BIACS logo

BIACS

Sovereign Cryptographic Identity — Authentication the Customer Fully Owns

BIACS — the BicDroid Identity Authentication Cryptographic System — provides strong cryptographic identity authentication for users, devices, and services, cutting off AI-assisted credential attack chains at the point of initial access. Its single architectural commitment: the cryptographic identity that authenticates users into your systems must be entirely owned and controlled by you.

How it works
Tap to enlargeBIACS architecture — Cryptographic Code Server, BicDroid Authentication Server, the cryptographic QR credential, the Authentication Client, and the Integrated Authentication Module embedded into web, OS, and database login paths.
Credential issuance, challenge, and verification resolve across customer-owned, HSM-anchored servers; the Integrated Authentication Module embeds into existing login paths with no application source-code changes.

Sovereign cryptographic identity

BIACS is anchored in hardware the customer owns, free of cloud dependency, and uniform across the user population regardless of device security. Key generation, challenge issuance, and verification all run on the customer’s own infrastructure, anchored in certified hardware security modules the customer operates. No external authentication cloud sits between the user and the customer’s systems, and authentication strength does not vary with the security of any individual user’s device.

Architecture

Server

Cryptographic Code Server (CCS)

The credential-issuing platform. Generates cryptographic QR-code credentials and manages registration; a certified HSM anchors all key generation from true random numbers inside its tamper-resistant boundary.

Server

BicDroid Authentication Server (BAS)

The decision platform. Issues challenges and verifies responses in a second HSM. Key material for a given authentication is derived dynamically, so advance compromise of the server side is cryptographically unproductive.

Client

BicDroid Authentication Client (BAC)

Runs on the user’s device. By protocol design, no long-term secret capable of authenticating the user is stored on the device — so a rooted or exfiltrated device yields nothing usable.

Credential

Cryptographic QR Code

Binds identity simultaneously to a specific user and a specific device. It carries no usable material on its own and can be kept separately — printed, in a password manager, anywhere convenient.

Integration

Integrated Authentication Module

Embeds verification into the existing authentication path — PAM on Linux, the Windows credential provider, web-framework filters, database auth interfaces — with no source-code modification.

Five properties that define sovereign identity

  • Customer-owned hardware throughout — no vendor holds master keys; no third party approves a login.
  • Independence from any vendor cloud — runs on-premises or air-gapped for the most sensitive deployments.
  • Independence from device security variability — strength comes from customer-side infrastructure and the QR code, not the device.
  • Source-code-free integration — strong cryptographic authentication added with no SDK, redesign, or user retraining.
  • Unified authentication across system types — one deployment covers web apps, Linux, Windows, and databases.

How BIACS differs from FIDO2 & passkeys

The prevailing passkey standard depends on the user’s device having certified cryptographic hardware — an assumption that fails across heterogeneous fleets and weakens when deployments fall back to synced credentials routed through a third-party cloud. Consumer passkeys also generally lack an enterprise-controlled chain binding enrollment to a verified real-world identity. BIACS removes both limitations by design.

What BIACS protects against

Compromise of the user’s deviceNo long-term secret resides there; the dual-bound QR code is not stored on it.
Compromise or outage of a third-party cloudNo third-party cloud sits in the authentication path at all.
Authentication-bypass through architectural seamsVerification embeds inside the system’s own auth path — there is no seam to bypass.

BIACS supports internationally standardized public-key cryptography and Chinese national standards where regulatory contexts require them, and is licensed as a cryptographic product the customer owns rather than subscribed as a per-seat cloud service.

The BicDroid family

Each product enforces its guarantee without depending on perimeter trust, host integrity, or the correct behaviour of the software it protects. Deploy one, or combine them for the complete cryptographic lifecycle.

PACSACQDocSELineageCryptLightNet
Talk to BicDroid

Own the identity that guards your systems.

Deploy sovereign cryptographic identity — anchored in hardware you control, uniform across every user and login surface.

Talk to us →Contact details