Diligence

Trust & security

A compact page for evaluators. Canonical technical documentation will ship with the public repository; until then, see Source code & evaluation for the private-repo posture and what is available on this site.

Trust model (plain language)

Ezkey is backend-first cryptographic MFA: your integration backend and the mobile app participate in an explicit chain of enrollment and authentication. The browser is not the center of the ceremony.

What Ezkey claims — and what it does not

The project aims to be materially stronger than passwords and classic TOTP-style flows for some self-hosted, backend-oriented contexts. It is not a WebAuthn / FIDO2 implementation and does not claim formal equivalence to those ecosystems.

Security posture reflects deliberate, opinionated trade-offs. For the maintainer’s framing of limits and ambition, see Why Ezkey exists.

Open source & visibility

License: MIT (planned for the public tree). The main repository is private until the planned public opening around September 2026; timelines and visibility notes are on Product updates. There are no public GitHub URLs for Ezkey until that opening.

Report a security issue

Use security@ezkey.org. Do not use public vendor issue trackers for suspected vulnerabilities. A published security policy will accompany the public repository.

Technical documentation

Until the repository is public, use this site for high-level material:

• Source code & evaluation (private repo posture, evaluation paths)
• Product updates and Articles & notes (progress and selected technical context)
• Exp1 preview (technology-preview program framing, where applicable)