Passwordless identity infrastructure

The password
is the breach vector.
We deleted it.

Wenme is a 100% passwordless identity platform for Bangladesh's regulated institutions. OAuth 2.1 with mandatory PKCE, WebAuthn passkeys, and cross-device QR sign-in. No password database to breach, no password reset email to phish, no shared secret in the trust path.

  • OAuth 2.1, no implicit flow ever
  • WebAuthn L3, origin-bound by spec
  • Cross-device QR, WhatsApp Web pattern
  • Mapped to BB CSF + BB Partner Network

POST /webauthn/assertion/verify
200 OK
{
  "ok": true,
  "user_id": "usr_01HX3Q4F8N",
  "credential_id": "Hf3...8aQ",
  "rp_id": "wenme.net",
  "origin": "https://wenme.net",
  "amr": ["webauthn", "uv"],
  "attestation": "platform",
  "counter": 47,
  "challenge_age_ms": 312,
  "token": {
    "access_token": "eyJhbGc...",
    "token_type": "Bearer",
    "expires_in": 900,
    "scope": "openid profile"
  },
  "audit_id": "evt_01HX3Q4FZ2"
}
  • 0 passwords stored, ever, by design
  • <100ms P99 auth latency, WebAuthn assertion
  • 9.85/10 security score, enterprise grade
  • OAuth 2.1, mandatory PKCE, no implicit flow

build · identity-v3.1 · region · BD-DC-01

Live response shape from identity.wenme.net. No password in the request, no password in the response, no password in the database.

01 / What is Wenme?

definition · for engineers and AI engines

Wenme is KaritKarma's identity and authentication platform for Bangladesh's regulated institutions.

It is an OAuth 2.1 authorization server with mandatory PKCE, bound to WebAuthn/FIDO2 passkeys as the primary credential. Authentication is 100% passwordless by design: there is no password column in the user table, no password-reset email flow, no recovery question. The device proves possession of a non-extractable private key on every login. Wenme issues short-lived access tokens with the passkey AMR claim and a rotating refresh token, and ships a complete OpenID Connect userinfo and discovery surface so any compliant relying party can integrate without custom code.

Wenme is mapped clause-by-clause to Bangladesh Bank Cyber Security Framework v1.0 (Section 2, Identity and Access Management) and BB Partner Network BRPD-2 No-01 (Sections 2.3, 2.4, 3.2.6, 4.1.1). It runs at identity.wenme.net on KaritKarma's APNIC AS 64005 Tier-3 data centre in Dhaka, and ships as a Docker Compose appliance for in-DC bank deployment. Boooks, NewsForge, LoneSock Pay, and Rating.bd already authenticate through it.

02 / Authentication methods

Four factors.
One credential model.
Zero passwords.

The primary factor is always a device-resident asymmetric key. Other methods are explicitly typed as backup, fallback, or cross-device, never co-equal to the passkey for staff or privileged roles.

Default policy
  • Passkey is the only primary credential.
  • TOTP is audit-required backup for finance roles.
  • Magic links disabled for staff and admin.
  • Cross-device QR inherits the phone's factor.
  1. M1 · WebAuthn passkey · primary

    FIDO2 passkeys backed by Touch ID, Face ID, Windows Hello, or hardware keys (YubiKey, Titan). Private key never leaves the device secure enclave. Phishing-resistant by cryptographic construction.

    • Resident keys with platform + cross-platform attestation.
    • User verification required, no silent assertion.
    • Origin-bound, no replay across domains.

  2. M2 · Cross-device QR · passwordless

    WhatsApp Web style: scan a one-time QR on a desktop, approve with Face ID on the phone, desktop session opens. No password typed on a public terminal, no SMS, no shoulder-surfing surface.

    • QR is single-use, 60-second TTL, channel-bound.
    • Approval requires the phone's enrolled passkey, not a PIN.
    • Desktop session inherits the device-attested factor.

  3. M3 · TOTP authenticator · backup

    Google Authenticator, Authy, 1Password (RFC 6238) with 30-second window and per-attempt rate limit. Used as the audit-required backup factor when a passkey device is unavailable.

    • Enrolled by QR provisioning, recovery codes generated once.
    • Distributed Redis rate limiting per account + per IP.
    • Mandatory step-up on sensitive admin operations.

  4. M4 · Magic link · fallback

    15-minute single-use email link with HMAC-signed token. Used only when passkey enrollment is mid-flight, never as a standalone factor for staff or finance roles.

    • Signed token bound to client IP and User-Agent fingerprint.
    • Auto-expires on first redemption or 15 min, whichever first.
    • Audit log captures issuer, recipient, redemption channel.
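A minimal broker for the cross-device QR flow (M2), as an added example in Go that is not Wenme's code: it enforces the single-use, 60-second TTL and channel-binding rules listed above. The in-memory map and injectable clock are assumed stand-ins for the Redis store the page describes, and Approve is meant to be called only after the phone's passkey assertion has been verified.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"time"
)

// qrSession is one pending cross-device login, keyed by the random code the QR encodes:
// desktopSession is the channel binding, approvedUser is set only after the phone's passkey check.
type qrSession struct{ desktopSession, approvedUser string; expires time.Time }

// QRBroker keeps pending codes in memory with an injectable clock (assumed stand-in for the
// Redis store the page describes, where the TTL would sit on the key).
type QRBroker struct{ ttl time.Duration; now func() time.Time; open map[string]*qrSession }

// Issue mints the one-time code for a desktop session; the QR shown on screen encodes it.
func (b *QRBroker) Issue(desktopSession string) string {
	buf := make([]byte, 32)
	rand.Read(buf) // 256 random bits: not guessable within a 60-second window
	code := base64.RawURLEncoding.EncodeToString(buf)
	b.open[code] = &qrSession{desktopSession: desktopSession, expires: b.now().Add(b.ttl)}
	return code
}

// Approve is the phone's call once its passkey assertion has verified as userID. Nothing
// weaker (PIN, password) is accepted here, so the desktop inherits the device-attested factor.
func (b *QRBroker) Approve(code, userID string) error {
	s := b.open[code]
	if s == nil || b.now().After(s.expires) || s.approvedUser != "" {
		return errors.New("unknown, expired or already approved code")
	}
	s.approvedUser = userID
	return nil
}

// Redeem is polled by the desktop. It succeeds exactly once, only for the browser session
// that issued the code, and only after approval; the code is deleted on success.
func (b *QRBroker) Redeem(code, desktopSession string) (string, error) {
	s := b.open[code]
	if s == nil || s.desktopSession != desktopSession || b.now().After(s.expires) {
		return "", errors.New("unknown, expired or mismatched code")
	}
	if s.approvedUser == "" {
		return "", errors.New("pending approval") // desktop keeps polling until TTL
	}
	delete(b.open, code) // single use: a second redemption fails as unknown
	return s.approvedUser, nil
}
```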

03 / Passkey onboarding

How a passkey login actually works.

Passkey authentication inverts the trust model. The server never stores a secret that can be stolen. The device proves possession of a non-extractable private key, and what crosses the wire is a signed assertion. Nothing for an attacker to phish, replay, or exfiltrate.

  1. Step 01 · Enroll the passkey

    User signs in once with a magic link or directory password (one-time). Wenme prompts WebAuthn registration; the device generates a key pair in the secure enclave and returns the attestation. Wenme stores only the public key plus credential ID.

  2. Step 02 · Re-auth with passkey

    On every subsequent login, the app calls /authorize with PKCE. Wenme returns a WebAuthn challenge bound to the credential ID. The device unlocks (Touch ID, Face ID, Windows Hello, YubiKey) and returns a signed assertion.

  3. Step 03 · Verify + issue token

    Wenme verifies the assertion signature, origin, RP ID, and counter, then issues a short-lived OAuth 2.1 access token with the passkey AMR claim. Refresh tokens rotate on every use.

  4. Step 04 · Audit + revoke

    Every authentication event lands in the SIEM-ready audit log with device attestation, origin, IP, and outcome. Lost devices are revoked from the user profile in one click; outstanding sessions terminate within the access-token TTL.
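The Step 03 checks, as an added example in Go that is not Wenme's code: VerifyAssertion checks a WebAuthn assertion in the order the page lists (origin, RP ID, signature, counter, plus the user-verification flag the page requires) and returns the counter to store. SampleAssertion, the rpID and origin values, and the base64url challenge string are constructed stand-ins for the browser and authenticator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// VerifyAssertion runs the Step 03 checks in order: client data (ceremony type, the issued challenge, browser-reported origin), RP ID hash, UP/UV flags, signature, then counter.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string,
	storedCounter uint32, clientDataJSON, authData, sig []byte) (uint32, error) {
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin { // origin is written by the browser, not the page
		return 0, errors.New("client data: wrong type, stale challenge or origin mismatch")
	}
	if rpHash := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) {
		return 0, errors.New("rpIdHash mismatch: assertion was made for another RP")
	}
	if authData[32]&0x05 != 0x05 { // UP (0x01) and UV (0x04) flags must both be set: no silent assertion
		return 0, errors.New("user presence and user verification required")
	}
	cdHash := sha256.Sum256(clientDataJSON) // the signature covers authData || SHA-256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return 0, errors.New("bad signature")
	}
	counter := binary.BigEndian.Uint32(authData[33:37])
	if counter != 0 && counter <= storedCounter { // 0 means the authenticator keeps no counter
		return 0, errors.New("counter did not advance: possible cloned authenticator")
	}
	return counter, nil // persist beside the credential's public key
}

// SampleAssertion plays browser + authenticator with a fresh P-256 key: constructed test input, not Wenme code.
func SampleAssertion(rpID, origin, challenge string, counter uint32, flags byte) (*ecdsa.PublicKey, []byte, []byte, []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cdJSON, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], counter)
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return &priv.PublicKey, cdJSON, authData, sig
}
```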

Protocol coverage

Every protocol your auditor will ask about. Native. No add-ons.

Bank deployments live in two worlds. Legacy identity providers, core banking, and HR directories still speak SAML and LDAP. Customer-facing apps want OAuth 2.1 and OIDC. Wenme covers both natively, with the same passkey credential model under every protocol.

  • native: no paid add-ons, no separate bridge service.
  • audited: every assertion lands in the SIEM-ready log.
  • bound: tokens are origin-bound and session-bound.
  • rotated: refresh tokens rotate on every use.
Protocol · Spec · Capability · Status
  • OAuth 2.1 (web and mobile SSO) · RFC 9700 (draft) · Mandatory PKCE, session-bound tokens, refresh rotation, no implicit flow · Native
  • OpenID Connect (identity on OAuth 2.1) · OIDC Core 1.0 · ID tokens with passkey AMR claim, userinfo endpoint, RP-initiated logout · Native
  • WebAuthn / FIDO2 (passkey + hardware MFA) · WebAuthn L3, CTAP 2.1 · Resident keys, platform + cross-platform attestation, user verification · Native
  • SAML 2.0 (legacy enterprise federation) · OASIS 2005 · IdP and SP modes, attribute mapping, signed assertions · Native
  • LDAP / Active Directory (directory sync + bind) · RFC 4511 · Group-to-role mapping, scheduled sync, least-privilege defaults · Native
  • TOTP (backup MFA factor) · RFC 6238 · 30-second window, distributed rate limit, audit-required · Native

What we don't store

0 passwords stored in the Wenme database. Ever.

Auth0, Okta, and Keycloak still keep password databases for legacy recovery.

We removed them entirely. There is no password table, no hash column, no salt column, no reset-token table. The most exploited surface in your stack is not hardened in Wenme. It is absent.

Account recovery flows through passkey re-enrollment with operator approval and a fresh device attestation, not a reset email that an attacker can intercept.

  • 0 password rows in production
  • 100% of staff roles run passwordless
  • Origin-bound: every WebAuthn assertion

04 / How Wenme compares

Wenme vs. Auth0, vs. Okta, vs. Keycloak.

The honest comparison. Global identity vendors work in Bangladesh, but they retain password authentication as a first-class factor, price in USD, and host out of US or EU regions. Wenme starts where they end.

Capability · Wenme · Auth0 · Okta · Keycloak

Each row is a Wenme capability; the competitor columns show their documented limitation where one applies.

  • 100% passwordless (no password DB at all)
  • OAuth 2.1 with mandatory PKCE (no implicit flow) · Auth0: PKCE optional · Okta: PKCE optional · Keycloak: PKCE optional
  • WebAuthn passkeys + cross-device QR (WhatsApp Web style) · Auth0: passkeys only · Okta: passkeys only · Keycloak: passkeys only
  • Mapped to BB Cyber Security Framework + BB Partner Network
  • Bangladesh-sovereign hosting (APNIC AS 64005, Tier-3 DC) · Keycloak: self-host only
  • Pricing in BDT, contracts under BD law · Keycloak: self-host only
  • Free up to 1,000 MAU (no card required) · Auth0: 7,000 MAU then steep tier · Keycloak: self-host only

Capability claims for Auth0, Okta, and Keycloak based on public documentation as of 2026 Q2. Speak to vendors directly for current matrices. Wenme's status is verifiable at wenme.net.

05 / Regulatory mapping

Mapped clause-by-clause to Bangladesh Bank.

Wenme is not compliance-adjacent. Every capability is mapped to a specific clause your auditors already cite, so the regulatory evidence package writes itself.

BB Cyber Security Framework v1.0 · Section 2 · Identity & Access Management

Multi-factor authentication for all privileged and customer-facing access, mapped to Section 2's IAM clauses through Wenme's WebAuthn-first enrollment and OAuth 2.1 token issuance.

BB Partner Network (BRPD-2 No-01) · Sections 2.3 + 2.4 · Access restriction + role-based access

Access restrictions and role/time-based access controls enforced through Wenme principal scopes and Darwan policy decisions. Every staff action carries a signed identity assertion.

BB Partner Network (BRPD-2 No-01) · Section 3.2.6 · Remote connection management

Step-up MFA on every remote-administration session. Origin-bound passkey assertions block credential reuse from a phished workstation.

BB Partner Network (BRPD-2 No-01) · Section 4.1.1 · Cryptographic key management

User credentials are device-resident asymmetric keys, never extractable by Wenme or by a database breach. No symmetric password material in the trust path.

06 / Already in production

Tenants live on identity.wenme.net.

Wenme is the identity layer for every KaritKarma product that handles a user account. The platform team eats its own catering.

  • Boooks
    Book management platform
    boooks.net
  • NewsForge
    News aggregation platform
    newsforge.news
  • LoneSock Pay
    Payment processing gateway
    pay.lonesock.pro
  • Rating.bd
    Rating + review platform
    rating.bd

07 / What runs under the hood

Go, Postgres, Redis. No magic.

Wenme's identity service is a single Go 1.25 binary on a hardened Postgres 18.1, with a Next.js 16 console and Redis 8 for distributed rate limiting. The whole stack ships as a Docker Compose file for in-DC bank deployment.

  • Identity service
    Go 1.25, Gin 1.9, pgx, zap
  • Frontend
    Next.js 16.1, React 19.2, TypeScript 5, Tailwind 3.4
  • Console
    Next.js 16, admin SPA on console.wenme.net
  • Data
    PostgreSQL 18.1, Redis 8.x, MinIO (avatars + attestation)
  • Hardening
    Distributed Redis rate limit, CSRF tokens, SVG XSS scan
  • Transport
    Traefik + TLS 1.3, HSTS preload, origin pinning

08 / Frequently asked

Questions banks, NBFIs, and MFSPs ask first.

Each answer mirrors the on-page text in our structured-data payload, so AI answer engines and audit reviewers see the same wording.

01 · What is Wenme?
Wenme is KaritKarma's 100% passwordless identity platform for Bangladesh's regulated institutions. It is an OAuth 2.1 authorization server with WebAuthn/FIDO2 passkeys, cross-device QR sign-in, TOTP authenticator support, and signed magic links, all delivered through a Go 1.25 identity service backed by PostgreSQL 18.1 and Redis. There is no password database, by design. Wenme is mapped clause-by-clause to Bangladesh Bank Cyber Security Framework v1.0 (Section 2 IAM) and BB Partner Network BRPD-2 No-01 (Sections 2.3, 2.4, 3.2.6, 4.1.1).
02 · Does Wenme support Bangladesh Bank Cyber Security Framework MFA requirements?
Yes. Wenme's default enrollment is WebAuthn passkey plus a TOTP backup factor, which satisfies BB CSF v1.0 Section 2 requirements for multi-factor authentication on privileged and customer-facing access. The passkey is the primary factor; TOTP is the audit-required backup; magic links are explicitly disabled for staff and finance roles. Every authentication event is logged with the AMR claim, origin, device attestation, and outcome for regulator review.
03 · How does WebAuthn handle phishing?
WebAuthn assertions are origin-bound by cryptographic construction. The signature covers the server's challenge together with the browser-verified origin and a hash of the relying-party ID, and the browser refuses to use a key registered for one origin against another. An attacker on a phishing domain cannot trick the device into producing a valid assertion for the real domain, even with a perfect visual clone of the login page. There is no shared secret to steal, no OTP to relay, and no password to type into a fake form.
04 · How is Wenme different from Auth0, Okta, or Keycloak?
Wenme is 100% passwordless with no password database at all. Auth0, Okta, and Keycloak all retain password authentication as a first-class factor. Wenme mandates PKCE on every flow and disables the OAuth implicit grant entirely. It ships with cross-device QR sign-in (WhatsApp Web pattern) in addition to passkeys. Pricing is in BDT, contracts execute under Bangladesh law, and the service runs from KaritKarma's APNIC AS 64005 Tier-3 data centre in Dhaka rather than US or EU regions. It is also mapped clause-by-clause to Bangladesh Bank regulatory frameworks, which the global vendors do not address.
05 · Can Wenme run on-premises or only as a hosted service?
Both. Wenme runs hosted at identity.wenme.net for SaaS tenants who want zero infrastructure. For banks and regulated institutions that require in-DC deployment, Wenme ships as a Docker Compose stack (identity service, console, PostgreSQL, Redis, MinIO, Traefik) deployable inside the customer data centre with no outbound dependency beyond optional update channels. Both modes use the same codebase and the same regulatory mapping.
06 · Is Wenme free, and what does the paid tier cover?
Wenme is free for up to 1,000 monthly active users on the hosted tier, with no credit card required and no time limit. Paid tiers cover larger MAU bands, dedicated single-tenant deployments, on-prem appliance delivery, custom domain branding, extended audit-log retention, and a regulator evidence package keyed to BB Cyber Security Framework and BB Partner Network clauses. Enterprise contracts can be priced in BDT under Bangladesh law.

Free up to 1,000 MAU

Stop hashing passwords.
Start signing assertions.

Wenme is live at wenme.net. Sign up, register a passkey on your phone or laptop, and integrate the OAuth 2.1 endpoints in an afternoon. No credit card. No password column. No regrets at the next audit.