PASSWORDLESS • POST-QUANTUM SECURE

Passwordless Authentication With Encrypted Biometrics

Replace passwords with quantum-safe biometric authentication. Users verify with their face, fingerprint, or voice — encrypted end-to-end via fully homomorphic encryption. Verified with zero-knowledge proofs. No secrets to steal, phish, or forget.

38.5µs Per Auth
1.7M/sec Sustained Throughput
Zero Passwords
PQ Quantum-Safe

Three Steps to Passwordless

A single API call replaces the entire password lifecycle — no hashing, no salting, no reset emails. The biometric never leaves the encrypted domain.

Step 1: Enroll Biometric via FHE
The user captures their biometric on-device. The client SDK extracts a 128-dimensional embedding, encrypts it with BFV fully homomorphic encryption, and sends the ciphertext to H33. The plaintext biometric never leaves the device.

Step 2: Verify via Encrypted Matching
H33 computes an FHE inner product between the fresh encrypted biometric and the stored encrypted template. The match runs entirely on ciphertexts — the server never decrypts. 32 users verified per batch in 939µs.

Step 3: Prove via ZK Proof
A zero-knowledge proof attests the match result without revealing the biometric data or the encrypted templates. A Dilithium signature seals the attestation for a cryptographic, post-quantum audit trail.
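
An added example, not part of the original page or the H33 SDK: a plaintext model of the integer arithmetic behind the encrypted inner product in Step 2, showing why the fixed-point scale has to fit the BFV plaintext modulus. The modulus 65537, the scales, the 0.8 threshold and the sample vectors are assumptions chosen for illustration, not H33 parameters.

```javascript
// Added illustration, not H33 SDK code: plaintext model of the integer
// arithmetic behind a BFV inner-product match. T, the scales and THRESHOLD
// are assumed values chosen for the demo.
const DIM = 128;        // embedding size stated on the page
const T = 65537;        // assumed BFV plaintext modulus
const THRESHOLD = 0.8;  // assumed cosine-similarity cut-off

const normalize = (v) => { const n = Math.hypot(...v); return v.map((x) => x / n); };

// BFV plaintexts are integers mod t, so float embeddings are scaled and rounded.
const quantize = (v, scale) => v.map((x) => Math.round(x * scale));

// Map a residue mod t to the signed range (-t/2, t/2].
function centeredMod(x, t) {
  const r = ((x % t) + t) % t;
  return r > t / 2 ? r - t : r;
}

// Worst case for unit vectors: a rounded vector has norm <= scale + sqrt(DIM)/2,
// so |dot| <= (scale + sqrt(DIM)/2)^2. That must stay below t/2 or the sum wraps.
function fitsPlaintextSpace(scale, t) {
  return (scale + Math.sqrt(DIM) / 2) ** 2 < t / 2;
}

// The value the homomorphic inner product would decrypt to, then the decision.
function matchScore(probe, template, scale, t = T) {
  const a = quantize(probe, scale), b = quantize(template, scale);
  let acc = 0;
  for (let i = 0; i < DIM; i++) acc += a[i] * b[i];
  const score = centeredMod(acc, t) / (scale * scale);
  return { score, match: score >= THRESHOLD };
}

// Constructed sample embeddings (not real biometric data).
const template = normalize(Array.from({ length: DIM }, (_, i) => Math.sin(0.37 * i + 1)));
const genuine = normalize(template.map((x, i) => x + 0.002 * Math.sin(i)));
// Pairwise 90-degree rotation of the template: exactly orthogonal to it.
const impostor = template.map((x, i) => (i % 2 === 0 ? -template[i + 1] : template[i - 1]));

console.log(fitsPlaintextSpace(128, T), matchScore(genuine, template, 128));
console.log(matchScore(impostor, template, 128));
// Scale 1024 overflows T: the genuine probe's score wraps and is silently rejected.
console.log(fitsPlaintextSpace(1024, T), matchScore(genuine, template, 1024));
```

Because the server never sees the plaintext, a wrapped result cannot be noticed after the fact, so the bound in `fitsPlaintextSpace` has to be enforced when parameters are chosen.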

Why Passwords Need to Die

Passwords are the single largest attack surface in enterprise security. The numbers are unambiguous.

80% Breaches Involve Credentials
Four out of five data breaches involve stolen or weak passwords. Credential stuffing attacks test billions of leaked password combinations against live systems every day.

$4.88M Average Breach Cost
The global average cost of a data breach reached $4.88 million in 2024. Stolen credentials are the most common initial attack vector and take the longest to identify and contain.

15B+ Credentials Leaked
Over 15 billion username-password pairs circulate on dark web markets. Every password your users create has likely already been compromised in a previous breach elsewhere.

Technical Specifications

Production benchmarks from Graviton4 (c8g.metal-48xl, 192 vCPUs). Every operation is post-quantum secure.

FHE Biometric Match: 939µs (32 users / batch)
ZK Proof Generation: 2.0µs (SHA3-256 based)
ZK Proof Verification: 0.2µs (In-process DashMap)
Dilithium Attestation: 291µs (ML-DSA sign + verify)

Passwordless Auth in 10 Lines

Enroll and verify users with a single API call. The SDK handles FHE encryption client-side and returns a ZK-attested match result.

Passwordless Verification (JavaScript)
// 1. Initialize the H33 client
const h33 = new H33Client({ apiKey: "h33_pk_..." });

// 2. Capture biometric & encrypt client-side (FHE)
const embedding = await h33.biometric.capture("face");
const encrypted = await h33.fhe.encrypt(embedding);

// 3. Verify passwordless — returns ZK-attested result
const result = await h33.auth.verifyPasswordless({
  userId:    "user_abc123",
  biometric: encrypted,  // FHE ciphertext, never plaintext
});

// result.match = true | false
// result.zkProof = "0x..." (verifiable ZK attestation)
// result.dilithiumSig = "..." (post-quantum audit trail)

H33 Passwordless vs. Passkeys (FIDO2)

Passkeys are a step forward from passwords, but they inherit device-binding limitations and lack post-quantum security. H33 goes further.

| Capability | H33 Passwordless | FIDO2 / Passkeys |
| --- | --- | --- |
| Authentication factor | Encrypted biometric (FHE) | Device-bound private key |
| Device independence | Yes — any camera/sensor | No — key tied to device |
| Post-quantum secure | Yes — lattice FHE + Dilithium | No — ECDSA/RSA broken by QC |
| Phishing resistant | Yes — no secret to intercept | Yes — origin-bound |
| Server breach exposure | Zero — FHE ciphertexts only | Public keys only |
| Lost device recovery | Re-scan biometric on new device | Requires backup key or re-enrollment |
| Cryptographic proof of match | ZK proof + Dilithium attestation | Signature only (no match proof) |
| Verification latency | 38.5µs per user | ~50-200ms (network + TPM) |

Frequently Asked Questions

How does passwordless authentication work with encrypted biometrics?

The user presents their biometric (face, fingerprint, or voice) on their device. The client SDK extracts a 128-dimensional embedding, encrypts it with BFV fully homomorphic encryption, and sends the ciphertext to H33. The server computes an encrypted distance against stored encrypted templates using FHE arithmetic, then generates a zero-knowledge proof of the match result. The server never sees any plaintext biometric data. No password is involved at any step.

Is passwordless authentication with H33 more secure than passwords?

Yes, dramatically. Passwords can be phished, brute-forced, stuffed from breached databases, or forgotten. H33 passwordless authentication eliminates all of these attack vectors. Biometrics cannot be forgotten or phished, and because H33 stores them encrypted with FHE, they cannot be stolen from the server even in a breach. The zero-knowledge proof ensures the match result is cryptographically verifiable without revealing the underlying biometric data.

How fast is passwordless biometric verification?

H33 performs FHE biometric matching for 32 users in 939 microseconds (under 1 millisecond). The ZK proof generation takes 2.0 microseconds and verification takes 0.2 microseconds. End-to-end, a single passwordless authentication completes in approximately 38.5 microseconds per user. At production scale on Graviton4, this translates to over 2.1 million passwordless authentications per second.

How does H33 passwordless compare to FIDO2 passkeys?

FIDO2 passkeys store a private key on the device and authenticate via challenge-response signatures. If the device is lost, the passkey is gone. H33 passwordless authentication stores encrypted biometric templates server-side, so authentication works from any device with a camera or sensor. H33 is also post-quantum secure (lattice-based FHE + Dilithium), whereas FIDO2 relies on ECDSA or RSA, which will be broken by quantum computers.

What biometric types are supported for passwordless auth?

H33 supports any biometric modality that produces a 128-dimensional normalized embedding vector: face recognition (ArcFace, FaceNet), fingerprint minutiae encoders, and voice print embeddings. The FHE matching is modality-agnostic because it operates on the embedding vectors, not the raw biometric data. Multi-modal fusion (combining face + fingerprint scores) is also supported for higher security scenarios.

What happens if the biometric database is breached?

An attacker gets only ciphertexts. Every stored biometric template is encrypted with BFV FHE, and the decryption key never leaves the client side. Without the secret key, the ciphertexts are computationally infeasible to break, even with a quantum computer (lattice-based, NIST PQC security). This is fundamentally different from hashed passwords or hashed biometrics, which can be attacked with rainbow tables or dictionary attacks. FHE ciphertexts are semantically secure.
GET STARTED

Kill the Password. Ship Passwordless Today.

Free tier includes 10,000 passwordless authentications per month. No credit card required. Full FHE + ZK pipeline from day one.
