Live Demo

What if a breach exposed nothing?

Watch a ZeroAuth authentication flow — from biometric scan to SSO access — where no secret ever touches a server.

Step 1 — Device Authentication
Employee opens laptop
Step 2 — Zero-Knowledge Proof
Proof generated on-device
Private Input (never leaves device)
biometric_hash = 0x7a3f...e91b
ZK-SNARK Circuit
Verifying...
Proof (sent to server)
π =
Verify(π, pub_input) = ?
Step 3 — Enterprise SSO
Access granted — zero credentials transmitted
Salesforce: Pending
Slack: Pending
GitHub: Pending
Jira: Pending
AWS Console: Pending
Step 4 — Server-Side Storage
What does the server store?
zeroauth-server — production
[09:41:03] INFO ZKP: Groth16 proof received (288 bytes, protocol: groth16, curve: bn128)
[09:41:03] INFO ZKP: Off-chain verification... PASS
[09:41:03] OK Session created: {sessionId: "a7f2...d91e", provider: "zkp", expiresAt: "+1h"}
[09:41:03] AUDIT PostgreSQL INSERT: NONE (no auth table exists by design)
[09:41:03] AUDIT Redis WRITE: sess:a7f2...d91e → ephemeral token only
[09:41:03] AUDIT Biometric template stored: NULL (garbage collected after hash)
[09:41:03] AUDIT Private keys stored: NULL (never leave client device)
[09:41:04] AUDIT Poseidon commitment on-chain: 0xC68c...3A73 (hash only, irreversible)
[09:41:04] ──── dataStored: false — Zero biometric data stored. Ever. ────
Step 5 — Breach Simulation
An attacker compromises the database
attacker@kali — db_exfiltrate.py
$ psql -h zeroauth-postgres -U zeroauth -d zeroauth
-- Attacker enumerates all tables...
zeroauth=# \dt
Schema  Name   Type   Owner
public  leads  table  zeroauth
-- Only 1 table. No users table. No credentials table. Searching for auth data...
zeroauth=# SELECT * FROM leads;
id type name company email size created_at
1 pilot Jane D. Acme Corp j***@acme.com 1000+ 2026-03-12
-- Trying to find password hashes, biometric data, private keys, sessions...
zeroauth=# SELECT table_name FROM information_schema.columns WHERE column_name LIKE '%password%' OR column_name LIKE '%biometric%' OR column_name LIKE '%secret%' OR column_name LIKE '%private_key%';
table_name
( 0 rows )
$ redis-cli -h zeroauth-redis KEYS "*"
-- Checking Redis for session secrets or cached credentials...
Key                Type    Value
sess:a7f2...d91e   string  {sessionId, provider: "zkp", expiresAt, biometricData: undefined}
$ cast call 0xC68c...3A73 "verifyIdentity(bytes32)" 0x7a3f...e91b --rpc-url https://sepolia.base.org
-- Querying on-chain DIDRegistry for stored identity data...
On-Chain Field        Value                                   Exploitable?
biometricIDHash       0x7a3f...e91b (SHA-256, irreversible)   NO
DID mapping           did:zeroauth:base:8f3a...c2d1           NO
Raw biometric         NEVER STORED                            N/A
Private key / secret  NEVER STORED                            N/A
EXFIL REPORT: PostgreSQL → 0 credentials  |  Redis → 0 secrets  |  Blockchain → irreversible hashes only
⚠ Total exploitable records across all datastores: 0
A breach exposes nothing.
No passwords. No biometrics. No keys. The vault was always empty.