DataHandler.Accounts
Accounts — Minimalist, Cryptographically Sound Local Authentication System
The simplest secure local account system possible — designed for single-app, single-machine use cases where you want maximum security with zero bloat.
Used as the foundation for AccountsWithSessions and as a standalone lightweight auth layer.
Design Philosophy
- Zero dependencies beyond your core crypto stack
- No sessions — logout = zero the returned SecureData
- No public key by default — optional encryption of the user list
- Recovery key = full offline password reset
- Everything encrypted, nothing in plaintext
Security Model
- Password → Argon2id (8 MiB, 4 iterations, 64-byte salt)
- Data Encryption Key (256-bit random) → encrypted under password
- Recovery Key (256-bit random) → encrypted under Data Encryption Key
- Optional: Entire Users.json encrypted under a static PublicKey
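The key hierarchy above, worked through end to end as an added example (not the library's own code): a password-derived key wraps the Data Encryption Key, a recovery key unlocks the same DEK for an offline password reset, and a wrong password fails authenticated decryption rather than yielding a garbage key. Assumptions: PBKDF2-HMAC-SHA256 stands in for Argon2id so the example runs on the Go standard library alone; AES-256-GCM is the wrapping cipher (the README does not name one); and the DEK is wrapped under the recovery key (the README's one-line description reads the other way round, so treat the direction here as this example's assumption); all names (Account, seal, open, NewAccount, Unlock, ResetPassword) are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Account struct { // mirrors the README's AccountData: every key stored here is wrapped, never plaintext
	Username    string
	Salt        []byte // 64-byte random salt for the password KDF
	WrappedDEK  []byte // Data Encryption Key wrapped under the password-derived key
	RecoveryDEK []byte // the DEK wrapped under the recovery key (this example's assumption, see lead-in)
}
func deriveKEK(password, salt []byte) []byte { // one 32-byte block of PBKDF2-HMAC-SHA256: a stdlib-only, not memory-hard stand-in for Argon2id
	mac := hmac.New(sha256.New, password)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil); out := append([]byte(nil), u...)
	for i := 1; i < 20000; i++ { // illustrative count; the README's real setting is Argon2id, 8 MiB, 4 iterations
		mac.Reset(); mac.Write(u); u = mac.Sum(nil)
		for j := range out { out[j] ^= u[j] }
	}
	return out
}
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g } // keys are always 32 bytes here
func seal(kek, key []byte) []byte { // AES-256-GCM key wrap; blob = nonce || ciphertext || tag
	nonce := make([]byte, 12); if _, err := rand.Read(nonce); err != nil { panic(err) }
	return gcm(kek).Seal(nonce, nonce, key, nil)
}
func open(kek, blob []byte) ([]byte, error) { // fails closed on a wrong key or a tampered blob
	if len(blob) < 12 { return nil, fmt.Errorf("wrapped key too short") }
	return gcm(kek).Open(nil, blob[:12], blob[12:], nil)
}
func NewAccount(username string, password []byte) (*Account, []byte) { // returns the recovery key for the user to keep offline; it is never stored
	salt, dek, rk := make([]byte, 64), make([]byte, 32), make([]byte, 32)
	for _, b := range [][]byte{salt, dek, rk} { if _, err := rand.Read(b); err != nil { panic(err) } }
	return &Account{username, salt, seal(deriveKEK(password, salt), dek), seal(rk, dek)}, rk
}
// Unlock is login: a wrong password yields a GCM authentication error, never a garbage key.
func Unlock(a *Account, password []byte) ([]byte, error) { return open(deriveKEK(password, a.Salt), a.WrappedDEK) }
func ResetPassword(a *Account, recoveryKey, newPassword []byte) error { // offline reset: recovery key alone yields the DEK, re-wrapped under a fresh salt and the new password
	dek, err := open(recoveryKey, a.RecoveryDEK); if err != nil { return err }
	if _, err := rand.Read(a.Salt); err != nil { return err }
	a.WrappedDEK = seal(deriveKEK(newPassword, a.Salt), dek); return nil
}
func main() { // smoke run: create an account, reject a wrong password, then reset via the recovery key
	a, rk := NewAccount("alice", []byte("old pw")); _, bad := Unlock(a, []byte("wrong pw"))
	fmt.Println("wrong password rejected:", bad != nil, "reset ok:", ResetPassword(a, rk, []byte("new pw")) == nil)
}
```

Zeroing the returned DEK after use is the caller's job, which is the "logout = zero the returned SecureData" rule in the design philosophy.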
Types
AccountData
public class AccountData
{
    public string Username { get; set; }
    public PasswordCheckData Password { get; set; }   // Argon2id hash
    public string DataEncryptionKey { get; set; }     // Encrypted under password
    public string RecoveryDataKey { get; set; }       // Encrypted under old DataEncryptionKey
}