docs: explain zero-knowledge architecture and no user authentication

teycir · teycir · commit b8986c0d7e4f · 2025-12-22T18:14:42.000+01:00
- Added FAQ entry in README.md clarifying why authentication is absent by design
- Added "Zero-Knowledge Architecture" section to security page explaining cryptography-only security
- Enhances user understanding of security model to build trust and reduce concerns
diff --git a/README.md b/README.md
@@ -178,6 +178,9 @@ sequenceDiagram
 ### "Can I bypass rate limits by rotating IPs or using VPNs?"
 **⚠️ HARDER.** Rate limiting uses browser fingerprinting (IP + User-Agent + Language), making simple IP rotation ineffective. You'd need to change your entire browser signature.
 
+### "Why is there no user authentication?"
+**✅ BY DESIGN.** Authentication adds attack vectors (credential theft, phishing, password breaches, session hijacking). TimeSeal uses cryptography-only security: possession of the vault link (Key A) is the authentication. No passwords to steal, no accounts to hack.
+
 ### "Can I replay old API requests to trick the server?"
 **❌ NO.** Pulse tokens include nonces and timestamps. Replay attacks are detected and rejected.
 
diff --git a/app/security/page.tsx b/app/security/page.tsx
@@ -71,6 +71,10 @@ export default function SecurityPage() {
             <ShieldCheck className="w-6 h-6" /> Security Guarantees
           </h2>
           <div className="space-y-4 text-neon-green/60 text-sm">
+            <div>
+              <p className="text-neon-green font-bold mb-2 flex items-center gap-2"><CheckCircle2 className="w-4 h-4" /> Zero-Knowledge Architecture</p>
+              <p>No user accounts, no passwords, no authentication. Security is enforced through cryptography alone. This eliminates credential theft, phishing, and password database breaches.</p>
+            </div>
             <div>
               <p className="text-neon-green font-bold mb-2 flex items-center gap-2"><CheckCircle2 className="w-4 h-4" /> Time-Lock Enforcement</p>
               <p>The server will not release Key B before the unlock time. Server-side validation using Date.now() prevents client-side time manipulation.</p>
