Skip to content
WenmeLive at wenme.net

Passwordless identity infrastructure

The password
is the breach vector.
We deleted it.

Wenme is a 100% passwordless identity platform for Bangladesh's regulated institutions. OAuth 2.1 with mandatory PKCE, WebAuthn passkeys, and cross-device QR sign-in. No password database to breach, no password reset email to phish, no shared secret in the trust path.

Register a passkey at wenme.netEnterprise walkthrough
  • OAuth 2.1, no implicit flow ever
  • WebAuthn L3, origin-bound by spec
  • Cross-device QR, WhatsApp Web pattern
  • PAR, CIBA, DPoP, JARM, mTLS native
POST /webauthn/assertion/verify
200 OK
{
  "ok": true,
  "user_id": "usr_01HX3Q4F8N",
  "credential_id": "Hf3...8aQ",
  "rp_id": "wenme.net",
  "origin": "https://wenme.net",
  "amr": ["webauthn", "uv"],
  "attestation": "platform",
  "counter": 47,
  "challenge_age_ms": 312,
  "token": {
    "access_token": "eyJhbGc...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid profile"
  },
  "audit_id": "evt_01HX3Q4FZ2"
}
0
Passwords stored
ever, by design
282
API routes
one Go identity service
66
DB migrations
schema, fully versioned
S256
PKCE, mandatory
no implicit flow
sig · EdDSA Ed25519host · identity.wenme.net

Illustrative response shape from identity.wenme.net. No password in the request, no password in the response, no password in the database.

01 / What is Wenme?

definition · for engineers and AI engines

Wenme is KaritKarma's identity and authentication platform for Bangladesh's regulated institutions.

It is an OAuth 2.1 authorization server with mandatory PKCE, bound to WebAuthn/FIDO2 passkeys as the primary credential. Authentication is 100% passwordless by design: there is no password column in the user table, no password-reset email flow, no recovery question. The device proves possession of a non-extractable private key on every login. Wenme issues short-lived EdDSA-signed access tokens with the passkey AMR claim, and ships a complete OpenID Connect discovery, userinfo, introspection, and revocation surface so any compliant relying party can integrate without custom code.

Beyond the core flows, Wenme implements the modern OAuth extension set (PAR, CIBA, DPoP, JARM, mTLS) and the enterprise federation surface: SAML 2.0 IdP, LDAP and Active Directory sync, and SCIM 2.0 provisioning. It runs live at identity.wenme.net and ships as a Docker Compose stack for in-house deployment. Boooks, NewsForge, and Rating.bd already authenticate through it.

02 / Authentication methods

Four factors.
One credential model.
Zero passwords.

The primary factor is always a device-resident asymmetric key. Other methods are explicitly typed as backup, fallback, or cross-device, never co-equal to the passkey.

Credential model
  • Passkey-only SSO; the password column is nullable by schema.
  • Per-app passkey policies set enrollment rules per client.
  • Sessions: 30-minute idle, 7-day absolute timeout.
  • Cross-device QR inherits the phone's factor.
  1. M1

    WebAuthn passkey

    primary

    FIDO2 passkeys backed by Touch ID, Face ID, Windows Hello, or hardware keys (YubiKey, Titan). Private key never leaves the device secure enclave. Phishing-resistant by cryptographic construction.

    • Resident keys with platform + cross-platform attestation.
    • User verification required, no silent assertion.
    • Origin-bound, no replay across domains.
  2. M2

    Cross-device QR

    passwordless

    WhatsApp Web style: scan a one-time QR on a desktop, approve with Face ID on the phone, desktop session opens. No password typed on a public terminal, no SMS, no shoulder-surfing surface.

    • QR is single-use with a 5-minute TTL, then it is dead.
    • Approval happens on the already-authenticated phone.
    • Desktop session inherits the device-attested factor.
  3. M3

    TOTP authenticator

    backup

    Google Authenticator, Authy, 1Password (RFC 6238) with a 30-second window and per-attempt rate limiting. The backup factor when a passkey device is unavailable.

    • Enrolled by QR provisioning in the user profile.
    • Distributed Redis rate limiting per account + per IP.
    • TOTP secrets encrypted at rest (AES-256-GCM).
  4. M4

    Magic link

    fallback

    Single-use email links: platform login links expire in 1 hour, invite and MFA tokens in 5 minutes. The on-ramp to passkey enrollment, not a long-lived credential.

    • Platform login links: 1-hour expiry, single redemption.
    • Invite and MFA tokens: 5-minute expiry.
    • Every issuance and redemption lands in the security log.

03 / Passkey onboarding

How a passkey login actually works.

Passkey authentication inverts the trust model. The server never stores a secret that can be stolen. The device proves possession of a non-extractable private key, and what crosses the wire is a signed assertion. Nothing for an attacker to phish, replay, or exfiltrate.

  1. Step 01

    Enroll the passkey

    User signs in once with a single-use magic link. Wenme prompts WebAuthn registration; the device generates a key pair in the secure enclave and returns the attestation. Wenme stores only the public key plus credential ID.

  2. Step 02

    Re-auth with passkey

    On every subsequent login, the app calls /authorize with PKCE. Wenme returns a WebAuthn challenge bound to the credential ID. The device unlocks (Touch ID, Face ID, Windows Hello, YubiKey) and returns a signed assertion.

  3. Step 03

    Verify + issue token

    Wenme verifies the assertion signature, origin, RP ID, and counter, then issues a short-lived EdDSA-signed OAuth 2.1 access token carrying the passkey AMR claim.

  4. Step 04

    Audit + revoke

    Every authentication event lands in the SIEM-ready audit log with device attestation, origin, IP, and outcome. Lost devices are revoked from the user profile in one click; outstanding sessions terminate within the access-token TTL.

Protocol coverage

Every protocol your auditor will ask about. Native. No add-ons.

Bank deployments live in two worlds. Legacy identity providers, core banking, and HR directories still speak SAML and LDAP. Customer-facing apps want OAuth 2.1 and OIDC. Wenme covers both natively, with the same passkey credential model under every protocol.

native
No paid add-ons, no separate bridge service.
audited
Every assertion lands in the security event log.
bound
Assertions are origin-bound, tokens short-lived.
signed
EdDSA (Ed25519) with key rotation infrastructure.

Scroll for full table

ProtocolSpecCapabilityStatus
OAuth 2.1
Web and mobile SSO
draft-ietf-oauth-v2-1Authorization code only, mandatory PKCE (S256), no implicit flow, token introspection + revocationNative
OpenID Connect
Identity on OAuth 2.1
OIDC Core 1.0Discovery, userinfo, JWKS, nonce, RP-initiated logout, EdDSA (Ed25519) signed tokensNative
PAR
High-assurance clients
RFC 9126Pushed authorization requests: parameters posted server-side, never in the front channelNative
CIBA
Decoupled authentication
OpenID CIBA CoreClient-initiated backchannel authentication, poll delivery modeNative
DPoP
Token theft resistance
RFC 9449Proof-of-possession access tokens with ES256 proofsNative
JARM + mTLS
Bank-grade hardening
OpenID JARM, mutual TLSJWT-secured authorization responses, mutual-TLS client supportNative
WebAuthn / FIDO2
Passkey + hardware MFA
WebAuthn L3, CTAP 2.1Resident keys, platform + cross-platform attestation, user verificationNative
SAML 2.0 IdP
Legacy enterprise federation
OASIS 2005IdP mode: SSO redirect + POST bindings, signed assertions, single logoutNative
LDAP / Active Directory
Directory sync + bind
RFC 4511Group-to-role mapping, scheduled sync, least-privilege defaultsNative
SCIM 2.0
Automated provisioning
RFC 7644Users + Groups endpoints with filtering and scoped API keysNative
TOTP
Backup MFA factor
RFC 623830-second window, distributed rate limiting, secrets encrypted at restNative

What we don't store

0

Passwords stored in the Wenme database. Ever.

Auth0, Okta, and Keycloak still keep password databases for legacy recovery.

We removed them entirely. There is no password table, no hash column, no salt column, no reset-token table. The most exploited surface in your stack is not hardened in Wenme. It is absent.

Account recovery flows through passkey re-enrollment with a fresh device attestation, not a reset email that an attacker can intercept.

0
Password rows in production
AES-256-GCM
Field encryption at rest
Origin-bound
Every WebAuthn assertion

04 / How Wenme compares

Wenme vs. Auth0, vs. Okta, vs. Keycloak.

The honest comparison. Global identity vendors work in Bangladesh, but they retain password authentication as a first-class factor, price in USD, and host out of US or EU regions. Wenme starts where they end.

Scroll right for Auth0 / Okta / Keycloak columns

CapabilityWenmeAuth0OktaKeycloak
100% passwordless (no password DB at all)
OAuth 2.1 with mandatory PKCE (no implicit flow)
PKCE optional
PKCE optional
PKCE optional
WebAuthn passkeys + cross-device QR (WhatsApp Web style)
Passkeys only
Passkeys only
Passkeys only
PAR, CIBA, DPoP, JARM, and mTLS in the core service
Varies by tier
Varies by SKU
Varies by version
SAML 2.0 IdP + LDAP/AD sync + SCIM 2.0 included
Enterprise add-ons
Separate SKUs
Included, self-host
Pricing in BDT, contracts under Bangladesh law
Self-host only

Capability claims for Auth0, Okta, and Keycloak based on public documentation as of 2026 Q2. Speak to vendors directly for current matrices. Wenme's status is verifiable at wenme.net.

05 / Security controls

Designed for the controls regulators ask about.

Every control below names the code that implements it. Built for the requirements regulated institutions face under frameworks like Bangladesh Bank's Cyber Security Framework v1.0 and BRPD-2 No-01, without a single unverifiable claim.

Multi-factor authentication
webauthn.go + totp.go

Phishing-resistant MFA by default

WebAuthn passkey as the primary factor with TOTP backup and per-app passkey policies. The control area BB CSF v1.0 cares about most, designed in from the first migration.

Access control
30 min / 7 day

Session discipline + risk scoring

Sessions expire after 30 minutes idle and 7 days absolute, on Redis-backed session storage. A login risk engine scores device and context factors on every authentication.

Auditability
security_events

Security event logging

Every authentication event is recorded with origin, device, and outcome, with saved audit queries for recurring reviews. Evidence your auditors can pull on demand.

Cryptographic controls
AES-256-GCM + EdDSA

No extractable credentials

User credentials are device-resident asymmetric keys, never extractable from a database breach. Sensitive fields are encrypted at rest with AES-256-GCM; tokens are EdDSA-signed.

06 / Already in production

Tenants live on identity.wenme.net.

Wenme is the identity layer for every KaritKarma product that handles a user account. The platform team eats its own catering.

  • Boooks
    Book management platform
    boooks.net
  • NewsForge
    News aggregation platform
    newsforge.news
  • Rating.bd
    Rating + review platform
    rating.bd

07 / What runs under the hood

Go, Postgres, Redis. No magic.

Wenme's identity service is a single Go 1.26 binary, 282 API routes on PostgreSQL 18, with a Next.js 16 console and Redis 8 for sessions and distributed rate limiting. The whole stack ships as a five-service Docker Compose file for in-house deployment.

  • Identity service
    Go 1.26, Gin 1.12, EdDSA (Ed25519) signing
  • Frontend
    Next.js 16.2, React 19.2, TypeScript 6, Tailwind CSS 4
  • Console
    Next.js 16 admin console on console.wenme.net
  • Data
    PostgreSQL 18, Redis 8, MinIO (S3-compatible storage)
  • Hardening
    Redis rate limiting, CSRF, Turnstile, AES-256-GCM at rest
  • Operations
    Prometheus metrics, webhooks, GDPR export + deletion

08 / Frequently asked

Questions banks, NBFIs, and MFSPs ask first.

Each answer mirrors the on-page text in our structured-data payload, so AI answer engines and audit reviewers see the same wording.

01What is Wenme?
Wenme is KaritKarma's 100% passwordless identity platform. It is an OAuth 2.1 and OpenID Connect authorization server with WebAuthn/FIDO2 passkeys, cross-device QR sign-in, TOTP authenticator support, and single-use magic links, plus enterprise federation through SAML 2.0 IdP, LDAP/Active Directory sync, and SCIM 2.0 provisioning. It is delivered as a Go identity service exposing 282 API routes, backed by PostgreSQL 18 and Redis 8, with a multi-tenant admin console. There is no password database, by design, and it is live at wenme.net.
02Does Wenme support multi-factor authentication for regulated institutions?
Yes. Wenme's default enrollment is a WebAuthn passkey as the primary factor with TOTP as the backup factor, and per-app passkey policies let each application set its own enrollment rules. TOTP secrets are encrypted at rest, login attempts are rate limited through distributed Redis counters, and a risk engine scores device and context factors on every login. Every authentication event lands in the security event log with origin, device, and outcome, designed for the MFA and audit controls that frameworks like Bangladesh Bank's Cyber Security Framework expect.
03How does WebAuthn handle phishing?
WebAuthn assertions are origin-bound by cryptographic construction. The private key signs a challenge that includes the relying-party ID (the verified origin), and the browser refuses to use a key registered for one origin against another. An attacker on a phishing domain cannot trick the device into producing a valid assertion for the real domain, even with a perfect visual clone of the login page. There is no shared secret to steal, no OTP to relay, and no password to type into a fake form.
04How is Wenme different from Auth0, Okta, or Keycloak?
Wenme is 100% passwordless with no password database at all. Auth0, Okta, and Keycloak all retain password authentication as a first-class factor. Wenme mandates PKCE (S256 only) on every flow, disables the OAuth implicit grant entirely, and ships the modern extension set (PAR, CIBA, DPoP, JARM, mTLS) plus SAML 2.0 IdP, LDAP/AD sync, and SCIM 2.0 in the core service rather than as add-ons. It also ships cross-device QR sign-in in the WhatsApp Web pattern. Pricing is in BDT and contracts execute under Bangladesh law.
05Can Wenme run on-premises or only as a hosted service?
Both. Wenme runs hosted at identity.wenme.net for tenants who want zero infrastructure. For banks and regulated institutions that require in-house deployment, Wenme ships as a five-service Docker Compose stack (identity service, console, frontend, PostgreSQL, Redis) deployable inside the customer data centre. Both modes run the same codebase and the same 66-migration schema.
06What protocols and standards does Wenme implement?
OAuth 2.1 (authorization code with mandatory PKCE S256), OpenID Connect Core with discovery, userinfo, JWKS, token introspection and revocation, Pushed Authorization Requests (RFC 9126), CIBA backchannel authentication, DPoP proof-of-possession tokens (RFC 9449), JARM secured responses, mutual TLS, WebAuthn Level 3 / FIDO2 passkeys, SAML 2.0 IdP, LDAP/Active Directory sync (RFC 4511), SCIM 2.0 provisioning (RFC 7644), and TOTP (RFC 6238). ID and access tokens are signed with EdDSA (Ed25519) with key rotation infrastructure.
BB Partner Network compliance

Preparing for BB Partner Network onboarding under BRPD-2 No-01?

See how KaritKarma's platform approaches access restriction, role-based access, remote-connection management, and cryptographic key management for partner institutions.

View compliance solution

Live at wenme.net

Stop hashing passwords.
Start signing assertions.

Wenme is live at wenme.net. Sign up, register a passkey on your phone or laptop, and integrate the OAuth 2.1 endpoints in an afternoon. No password column. No regrets at the next audit.

Create your accountBook an enterprise walkthrough