Security Architecture
Your identity is the key to your digital life. At Ciphera, we protect that key with rigorous security standards and a privacy-first architecture.
Secure Credential Storage
We never store your passwords in plain text. All user passwords are hashed using **Argon2id**, a state-of-the-art memory-hard password hashing algorithm. This ensures that even in the unlikely event of a database breach, your passwords remain computationally resistant to cracking.
Transport Security
All communications between your browser and Ciphera Auth are encrypted using **TLS 1.3** (Transport Layer Security). We enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks and ensure that your connection is always secure.
Multi-Factor Authentication
We support Time-based One-Time Passwords (TOTP) for Two-Factor Authentication. This adds a critical second layer of defense, requiring not just something you know (your password), but something you have (your authenticator device).
Session Management
Our session management is designed to minimize risk. Access tokens are short-lived (15 minutes) and automatically refreshed, limiting the window of exposure if a token is ever compromised. When you navigate between Ciphera apps, we use single-use authorization codes instead of passing tokens directly, so your credentials never appear in URLs, browser history, or server logs.
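The handoff described above, as an added example that is not Ciphera's own code: a broker that mints a high-entropy single-use authorization code bound to the destination app, consumes it on the first redemption attempt (successful or not), and exchanges it for a 15-minute access token plus a rotating refresh token. The 60-second code lifetime, the opaque server-side token store and the refresh-token rotation are assumptions made here; the page only states the 15-minute access-token lifetime and the single-use code.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ACCESS_TOKEN_TTL = 15 * 60   # 15-minute access tokens, as stated on the page
AUTH_CODE_TTL = 60           # assumption: a handoff code must be redeemed within 60 seconds
TOKEN_BYTES = 32             # 256 bits of entropy: guessing a live code in its TTL is infeasible


@dataclass
class PendingCode:
    user_id: str
    target_app: str
    expires_at: float


class HandoffBroker:
    """Server-side state for cross-app handoff (assumed design: opaque tokens in a store)."""

    def __init__(self) -> None:
        self._codes: Dict[str, PendingCode] = {}
        self._access: Dict[str, Tuple[str, float]] = {}   # access token -> (user, expiry)
        self._refresh: Dict[str, str] = {}                 # refresh token -> user

    def issue_code(self, user_id: str, target_app: str, now: Optional[float] = None) -> str:
        """Called by the app the user is leaving: mint a code bound to the destination app."""
        now = time.time() if now is None else now
        self._codes = {c: p for c, p in self._codes.items() if p.expires_at > now}  # prune stale
        code = secrets.token_urlsafe(TOKEN_BYTES)
        self._codes[code] = PendingCode(user_id, target_app, now + AUTH_CODE_TTL)
        return code

    def redeem_code(self, code: str, target_app: str, now: Optional[float] = None) -> Optional[dict]:
        """Called by the destination app's backend. The code is removed on the first attempt,
        whatever the outcome, so a copy left in a URL, history or log is worthless afterwards."""
        now = time.time() if now is None else now
        pending = self._codes.pop(code, None)
        if pending is None or pending.target_app != target_app or now > pending.expires_at:
            return None
        return self._mint_tokens(pending.user_id, now)

    def _mint_tokens(self, user_id: str, now: float) -> dict:
        access = secrets.token_urlsafe(TOKEN_BYTES)
        refresh = secrets.token_urlsafe(TOKEN_BYTES)
        self._access[access] = (user_id, now + ACCESS_TOKEN_TTL)
        self._refresh[refresh] = user_id
        return {"sub": user_id, "access_token": access, "refresh_token": refresh,
                "expires_at": now + ACCESS_TOKEN_TTL}

    def validate_access(self, access: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a live access token, or None once it has expired."""
        now = time.time() if now is None else now
        entry = self._access.get(access)
        if entry is None or now > entry[1]:
            self._access.pop(access, None)
            return None
        return entry[0]

    def refresh(self, refresh: str, now: Optional[float] = None) -> Optional[dict]:
        """Rotate: the presented refresh token is consumed and a fresh pair is issued."""
        now = time.time() if now is None else now
        user_id = self._refresh.pop(refresh, None)
        if user_id is None:
            return None
        return self._mint_tokens(user_id, now)


if __name__ == "__main__":
    broker = HandoffBroker()
    code = broker.issue_code("alice", "mail")
    tokens = broker.redeem_code(code, "mail")
    print(tokens is not None, broker.redeem_code(code, "mail"))  # True None
```

Binding the code to `target_app` means a code issued for one Ciphera app cannot be redeemed by another, and removing it with `pop` before any check makes expiry and app mismatch failures consume the code too.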
Content Security Policy
Every page served by Ciphera Auth includes a strict Content Security Policy that limits which domains the browser may load scripts, styles, and network requests from. External scripts are blocked entirely. Network connections are restricted to Ciphera's own backend services, preventing injected code from exfiltrating data to third-party servers. Additional headers disable browser features like camera and microphone access, prevent clickjacking, and enforce HTTPS via HSTS.
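An added example, not Ciphera's code, that turns the header policy described above into a check a deployment pipeline can run: it parses a `Content-Security-Policy` value into directives and flags any script source that is not `'self'`, a nonce, a hash or `'strict-dynamic'`, any `connect-src` outside an approved backend list, a missing or permissive `frame-ancestors`, a weak HSTS `max-age`, and a `Permissions-Policy` that leaves camera or microphone enabled. The backend origin, the one-year HSTS minimum and the sample headers are constructed placeholders, since the page names none of them.

```python
import re
from typing import Dict, List

# Constructed placeholder for "Ciphera's own backend services"; the real origins are not on the page.
ALLOWED_BACKENDS = ("https://api.ciphera.example",)
MIN_HSTS_MAX_AGE = 31536000  # one year; a common recommendation, assumed here rather than stated on the page

_SELF_OR_NONE = {"'self'", "'none'"}
_SCRIPT_KEYWORD_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}; a repeated directive is ignored."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _fetch_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    # script-src and connect-src fall back to default-src when absent (frame-ancestors does not).
    return policy[directive] if directive in policy else policy.get("default-src", [])


def audit_headers(headers: Dict[str, str], allowed_backends=ALLOWED_BACKENDS) -> List[str]:
    """Return findings for one response's headers; an empty list means the stated policy is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        policy = parse_csp(csp)
        for src in _fetch_sources(policy, "script-src"):
            if src in _SELF_OR_NONE or src == "'strict-dynamic'" or src.startswith(_SCRIPT_KEYWORD_PREFIXES):
                continue
            findings.append(f"CSP: script-src allows {src} (external or unsafe script source)")
        for src in _fetch_sources(policy, "connect-src"):
            if src in _SELF_OR_NONE or src in allowed_backends:
                continue
            findings.append(f"CSP: connect-src allows {src} (not an approved backend)")
        ancestors = policy.get("frame-ancestors")
        if ancestors is None:
            findings.append("CSP: frame-ancestors missing (page can be framed: clickjacking)")
        elif ancestors not in (["'none'"], ["'self'"]):
            findings.append(f"CSP: frame-ancestors too broad: {' '.join(ancestors)}")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS: max-age below {MIN_HSTS_MAX_AGE}: {hsts}")

    perms = h.get("permissions-policy", "")
    disabled = {p.strip() for p in perms.split(",")}
    for feature in ("camera", "microphone"):
        if f"{feature}=()" not in disabled:
            findings.append(f"Permissions-Policy: {feature} not disabled")

    return findings


# Constructed sample responses: one matching the policy described on the page, one that does not.
STRICT_HEADERS = {
    "Content-Security-Policy": ("default-src 'none'; script-src 'self' 'nonce-abc123'; style-src 'self'; "
                                "connect-src https://api.ciphera.example; img-src 'self'; "
                                "frame-ancestors 'none'; base-uri 'self'; form-action 'self'"),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net 'unsafe-inline'; connect-src *",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    print(audit_headers(STRICT_HEADERS))  # []
    for finding in audit_headers(WEAK_HEADERS):
        print(finding)
```

Running this against every route in CI (or against a staging deployment) catches the usual regressions, such as a CDN host slipping into `script-src` or `connect-src *` added during debugging, before they reach production.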
Privacy by Design
We collect only the absolute minimum data required to provide our service. We do not sell your data, and we do not track your activity across the web. Our business model is based on providing secure services, not on monetizing your privacy.