Credential Harvesting (or Account Harvesting) is the use of MITM attacks, DNS poisoning, phishing, and other vectors to amass large numbers of credentials (username / password combinations) for reuse. Attackers combine these tools to aggregate vast quantities of credentials and make them available for sale on the dark web and through other clandestine channels.
Organizations face increasingly sophisticated and constantly evolving attacks from adversaries who purchase these massive databases of stolen credentials and use them to exploit weaknesses in authentication and API security. The unfortunate tendency of most users to reuse credentials across multiple online relationships compounds the problem and leaves you vulnerable even if neither your site nor your users' credentials for it have been compromised per se. An attacker can replay your customers' credentials harvested from other sites against you (a technique known as credential stuffing) on the reasonable chance that the same credentials will also grant access to your applications.
The exposure from credential harvesting is multi-faceted: attackers have a broad array of methods for using harvested credentials against you, through both the mobile channel and the browser channel.
By most reports, somewhere between 5 billion and 7 billion credentials are already known to have been compromised. Coupled with the common user behavior of reusing credentials across multiple services, there is an excellent chance that the passwords some of your customers use for your site have already been compromised elsewhere and are waiting to be tried against you.
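The practical check that follows from this is to test a customer's password against the known-compromised corpus at the moment it is set, without ever sending the password off your systems. The script below is an added example for this page (not REL-ID's code) showing the k-anonymity range lookup used by the Pwned Passwords API: only the first five hex characters of the password's SHA-1 leave the host, and the match is made locally against the returned suffixes. `SAMPLE_RANGE` is a constructed response body with made-up counts so the example runs offline; `fetch_range` is the live lookup for real use.

```python
"""Check a password against a breach corpus without sending it anywhere.

Uses the Pwned Passwords k-anonymity range API: the client sends only the
first five hex characters of the password's SHA-1 and receives every
suffix in that range with its breach count.  Added example for this
page, not REL-ID's code.  SAMPLE_RANGE is a constructed response body.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for the prefix 5BAA6 (SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).  Real responses hold several
# hundred lines; the counts here are made up.  A count of 0 is a padding
# row the service adds when asked, and is ignored.
SAMPLE_RANGE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0B6C5B4AB0AF1E3C0D4E4B5C6D7E8F9A0:0
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; padding rows
    (count 0) and malformed lines are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue
        try:
            n = int(count)
        except ValueError:
            continue
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network).  Add-Padding asks the service to pad
    the response so its size does not reveal which range was queried."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not seen).
    `fetch` is injectable so the check can run against a cached or
    constructed range body."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch=fetch_range, threshold: int = 1) -> bool:
    """Policy hook for a password-set endpoint: reject anything seen at
    least `threshold` times.  Fail closed by letting lookup errors raise."""
    return breach_count(password, fetch) < threshold


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE  # constructed data, no network
    for pw in ("password", "jH8!qpL2#zRv"):
        print(pw, "seen", breach_count(pw, fetch=offline), "times;",
              "acceptable" if password_acceptable(pw, fetch=offline) else "rejected")
```

Two design points worth keeping in a production version: run the check when the password is set or changed, not at every login, so a lookup outage cannot lock users out; and treat a failed lookup as "cannot verify" rather than "not breached".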
REL-ID's strong, passwordless authentication removes passwords from the login flow altogether, rendering harvested credentials completely ineffective against you and your services. You get strong authentication with no exposure to credentials that have been compromised elsewhere.
Attackers can't go after what they can't see. REL-ID cloaks your services and APIs so that they are not even visible, much less accessible, to illegitimate users: they are reachable only by trusted users running your untampered app on a trusted and trustworthy device. Your service never sees a request from a source that doesn't meet those criteria. This goes beyond helping to thwart attacks; it helps prevent them in the first place.
REL-ID uses a multi-layered approach to stop your customers' mobile devices from being used as an attack vector against your sites and applications. An attacker would have to compromise all three layers to even be able to attempt a connection with you:
All of these mechanisms funnel attackers toward the browser channel as the place to use their library of harvested credentials, and REL-ID protects you there as well. Even if the attacker holds a customer's legitimate credential that could otherwise compromise that customer's account with you, REL-ID adds another layer of security: it uses the secure channel to your app on the legitimate customer's mobile device to tell them that a web login is being attempted and asks them to confirm it. If the customer doesn't confirm, the attacker's replay of the legitimate credential fails, and the attacker never learns that the credential was valid in the first place.
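To make the flow above concrete, here is an added example (illustrative code written for this page, not REL-ID's protocol or implementation) of an out-of-band login confirmation: a password submitted over the browser channel only creates a pending login, the server pushes a challenge to the enrolled device, and the login is settled solely by a signed approve or deny from that device. The `LoginBroker` class, the HMAC device secret standing in for whatever key the real app holds, the 60-second `APPROVAL_TTL`, and the in-memory `pushes` list simulating push delivery are all assumptions of the example. Two details carry the property the paragraph claims: the browser response is the same opaque pending id whether or not the password was right, so a credential-stuffing attacker cannot tell a hit from a miss, and the approval tag binds the login id, nonce and verdict, so a captured approval cannot be replayed or flipped.

```python
"""Out-of-band login confirmation for the browser channel.

A password submitted on the web never completes a login by itself: the
server pushes a challenge to the account's enrolled mobile device and
waits for a signed approve/deny over that second channel.  Illustrative
design written for this page, not REL-ID's protocol; the HMAC device
secret stands in for whatever key the real app holds.
"""
import hashlib
import hmac
import secrets
import time

APPROVAL_TTL = 60           # seconds a pending web login waits for the device
_DUMMY_SALT = b"\x00" * 16  # so unknown users cost the same work as known ones


def approval_tag(device_secret: bytes, login_id: str, nonce: str, verdict: str) -> str:
    """MAC the app computes after the user taps Approve or Deny.  Binding
    login_id, nonce and verdict means a captured 'approve' cannot be
    replayed for another login or turned into a 'deny'."""
    msg = f"{login_id}|{nonce}|{verdict}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


class LoginBroker:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so expiry can be tested offline
        self.users = {}      # username -> (salt, pbkdf2 hash)
        self.devices = {}    # username -> device secret fixed at enrollment
        self.pending = {}    # login_id -> record
        self.pushes = []     # challenges delivered to devices (simulated push)

    @staticmethod
    def _hash_pw(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str, device_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash_pw(password, salt))
        self.devices[username] = device_secret

    # --- browser channel -------------------------------------------------
    def web_login(self, username: str, password: str) -> str:
        """Always returns an opaque login_id, so the browser response does
        not reveal whether the password was right.  Only a correct password
        causes a challenge to be pushed to the enrolled device."""
        login_id = secrets.token_hex(8)
        rec = {"user": username, "nonce": None,
               "expires": self.clock() + APPROVAL_TTL, "state": "pending"}
        self.pending[login_id] = rec
        salt, pw_hash = self.users.get(username, (_DUMMY_SALT, b""))
        if hmac.compare_digest(pw_hash, self._hash_pw(password, salt)):
            rec["nonce"] = secrets.token_hex(16)
            self.pushes.append({"login_id": login_id, "nonce": rec["nonce"],
                                "user": username})
        return login_id

    def status(self, login_id: str) -> str:
        """'pending', 'approved', 'denied', 'expired' or 'unknown'."""
        rec = self.pending.get(login_id)
        if rec is None:
            return "unknown"
        if rec["state"] == "pending" and self.clock() > rec["expires"]:
            rec["state"] = "expired"
        return rec["state"]

    # --- mobile channel --------------------------------------------------
    def device_response(self, login_id: str, verdict: str, tag: str) -> bool:
        """Accept a signed verdict from the enrolled device.  Returns False
        for unknown, expired or already-settled logins, for logins that
        never had a challenge (wrong password), and for bad tags."""
        if verdict not in ("approve", "deny") or self.status(login_id) != "pending":
            return False
        rec = self.pending[login_id]
        if rec["nonce"] is None:          # password was wrong: nothing to approve
            return False
        expected = approval_tag(self.devices[rec["user"]], login_id, rec["nonce"], verdict)
        if not hmac.compare_digest(expected, tag):
            return False
        rec["state"] = "approved" if verdict == "approve" else "denied"
        return True


if __name__ == "__main__":
    broker = LoginBroker()
    secret = secrets.token_bytes(32)
    broker.register("alice", "correct horse battery staple", secret)
    # An attacker replays Alice's harvested password from the browser channel.
    lid = broker.web_login("alice", "correct horse battery staple")
    print("after web login:", broker.status(lid))          # pending, not logged in
    # Alice sees the push on her phone and taps Deny.
    ch = broker.pushes[-1]
    broker.device_response(lid, "deny", approval_tag(secret, lid, ch["nonce"], "deny"))
    print("after device verdict:", broker.status(lid))     # denied
```

When a pending login expires or is denied, the browser-side session should be discarded without distinguishing the two outcomes; the only party who ever learns that the password was right is the account holder, through the push on their own device.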