Inspiration

Passwords were invented in 1961. Older than hip hop, older than the internet, older than most of our parents — and we're still using them to protect our bank accounts. Wild.

The problem isn't just that they get stolen. It's that they're binary. Type it right, you're in. Fully trusted. Forever. The system doesn't care if someone else sits down at your laptop five minutes later — it already said yes.

That's like a bouncer checking your ID and then going home for the night.

That's what inspired Authless. Not just stronger passwords — a fundamentally different approach to authentication altogether.

What It Does

Authless replaces the password with something you can't fake — your patterns.

Four signals run quietly in the background: how you type, where your devices are, your environment, and your session behavior. Together they form a live trust score that keeps confirming it's you — not just at login, but the whole time you're working.

$$\text{Trust Score} = w_1(B) + w_2(D) + w_3(E) + w_4(S)$$

Where $B$ = behavioral patterns, $D$ = device proximity, $E$ = environment context, $S$ = session behavior, and $w_1 + w_2 + w_3 + w_4 = 1$.

Something feels off? We don't lock you out. We just tap you on the shoulder.

How We Built It

We built Authless using React on the frontend, Node.js on the backend, and MongoDB to store behavioral profiles. Frontend is hosted on Vercel, backend on DigitalOcean.

The frontend captures behavioral signals in real time — keystrokes, timing, patterns — and sends them continuously to the backend through WebSockets. Node.js processes those signals, updates the trust score, and fires alerts when something shifts. MongoDB stores each user's evolving behavioral baseline so the model gets smarter over time.

No passwords stored. No sensitive data exposed. Just patterns.

Challenges We Ran Into

The biggest one was the threshold problem — how strict is too strict?

$$\text{Flag if Trust Score} < \theta$$

Set $\theta$ too high and you're locking out the real user every time they're tired or typing fast. Set it too low and you're letting attackers through. Finding that balance was harder than we expected.

Beyond that, handling behavioral drift was tricky — users don't type the same way every day and the model had to learn when to adapt versus when to raise a flag.

False positives were also a real headache early on. The system kept second-guessing legitimate users in edge cases like new networks or slow typing sessions. That pushed us to build a smarter layered response instead of a hard cutoff.
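One way the layered response could look on the Node.js backend, as an added example rather than Authless's own code. The weights, tier thresholds, drift rate and action names are assumed values, and the baseline only adapts after a fully trusted session so that a flagged session cannot shift it.

```javascript
// Added example; all constants and names below are assumptions, not Authless's values.
const WEIGHTS = { B: 0.4, D: 0.2, E: 0.15, S: 0.25 }; // w1..w4, sum to 1
const TIERS = [ // layered response replacing a single cutoff theta
  { min: 0.75, action: "allow" },
  { min: 0.5, action: "prompt" }, // the "tap on the shoulder"
  { min: 0, action: "reauthenticate" },
];
const DRIFT_RATE = 0.1; // how fast the baseline follows the user

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;
const clamp01 = (x) => Math.min(1, Math.max(0, x));

// B: similarity of this session's mean inter-key interval (ms) to the baseline.
function keystrokeSimilarity(intervals, baseline) {
  if (intervals.length === 0) return 0; // no evidence, no trust
  const z = Math.abs(mean(intervals) - baseline.mean) / baseline.std;
  return clamp01(1 - z / 3); // reaches 0 at three standard deviations
}

// Trust Score = w1*B + w2*D + w3*E + w4*S, each signal clamped to [0, 1].
function trustScore(signals) {
  let score = 0;
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    if (!Number.isFinite(signals[name])) throw new Error(`missing signal ${name}`);
    score += weight * clamp01(signals[name]);
  }
  return score;
}

function evaluate(baseline, intervals, context) {
  const B = keystrokeSimilarity(intervals, baseline);
  const score = trustScore({ B, ...context });
  const action = TIERS.find((t) => score >= t.min).action;
  // Drift handling: learn only from fully trusted sessions, so a flagged
  // session (possibly someone else at the keyboard) cannot move the baseline.
  const next = action === "allow"
    ? { ...baseline, mean: (1 - DRIFT_RATE) * baseline.mean + DRIFT_RATE * mean(intervals) }
    : baseline;
  return { score, action, baseline: next };
}

// Constructed sample sessions against a constructed baseline.
const baseline = { mean: 120, std: 20 };
const tired = evaluate(baseline, [130, 125, 135, 130], { D: 1, E: 1, S: 0.9 });
const newNetwork = evaluate(baseline, [160, 155, 165, 160], { D: 1, E: 0.2, S: 0.9 });
const stranger = evaluate(baseline, [220, 210, 230, 220], { D: 0, E: 0.2, S: 0.5 });
console.log(tired.action, newNetwork.action, stranger.action);
```

The slow-typing session on a new network lands in the middle tier and gets a prompt instead of a rejection, which is the edge case a single hard cutoff handled badly.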

Accomplishments We're Proud Of

This is our first hackathon together as a team — and we shipped a working demo. That alone we're proud of.

But more than that, we're proud that the core concept actually works. Real-time trust scoring, continuous session monitoring, behavioral pattern detection — it's live, it's functional, and it's something we built from scratch under pressure in a weekend.

First hackathon. Full demo. No passwords. Not bad.

What We Learned

We stumbled onto this idea early Saturday morning and hit the ground running. What surprised us most was how quickly the right research and the right team dynamic can turn a concept into something real. We learned that the hardest problems in security aren't always technical — sometimes they're about understanding human behavior well enough to model it. Building Authless taught us that.

What's Next for Authless

We're just getting started.

Next step is refining the trust scoring model — making it smarter, more adaptive, and more accurate across different user behaviors. We also want to bring in multi-device proximity detection properly, so your phone and watch become part of your authentication layer.

Long term we want to package Authless as an SDK — so any developer can drop passwordless continuous authentication into their app without building it from scratch. The goal is to make this accessible, not just for enterprise companies with big security budgets, but for every app, every user, every device.

And that rPPG heartbeat detection we mentioned? That's on the roadmap too. Future state — but we're coming for it.

The world where logging in feels like nothing? We're building it.
