Ezkey at a glance — trust zone, mobile, and core flows

Context

Ezkey is an open-source cryptographic MFA platform for teams that want strong authentication without reducing it to a browser-centric story or a stack of complex, general-purpose protocols. The product is deliberately backend-first: trust rests on clear APIs, explicit server-side state, and cryptographic continuity across participants — with a mobile client that joins the chain in a concrete, verifiable way.

The chain of trust: two foundations

At the highest level, trust in Ezkey rests on two complementary anchors:

The organization as the trust anchor
This is your Ezkey deployment running inside the organization’s environment (on-premises or equivalent). It defines where policy applies, who operates the service, and which back end holds operational and cryptographic truth for integrations. In short, the institutional foundation: the team relies on its instance, under its control, not on opaque or external mediation.
Trust tied to each participant and device
Each user relies on a cryptographic key bound to their device, protected by the security mechanisms the mobile platform provides (hardware-backed or strongly isolated storage, depending on the device). That is not cosmetic: it is the user-side foundation of the chain — the assurance that identity and proofs presented from the phone remain tied to hardware and context the user can reasonably treat as trustworthy.

These two foundations do not replace each other: they interlock. The Ezkey back end verifies and orchestrates; the phone holds and uses keys in an environment built to protect them — so the mobile client is a full participant in the trust zone, not a mere “screen” next to the server.

Organization side: one deployment, one trust zone

One Ezkey deployment = the organization’s trust zone: the server-side foundation for state, verification, and policy — under the organization’s control.

Mobile side: platform security and shared truth

The Ezkey mobile app builds on the security APIs and abstractions native to mobile platforms — in particular protected key storage (including, when hardware allows, stronger paths such as dedicated cryptographic hardware). Without vendor jargon, the idea is simple: participants can trust that using the phone in this model adds real protection — the kind operating systems and devices attach to secret handling and controlled use.

That choice is part of Ezkey’s DNA: the product reuses what platforms already do well for on-device identity, instead of pretending the UI alone is enough. The phone is not a weak middle layer: it is where the user’s proof gains meaning inside a hardened environment, consistent with a back end that validates that proof in the overall flow.

Many “authenticator” apps stop at a code to copy or a tap to confirm: security then depends on the human channel (reading, copying, dictation), not on a cryptographically bound proof for the current attempt. The Ezkey app is different: responses follow the protocol and keys protected on the device — not a rotating six-digit code you can copy outside the flow like a typical generator, nor a “yes” detached from server context.

Essential flows

Enrollment / device binding

bind then verify: establish a cryptographically linked relationship among the integration context, the back end, and the device.

Authentication

pending then respond: create an attempt on the server, notify the phone, return an appropriate proof; the back end verifies and resolves the final state.

Logical diagram (high-level view):

Trust zone Ezkey deployment (organization) Ezkey back end — state, verification, policy

↔
bind → verify ↔
pending → respond

Mobile device Participants Ezkey app — keys protected by the platform

Why this approach

Simple, well-documented REST APIs for teams integrating them.
Two clear trust levels: organizational anchor (the Ezkey instance) and user/device anchor (keys protected by native mobile mechanisms).
Cryptographic continuity: bind/verify and pending/respond establish proof links that are signed and formally validated by the cryptographic process — not mere labels.
Control and transparency: deploy inside the organization’s zone, product you can inspect (open source).

Conclusion — positioning

Ezkey positions itself as a backend-first alternative to MFA centered on browsers, generic mediators, or one-size-fits-all standards: API-first, self-hosted, cryptographically continuous — a server that carries the organizational anchor, a mobile client that uses platform guarantees for keys. This is not a UI promise: it is a two-foundation model (organization + participant/device), pragmatic for understanding, integrating, and operating without the weight of an imposed ecosystem.

Français : Same article in French