
A new approach to authentication combines RSA, AES, typing biometrics, and steganography — all within your smartphone — to eliminate passwords without sacrificing security or usability.
Who This Is For
- AppSec engineers designing secure login flows
- Mobile developers exploring passwordless systems
- Security architects evaluating FIDO2 alternatives
- Privacy researchers and cybersecurity enthusiasts
Why It Matters (2025+)
Passwords are dying — and that’s a good thing. But while passwordless sounds futuristic, real-world implementations often trade usability for security. Hardware tokens break, SMS codes get intercepted, and biometrics alone can’t recover lost accounts.
Sesame Auth, a research-backed prototype, shows it’s possible to combine cryptography, biometrics, and steganography into a single scalable passwordless system — without new hardware or shared secrets.
What You’ll Learn
- How hybrid cryptography and steganography can enable secure passwordless login
- How typing biometrics replace security questions for account recovery
- How Sesame Auth achieves sub-2-second authentication — rivaling passwords
What Is Project Sesame?
Project Sesame is a passwordless authentication framework built using RSA (asymmetric) and AES (symmetric) cryptography, fingerprint/face biometrics, and keystroke dynamics (behavioral biometrics).
It also uses LSB steganography to embed encrypted credentials inside images — a creative twist that eliminates the need for storing secrets or hashes.
Imagine logging into your e-commerce account by:
- Confirming a push prompt with your fingerprint, and
- Uploading an image that secretly contains your authentication data — all processed in under two seconds.
Architecture Overview
[User Device]
├── Front-End (React Native)
│ ├─ Biometric check (fingerprint/face)
│ ├─ Keystroke pattern capture
│ ├─ Account import / recovery
├── Secure Local Storage (RSA & AES keys)
└── HTTPS Communication with Backend
[Backend]
├── Node.js Server (API)
├── Firebase Database (public keys only)
├── TypingDNA API for behavioral verification
└── Steganography engine for image embedding
Each account gets a unique key pair, and public keys are stored server-side — not passwords, not hashes. Even if the database is breached, attackers gain nothing useful.
Step-by-Step: How It Works
Device Setup
- On first launch, the app generates:
  - A 2048-bit RSA key pair
  - A 256-bit AES key
  - A Device Notification ID (DN-ID) for push-based authentication
- The app’s public key and DN-ID are registered with the backend; the private key stays securely inside Android Keystore or iOS Keychain.
User Registration
- The user provides an email address and types it three times — this trains the keystroke dynamics model using TypingDNA.
- Fingerprint or Face ID verifies the user locally.
- The app links the typing profile (Typing ID) with the app’s public key.
Account Creation
- When adding a new service (like “Ecom”), the app generates a separate RSA key pair for that account.
- The app embeds the account public key and encrypted Typing ID inside an image using LSB steganography — the user keeps this image for recovery.
- The server only stores the account public key and username — no password, no secret.
Authentication
- The user visits the service and enters their username.
- The service fetches the corresponding public key from the server.
- The server sends a challenge string, displayed to the user.
- The user enters that string in the app, which then performs biometric verification.
- If valid, the server authorizes login.
Average time: 825 ms — faster than typing a password.
Success rate: 100% during prototype testing.
Account Recovery
Lost your phone? Just reinstall the app and:
- Upload your stego image,
- Type your email (your typing pattern is verified), and
- Authenticate via fingerprint or Face ID.
If everything matches, your account is restored — no password reset links, no security questions.
Performance Snapshot
| Operation | Avg. Duration | Description |
|---|---|---|
| Account Creation | 3.6 s | Includes key gen + stego embed |
| Authentication | 0.8 s | Challenge/response cycle |
| Account Recovery | 1.6 s | TypingDNA + image validation |
| Registration | 1.6 s | Typing pattern capture |
These results show that passwordless doesn’t have to mean slow or complex.
Security Highlights
| Attack Vector | Mitigation |
|---|---|
| Phishing | No shared secrets or reusable tokens |
| Malware on Device | Keys stored in hardware-backed keystores |
| MITM (Man-in-the-Middle) | End-to-end TLS + hardcoded cert pinning |
| Device Theft | Requires biometric confirmation |
| Server Breach | Only public keys stored, no passwords |
| Replay/Injection | Random challenge codes (roughly a 1-in-a-million chance of guessing one per attempt) |
Technical Foundations
- Cryptography: RSA (2048/4096-bit), AES-256, HTTPS (TLS from Let’s Encrypt)
- Steganography: LSB (Least Significant Bit) embedding via Jimp library
- Biometrics: Fingerprint / Face ID (Android/iOS)
- Behavioral biometrics: TypingDNA keystroke profiles
- Storage: Firebase + Secure Enclave / Keystore
Limitations & Future Work
- LSB steganography is detectable by advanced steganalysis — future versions will adopt adaptive or transform-domain hiding.
- Trusted backend dependency — compromising the Sesame server could disrupt authentication. Future iterations could decentralize validation using blockchain or distributed ledgers.
- Mobile crypto constraints — native encryption libraries and certificate signing modules will improve robustness.
Why It’s Different
While FIDO2, SIM-based, and iris-scan systems all tried to replace passwords, they usually require specialized hardware or multiple backup tokens.
Sesame Auth proves you can:
- Go passwordless without new devices
- Recover accounts without helpdesk tickets
- Avoid shared secrets entirely
It’s not just a theoretical framework — it’s an operational proof of concept tested on Android and iOS.
Final Thoughts
Project Sesame hints at a near future where authentication is both invisible and secure by design.
By merging cryptography, biometrics, and digital hiding, it builds trust without friction — a rare balance in cybersecurity.
Passwords may have survived 60 years, but their replacement just found its magic words: “Open, Sesame.”
Stay ahead of the curve — subscribe to SecureBytesBlog.com for more deep dives into emerging authentication frameworks, security innovations, and AI-driven defenses.
You’ll get research-backed insights, practical guides, and early access to our next analysis before anyone else.