Infrastructure Security
Auth1 runs on Amazon Web Services (AWS) with enterprise-grade infrastructure protections:
- Hosting: AWS Elastic Beanstalk with auto-scaling and health monitoring
- Database: Amazon RDS PostgreSQL with automated backups and encryption at rest (AES-256)
- Caching: Amazon ElastiCache Redis with in-transit encryption
- CDN: Amazon CloudFront with TLS 1.3 termination
- Secrets: AWS Secrets Manager for all credentials — zero hardcoded secrets
- Network: VPC isolation, security groups, and private subnets for databases
Authentication Security
Every authentication mechanism in Auth1 is hardened against known attack vectors:
- Password Hashing: Argon2id via compiled Rust — the winner of the Password Hashing Competition. Passwords are never stored in plaintext.
- Timing-Safe OTP Verification: All secret comparisons use constant-time algorithms to prevent timing attacks
- 3-Layer Rate Limiting: IP-based, account-based, and global rate limits to prevent brute-force and credential-stuffing attacks
- Session Security: Secure, HttpOnly cookies with configurable expiration and rotation
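The three rate-limiting layers listed above (per-IP, per-account, global) can be pictured as independent counters consulted on every login attempt. The following is an added illustration of that layered design, not Auth1's own code: the limits, the fixed-window counting strategy and the in-memory dictionary are assumptions chosen for readability, and a deployed limiter would keep the counters in a shared store such as Redis so that every application node sees the same numbers.

```python
"""Three-layer rate limiter: per-IP, per-account and global fixed windows.

Added example of the layered design; not Auth1's own implementation.
Window sizes, thresholds and the in-memory backing store are assumptions.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Limit:
    max_requests: int
    window_seconds: int


@dataclass
class LayeredRateLimiter:
    # Illustrative thresholds: tight per account (brute force on one victim),
    # looser per IP (credential stuffing across many accounts), and a global
    # ceiling that caps a distributed flood regardless of source.
    ip_limit: Limit = Limit(20, 60)
    account_limit: Limit = Limit(5, 60)
    global_limit: Limit = Limit(10_000, 60)
    # (layer, key) -> (window_start, count)
    _counters: Dict[Tuple[str, str], Tuple[float, int]] = field(default_factory=dict)

    def _hit(self, layer: str, key: str, limit: Limit, now: float) -> bool:
        """Count one request against a layer; return True if still within the limit."""
        start, count = self._counters.get((layer, key), (now, 0))
        if now - start >= limit.window_seconds:
            start, count = now, 0  # window expired, start a fresh one
        count += 1
        self._counters[(layer, key)] = (start, count)
        return count <= limit.max_requests

    def check(self, ip: str, account: Optional[str], now: Optional[float] = None) -> Optional[str]:
        """Return None if the request is allowed, else the name of the first layer that blocked it.

        Every layer is counted even when an earlier one blocks, so a flood
        that trips the global limit still consumes per-IP and per-account budget.
        """
        now = time.time() if now is None else now
        results = [
            ("global", self._hit("global", "*", self.global_limit, now)),
            ("ip", self._hit("ip", ip, self.ip_limit, now)),
        ]
        if account is not None:  # unknown username: only IP and global layers apply
            results.append(("account", self._hit("account", account, self.account_limit, now)))
        for layer, allowed in results:
            if not allowed:
                return layer
        return None


if __name__ == "__main__":
    # Constructed demo: the same IP hammering one account, then another.
    rl = LayeredRateLimiter(ip_limit=Limit(3, 60), account_limit=Limit(2, 60))
    for t, acct in [(0, "alice"), (1, "alice"), (2, "alice"), (3, "bob"), (70, "bob")]:
        print(t, acct, rl.check("203.0.113.5", acct, now=t))
```

The order in which layers are consulted only affects which name is reported; the decision is the same whichever layer trips first. Keeping the per-account window the strictest of the three is what makes a targeted brute-force attempt fail long before the IP or global ceilings are reached.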
Application Security
- BotShield: Integrated bot detection that identifies automated attacks, headless browsers, and scripted abuse
- VoIP Detection: Filters disposable and VoIP phone numbers to prevent SMS OTP abuse
- Circuit Breakers: Automatic protection against cascading failures across downstream services
- Structured JSON Logging: Immutable, structured audit logs for every authentication event
- Webhook Security: HMAC-SHA256 signed webhook payloads with automatic retries and delivery verification
Post-Quantum Cryptography
Quantum-resistant today. Auth1 supports NIST-standardized post-quantum algorithms to protect against future quantum computing threats.
- ML-DSA-65 (Dilithium): Post-quantum digital signatures on audit records, consent logs, and webhook payloads for tamper-proof evidence
- ML-KEM-768 (Kyber): Post-quantum key encapsulation available for Enterprise customers requiring quantum-resistant key exchange
Compliance
- SOC 2 Type II: Audit in progress via Drata
- HIPAA: Business Associate Agreement (BAA) available on Enterprise plans. Includes session timeouts, PII encryption, and audit logs.
- GDPR: Data Processing Agreement available. Right to deletion supported.
- CCPA: California consumer rights supported
- TCPA: SMS consent tracking with Dilithium-signed audit records
For more details, see our Compliance page, Terms of Service, and Privacy Policy.
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:
Please include a detailed description of the vulnerability, steps to reproduce, and any potential impact. We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days.
We do not pursue legal action against researchers who report vulnerabilities responsibly and in good faith.