GhostPIN — The Invisible Handshake
Inspiration
Every online payment starts with trust — but that trust is one-sided.
Face ID, OTPs, and YubiKeys prove who is paying… but not where they’re paying. So we asked: What if authentication worked both ways — like a handshake?
A handshake where both you and the merchant page prove authenticity before a single cent moves.
That idea became GhostPIN.
What It Does
GhostPIN replaces static PINs and one-way MFA with a two-way cryptographic handshake between the user, merchant, and payment gateway.
When a user clicks “Pay”:
- The GhostPIN SDK generates a one-time Visual Nonce — a cryptographic watermark invisibly embedded into the checkout button (via sub-pixel HTML Canvas pattern).
- The user’s device signs {visualNonce + paymentIntentHash} using biometrics, hardware keys, or device proofs.
- That signature is verified by the payment gateway — confirming that the transaction came from a legitimate, untampered merchant page.
The Result?
No PINs to steal.
No fake pages to trick you.
Just a silent, mutual cryptographic handshake that guarantees both sides are real.
How We Built It
We built GhostPIN as a drop-in JavaScript SDK that fuses biometrics, browser cryptography, and web rendering into a single verification layer.
- Visual Nonce Generator: Computes a domain-bound SHA-256 hash, renders it as a sub-pixel pattern via HTML Canvas, and binds it to the current merchant ID.
- Adaptive MFA Engine: Invokes WebAuthn, Face ID, hardware keys, or OTP depending on device capabilities.
- Verification Layer: The backend validates the signed payload, cross-checks the merchant signature, and forwards proof to Visa/Stripe for gateway attestation.
- Dashboard + Demo Pages: Two nearly identical checkout pages — one real, one cloned — to visualize the difference between genuine and spoofed handshakes.
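One way the Visual Nonce Generator's sub-pixel pattern could be laid out, as an added example that is not GhostPIN's code: the 256-bit hash is written into the least-significant bit of the blue channel of the button's pixels and read back the same way. The page only says "sub-pixel HTML Canvas pattern", so this layout (blue-channel LSB, one bit per pixel, row-major from the top-left) is an assumption, and the button image is a constructed stand-in. The functions take an ImageData-like object so they run in Node without a canvas; in a browser they accept `ctx.getImageData(...)` directly.

```javascript
// Added example (not GhostPIN's code): carry a 256-bit nonce hash in the blue-channel LSB
// of a checkout button's pixels. The layout is an assumption; the page does not specify one.
// Operates on an ImageData-like object ({width, height, data: Uint8ClampedArray}) so it
// runs in Node; in a browser, pass ctx.getImageData(...) directly.

function hexToBits(hex) {
  const bits = [];
  for (const ch of hex) {
    const v = parseInt(ch, 16);
    for (let i = 3; i >= 0; i--) bits.push((v >> i) & 1);
  }
  return bits;
}

function bitsToHex(bits) {
  let hex = "";
  for (let i = 0; i < bits.length; i += 4)
    hex += ((bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]).toString(16);
  return hex;
}

// Write one bit per pixel into the blue channel's LSB (a +/-1 change out of 255 is invisible).
function embedNonce(imageData, nonceHex) {
  const bits = hexToBits(nonceHex);
  if (bits.length > imageData.width * imageData.height) throw new Error("button too small for nonce");
  bits.forEach((bit, i) => {
    const blue = i * 4 + 2; // RGBA layout: R, G, B, A per pixel
    imageData.data[blue] = (imageData.data[blue] & 0xfe) | bit;
  });
  return imageData;
}

// Read the bits back in the same order and rebuild the hex string.
function extractNonce(imageData, nonceBits = 256) {
  const bits = [];
  for (let i = 0; i < nonceBits; i++) bits.push(imageData.data[i * 4 + 2] & 1);
  return bitsToHex(bits);
}

// Constructed stand-in for a 32x16 button filled with a flat brand colour.
function makeButtonImage(width = 32, height = 16, rgb = [0x1a, 0x73, 0xe8]) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let p = 0; p < width * height; p++) data.set([...rgb, 255], p * 4);
  return { width, height, data };
}

// Largest per-channel change the embedding introduced, to confirm it stays sub-perceptual.
function maxPixelDelta(a, b) {
  let max = 0;
  for (let i = 0; i < a.data.length; i++) max = Math.max(max, Math.abs(a.data[i] - b.data[i]));
  return max;
}

// Embed a constructed hash (SHA-256 of the empty string) and recover it from the pixels.
function runDemo() {
  const nonceHex = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
  const original = makeButtonImage();
  const marked = embedNonce(makeButtonImage(), nonceHex);
  return { nonceHex, recovered: extractNonce(marked), maxDelta: maxPixelDelta(original, marked) };
}
```

Two caveats follow from the design. First, the pattern is a transport, not the proof: a clone that copies the rendered pixels copies the pattern with them, so the merchant-page check only holds when the verifier recomputes the domain binding against the origin the device actually signed. Second, LSB encoding survives only lossless paths; any resampling of the canvas (device-pixel-ratio scaling, screenshots re-encoded as JPEG) destroys the bits, so the SDK has to read the pattern from the canvas it drew, not from a captured image.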
Challenges We Ran Into
This project was much harder than we expected.
- Making the authenticator demoable meant fighting with WebAuthn and CORS a lot.
- Building two “identical” yet cryptographically distinct webpages tested our precision; no Agentic AI could do it, so we traced every pixel manually.
- Coordinating the SDK, visual nonce, and backend validator required tight synchronization across asynchronous layers.
There were moments when the handshake just refused to resolve, so we had to debug.
Accomplishments We’re Proud Of
- Built a fully functional proof-of-origin system that validates merchant authenticity before checkout. That's pretty awesome.
- Integrated biometric MFA directly into the web flow using WebAuthn and hardware keys.
- Achieved real-time verification with low latency (<200ms last time we tried) end-to-end.
- Deployed two live environments (real vs. clone) to demo phishing detection in action.
But most of all, we’re proud we made it work. It took several Red Bulls and a lot of hours.
What We Learned
Hackathons teach you that innovation isn’t just building — it’s also a lot of teamwork.
We started with completely different ideas and somehow met in the middle on GhostPIN.
Technically, we learned:
- How multi-factor authentication actually operates under the hood.
- How to embed cryptographic signatures into front-end UX.
- And that real security doesn’t have to feel like friction — it can feel invisible.
Collaboratively, we learned how to sync multiple threads into one coherent handshake.
What’s Next for GhostPIN
GhostPIN is ready for its next evolution:
- Merchant SDKs: React, Shopify, and Next.js plug-ins for instant adoption.
- Gateway Integration: APIs for Visa, Stripe, and Plaid to verify GhostPIN proofs natively.
- Merchant Dashboard: Real-time proof logs, replay protection, and origin integrity analytics.
Our long-term vision is to make GhostPIN the new trust layer of online commerce, where every payment carries proof that both sides are genuine.
Because in the digital world, trust shouldn’t be assumed.
It should be proven.