v0.1.0 released Open source · AGPL-3.0

Hardware keys. Multi-party approval. Open source.

Your private key lives in your device's secure chip and never leaves. Critical actions need sign-off from multiple people. No passwords. No shared secrets. Just proof.

iOS · Android · macOS · Windows · Linux · AGPL-3.0

Tap to approve. That's it.

Push arrives. Biometric gate. Cryptographic signature. Mutual authentication — both sides prove identity, every time.

1. Server signs a challenge

Your app calls the SDK. Server generates a random challenge, signs it with its private key, pushes to the device.

2. Device verifies, user approves

Device verifies the server signature — phishing sites can't fake it. User sees what they're approving and confirms with Face ID or fingerprint.

3. Device signs the response

Hardware chip signs with the private key that never leaves. Server verifies the signature against the stored public key. Done.

server.ts Node
import { sigil } from '@sigilauth/sdk';

// Create a challenge bound to an action
const challenge = await sigil.auth.createChallenge({
  userId:  'user_123',
  action:  'Sign in to acme-corp.com',
  ttl:     120,
});

// Push arrives on user's device
// User approves with Face ID
// Hardware signs with key that never leaves the chip

const { verified, pictogram } = await sigil.auth.verify(challenge.id);

// verified:  true
// pictogram: ['🍎','🍌','✈️','🚗','🐕']

Hardware-backed, from the chip up.

Private keys generated in Secure Enclave or StrongBox. Stateless service. Native multi-party quorum. Open source from day one.

Your keys never leave your device.

Private keys are generated inside the Secure Enclave (iOS) or StrongBox (Android). The chip signs; it doesn't export. A server breach yields only public keys — which are, by definition, public.

No TOTP seeds sitting in databases. No SMS codes to intercept. No shared secrets to steal.

Phone showing a Sigil Auth push notification to approve sign-in, with a glowing Approve with Face ID button

Stateless, by design.

The auth service stores nothing. No user database. No key table. Identity is mnemonic-derived and deployed as a single Docker image. Your app keeps its own user → device_public_key mapping.

Nothing to breach. Nothing to migrate. Nothing to pay per-seat for.

Test without a device.

The CLI tool simulates an iOS/Android device for integration testing. Perfect for CI pipelines, local dev loops, and smoke tests. No phone required.


Big decisions need more than one yes.

Destructive operations shouldn't hinge on a single compromised credential. Sigil supports native M-of-N quorum — delete the production database? That's going to need sign-off from 2-of-3 admins first.

  • Group-based — quorum is over people, not devices. Same person on two phones counts once.
  • Action-scoped — every approver sees exactly what they're signing. No blind approvals.
  • Cryptographically verified — each signature is checked against a registered public key. No fakes.
  • Unique to Sigil — Duo locks this behind enterprise. WebAuthn can't express it. Passkeys don't approve together.

Phone showing multi-party approval UI with Sarah Johnson approved, user pending, and Mike Chen not required

How Sigil stacks up.

Every method has trade-offs. Here are the ones that matter.

| Method | Secret | Hardware | Push | M-of-N | License | Self-host |
|---|---|---|---|---|---|---|
| Sigil Auth | None | Yes | Yes | Native | AGPL-3.0 | Yes |
| WebAuthn / Passkeys | None | Yes | No | No | Spec only | Yes |
| TOTP (Authy, Google Auth) | Yes — seed | No | No | No | Various | Yes |
| Duo / Okta MFA | None | Optional | Yes | Enterprise only | No | No |
| YubiKey (hardware token) | None | Yes | No | No | Firmware closed | N/A |

Five emoji. One proof.

Every device and server gets a 5-emoji pictogram deterministically derived from its public key. Speak it over the phone. Compare it with your admin. Confirm you're paired with the right endpoint before any trust is established.

apple · banana · plane · car · dog

256-emoji speakable set. Skin-tone-free. Flag-free. Compound-free. Derived from SHA-256(public_key).

Answers.

What is Sigil Auth?

Sigil Auth is an open source push authentication system that uses ECDSA P-256 keys stored in device hardware. Authentication is cryptographic challenge-response — no passwords, no TOTP seeds, no shared secrets. The private key lives in the Secure Enclave (iOS) or StrongBox (Android) and never leaves the chip.

How is Sigil Auth different from WebAuthn?

Sigil Auth provides push-based authentication and multi-party authorization (M-of-N approval) — capabilities WebAuthn doesn't offer. Both use asymmetric cryptography; Sigil adds the push channel and group approval workflows.

Is Sigil Auth free?

Yes. Sigil Auth is open source under AGPL-3.0 (code) and Apache-2.0 (API specs). No per-seat licensing, no commercial plans. Use it, modify it, deploy it at any scale without paying licensing fees.

Does Sigil Auth work offline?

Authentication requires network connectivity to deliver push notifications and verify signatures. The cryptographic keys remain in device hardware regardless of network state — once a challenge is delivered, the device can sign it without internet access, but the response must be transmitted back to the server for verification.

What happens if I lose my phone?

Each device has its own keypair. If you lose a device, the admin can revoke that device's public key from the server. Your other registered devices continue to work. For account recovery, the admin registers a new device using the pairing flow (QR code or 8-digit code).

What platforms does Sigil Auth support?

Native apps for iOS (Secure Enclave) and Android (StrongBox). Desktop apps for macOS, Windows, and Linux. The auth service runs in Docker and works with Go and Node SDKs for integration into your application.

Can I use Sigil alongside my existing login?

Yes. Sigil is designed as Tier 2/3 — step-up authentication and multi-party approval, not initial login. Use passwords or passkeys for sign-in, then use Sigil to gate sensitive operations that deserve stronger proof.

Ship it this week

Ready when you are.

Read the docs. Clone the repo. Self-host in an afternoon. Or ask a question — the protocol spec is public.