
Device Management

Introduction

Devices are third-party software or applications that register as storage and authentication components on behalf of a user. Each device operates as an independent profile within Privicore, maintaining its own cryptographic identity and participating in the multi-layer encryption architecture.

What Are Devices?

A Device is an external software application registered under a user's profile that:
• Runs independently outside the Privicore environment (desktop, mobile, server, etc.)
• Has its own profile with unique username, password, and public/private key pair
• Can function as Storage, Authenticator, or both
• Requires public key registration to receive encrypted communications from Privicore

Device Types

Devices register for specific roles within the Privicore ecosystem. A single device can serve multiple roles simultaneously.

Storage Device

A Storage Device receives and stores encrypted data associated with data tokens. When an application exchanges data for a token:
1. Privicore encrypts the data with its own key
2. Privicore routes the encrypted data to all registered Storage devices under the user's profile
3. Each Storage device encrypts the data again with its own key and stores it locally

Storage devices participate in data retrieval by:
1. Receiving data requests from Privicore
2. Decrypting locally stored data with their private key
3. Sending decrypted data back to Privicore for further decryption

Use Cases:
• Distributed data storage across multiple devices
• Offline data access on local devices
• Data redundancy without centralized coordination
• Device-specific data isolation

Authenticator Device

An Authenticator Device participates in voting and approval workflows triggered by policy-based decisions within Privicore. Authenticators enable interactive authorization for asynchronous operations.

Voting Mechanism

Privicore operations are asynchronous and can be interrupted by voting mechanisms triggered by policies. When a policy determines that an operation requires approval:
1. Poll Creation: The system creates a poll for the operation
2. Ballot Distribution: Ballots are sent to registered Authenticator devices
3. User Response: The user or automated software responds to the ballot with approval (yes) or rejection (no)
4. Poll Resolution: Once ballots are collected, the poll is resolved according to the configured strategy

Voting Strategies

Polls can use different resolution strategies:
• Unanimous: All authenticators must approve
• Majority: More than 50% must approve
• Single approval: At least one authenticator must approve
• Threshold: A specific number or percentage must approve
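
The four resolution strategies above, written out as an added example; this is not Privicore's own code or API. The function names, strategy strings and threshold format are hypothetical, and two behaviours are assumptions the page does not specify: authenticators that never answer count as non-approval, and only the first ballot per polled device is counted.

```python
# Constructed sample poll: four authenticators were sent a ballot.
REGISTERED = ["phone", "laptop", "server", "tablet"]
# Constructed ballots in arrival order; "server" and "tablet" never answer,
# "phone" votes twice, and "old-phone" is not part of this poll.
BALLOTS = [("phone", "yes"), ("laptop", "yes"),
           ("phone", "no"), ("old-phone", "yes")]


def count_approvals(registered, ballots):
    """Count 'yes' votes, one per device that was actually sent a ballot."""
    eligible, seen, approvals = set(registered), set(), 0
    for device_id, vote in ballots:
        # Drop ballots from devices outside the poll and repeat ballots,
        # so a removed device or a replayed response cannot change the count.
        if device_id not in eligible or device_id in seen:
            continue
        seen.add(device_id)
        approvals += (vote == "yes")
    return approvals


def resolve_poll(strategy, registered, ballots, threshold=None):
    """Return True if the poll passes under the named strategy.

    threshold is only used by 'threshold': ("count", n) or ("percent", p).
    """
    total = len(set(registered))
    if total == 0:
        return False  # assumption: no authenticators, nothing is approved
    # Assumption: devices that never answer count as non-approval (fail closed).
    approvals = count_approvals(registered, ballots)
    if strategy == "unanimous":
        return approvals == total
    if strategy == "majority":
        return 2 * approvals > total  # strictly more than 50%
    if strategy == "single":
        return approvals >= 1
    if strategy == "threshold":
        kind, value = threshold
        # Integer ceiling for percentages avoids float rounding at the boundary.
        needed = value if kind == "count" else -(-value * total // 100)
        if not 1 <= needed <= total:
            raise ValueError("threshold outside 1..number of authenticators")
        return approvals >= needed
    raise ValueError(f"unknown strategy: {strategy!r}")
```

With the sample data, two of four authenticators approve: exactly 50% does not satisfy Majority, while Single approval and a 50% Threshold both pass.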

Authentication Use Case Example

Authenticator devices can function as a second authentication factor. For example:

Login Flow with Authenticator:
1. User attempts to log in
2. Policy triggers based on user profile
3. System identifies user's registered Authenticator devices
4. Ballot is sent to Authenticator devices: "Approve login from [location] at [time]?"
5. User confirms on their phone (Authenticator device)
6. Login proceeds after confirmation

Other Use Cases:
• Multi-factor authentication workflows
• Transaction approval for sensitive operations
• Administrative action confirmation
• Time-sensitive authorization requests
• Automated approval based on device-specific rules

Device Profile Requirements

For Privicore to communicate with a device, the device must:
1. Register as a device under a user's profile
2. Have its own profile with username and password
3. Generate and register a public key for encrypted communication
4. Specify device type (Storage, Authenticator, or both)
5. Be approved by the user (device registration requires approval)

Without a registered public key, Privicore cannot encrypt communications for the device, preventing it from participating in storage or authentication workflows.

Device Lifecycle

Device Requests Registration → Unique Identifier Issued
         ↓
Device Registers Public Key → Profile Activated
         ↓
Device Specifies Type (Storage/Authenticator/Both)
         ↓
User Approves Device → Device Becomes Active
         ↓
[Storage Path]              [Authenticator Path]
Device Receives Data   |    Device Receives Ballots
Stores Encrypted Data  |    User Responds to Polls
Provides Data on Request|   Participates in Voting
         ↓
Device Removed (optional) → Access Revoked

Multi-Layer Encryption with Storage Devices

Storage devices participate in the encryption chain:

Application encrypts data
    ↓
Privicore encrypts data
    ↓
Storage Device encrypts data → Stored locally

When data is retrieved:

Storage Device decrypts data
    ↓
Privicore decrypts data
    ↓
Application decrypts data → Original plaintext

Each layer requires the corresponding actor's private key, ensuring that no single party can independently decrypt the data.

Device Management Features

Device Configuration

• Configure Metadata: Set device name, description, and type (Storage/Authenticator/Both)
• Retrieve Configuration: View device settings and capabilities
• Update Settings: Modify device metadata and operational parameters

Device Approval Workflow

• Approve Device: Activate a pending device registration
• Reject Device: Deny a device registration request
• Retrieve Devices: List all devices (pending and active) for the profile

Device Removal

• Remove Device: Deactivate and unregister a device from the profile
• Removal prevents Storage devices from receiving new data
• Removal prevents Authenticator devices from receiving new ballots
• Existing data on Storage devices remains encrypted but inaccessible without the full decryption chain

Security Considerations

• Each device has its own profile and cryptographic identity
• Devices must be approved before participating in storage or authentication workflows
• Device public keys are required for Privicore to send encrypted communications
• Removing a device revokes its ability to participate in future operations
• Storage devices can operate offline and sync when connectivity is available
• Authenticator devices require connectivity to receive and respond to ballots
• Multiple Storage devices under one profile receive identical encrypted data for redundancy

Use Cases

Multi-Device Data Access (Storage)

A user registers multiple Storage devices (laptop, phone, server) to access data from different locations. Each device receives encrypted data independently.

Distributed Storage

Data is automatically distributed to all registered Storage devices, providing redundancy without centralized coordination.

Offline Operation (Storage)

Storage devices store encrypted data locally and can operate without continuous connection to Privicore. Data requests are fulfilled when devices come online.

Multi-Factor Authentication (Authenticator)

A user configures their phone as an Authenticator device. Critical operations require approval via a ballot sent to the phone before proceeding.

Automated Approval Workflows (Authenticator)

Automated Authenticator devices respond to ballots based on predefined rules, enabling policy-driven approval without manual intervention.

Hybrid Devices (Storage + Authenticator)

A single device functions as both Storage and Authenticator, storing encrypted data while also participating in voting workflows for authorization decisions.
Modified at 2025-12-24 12:22:00