Overview
Problem
What I Built
Technical Approach
What I Learned

Adaptive MFA with Cryptographic Transaction Verification

C2Pay

Role

Product Designer
Developer

Timeline

36 hours
October 2024

Stack

React Native ยท Expo
Stripe API ยท C2PA

Recognition

Finance Track Winner

๐Ÿ† HackHarvard 2024
Overview

People lie. Cryptography doesn't.

C2Pay is an adaptive MFA SDK my team built in 36 hours at HackHarvard. It scores payments in real time using device signals, motion patterns, and biometrics. It only asks for extra verification when something actually looks off. Clean sessions see nothing; suspicious ones hit a biometric check and get a cryptographically signed receipt.

36h
Built end-to-end at HackHarvard
548
Bits of combined security
2332
Operations to break the system
The Problem

Static auth treats every payment the same. That's the problem.

Most MFA is all-or-nothing: add friction everywhere, or nowhere. Low-risk purchases get the same hoops as fraud attempts. It's not a security strategy, it's just annoyance at scale.

"If a transaction looks exactly like you from your usual device at your usual time, why are we making you prove it twice?"

C2PA receipt

A C2PA-signed transaction manifest, machine-verifiable proof of device, user, and timestamp

What I Built

An SDK that scores the risk, then decides how much auth is needed

It sits between the checkout UI and the payment processor. Signals go in, a risk score comes out, and the SDK decides whether to pass the transaction through or escalate. All through a single C2Pay.verify() call.

Adaptive Risk Scoring

Location, motion, and tap cadence feed a real-time score. Auth only kicks in past a configurable threshold.

Biometric + Behavioral MFA

Face ID adds 20 bits; behavioral patterns add 64 more. Harder to spoof than a static password.

TEE-Backed Keys

Keys live in the Trusted Execution Environment, isolated from the OS. Signing never leaves the secure enclave.

C2PA Receipts

Every payment generates a signed manifest: device, user, timestamp. Anyone with the public key can verify it.

Demo: low-risk purchase passes through; high-risk purchase triggers biometric verification and generates a C2PA receipt

Risk Scoring Dashboard

Real-time risk scoring dashboard

Verification Success State

Verification success state with C2PA receipt

Technical Approach

The decisions that actually mattered

Why C2PA? It was designed for media provenance, not payments. But a C2PA manifest is just a JSON-LD document signed with an asymmetric key. We repurposed it for transactions: same format, same verifiability, completely different context.

Why Ed25519? Fast signing on mobile. Under 1ms, tiny keys, 128-bit equivalent security. RSA-2048 would have been slower and overkill for the demo.

The pivot: We started with AI image detection. Four hours in we realised the core primitive, cryptographic attestation, was more directly useful for payments. Narrower scope, cleaner demo, won the track.

System Architecture

System architecture: signal collection โ†’ risk score โ†’ conditional escalation โ†’ C2PA manifest generation

Security bit breakdown

We checked that stacking factors actually added independent entropy, not just redundancy:

20
bits / Face ID
(1-in-1M FAR)
64
bits / Behavioral
patterns
80
bits / TEE device
attestation
128
bits / Ed25519
signature
256
bits / SHA-256
hash

Combined: 548 bits total, effective attack complexity of 2332 operations (more than atoms in the observable universe)

What I Learned

What I took away from 36 hours of cryptography

Cut scope, not corners. The pivot made the submission better, not worse. We could explain exactly what it did and why the math held. I've seen a lot of hackathon projects die from trying to demo everything.

Standards are free engineering. C2PA saved us hours. We didn't design a manifest format. We just used the one Adobe, Microsoft, and Google already agreed on. In a hackathon, building on established protocols is the move.

Auth is a spectrum. Not every action needs the same friction. Since C2Pay, I think about security UX in tiers: what's the action, what's the risk, what's proportionate?

C2Pay HackHarvard Finance Track Winner

Winning the HackHarvard 2024 Finance Track