on the App Store
- Android version is in testing
Open for feedback
If you are working on authentication, security, or access control systems — feedback is welcome.
Contact: https://www.toqen.app/about#contacts
Android early access: https://forms.gle/f9FcbHyHJiajmFWV7
Building continues.