One identity. Complete privacy.

The identity layer behind every Ciphera service. Double-hashed passwords, passkeys, two-factor authentication, and OAuth 2.0 — all on Swiss infrastructure.

Double-hashed | Passkeys | 2FA + recovery codes | OAuth 2.0 + PKCE

Your password never leaves your device.

Your raw password is transformed in your browser before it's sent anywhere. Even if someone intercepts the connection, they don't get your actual password. On our end, we hash it again — so even a full database breach gives attackers nothing usable.

  • Client-side PBKDF2-SHA256 with email as salt
  • Server-side Argon2id (64 MiB memory, 3 iterations)
  • Constant-time comparison prevents timing attacks
  • Hash pool limits concurrent operations to prevent DoS

Your device: Your password (••••••••••) → Scrambled (a7f3c8e1b9d2...) → Encrypted in transit

Our server: Received (a7f3c8e1b9d2...) → Scrambled again ($argon2id$v=19...) → Stored in database ($argon2id$v=19$m=65536,t=3,p=2$kR7x...)

Unreadable — even to us

Create Ciphera ID: one account for all Ciphera services. Sign-up fields: email (you@example.com), how you'd like to be called, password (minimum 12 characters), "I am human" check.

Passwords optional. Security mandatory.

Sign in with passkeys (FIDO2/WebAuthn) using your fingerprint, face, or hardware security key — no password needed. For password-based logins, add TOTP two-factor authentication with recovery codes as a safety net.

  • Passkeys via WebAuthn — phishing-resistant by design
  • TOTP 2FA with any authenticator app
  • 8 single-use recovery codes for account access
  • Escalating lockout (15 min → 1 hour → 24 hours)
  • CAPTCHA after 3 failed attempts

One account, all services.

Log in once and access every Ciphera service — Pulse, Relay, and more. Built on OAuth 2.0 with mandatory PKCE, so authorization codes can't be intercepted. Tokens are verified locally by each service using a shared secret — no network roundtrip needed.

  • OAuth 2.0 Authorization Code flow with PKCE
  • S256 challenge method enforced (no plaintext)
  • Short-lived access tokens (15 min) + refresh rotation
  • Reuse detection: if a revoked token is reused, all sessions are invalidated
  • CSRF protection via double submit cookie pattern
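
The refresh rotation and reuse-detection rule from the list above, as an added example (not Ciphera's code): each refresh token is single-use, and presenting an already-revoked token revokes every session for that user. The `RefreshStore` class, its schema, the status strings and storing a SHA-256 digest of the token are assumptions for illustration.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 30 * 24 * 3600  # 30-day refresh lifetime, as stated on the page


class RefreshStore:
    """In-memory stand-in for a refresh-token table (hypothetical schema)."""

    def __init__(self):
        self.rows = {}  # sha256(token) -> {"user", "expires", "revoked"}

    @staticmethod
    def _key(token):
        # Assumption: store only a digest so a dump does not yield live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.rows[self._key(token)] = {
            "user": user, "expires": now + REFRESH_TTL, "revoked": False}
        return token

    def active(self, user, now=None):
        """Count refresh tokens for `user` that are still usable."""
        now = time.time() if now is None else now
        return sum(1 for r in self.rows.values()
                   if r["user"] == user and not r["revoked"] and now < r["expires"])

    def rotate(self, token, now=None):
        """Exchange a refresh token; returns (status, new_token_or_None)."""
        now = time.time() if now is None else now
        row = self.rows.get(self._key(token))
        if row is None:
            return "unknown", None
        if row["revoked"]:
            # A rotated-out token came back: assume theft, end every session.
            for r in self.rows.values():
                if r["user"] == row["user"]:
                    r["revoked"] = True
            return "reuse_detected", None
        if now >= row["expires"]:
            return "expired", None
        row["revoked"] = True  # single use: the old token dies on rotation
        return "rotated", self.issue(row["user"], now)
```

Because the server cannot tell which party holds the stolen copy, the legitimate user is signed out as well and has to authenticate again.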

Your Apps

Access your secure services

  • Relay: email infrastructure
  • Pulse: traffic analytics
  • Organizations: create and manage teams

Recent Activity

  • Signed in from Chrome on macOS (2 hours ago)
  • 2FA enabled (3 days ago)
  • Failed sign-in attempt (5 days ago)
  • Password changed (2 weeks ago)

Trusted Devices

  • Chrome on macOS (this device, active now)
  • Safari on iPhone (last seen 3 days ago)

Full visibility into your account.

Every login, every password change, every 2FA event — logged and visible. See which devices have access, revoke sessions you don't recognize, and get alerts when a new device signs in. Device fingerprints are HMAC-hashed — we track activity without storing raw IPs.

  • Comprehensive audit log with event details
  • Trusted device management with browser/OS detection
  • New device alerts via email
  • Session revocation — sign out any device remotely
  • Privacy-respecting: IPs hashed with HMAC-SHA256

How Ciphera ID compares.

Most auth providers are SaaS platforms that store your users' credentials on their infrastructure. Ciphera ID is different.

Ciphera ID

Self-hosted identity provider

  • Double-hashed passwords (PBKDF2 + Argon2id)
  • Self-hosted on Swiss infrastructure
  • Passkeys (FIDO2/WebAuthn)
  • Mandatory PKCE (S256 only)
  • Stateless token verification
  • HMAC-hashed device fingerprints
  • Escalating account lockout
  • Hash pool concurrency limits
  • Built-in organization management

SaaS Auth Providers

Auth0, Clerk, Firebase Auth

  • Single-hashed passwords (bcrypt/scrypt)
  • Cloud-hosted (US infrastructure)
  • Passkeys support
  • PKCE optional
  • Network call for token validation
  • Raw IP logging
  • Fixed-duration lockout
  • Unbounded hash concurrency
  • Organization management via extensions

Zurich, Switzerland

  • Data residency: Switzerland (FADP protected)
  • Token lifetime: 15 min access, 30 day refresh
  • Compliance: GDPR, FADP, privacy by design

Swiss infrastructure. Swiss privacy laws.

All identity data is stored on Swiss infrastructure, protected by the Swiss Federal Act on Data Protection (FADP). Passwords are double-hashed, IPs are HMAC-hashed, and audit logs are batched asynchronously — privacy at every layer.

  • Self-hosted — no third-party vendor has your user data
  • IP addresses HMAC-hashed before storage
  • Minimal metadata: no behavioral tracking
  • Automatic token cleanup and session expiration
  • Security alerts rate-limited to 1 per hour per user

Interested in Ciphera ID?

Ciphera ID is currently an internal service powering the Ciphera ecosystem. Reach out if you're interested in the technology for your platform.