Published October 9, 2025 | Version 1.0

Dynamic Digital Identity: Device-Bound Ephemeral Authentication with Proof of Possession

  • Affiliation: UNISAGRADO

Description

This preprint introduces Dynamic Digital Identity (DDI), an authentication mechanism that issues a short-lived, device-bound identity at each login after cryptographic proof of possession of a hardware-protected private key. Unlike SMS OTP or other fragile MFA channels, DDI combines WebAuthn/FIDO2 with ephemeral session tokens signed by KMS/HSM and channel-bound to prevent replay attacks.

We present the following contributions:

  • Protocol design with proof of possession, optional attestation, and issuance of ephemeral identities.

  • Threat mapping showing how DDI mitigates phishing, SIM swap, replay, and credential cloning.

  • Evaluation plan with security, usability, and reliability metrics in lab and field pilot studies.

  • Adoption readiness with alignment to W3C, FIDO2, NIST SP 800-63B-4, and CISA/GSA guidance.

The approach reduces the attack surface of current MFA methods, while maintaining good usability. It has potential applicability in financial services, fintech, and digital government, supporting zero-trust strategies.

A reference prototype and reproducibility artifacts are available at: https://github.com/LuizRMSilva1973/Seguranca.

Files

idd_ieee_en.pdf (332.9 kB)
md5:2df067175917b354b7f951be84b289f3

Additional details

Dates

Updated
2025-10-09
PREPRINT

Software

Repository URL
https://github.com/LuizRMSilva1973/Seguranca
Programming language
JavaScript
Development Status
Active