You already know this is happening to you right now.
Every website you visit builds a profile on you. Your login is not just a login — it's a data point. Your email, your device fingerprint, your location, your behavior patterns, your biometric if you use Face ID — all of it collected, stored, sold, and eventually leaked.
This is not a conspiracy. It is the business model. The entire identity industry is built on the premise that to verify you are you, someone has to store something about you.
I built a protocol that makes that premise architecturally impossible.
Not harder. Not better encrypted. Impossible.
What TAP actually is — plain English first:
TAP stands for Temporal Authentication Protocol.
Your heartbeat is not a steady tick. The gaps between beats vary in a pattern unique to you — this is called HRV (heart rate variability). Think of it like a fingerprint, except it lives inside your chest, changes slightly with every session, and cannot be lifted off anything.
TAP takes those gaps, runs them through a mathematical function with the current time and two random numbers that only live on your device, and produces a cryptographic private key. That key is used to sign a challenge. The answer — yes or no — goes on the blockchain. Then the key is thrown away.
Next session, your heartbeat re-creates it. Nothing is stored. Nothing can be stolen because there is nothing to steal.
But here is the part everyone misses when they ask about heartbeat stability — heartbeat is just one biometric. It is the strongest one, but TAP works with any consistent physical biometric. Voice. Fingerprint. Iris. Whatever your body produces consistently. The protocol is biometric-agnostic. What is novel is not what biometric you use — it is what is done to it.
What is actually new here — because this question will come up:
Every existing system does one of these things:
- Stores a copy of your biometric or password (Face ID template, password hash, fingerprint scan)
- Derives a key from hardware, not from your body (WebAuthn, YubiKey)
- Uses time as a factor but not biology (TOTP, Google Authenticator)
Nobody has combined all three: biometric + time variable + local-only storage = ephemeral private key that re-derives from your body each session and is never stored anywhere.
The time variable is the thing that makes this categorically different from every biometric system that exists. Your fingerprint on your phone is a static check against a stored template. TAP uses your fingerprint — or heartbeat, or voice — as the seed to a key that is mathematically unique to this exact moment. The same biometric at a different time produces a completely different key. Yesterday's session is cryptographically dead. Always.
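A minimal sketch of the derivation described above, added here as an illustration and not taken from the author's implementation. It assumes fixed-width bucket quantization of the beat intervals and a fixed-length time window for the time floor, and uses Node's built-in scrypt as a stand-in for Argon2id; all function names, parameters and sample values are hypothetical.

```javascript
const crypto = require('crypto');

// PKCS#8 DER prefix that wraps a raw 32-byte Ed25519 seed (RFC 8410).
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');

// Assumption: intervals are quantized into fixed-width buckets so that small
// capture-to-capture noise maps to the same integers.
const quantize = (rrMs, bucketMs) => rrMs.map((v) => Math.floor(v / bucketMs));

// Assumption: the time variable is the start of a fixed-length window.
const timeFloor = (unixS, windowS) => Math.floor(unixS / windowS) * windowS;

function deriveKeypair(rrMs, unixS, salt1, salt2, bucketMs = 50, windowS = 300) {
  const input = Buffer.from(JSON.stringify(
    { q: quantize(rrMs, bucketMs), t: timeFloor(unixS, windowS) }));
  // scrypt is a stand-in here for the Argon2id named in the post.
  const seed = crypto.scryptSync(input, Buffer.concat([salt1, salt2]), 32,
    { N: 16384, r: 8, p: 1 });
  const privateKey = crypto.createPrivateKey(
    { key: Buffer.concat([PKCS8_ED25519, seed]), format: 'der', type: 'pkcs8' });
  return { privateKey, publicKey: crypto.createPublicKey(privateKey) };
}

const pubHex = (kp) =>
  kp.publicKey.export({ format: 'der', type: 'spki' }).toString('hex');

// Constructed sample data: two device-local salts and three captures (ms).
const SALT1 = Buffer.alloc(16, 0x11);
const SALT2 = Buffer.alloc(16, 0x22);
const T0 = 1700000100;                       // start of a 300 s window
const CAPTURE_1 = [812, 846, 790, 871, 828];
const CAPTURE_2 = [818, 841, 795, 868, 833]; // same buckets as CAPTURE_1
const CAPTURE_3 = [812, 852, 790, 871, 828]; // 846 -> 852 crosses a bucket edge

// Compares each derived public key against the CAPTURE_1 / T0 baseline.
function demo() {
  const k = (rr, t) => pubHex(deriveKeypair(rr, t, SALT1, SALT2));
  const base = k(CAPTURE_1, T0);
  return {
    sameWindowSameBuckets: k(CAPTURE_2, T0 + 60) === base,
    nextWindow: k(CAPTURE_1, T0 + 300) === base,
    bucketEdgeNoise: k(CAPTURE_3, T0) === base,
  };
}
```

The third case bears on the key match rate discussed later in the post: a 6 ms shift across a bucket edge yields an unrelated key, so the quantizer rather than the KDF determines how often the same person re-derives the same key.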
The nine patent claims — what is actually being protected:
Claim 1 — Biometric KDF Identity Primitive: Any consistent biometric signal combined with a time-variable floor and locally stored salts fed into Argon2id to produce an ephemeral Ed25519 keypair. The private key is never stored. This is the core primitive. Nothing like it exists.
Claim 2 — Biological Continuity Verification Without Biometric Storage: Range-band indicators derived from but never storing raw biometric data. The system verifies you are still you without keeping any representation of you. Bands update via exponential moving average — 90% existing model, 10% new reading — so the identity ages with you without storing who you were.
Claim 3 — Probabilistic Morphology Signature from R-R Sequences: A statistical model of your heart's waveform shape built from timing data alone. Gets more accurate every session. After 50 sessions it is a near-unique probabilistic fingerprint. Never stores raw morphology. Gets harder to fake the longer you use it.
Claim 4 — Encrypted Cardiac Deltas On-Chain: Each session produces a tiny encrypted mathematical update — not raw biometric data, just a delta — stored on the blockchain encrypted with your private key. Meaningless to anyone without your key. Allows cross-device identity reconstruction after device loss without ever putting biometric data on chain.
Claim 5 — Session-Bound Liveness Verification: Rate-of-change continuity check. A living heart drifts. A recording does not. Any frozen signal — replay attack, synthetic generator, pre-recorded audio — fails this check automatically because it has zero biological drift.
Claim 6 — Cryptographic Device Continuity: Location plausibility cross-referencing as clone detection. Not tracking where you are — checking whether it was physically possible for your device to move between sessions. Two simultaneous authentications from the same public key at impossible locations flags a clone attack.
Claim 7 — Magnetocardiographic Proximity Verification: The heart generates a magnetic field. MCG sensing captures that field. The field drops off with the inverse square of distance — meaning the sensor must be within centimeters of your chest to capture anything usable. Physical proximity is enforced by physics, not software. Cannot be defeated remotely. Cannot be replayed. The cardiac magnetic field is generated by ionic current in your specific heart muscle tissue and cannot be reproduced synthetically.
Claim 8 — Existing Smartphone Hardware as MCG Sensor: Three implementations using hardware already in your phone: (a) the compass magnetometer chip at direct chest contact, (b) a phone case with a dedicated magnetometer communicating via NFC, (c) the wireless charging coil repurposed as a cardiac field detector. Zero new hardware required for the most accessible implementation.
Claim 9 — Biometric-Agnostic Temporal KDF Framework: The entire protocol generalized. Any consistent biometric as the seed input. All security properties — temporal uniqueness, replay resistance, liveness verification, temporally increasing attack cost — are inherited automatically by any biometric that satisfies the framework's four conditions.
Hardware claims — separate patent track:
Hardware Claim A — NV-Center Diamond Magnetometer Device: A wearable device using nitrogen-vacancy center diamond quantum sensing for cardiac magnetic field capture at room temperature. Achieves ~1 picotesla sensitivity. Transmits only extracted feature vectors via NFC during active sessions. Raw signal never leaves the device.
Hardware Claim B — MCG Phone Case Peripheral: A smartphone case with an integrated magnetometer array. Session-gated NFC communication — data only transmits during active TAP authentication. Powers itself from the phone's NFC field. On-case preprocessing — raw signal stays in the case hardware.
Hardware Claim C — Wireless Charging Coil MCG Tap: Method of accessing the wireless charging coil's magnetic field sensing for cardiac signal extraction. Novel application — first described use of charging coil for biometric authentication. Requires manufacturer integration at chipset level as the long-term path.
The blockchain layer — this is where it gets interesting for this community:
Your public key gets written to the blockchain at enrollment. That is the only thing on chain about you. No name. No biometric. No email. Just a math address pointing to a math key with a timestamp.
Every session, your device re-derives the private key from your fresh biometric capture, signs a challenge, and the smart contract confirms three things: public key is enrolled, signature matches, challenge is fresh and unexpired. Returns yes or no. That is the entire integration surface.
The encrypted cardiac deltas accumulate on chain over time — session by session, each one a tiny mathematical update encrypted with your private key. Anyone looking at the chain sees meaningless encrypted numbers. You pull them down to a new device, decrypt locally, reconstruct your identity model. Device loss solved without a recovery database.
The smart contract is two functions. 50 lines of Solidity. Anyone can read it. Anyone can verify it does exactly what it claims. The transparency is the trust.
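The three checks listed above (key is enrolled, signature matches, challenge is fresh and unexpired), modeled off-chain in JavaScript as an added example; this is not the post's Solidity contract. The class and method names, the 60-second lifetime, the in-memory stores and the reason strings are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Off-chain model of the three checks; the post's own contract is Solidity.
class ChallengeVerifier {
  constructor(ttlSeconds = 60) {
    this.ttl = ttlSeconds;
    this.enrolled = new Set(); // hex SPKI public keys: the only per-user state
    this.pending = new Map();  // nonce hex -> { pubHex, expires }
  }
  enroll(pubHex) { this.enrolled.add(pubHex); }
  issue(pubHex, now) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(nonce.toString('hex'), { pubHex, expires: now + this.ttl });
    return nonce;
  }
  verify(pubHex, nonce, signature, now) {
    const no = (reason) => ({ ok: false, reason });
    if (!this.enrolled.has(pubHex)) return no('not-enrolled');
    const id = nonce.toString('hex');
    const entry = this.pending.get(id);
    if (!entry || entry.pubHex !== pubHex) return no('unknown-challenge');
    this.pending.delete(id); // single use: a replayed response finds nothing
    if (now > entry.expires) return no('expired');
    const key = crypto.createPublicKey(
      { key: Buffer.from(pubHex, 'hex'), format: 'der', type: 'spki' });
    return crypto.verify(null, nonce, key, signature)
      ? { ok: true, reason: 'ok' } : no('bad-signature');
  }
}

// Constructed run: random Ed25519 keys stand in for a session-derived key.
function demo() {
  const spki = (k) => k.export({ format: 'der', type: 'spki' }).toString('hex');
  const user = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const pub = spki(user.publicKey);
  const v = new ChallengeVerifier(60);
  v.enroll(pub);
  const sign = (n, kp) => crypto.sign(null, n, kp.privateKey);
  const n1 = v.issue(pub, 1000), sig1 = sign(n1, user);
  const first = v.verify(pub, n1, sig1, 1005).reason;
  const replay = v.verify(pub, n1, sig1, 1006).reason;
  const n2 = v.issue(pub, 1000);
  const late = v.verify(pub, n2, sign(n2, user), 1061).reason;
  const n3 = v.issue(pub, 1000);
  const forged = v.verify(pub, n3, sign(n3, other), 1001).reason;
  const stranger = v.verify(spki(other.publicKey), n3, sig1, 1001).reason;
  return { first, replay, late, forged, stranger };
}
```

A challenge is bound to the key it was issued for and is consumed on its owner's first attempt, so a captured response cannot be submitted a second time inside the validity window.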
The open source network effect — why more implementations make it stronger:
This is open source by design and the security model depends on it.
Every company or developer that implements TAP as an authenticator adds signal to the network. The protocol convergence works like this: as implementations proliferate, the noise introduced by slightly different implementations forces convergence to the mathematically correct version — the one with the strongest properties — because any deviation is detectable and rejectable by the network.
A proprietary version of this with a backdoor cannot survive in an open ecosystem because the open implementations provide a reference that exposes any deviation. The more people build on it the harder it becomes to corrupt it.
If you run a website, a forum, a DAO, a marketplace — you can add TAP as an authenticator with two API calls. Your users get a yes or no. You never see their biometric. You never store anything about them. Your compliance surface is zero because you are architecturally incapable of holding personal data.
What this disrupts:
Identity providers — Auth0, Okta, Ping — their entire value proposition is managing the database of who your users are. TAP eliminates the database. There is nothing left to manage.
Data brokers — their supply chain starts at identity. No stored identity means no data exhaust to harvest, aggregate, and sell. The profiling industry requires a record to build a profile on. TAP produces no record.
Biometric authentication companies — every system that stores a biometric template (FaceID templates, fingerprint databases, iris scans) is a breach waiting to happen. You cannot change your face. You cannot change your fingerprint. TAP never stores the template so there is nothing to breach and nothing permanently compromised if a device is lost.
KYC infrastructure — banks and financial institutions spend billions annually verifying identity and storing the results. TAP provides proof of humanity — same person, living, present — without the institution ever holding the underlying biometric. GDPR, CCPA, HIPAA, BIPA compliance becomes architectural rather than procedural.
CAPTCHA and bot detection — the entire industry exists because there is no reliable way to prove a human is on the other side. TAP is that proof. A bot cannot press a phone to its chest and produce a living heartbeat. The physics of liveness detection is the filter.
New industries this creates:
Human-only networks — social platforms, forums, marketplaces where every participant is provably a living human. Not verified by a company. Not checked against a list. Proven locally by math and biology.
Temporal identity markets — because TAP identity strengthens over time, early enrollment has value. The first million enrolled identities have a longer track record of biological continuity than anyone who enrolls later. This creates a new kind of digital seniority that cannot be faked or purchased.
Biometric hardware manufacturing — the NFC case, the MCG wearable, the NV-center sensor device. None of these exist as consumer products today. TAP gives them a protocol to build to.
Proof-of-humanity as infrastructure — DAOs, voting systems, content platforms, financial systems that need human verification without identity disclosure. TAP is the missing primitive that makes human-only digital spaces possible at scale.
What is built right now:
Working prototype — enrollment and verification operational. Voice biometric pipeline alongside heartbeat. Ed25519 keypairs generating from real captures. TAP server running with public API endpoints that any relying party can call.
Formal paper — 17 pages, full proofs of temporal uniqueness, replay resistance, biological continuity, temporally increasing attack cost, MCG spoofing impossibility. Nine patent claims, two hardware claims. Pre-print published.
Research landing page: let me know if you want to see it. I just want to get this to people.
The open research question I am actively solving: getting the acoustic signal consistent enough to hit 80% same-person key match rate across captures. Two-pass peak detection fix built, consistency trial pending.
What I need from this community:
If you are working on cryptography, HRV biometrics, signal processing, or blockchain identity — I want your critique. The formal proofs are in the paper. Break them if you can.
If you implement wallets, dApps, or authentication systems — the TAP API is two endpoints. I want early implementers.
Karan Bedi · Dallas TX · May 2026 · Patent Pending