Technology Overview

The infrastructure that makes
identity verifiable,
and trust computable.

A look at how Blerify's four-component stack, five cryptographic identity properties, and hardware-bound delegation model work together to make digital identity persistent, portable, and provable — in production, at national scale, on open standards.


01 · Platform Architecture

A four-component modular stack.
Each decoupled by design.

A trusted issuer — a government, a bank, a certificate authority — uses the Issuance Platform to sign and deliver credentials. The holder carries those credentials in the ID Wallet on their device. A verifier — a financial institution, a platform, a service — integrates the Verification Platform to check them. Trust flows between all three via the Trust Registry, without any bilateral agreement between issuers and verifiers.

Component 01 — Issuance Platform
Builds, signs, and delivers verifiable credentials compliant with ISO/IEC 18013-5 and W3C VC.
ISO 18013-5 · W3C VC

Component 02 — ID Wallet
Holder-facing iOS & Android app. Generates hardware-bound keys, stores credentials, manages presentations.
Secure Enclave · StrongBox

Component 03 — Verification Platform
API and portal for enterprises. Returns signed JWT responses. No biometric infrastructure required on verifier's side.
OpenID4VP · DC API

Component 04 — Trust Registry · Decentralized Root of Trust (DRoT)
On-chain anchored registry of issuer public keys. Any verifier resolves and validates independently — no issuer contact required. Cross-border recognition without bilateral agreements.

The architecture is decoupled by design. Each component can be deployed independently — a government deploying only the Issuance Platform, a bank integrating only the Verification Platform, or a new market joining via the Trust Registry without any bilateral agreements between issuers and verifiers.
ISO/IEC 18013-5 · OpenID4VP · W3C VC · NIST SP 800-63 · eIDAS 2.0

02 · Cryptographic Identity Properties

Five mutually reinforcing properties
that separate persistent identity from single-use biometrics.

Traditional biometric verification answers one question at one point in time. Blerify's five mutually reinforcing properties turn identity into a persistent, recoverable, hardware-bound object that works across every interaction — without re-verifying from scratch.

Traditional remote biometrics:
New biometric capture on every transaction
No credential to revoke — once stolen, always usable
Same person can create 5 identities at 5 institutions today
Biometric templates stored server-side — breach = permanent loss

Blerify cryptographic credential:
Local cryptographic signature — no image, no server call
Credential is revocable; verifiers notified retroactively
One active identity per person — impossible by construction
Credential on device only — no server breach can expose it

From browser to wallet
to verified — in seconds.

The holder presents a cryptographic proof via OpenID4VP. The verifier receives a signed JWT confirming validity, assurance level, and revocation status. No document upload. No biometric re-capture. No shared secret.

1. Browser initiates request — User clicks "Log in with ID Wallet." The verifier fires an OpenID4VP credential request with a unique session nonce to Blerify's Verification Platform.
2. Wallet displays consent screen — The ID Wallet receives the request via DC API and shows exactly which attributes are being requested, who is requesting, and that the verifier is registered in the Trust Registry.
3. Holder consents and biometric signs — One tap. The Secure Enclave or StrongBox releases the hardware-bound private key after local biometric confirmation. The key signs the verifiable presentation. No image, no password, no OTP leaves the device.
4. Blerify validates and responds — Issuer signature checked. Device binding proof verified. Revocation status confirmed in real time. Presentation deleted. Signed JWT returned to verifier.
5. Bank session established — The verifier receives the signed JWT, assurance level achieved, and cryptographic evidence record. The holder is authenticated. No biometric data was ever transmitted to the bank.
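
The verifier's side of steps 1, 4 and 5, as an added example that is not Blerify's code or API: it issues a single-use session nonce and then checks the returned signed JWT before establishing a session. The ES256 algorithm, the claim names (aud, nonce, exp, revoked, assurance_level) and the locally generated platform key are assumptions made for the illustration.

```javascript
// Added example: verifier-side checks on a signed JWT verification response.
// Claim names and the ES256 choice are assumptions, not a documented schema.
const { generateKeyPairSync, sign, verify, randomBytes } = require("node:crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");

// Constructed stand-in for the verification platform's signing key pair.
const platform = generateKeyPairSync("ec", { namedCurve: "P-256" });

// Plays the platform's role (step 4) so the example runs offline.
function signJwt(claims, privateKey) {
  const input = b64u(JSON.stringify({ alg: "ES256", typ: "JWT" })) + "." +
    b64u(JSON.stringify(claims));
  const sig = sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return input + "." + b64u(sig);
}

// Step 1: nonces issued by this verifier; each may be redeemed exactly once.
const pendingNonces = new Set();
function startSession() {
  const nonce = randomBytes(16).toString("hex");
  pendingNonces.add(nonce);
  return nonce;
}

// Step 5: returns "accepted" or the reason the response was rejected.
function checkResponse(jwt, publicKey, audience, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return "malformed";
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url"));
    claims = JSON.parse(Buffer.from(parts[1], "base64url"));
  } catch { return "malformed"; }
  // Pin the algorithm: the token must not be allowed to choose its own scheme.
  if (header.alg !== "ES256") return "bad-alg";
  const ok = verify("sha256", Buffer.from(parts[0] + "." + parts[1]),
    { key: publicKey, dsaEncoding: "ieee-p1363" }, Buffer.from(parts[2], "base64url"));
  if (!ok) return "bad-signature";
  if (claims.aud !== audience) return "wrong-audience";
  if (typeof claims.exp !== "number" || claims.exp <= now) return "expired";
  if (claims.revoked !== false) return "revoked";
  // Consume the nonce last: a replayed response fails even with a valid signature.
  if (!pendingNonces.delete(claims.nonce)) return "replayed-or-unknown-nonce";
  return "accepted";
}
```

The nonce check is what ties a response to the session that requested it; without it a captured, still-unexpired JWT could be presented to the verifier a second time.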

04 · Forward Security

Post-Quantum Cryptography

Designed to survive
the next generation of compute.

Current public-key cryptography — RSA, ECDSA, the algorithms that secure every credential on the internet today — is vulnerable to sufficiently powerful quantum computers running Shor's algorithm. The timeline is debated, but the outcome is not: any credential infrastructure built on classical cryptography will need to be replaced.

Blerify's architecture incorporates post-quantum cryptographic primitives aligned with NIST's post-quantum standardization process (CRYSTALS-Dilithium for signatures, CRYSTALS-Kyber for key encapsulation). The credential format — ISO/IEC 18013-5 — was designed to be algorithm-agnostic, meaning the transition to post-quantum algorithms does not require replacing the credential infrastructure. The stack is already being prepared.

Read the research paper — Nature Scientific Reports