Introducing AVIK: Adaptive Verified Identity Keys — Closing the Full Account-Takeover Lifecycle

The Problem Beyond Login

The security industry has spent decades improving login. We have passkeys, WebAuthn, hardware tokens, biometrics. And yet, account takeover incidents continue to grow.

Why? Because login is only the front door. The real vulnerabilities are everywhere else:

• Session replay: Steal a bearer token, become the user
• Unbound operations: A valid session can initiate a $50,000 wire transfer with no additional proof
• Recovery downgrade: "Forgot your key?" flows that bypass the very security they're supposed to protect

These aren't edge cases. They're the primary mechanisms of modern account takeover.

What is AVIK?

AVIK (Adaptive Verified Identity Keys) is a protocol architecture that closes the full account-takeover lifecycle by composing four cryptographic controls into a single enforceable model.

Control 1: Passwordless Identity Proof

AVIK eliminates passwords entirely. Identity is established through Ed25519 challenge-response signatures. The server issues a random challenge; the client signs it with their identity key. No password is ever transmitted, stored, or hashed.

Server → Challenge (random nonce)
Client → Signature(challenge, identityPrivateKey)
Server → Verify(signature, identityPublicKey) → Authenticated

This is not new by itself — FIDO2/WebAuthn does something similar. What's new is how AVIK extends this foundation to cover the entire session lifecycle.

Control 2: Per-Request Proof-of-Possession

Most systems issue a bearer token after login. Anyone who possesses that token is the user. AVIK eliminates bearer tokens entirely.

Every API request carries a cryptographic proof header — a signature over the request path, timestamp, and session context using the session key. The server verifies this proof on every single request.

// Every request includes:
avik-proof: base64(path + timestamp + sessionId)
avik-signature: base64(sign(proof, sessionPrivateKey))
avik-timestamp: 1708012345

Result: Intercepting a request gives you nothing. The signature is bound to the specific request path and timestamp. Replay is structurally impossible.

Control 3: Identity-Signed Intent

High-risk operations (payouts, role changes, account deletion) require more than session-level authentication. AVIK requires the user to sign the specific intent with their identity key — not just prove they have a session.

// For high-risk operations:
{
  "action": "transfer",
  "amount": 50000,
  "target": "account-xyz",
  "intentSignature": sign(action + amount + target, identityPrivateKey)
}

This means a stolen session cannot authorize high-risk actions. The attacker would need the identity private key itself.

Control 4: Recovery Without Assurance Downgrade

The Achilles' heel of strong authentication is weak recovery. "Lost your security key? Here's an SMS code." AVIK's recovery ceremony requires:

1. Token possession: A pre-generated recovery token
2. Signed challenge: The recovery request must be signed, proving the requestor controls the recovery token's key material
3. Key rotation: Successful recovery generates a new identity key, revoking the old one
4. Anti-replay memory: Recovery tokens are single-use with durable state that survives server restarts

AVIK + KAVI: The Full Stack

AVIK and KAVI Protocol are complementary:

Layer	KAVI	AVIK
Identity derivation	Behavioral (Surprise Signature)	Cryptographic (Ed25519)
Key storage	Zero (ephemeral Ghost Keys)	Client-side identity key
Session security	Trinity Binding (user × data × time)	Per-request proof-of-possession
High-risk ops	Behavioral re-verification	Identity-signed intent
Recovery	Guardian Network (Shamir 3-of-5)	Token + signed challenge + rotation

Together, they cover the entire authentication lifecycle from identity establishment through session management, authorization, and recovery — with no passwords, no bearer tokens, and no downgrade paths.

Working Prototype

AVIK includes a fully functional prototype — a zero-dependency Node.js server with:

• Browser-based demo client
• CLI demonstration tools
• Attack-oriented integration tests (replay rejection, tamper detection, intent enforcement, recovery rotation)
• Durable anti-replay state across server restarts

The source code and whitepaper are published on Zenodo (DOI: 10.5281/zenodo.18652925) and GitHub.

Read the Papers

• AVIK Whitepaper: Zenodo — DOI: 10.5281/zenodo.18652925
• KAVI Whitepaper: Zenodo — DOI: 10.5281/zenodo.18652605

Conclusion

Login is largely a solved problem. Account takeover is not. AVIK addresses the gap — the session, the intent, the recovery — with four composable cryptographic controls that can be deployed incrementally on existing infrastructure. Combined with KAVI's behavioral identity model, the result is authentication that is passwordless, tokenless, and resistant to the full spectrum of takeover attacks.