
MusiKey Authentication Developed Originally by Graham Hartridge
Check out MusiKey on: GitHub
Updated on Feb 27, 2026

Core concept:
Your password is a song. MusiKey turns musical compositions into cryptographic keys — play your own melody on a MIDI keyboard or let the system compose one for you. Audible, recognizable, and carrying 40-100+ bits of entropy.

The Problem:
Passwords are weak, reused, and forgettable. Hardware tokens are expensive and losable. Biometrics can't be changed if compromised. Authentication shouldn't require choosing between security and usability.

How It Works:
Enroll — Enter a passphrase and choose a musical scale. Play your melody on a MIDI keyboard or let MusiKey generate a unique composition. Your song is encrypted with cascaded key derivation and double-layer AES-256-GCM.
Authenticate — Enter your passphrase. MusiKey decrypts your song, verifies musical integrity across four dimensions, and plays it back through an animated piano and frequency visualizer.
Protect — Exponential rate limiting locks out attackers. Five failed attempts permanently destroy the credential. No recovery, no reset.

Features:
MIDI keyboard input — plug in any USB MIDI controller and play your own melody as your cryptographic key
ECDSA P-256 challenge-response authentication via the MusiKey Protocol
WebAuthn/FIDO2 multi-factor authentication — fingerprint, face, or security key
Time-based one-time passwords (TOTP) and musical challenge-response MFA
Visual fingerprint — unique visual hash of your composition for manual verification
Cascaded KDF: PBKDF2 (600,000 iterations) + Argon2id (128MB memory-hard)
Double AES-256-GCM encryption with machine-bound keys
Tamper-detected audit logging with cryptographic chain integrity
Self-destruct after 5 failed attempts with random overwrite
Seven musical scales with configurable composition length (32-256 notes)
Real-time piano keyboard and frequency bar visualizer
Encrypted-at-rest storage with HMAC verification and key splitting
Passphrase strength enforcement with entropy calculation
Automatic memory zeroing of sensitive data
Credential export, import, and encrypted cross-device sync
In-app onboarding walkthrough, help panel, and contextual tooltips
Zero runtime dependencies — all via native platform APIs
Dark-themed interface

Security:
25+ layered security mechanisms including: cascaded key derivation (PBKDF2 + Argon2id), double AES-256-GCM encryption, ECDSA P-256 asymmetric authentication, WebAuthn/FIDO2, zero-knowledge proof commitments, encrypted-at-rest credential storage, machine-bound key derivation with deep hardware fingerprinting, HMAC tamper detection, key splitting across isolated stores, monotonic signature counters for clone detection, sandboxed renderer with navigation blocking, localhost-only CORS on protocol server, constant-time cryptographic comparisons, IPC input validation, credential import schema validation, exponential backoff rate limiting, passphrase strength enforcement, credential integrity hashing, automatic memory zeroing, and permanent self-destruct.

Built With:
Electron, TypeScript, Web Crypto API, Web Audio API, Web MIDI API, Node.js Argon2id
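
The Protect step described under How It Works (exponential rate limiting, then destruction of the credential after five failed attempts with a random overwrite) can be sketched as follows. This is an added example for Node.js, not MusiKey's own code; the class and function names, the 1-second base delay and the HMAC-tag stand-in verifier are assumptions.

```javascript
// Added example, not MusiKey source. Names and BASE_DELAY_MS are assumptions.
const { randomFillSync, createHmac, timingSafeEqual } = require('node:crypto');

const MAX_FAILURES = 5;      // from the page: five failed attempts destroy the credential
const BASE_DELAY_MS = 1000;  // assumed first lockout window; the page gives no figure

class CredentialGuard {
  // blob: Buffer holding the stored credential; verify(blob, passphrase) -> boolean
  constructor(blob, verify) {
    Object.assign(this, { blob, verify, failures: 0, lockedUntil: 0 });
  }

  // Returns 'ok', 'denied', 'locked' or 'destroyed'. `now` is injectable for tests.
  attempt(passphrase, now = Date.now()) {
    if (this.blob === null) return 'destroyed';
    if (now < this.lockedUntil) return 'locked'; // the guess is not evaluated at all
    if (this.verify(this.blob, passphrase)) {
      this.failures = 0;
      this.lockedUntil = 0;
      return 'ok';
    }
    this.failures += 1;
    if (this.failures >= MAX_FAILURES) {
      randomFillSync(this.blob); // overwrite in place before dropping the reference
      this.blob = null;
      return 'destroyed';
    }
    // Lockout doubles per failure: 1 s, 2 s, 4 s, 8 s after failures 1 to 4.
    this.lockedUntil = now + BASE_DELAY_MS * 2 ** (this.failures - 1);
    return 'denied';
  }
}

// Constructed stand-in verifier: the blob is an HMAC tag keyed by the passphrase.
const tagFor = (p) => createHmac('sha256', p).update('musikey-demo').digest();
const verifyTag = (blob, p) => timingSafeEqual(blob, tagFor(p));

// Replays wrong guesses spaced just past each lockout, then the right passphrase.
function runDemo() {
  const guard = new CredentialGuard(tagFor('correct horse'), verifyTag);
  const out = [guard.attempt('guess-0', 0), guard.attempt('guess-early', 500)];
  let t = 0;
  for (let i = 1; i < MAX_FAILURES; i++) {
    t += BASE_DELAY_MS * 2 ** (i - 1);
    out.push(guard.attempt(`guess-${i}`, t));
  }
  return out.concat(guard.attempt('correct horse', t + 60000));
}
```

A real deployment would persist `failures` and `lockedUntil` alongside the credential so that restarting the application does not reset them.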
