This paper presents ExoAuth, a cryptographic protocol that replaces the password entry screen on workstations with a hardware-bound, proximity-verified authentication mechanism requiring no human-memorized secret. ExoAuth pairs a mobile device's certified Secure Element (Apple Secure Enclave, Google Titan M2, Samsung Knox Vault) with the workstation's discrete Trusted Platform Module (dTPM) over a one-time USB trust anchor. Subsequent daily authentication proceeds over Bluetooth using the Noise IK handshake pattern, ensuring the identity proof transits only inside an encrypted channel with forward secrecy. Physical proximity is enforced via Ultra-Wideband (UWB) distance bounding to prevent relay attacks. Per-session biometric verification is enforced at the hardware level on the mobile device, independent of its lock state. The protocol is composed of five validated cryptographic primitives — Ed25519 (identity), X25519 ephemeral ECDH (channel), ChaCha20-Poly1305 (encryption), HKDF-SHA256 (key derivation), and Shamir Secret Sharing with BIP39 mnemonics (offline recovery) — each verified against official RFC test vectors. Offline recovery requires no server infrastructure and introduces no backup password. Security analysis demonstrates that no identified attack class succeeds without simultaneous physical access to both the workstation and the paired mobile device. The protocol is derived from the Exo-OS research initiative and is presented here as a general-purpose authentication layer applicable to any operating system exposing a credential provider interface.
Kouadio Eric Xavier Oria