Angga.

VIA

Software Developer II

Nov 2024 — Present

Post-quantum passwordless identity platform

VIA's core authentication platform — passwordless, credential-based identity built on W3C verifiable credentials, WalletConnect, and post-quantum cryptography, used across VIA's products.

Identity & auth · Post-quantum crypto · WalletConnect · Verifiable credentials
Registration: the browser pairs with the VIA Wallet over WalletConnect, and a verifiable credential is issued to the wallet.

The project

VIA builds decentralized data protection for government, defense, and critical-infrastructure customers — the principle of protecting data independently of the systems that store and move it. I work on the horizontal platform team that builds the core authentication technologies the rest of VIA's products depend on.

The platform replaces passwords with verifiable credentials held in the user's own wallet. Registration issues a W3C Verifiable Credential (VC) to the wallet; login verifies a Verifiable Presentation (VP) the wallet returns. Both run over a real-time WalletConnect v2 channel established by scanning a QR code, with identity anchored on Decentralized Identifiers (DIDs).

The cryptography is designed for the post-quantum era: a hybrid model pairs classical algorithms with the NIST-standardized post-quantum schemes (CRYSTALS-Dilithium, standardized as ML-DSA in FIPS 204, for signatures; CRYSTALS-Kyber, standardized as ML-KEM in FIPS 203, for key encapsulation). A credential or session therefore stays secure unless an attacker can break both the classical and the post-quantum component, which covers a future quantum adversary running Shor's algorithm against the classical one.

What I shipped

  • Built the browser-side registration (credential issuance) and login (presentation verification) flows, coordinating a real-time WalletConnect v2 session between the web app and the VIA Wallet via QR pairing.
  • Implemented a WebAuthn / FIDO2-style credential-creation path for post-quantum-capable wallets, with a clean fallback to the legacy path for older wallets — capability is negotiated at session approval.
  • Wired encrypted credential delivery: credentials are AES-GCM encrypted under a key derived from a user-entered PIN (PBKDF2), so the credential is never transmitted in the clear.
  • Integrated the flows with Keycloak as the identity provider and connected Okta for enterprise single sign-on.
  • Built the real-time login channel with Server-Sent Events, so the browser is notified the instant the backend verifies the presentation — no polling.
  • Worked across the Istio / Envoy service-mesh boundary between the web front-end, the authentication backend, the credential-issuer backend, and the wallet.

How it works

Registration — issuing a Verifiable Credential

Login — verifying a Verifiable Presentation

Challenges worth talking about

Going post-quantum without a flag-day migration

Not every wallet supports post-quantum keys. Wallets advertise multi-key (PQ-safe) capability at session approval; the flow takes the post-quantum path when it is available and falls back cleanly to the classical path otherwise. That let the platform adopt PQC incrementally instead of forcing every client to upgrade at once. The trade-off is that the classical path stays reachable until the last legacy wallet is retired, so the fallback rate is worth tracking as a migration metric.

Delivering a secret credential over an untrusted relay

The credential has to reach the wallet through a public relay. It is encrypted with AES-GCM under a key derived (PBKDF2) from a randomly generated PIN; the PIN is shown out-of-band on the browser screen, and the user types it into the wallet to decrypt. The relay only ever sees ciphertext, and because GCM authenticates what it encrypts, a wrong PIN or a modified message is rejected rather than decrypted to garbage. The caveat with any PIN-derived key is that whoever holds the ciphertext can guess PINs offline, so the protection rests on the PIN's length and the PBKDF2 work factor. That is why the PIN is generated randomly rather than chosen by the user, and why it should serve for one delivery only.

Coordinating three parties across two devices in real time

Browser, wallet, and backend are three actors split across a laptop and a phone. I used WalletConnect for the browser-to-wallet channel and Server-Sent Events for the backend-to-browser channel, so login completes the moment the backend validates the presentation — with no polling and no refresh.

An identity model that survives the quantum transition

Anchoring authentication on DIDs and verifiable credentials rather than shared secrets, and signing with post-quantum algorithms alongside the classical ones, means the trust model no longer rests solely on the math (RSA / ECC) that a quantum computer would break. In the hybrid model an attacker has to defeat both signatures, and the classical component can be retired later without changing the identity model.

Stack

Identity & auth

  • Keycloak
  • Okta SSO
  • WebAuthn / FIDO2
  • W3C Verifiable Credentials & Presentations
  • DIDs

Cryptography

  • Post-quantum (NIST ML-DSA / CRYSTALS-Dilithium, ML-KEM / CRYSTALS-Kyber)
  • AES-GCM
  • PBKDF2
  • Hybrid classical + PQ

Connectivity

  • WalletConnect v2
  • Server-Sent Events

Platform & mesh

  • Istio / Envoy
  • Authentication backend
  • Credential-issuer backend

Mobile

  • VIA Wallet (WalletConnect)

Outcomes

  • Delivered the high-fidelity MVP that served as the technical proof-of-concept behind a major funding round.
  • Replaced passwords with credential-based, passwordless authentication (FIDO2 / WebAuthn + DIDs), cutting onboarding drop-off and eliminating credential-stuffing risk.
  • Made the authentication stack quantum-resistant by integrating NIST-standardized post-quantum cryptography in a hybrid model.
  • Cut SDK maintenance overhead (~80%, ~12 engineering hours/week) by consolidating five UI variants into a unified parent-theme architecture.