What platforms does REL-ID support?
On the client side, our REL-ID software development kit (SDK) currently supports iOS and Android for mobile apps, and Windows, macOS, and Linux for our REL-ID desktop product. REL-ID web authentication supports the popular browsers (Chrome, Firefox, Edge, and Safari) on Windows and Mac computers. The core of the REL-ID SDK is written in endian-neutral ANSI C, which makes it portable to almost any operating system. Because device fingerprinting and endpoint threat detection depend on platform-specific details, the SDK core is wrapped in a platform-specific binary for each operating system.
On the server side, the REL-ID components are horizontally scalable software appliances that can be deployed on-premises or in your private or public cloud on the major Linux and Windows operating systems.
How does REL-ID integrate with an organization's existing security tools and infrastructure?
REL-ID was built to provide absolute flexibility for choice around security infrastructure. The REL-ID SDK can be integrated with different authentication toolkits (using OpenID Connect) and can support any FIDO-certified biometric authenticator. The REL-ID gateway can also integrate with identity stores like Lightweight Directory Access Protocol (LDAP) and Active Directory for authentication.
How easy is it to develop a REL-ID-secured app?
REL-ID has been built from the ground up with developers in mind. App developers can take the device-aware REL-ID SDK and easily embed it into any mobile or desktop application with a common set of API definitions and functions. The REL-ID server APIs provide easy and simple interfaces to integrate your existing identity management and security backend processes.
What is included in the REL-ID solution?
When you become a REL-ID customer, you get the following components (though not all components must be used; it depends on your use cases and deployment requirements):
- REL-ID SDK: An embeddable client library that enables app developers to implement the security capabilities that REL-ID provides in their own native app.
- REL-ID gateway: Our edge server is a horizontally scalable soft appliance that is deployed within your on-premises or cloud environment. It shields your infrastructure from direct exposure and terminates the authenticated, encrypted channel that the SDK establishes using our REL-ID Mutual Authentication and Key Exchange (RMAK) protocol.
- REL-ID server: This server provides built-in support for policy controls driven by the information the REL-ID SDK gathers on the client. It can integrate with existing authentication services and identity stores, as well as third-party risk engines, to drive authentication policy dynamically. It also hosts the API services of the REL-ID platform, which let enterprises send push notifications and then deliver on-device transaction approval requests to the user over the secure, authenticated channel.
- REL-ID biometrics server: This server supports our best-in-class server-side face biometrics capabilities, which support liveness detection as well as 1:1 biometric matching capabilities that are used in various features of the REL-ID platform.
- REL-ID document verification server: This server supports our industry-leading identity document identification, reading, and verification capabilities that are used in the identity verification features of the REL-ID platform.
How scalable is REL-ID?
REL-ID has been built for performance and speed, designed for consumer and government scale deployments. Our REL-ID gateway has been scaled to support millions of users by large financial institutions over the past decade.
How is REL-ID multifactor authentication different from other MFA solutions?
There are a number of different multifactor authentication (MFA) solutions on the market. You could classify them as either active or passive. Most of the active MFA solutions require downloading a separate standalone app, and all of them still require your clients to remember and enter a password or PIN, adding friction to the customer experience. Passive MFA solutions operate by gathering environmental information and feeding that into a common database (sharing your client information with other subscribers) and using algorithmic techniques that are non-deterministic and operate on a blocklist model.
REL-ID operates entirely within your app using cryptographic techniques tied to your identity model. The result is an authentication experience that is easy and simple, does not require a different app, and is entirely deterministic. That means no more false positives or missed attackers because of device masking. There is also no need to put your client information into a third-party operations center or database, or share sensitive PII with third-party services.
What is REL-ID identity verification?
Businesses today need to be able to verify the real-world identity of their clients with a high degree of assurance, especially during remote interactions. Identity verification (or IDV, also sometimes called identity proofing) is the process of performing such verification of a person’s identity using digital technology, in a way that prevents identity fraud, impersonation attacks, automated bot attacks, and more. Common mechanisms for identity verification use specialized hardware that can scan ID documents, or mobile apps that allow potential clients to verify their identity in a remote setting.
REL-ID identity verification provides software-based solutions that perform remote identity verification without specialized hardware, usually embedded in a mobile app. With REL-ID identity verification, businesses can ask clients to verify their identity using their own mobile phone. Using the business's own mobile app (with the REL-ID SDK embedded in it) or web app (integrated with REL-ID web IDV and authentication), the client takes a photo of their ID document (e.g., driver's license, passport, national ID), which is identified, analyzed for authenticity, and used to supply identity data for origination or onboarding. Face biometrics (through a user-friendly selfie capture) is then used to determine that a live person is present and that this person matches the photo printed on the scanned ID document.
Advanced machine learning, detailed knowledge of ID document designs, and best-in-class biometric liveness detection and face matching make the process quick and intuitive, and far better at preventing identity fraud than a manual check.
What identity documents does REL-ID support?
REL-ID identity verification is the most comprehensive remote identity verification solution on the market, able to fully automate reading and verification of personal data in over 12,000 identity documents, including passports, national ID cards, and driver's licenses, from 247 countries and territories.
What capabilities for identity documents does REL-ID identity verification include?
REL-ID identity verification provides a comprehensive list of capabilities to help streamline and organize an enhanced identity verification process on mobile and web platforms.
- Document capture: Get the ideal image with advanced document capture capabilities that greatly improve the usability and accuracy of ID verification. Features such as advanced image preprocessing techniques, edge detection and autocapture, analysis of lighting conditions, and NFC reading of biometric passports and ID cards deliver better results no matter how IDs are captured: with mobile devices or web cameras.
- Automatic document type detection: REL-ID IDV can greatly enhance the usability of your identity verification flows with its passive document identification capability. By automatically recognizing the type of identity document and country of origin presented in a matter of seconds, REL-ID IDV can eliminate additional steps (and the need for your client to scroll through seemingly endless dropdowns) by providing the country, document type or series ahead of time, and avoid mistakes and user frustration.
- Visual zone reading: REL-ID IDV includes advanced OCR technology that reads all the typed, printed, or embossed data.
- MRZ reading: Find, read, and verify machine-readable zones (MRZs) in various IDs. REL-ID IDV automatically reads the MRZ lines, splits them into their fixed-position fields, and validates the field formats and check digits in accordance with ICAO Doc 9303 (passports and ID cards) and ISO/IEC 18013 (driver's licenses).
- Barcode reading: Find, read, and verify the data encoded in barcodes across the widest possible variety of symbologies used on identity documents (for example, the PDF417 barcode on North American driver's licenses).
- NFC reading and authenticity check: REL-ID IDV ensures the integrity and authenticity of electronic documents (such as e-Passports, e-IDs, and e-DLs) by reading their chip over NFC. REL-ID automatically detects whether a document carries a chip, performs an NFC scan on capable smartphones, and then re-verifies the session server-side, where the chip's data authenticity (the signed data-group hashes defined in ICAO Doc 9303) and chip authenticity (protection against a cloned chip) are checked independently of the phone.
- Accurate data verification: Once document scanning and analysis is complete, REL-ID IDV will automatically cross-validate data extracted from all sources of information on the ID document — visual zone, MRZs, barcodes, and RFID chip.
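The MRZ reading and cross-validation items above describe a well-defined procedure: split the machine-readable zone into its fixed-position fields, recompute each ICAO Doc 9303 check digit (weights 7, 3, 1 cycled over the field, modulo 10), and then compare the MRZ fields with what OCR read from the visual zone. The following Python is an added illustration of that procedure, not REL-ID code; the MRZ lines are the public specimen from ICAO Doc 9303, and the visual-zone dictionary and the `viz` field names are constructed for the example.

```python
"""TD3 (passport) MRZ parsing, ICAO 9303 check-digit verification and
visual-zone cross-validation. Added example; not REL-ID code."""
from dataclasses import dataclass, field

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, cycled left to right


def char_value(c: str) -> int:
    """MRZ character value: filler '<' is 0, digits are themselves, A..Z are 10..35."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(data: str) -> int:
    """Weighted sum modulo 10 over the field, as in ICAO Doc 9303 Part 3."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10


def check_ok(data: str, cd: str) -> bool:
    """A '<' in the check-digit position is only acceptable for an all-filler field."""
    if cd == "<":
        return set(data) == {"<"}
    return cd.isdigit() and check_digit(data) == int(cd)


@dataclass
class TD3:
    document_code: str
    issuing_state: str
    surname: str
    given_names: str
    document_number: str
    nationality: str
    birth_date: str   # YYMMDD exactly as printed in the MRZ
    sex: str
    expiry_date: str  # YYMMDD
    optional_data: str
    checks: dict = field(default_factory=dict)

    @property
    def valid(self) -> bool:
        return all(self.checks.values())


def parse_td3(line1: str, line2: str) -> TD3:
    """Split the two 44-character TD3 lines into fields and verify every check digit."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    # Line 1: document code, issuing state, then SURNAME<<GIVEN<NAMES padded with '<'
    names = line1[5:].split("<<", 1)
    surname = names[0].replace("<", " ").strip()
    given = names[1].replace("<", " ").strip() if len(names) > 1 else ""
    # Line 2: fixed-position fields, each followed by its own check digit
    doc_num, doc_cd = line2[0:9], line2[9]
    dob, dob_cd = line2[13:19], line2[19]
    exp, exp_cd = line2[21:27], line2[27]
    opt, opt_cd = line2[28:42], line2[42]
    # The composite digit (position 44) covers positions 1-10, 14-20 and 22-43
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    checks = {
        "document_number": check_ok(doc_num, doc_cd),
        "birth_date": check_ok(dob, dob_cd),
        "expiry_date": check_ok(exp, exp_cd),
        "optional_data": check_ok(opt, opt_cd),
        "composite": check_ok(composite, line2[43]),
    }
    return TD3(line1[0:2].rstrip("<"), line1[2:5].rstrip("<"), surname, given,
               doc_num.rstrip("<"), line2[10:13], dob, line2[20], exp,
               opt.rstrip("<"), checks)


def _mrz_date(iso_date: str) -> str:
    """Reduce a visual-zone date in YYYY-MM-DD form to the MRZ's YYMMDD form."""
    y, m, d = iso_date.split("-")
    return y[2:] + m + d


def cross_validate(mrz: TD3, viz: dict) -> list:
    """Names of fields where OCR'd visual-zone data disagrees with the MRZ.
    On a genuine document every field agrees; a mismatch flags tampering or a misread."""
    expected = {"surname": mrz.surname, "document_number": mrz.document_number,
                "nationality": mrz.nationality, "birth_date": mrz.birth_date,
                "expiry_date": mrz.expiry_date}
    mismatches = []
    for key, want in expected.items():
        got = viz.get(key)
        if got is not None and key.endswith("_date"):
            got = _mrz_date(got)
        if got is None or got.upper().strip() != want:
            mismatches.append(key)
    return mismatches


# Constructed input: the specimen TD3 MRZ published in ICAO Doc 9303 (Part 4)
LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed visual-zone fields, shaped as an OCR step might return them
VIZ = {"surname": "Eriksson", "document_number": "L898902C3", "nationality": "UTO",
       "birth_date": "1974-08-12", "expiry_date": "2012-04-15"}

if __name__ == "__main__":
    doc = parse_td3(LINE1, LINE2)
    print(doc.valid, cross_validate(doc, VIZ))   # True []
    # Altering one expiry digit breaks both the field and the composite check digit
    forged = parse_td3(LINE1, LINE2[:26] + "6" + LINE2[27:])
    print(forged.checks["expiry_date"], forged.checks["composite"])  # False False
```

The forged case shows why the composite digit matters: an attacker who edits one field and recomputes its own check digit still has to recompute the composite digit, and the cross-validation step then catches the remaining disagreement with the printed visual zone or the chip.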
What capabilities for biometrics does REL-ID support?
The REL-ID security platform is designed to provide not only the most easy-to-use but also the most comprehensive identity verification and strong authentication functionalities to our customers. In order to do this, it supports both on-device as well as server-side biometric capabilities and automatically orchestrates the usage of these as appropriate and needed.
- On-device biometrics: Also known as platform biometrics or local-device authentication (LDA), this is the use of the biometric capabilities built into the mobile or desktop OS: Touch ID or Face ID on iOS, fingerprint or face unlock on Android, Touch ID on macOS, and Windows Hello on Windows. On-device biometrics are bound to the specific device and do not carry over to other devices the customer might use. REL-ID incorporates on-device biometrics as one component of its passwordless, invisible multifactor authentication capability.
- Server-side biometrics: REL-ID includes face biometrics that operate independently of the specific device being used. This relies on REL-ID storing an encrypted biometric template as part of the customer profile, which can be used in high-risk use cases that require additional identity verification capabilities beyond strong authentication.
What are the capabilities of REL-ID server-side biometrics?
REL-ID server-side biometrics include advanced face biometrics capabilities that can be used for 1:1 biometric matching against identity documents or encrypted biometric templates as a means of verifying a person’s real-world identity. REL-ID server-side biometrics feature:
- Highly configurable user experience and security functions.
- Liveness detection: Also known as presentation attack detection (PAD), REL-ID IDV features best-in-class facial image analysis, including liveness and spoof detection. The liveness detection is compliant with ISO/IEC 30107-3 PAD Level 1 as well as the more demanding Level 2 (as tested by iBeta).
- Mobile face capture with passive liveness detection: REL-ID IDV features advanced and user-friendly face capture capabilities that capture and analyze high-quality facial images in real-time for biometric usage. Passive liveness detection ensures a simple, easy-to-use experience for clients without asking them to perform unnatural and unusual actions that increase chances of errors. Real-time analysis of lighting conditions, background, and other environmental conditions with on-screen user guidance increases the quality and success of biometric capture.
- Face authentication: REL-ID IDV features face biometric authentication (1:1 matching) using algorithms evaluated by NIST (in its Face Recognition Vendor Test program) that meet the security and usability requirements of our customers.
- Privacy-preserving biometric templates: REL-ID IDV provides facial template storage where it stores only a biometric template as part of the client user profile, for use in high-risk identity verification scenarios where more than strong authentication is required (or is not possible). The template is stored encrypted. The actual image or selfie of the customer that the template was derived from is never stored.
What is a biometric template, and how secure is it?
Every biometric authentication system performs four major functions: (1) capture, (2) feature extraction, (3) template creation and storage, and (4) matching.
The capture function is how the system acquires the biometric sample itself, such as a fingerprint image or a selfie. A biometric template is not this sample. It is a compact mathematical representation, computed by the biometric algorithm from the features extracted from the sample.
The biometric algorithm is designed so that the template encodes the features in a one-way fashion. Presenting the same biometric trait through a new capture produces a template that is close enough to the stored one for the matcher to score it above the acceptance threshold (matching is a similarity comparison, never an exact equality test), while the template is not intended to be turned back into the original sample. In other words, a fresh selfie can produce a template that matches the stored one, but the stored template is not a selfie. The analogy to a cryptographic hash is loose and should not be taken literally: two captures never produce identical templates, and research on template inversion has shown that unprotected face templates from some algorithms can leak approximate reconstructions. The one-way property is therefore a design property of the algorithm and of how the template is stored, which is why REL-ID keeps templates encrypted rather than relying on irreversibility alone.
As a result, a copied template is not directly reusable the way a stolen password is: the matcher only accepts a freshly captured sample that has passed liveness detection, so an imposter cannot type a template in where a selfie is expected. Furthermore, by not storing the original selfie that the template was derived from, the REL-ID system removes the possibility of a malicious actor stealing the selfie and replaying it against the biometric system (an impersonation attack). Not storing the selfie, and exposing the template only for 1:1 authentication (never 1:N search), also means the REL-ID system cannot be used for tracking purposes, preserving customer privacy.
How long does it typically take to perform identity verification using REL-ID?
While time can vary depending on a multitude of factors — such as document type, lighting and connectivity conditions, the type of identity verification method being performed, the number of checks being performed, etc. — most customers receive responses in a matter of seconds.
What advantage does REL-ID's direct API integration approach have over other methodologies?
When building secure apps that can support digital business, there are a number of considerations that only an embedded SDK approach can address:
- As a business, you want full control of the customer experience with security integrated, something post-development solutions tend to break.
- Direct integration into the app ensures that all data leaving the app process space is encrypted, even before it hits the OS provided transport layer such as TLS or the OS provided storage layer.
- Direct integration allows for techniques that provide for validation of the app itself to ensure it hasn’t been tampered with, is running on a non-jailbroken or rooted device, and is not being impacted by malware.
- Direct API integration combined with static linking of libraries such as the REL-ID API toolkit ensures that the app's security libraries cannot be hooked or replaced at load time (for example, by an injected dynamic library), blocking additional threat vectors.
- If you are distributing your app through the app stores provided by Apple, Google, and the various Android handset providers, you must comply with their publication rules. Those rules and how they tie into the OS platforms require that the security be integrated directly into the application before publication to the app store, and in a way that does not open the app to abuse.
Why is REL-ID's embedded SDK approach better than app wrapping?
App wrapping is a convenient way to add security to an already developed application, but it has its limitations. For one, this type of solution only works for apps that are not distributed through platform app stores (like Apple’s App Store or Google’s Play Store) because of the rules these stores have in place to block the spread of malicious apps. This makes app wrapping problematic for consumer apps. Secondly, app wrapping modifies the app binary in a way that makes app fingerprinting and app modification detection ineffective, removing a critical protection and increasing your attack surface.
More importantly, decoupling security from the app development process means your app developers no longer have visibility into the security layer and its protections. That means they are limited in how they can use that security and find it more difficult to build a user-friendly app that can gracefully handle scenarios that can be addressed with user involvement, a critical factor in consumer-facing apps.
Why is REL-ID's embedded SDK approach better than app infusion/injection?
App injection is the process of introducing external code into or around an existing app, often by replacing libraries the app links against. While it decouples security from app development, it makes apps brittle: injection can make it difficult to keep pace with OS changes (any change to a linked address space at the OS level often requires a change to the injection bridge), and injection techniques typically only work on dynamically linked (i.e., loaded at runtime) libraries that the app uses for OS-layer services.
Like app wrapping, this technique ends up modifying the app binary in a way that makes app fingerprinting and app modification detection ineffective, removing a critical protection and increasing your attack surface.
More importantly, decoupling security from the app development process means your app developers no longer have visibility into the security layer and its protections. This limits their ability to use that security and makes it more difficult to build a user-friendly app that can gracefully handle scenarios that can be addressed with user involvement, a critical factor in consumer-facing apps.
Why is TLS not good enough?
Transport Layer Security (TLS) was designed to provide point-to-point data integrity and confidentiality, and that alone is insufficient for organizations doing business over the internet. Modern reality has forced organizations to adopt authorized adversary-in-the-middle (AITM) services in the form of content delivery networks (CDNs) and value-added networks (VANs), which terminate TLS and see the plaintext; to accept that consumers connect over public, vulnerable, and often malicious Wi-Fi networks; and to watch the trust foundation of TLS erode as DNS hijacking and certificate authority mis-issuance let attackers obtain certificates that browsers and apps accept as valid. All of these realities widen the AITM exposure that TLS already has. As a result, TLS on its own just isn't up to the task anymore.
As your mobile app becomes central to your digital strategy and your security model, you must take channel security into your hands. That means ensuring data is encrypted end-to-end and that the channel is AITM proof, only accepts connections from known endpoints, is mutually authenticated, and is managed from within the app itself. REL-ID’s RMAK protocol gives you all this and more.
Does SSL pinning solve TLS vulnerabilities?
Not entirely. Done correctly, SSL pinning (more precisely, certificate or public-key pinning) can address a number of TLS weaknesses. But doing it correctly at scale is difficult and introduces a great deal of complexity into your DevOps model: every certificate or key rotation must be planned against the pins shipped in apps already installed, backup pins must be maintained, and a mistake locks your own customers out until they update the app. The use of pinning is frequently at odds with your CDN model, introducing rigidity into your environment that clashes with an agile digital strategy. Additionally, pinning isn't a complete answer. It only identifies the server and says nothing about the client. (TLS can authenticate clients with client certificates, but that requires provisioning and managing a certificate on every device, which pinning alone does not give you.) By its nature, pinning is unidirectional, and therefore inadequate in the face of current threat vectors.
REL-ID integrates directly and transparently into your DevOps model, eliminating the operational overhead and complexity that SSL pinning introduces. RMAK is also a mutual and simultaneous security protocol, which addresses some of the more dangerous threat vectors organizations face.
What open standards does REL-ID support?
How does REL-ID fit in with open standards like FIDO and OpenID Connect?
At Uniken, we are standards enthusiasts. That’s why we work diligently to ensure that adding REL-ID to your security infrastructure not only allows continuation down a standards-based authentication path but also helps improve security and usability.
Both FIDO and OpenID Connect rely on TLS to protect the channel over which their messages and tokens travel, so they inherit the weaknesses of TLS described above. Combining REL-ID's AITM-resistant, mutually authenticated secure channel with these standards closes one of the biggest exposures both standards have: dependence on TLS and its structural vulnerabilities.
While OpenID Connect has made it easy to standardize the authentication process, using MFA with OpenID Connect is still challenging. REL-ID makes it easy to simplify the MFA experience in an OpenID Connect flow. It also makes it easier for an OpenID Connect identity provider to leverage transaction verification as a way of ensuring authentication grants are verified.
While FIDO is an excellent solution to eliminate passwords, it does not address all business needs related to making connecting safe, leaving that up to the app developer. As such, it is just one part of the whole security canvas. Using the REL-ID security platform combined with FIDO allows you to get the benefits of standardization (like a whole range of FIDO-compliant authenticators) while also getting the protection you need to reduce your attack surface — protection such as device root/jailbreak/malware detection, device fingerprinting, mutual and simultaneous authentication, and end-to-end data security.