Back to Documentation
Security

Security Architecture

Understanding ECURTIY's multi-layer approach to human verification.

Defense in Depth

ECURTIY uses six layers of security that work together to distinguish humans from bots with high accuracy. Each layer contributes signals to the risk scoring system, providing robust protection without frustrating legitimate users.

Proof of Work
Behavioral Analysis
Fingerprinting
Risk Scoring
Rate Limiting
Token Security

Security Layers

Proof of Work (PoW)

Computational challenge that's trivial for single users but costly for attackers at scale.

How It Works

The widget receives a random prefix and difficulty level. It must find a nonce where SHA256(prefix + nonce) starts with N zero bits. Legitimate users solve this in ~2 seconds, while attackers need significant compute resources to spam.

Key Features

  • SHA-256 hashing algorithm
  • Adjustable difficulty (14-18 bits)
  • Web Worker computation (non-blocking)
  • ~100k hashes/second in browser
  • Challenge TTL: 5 minutes

Behavioral Analysis

Real-time analysis of user interaction patterns to detect bot-like behavior.

How It Works

The widget tracks how users interact with the page—mouse movements, clicks, timing. Bots typically show unnatural patterns: perfectly linear movements, instant clicks, or no interaction at all. This data contributes to the risk score.

Key Features

  • Mouse movement tracking
  • Entropy calculation
  • Interaction counting (clicks, keys)
  • Session duration monitoring
  • Velocity analysis

Browser Fingerprinting

Device identification using browser characteristics, hashed client-side for privacy.

How It Works

The widget collects browser/device characteristics and creates a SHA-256 hash locally before transmission. This identifies devices without collecting personal data. Inconsistent fingerprints across requests raise the risk score.

Key Features

  • Screen resolution & color depth
  • Timezone and language
  • Platform and plugins
  • Canvas fingerprint
  • WebGL vendor/renderer

Risk Scoring

Intelligent scoring system that combines all signals into a single 0-1 score.

How It Works

All security signals feed into a risk score. Suspiciously fast solves, missing fingerprints, abnormal behavior—each adds to the score. Verification fails if score ≥ 0.7. You can also use the score for additional verification steps.

Key Features

  • Score range: 0.0 to 1.0
  • Threshold: Fails at ≥0.7
  • Very fast solve: +0.3
  • Fast solve: +0.1
  • Missing fingerprint: +0.2

Rate Limiting

Per-endpoint request throttling to prevent abuse and DDoS attacks.

How It Works

Each endpoint has rate limits that prevent excessive requests from single IPs. This stops brute force attacks, credential stuffing, and general abuse without affecting legitimate users.

Key Features

  • IP-based tracking
  • Per-endpoint limits
  • Automatic cleanup
  • Configurable windows
  • Timing-safe comparison

Token Security

One-time tokens with cryptographic signing and short expiration.

How It Works

Verification tokens are cryptographically signed and can only be used once. They expire after 5 minutes. Validation requires your secret key, which should never be exposed to clients.

Key Features

  • HMAC-SHA256 signing
  • Single-use validation
  • 5-minute expiration
  • Server-side verification
  • Secret key isolation

PoW Difficulty Levels

LevelBitsEst. TimeUse Case
Easy14 bits~0.5sLow-risk forms, newsletters
Medium16 bits~2sStandard forms, comments
Hard18 bits~8sHigh-value actions, payments
Adaptive15-18 bits~1-8sRisk-based adjustment

Risk Score Components

The risk score (0.0 to 1.0) is calculated from multiple signals:

Very Fast Solve
+0.30

Solving faster than 10% of expected time suggests automation.

Fast Solve
+0.10

Solving faster than 50% of expected time is slightly suspicious.

Missing Fingerprint
+0.20

No browser fingerprint suggests headless browser or tampering.

Low Mouse Entropy
+0.15

Minimal or robotic mouse movement patterns.

Threshold

Verification fails if the total risk score reaches 0.7 or higher. You can implement additional verification for scores between 0.5-0.7.

Privacy by Design

Security shouldn't come at the cost of privacy. ECURTIY is designed with privacy at its core:

No Personal Data

We don't collect names, emails, or any PII from end users.

Client-Side Hashing

Fingerprints are hashed locally before transmission. Irreversible.

No Tracking Cookies

No cookies are set on end-user browsers.

Cloud Hosted

Secure, managed infrastructure with enterprise-grade protection.

Data Handling

What We Store

  • • Hashed browser fingerprint (irreversible)
  • • IP address (for rate limiting)
  • • User agent string
  • • Verification metadata (solve time, risk score)

What We Don't Store

  • • Personal information (names, emails)
  • • Raw fingerprint data
  • • Form submission content
  • • Tracking identifiers

Retention

  • • Challenges: 5 minutes
  • • Tokens: 5 minutes
  • • Verification logs: 30 days
IntegrationFAQ