How UNS Authentication Works

The UNS network consists of Identity Guardian nodes representing user, Gateway nodes representing services and a UNS control node keeping them in sync. Guardian and Gateway combine direct and out of bounds communication to verify the user and the service.Together, the UNS nodes form a chain of trust between the user and any service.



  • The user initiates login / registration on a service

  • The service establishes a secure connection with the gateway and requests a signed token

  • The Gateway generates a token with nonce for the Service to send to the user

  • The user signs the token with their private key and sends to the Identity Guardian

  • The Guardian verifies the user and sends the service specific UNS Identify to the Gateway

  • The Gateway provides the Service with the user’s account identifier

UNS Overview

UNS Works for Users

  • Each user chooses a Guardian they trust.1

  • User installs the UNS authenticator app which generates a self-signed security certificate when a user registers for an account.2

  • UNS authentication demonstrates that the users satisfies 3 factors.

    • Possession of trusted device(s)
    • Inherent biometrics to unlock device
    • Knowledge to unlock UNS Application3
  • The Guardian and Gateway combine direct and out of bounds communication to verify User and Service.

UNS Works for Services

  • Each Services chooses a Gateway they trust. The Gateway is a member of the UNS network and is recognized and able to communicate securely with all UNS Guardians.

  • Services register their namespace with their Gateway, where the namespace is the set of all possible account identifiers for that Service.

  • The Gateway issues unique tokens that allow a Service to authenticate the identity of its Users. Gateway perform authentications with the Users’ Guardians.

  • When a user registers for an account on a namespace using UNS, the Gatekeeper associates the user’s unique account identifier with an anonymous hash provided by the user’s Guardian.4

  • Gateway retain a cryptographically signed record of each authentication. These records provide proof that each authentication was correct.

1. Unlike federated login systems, UNS does not require Users and Services to agree on a common mediation agent. Each party can choose who they want to work with and importantly, which legal jurisdiction their mediation agent is located.

2. Unlike other public key infrastructure, UNS never transmits the private key from one device to another because each user acts as their own certificate authority. Each security certificate is generated onboard each device, preferably in the device’s secure enclave.

3. The user may choose require a unique pin or password for the UNS application if they require additional security beyond possession and the biometric/passcode lock for their device.

4. The hash could be based on the namespace and the user’s first public key