Security Architecture
The platform is designed with the defense-in-depth principle. Each layer applies independent security controls.
Security Layers
Four main security layers work in sequence:
Authentication Mechanism
User authentication is performed as two-factor (2FA). The first factor is username/password, the second factor is an OTP code sent via SMS or email.
Authorization Matrix
| Role | Connection | Schema | Credential | Revoke | Proof |
|---|---|---|---|---|---|
| Admin | CRUD | CRUD | CRUD | Yes | CRUD |
| Issuer | CR | R | CR | Yes | R |
| Verifier | R | R | - | - | CR |
| Holder | R | - | R | - | R |
Wallet Security
| Feature | Implementation |
|---|---|
| Encryption | AES-256-GCM |
| Key Derivation | Argon2id |
| Storage | Aries Askar |
| Biometric | Device-level auth |
Critical Security Note
The wallet master key is never sent to the server. All encryption/decryption operations are performed on the device.
Biometric Integration
On mobile devices, fingerprint or face recognition is used as a second factor for wallet access. This feature is provided through iOS (Face ID/Touch ID) and Android (BiometricPrompt) APIs.