Pain Point Case Study NP-34

Zero-Knowledge Auth Across 7 Platforms: One Protocol

anonym.community · 2026-03-14

Research Source

Multiple Authentication Implementations Create Inconsistent Security
anonym.community March 2026 feature analysis

Products that run across multiple platforms (web, desktop, mobile, extensions, plugins) typically implement authentication differently on each platform. Web uses session cookies, desktop uses stored tokens, extensions use OAuth, plugins use API keys. Each implementation has different security properties, different attack surfaces, and different vulnerability profiles. A single authentication protocol across all platforms eliminates implementation-specific vulnerabilities.

Executive Summary

Multi-platform products implement authentication differently per platform, creating inconsistent security and multiple attack surfaces. Each platform-specific implementation introduces platform-specific vulnerabilities.

anonym.legal uses identical Argon2id + XChaCha20-Poly1305 zero-knowledge authentication across all 7 platforms. The same protocol, same parameters, same security properties — web app, desktop, Office Add-in, Chrome Extension, LibreOffice, MCP Server, and REST API.

The Problem: N Platforms x N Authentication Implementations = N-Squared Attack Surface

Each authentication implementation is an attack surface. Web session cookies can be hijacked (XSS). Desktop stored tokens can be extracted (malware). Extension OAuth tokens can be phished. API keys can be leaked. When each platform uses a different auth mechanism, security teams must audit N different implementations, each with different vulnerability patterns. A flaw in one platform's auth does not necessarily exist in another — but discovering flaws requires auditing each separately.

Irreducible truth: Authentication is only as secure as its weakest implementation across all platforms. Using one zero-knowledge protocol everywhere means one security audit covers all platforms. The attack surface is constant regardless of platform count.

The Solution: How anonym.legal Addresses This

Argon2id Key Derivation

All platforms use identical parameters: 64MB memory, 3 iterations, 1 parallelism, 16-byte salt, 32-byte output. HKDF-SHA256 derives two keys: Auth Key (sent to server) and Encryption Key (stays on device). The password never leaves the device on any platform.

XChaCha20-Poly1305 AEAD

All platforms use XChaCha20-Poly1305 for data-at-rest encryption with 256-bit keys and 24-byte random nonce per operation. The same cipher suite on web (libsodium.js WebAssembly), desktop (Rust native), Office Add-in (JavaScript), Chrome Extension (JavaScript), and LibreOffice (PyNaCl).

24-Word BIP39 Recovery

All platforms use the same 24-word BIP39 recovery phrase (256-bit entropy). A recovery phrase generated on the web app works on the desktop app, Office Add-in, and every other platform. One recovery mechanism, zero platform lock-in.

Constant-Time Verification

All platforms use constant-time comparison (crypto.timingSafeEqual or equivalent) for auth proof verification. Timing attacks are prevented regardless of which platform processes the auth request.

Compliance Mapping

This architecture supports GDPR Article 32 (security of processing — consistent security across all access points), ISO 27001 Annex A.9 (access control — unified authentication policy), and simplifies security audits by requiring one protocol review instead of seven.

anonym.legal's GDPR, HIPAA, PCI-DSS, ISO 27001 compliance coverage, combined with Hetzner Germany, ISO 27001 hosting, provides documented technical measures organizations can reference in their compliance documentation.

Product Specifications

Specification           Value
Entity Types            320+
Detection               3-layer hybrid: Presidio + NLP + Stance classification
Test Coverage           100% (419/419 tests)
Languages               48
Anonymization Methods   Replace, Redact, Mask, Hash (SHA-256/512), Encrypt (AES-256-GCM)
Platforms               Web App, Desktop, Office Add-in, Chrome Extension, MCP Server, REST API
Pricing                 Free €0, Basic €3, Pro €15, Business €29
Hosting                 Hetzner Germany, ISO 27001
Compliance              GDPR, HIPAA, PCI-DSS, ISO 27001