DEVICEBOUND

Security

How DeviceBound protects every verification, end to end.

Encryption in Transit

All traffic between your device and DeviceBound is encrypted with HTTPS/TLS. There are no unencrypted endpoints anywhere on the platform.

Device-Generated Cryptographic Key Pairs

During verification, the user's device generates a public/private cryptographic key pair using the platform authenticator built into the device (Face ID, Touch ID, or Windows Hello).

The private key never leaves the user's device. DeviceBound receives and stores only the public verification information.

Local Biometric Authentication

Face ID, Touch ID, and device PIN checks are performed entirely on the user's device by the operating system. DeviceBound never sees, collects, or stores biometric data of any kind.

Replay Attack Protection

Every verification request is bound to a single-use, server-generated cryptographic challenge. A completed verification cannot be replayed, reused, or transferred to another request. Verification links are one-time and expire automatically.

Tamper Detection

Verification responses are cryptographically signed by the device and validated on our servers. Any modification of the response in transit invalidates the verification.

Secure Cloud Storage

Verification records are stored in secure, access-controlled cloud infrastructure with row-level security. Sensitive operations run only on the server side with least-privilege credentials.

Verification Logging

Every verification produces an audit record: a unique DeviceBound ID, timestamps, and the verification outcome. Records are retained to support dispute resolution and fraud prevention.

Identity Verification Workflow

A verification is only marked complete when the recipient finishes a live biometric ceremony on their own device, against a challenge minted for that specific request. Payment, request creation, and verification are separate, auditable steps.

Reporting a Vulnerability

If you believe you have found a security issue, contact us at support@devicebound.us. We review every report.

Powered by DEVICEBOUND™