Differentiators

UNIFIED DEFENSE IN DEPTH

True defense in depth, a must-have for enterprises in today’s ever-changing and expanding threat environment, remains elusive. It’s expensive, requires implementing and integrating multiple point solutions, is hard to maintain and, perhaps most importantly, it is nearly impossible to verify that it is working correctly without any vulnerabilities at the seams.

By integrating authentication and channel security on the foundation of a mutual and simultaneous cryptographic solution, the REL-ID platform creates a single seamless solution that protects different layers in the stack in a way that cannot be teased apart, making it impossible to break any one of them.

And with no need to integrate multiple products to get those protections, we eliminate one of the biggest sources of an enterprise's vulnerabilities - incompatibilities and mistakes made during the integration process. All for pennies per user.

SECURITY REDESIGNED:

FROM CONNECT-THEN-VERIFY TO VERIFY-THEN-CONNECT

One reason the attack surface for any online business is so large goes back to one of the foundational flaws in our internet architecture. Services online today allow anyone to connect before authenticating who they are and granting access. They may then add behavioral analytics to further strengthen the verification, but this is usually done after the authentication step as well, much like additional authentication factors get added onto the flow after the fact. This Connect-then-Verify model is fundamentally flawed. It is like letting a stranger into your house before you ask them who they are. Attackers exploit this by scanning your APIs and websites for weaknesses to exploit. Recognizing that the security of their channel is incomplete and weak, businesses try to compensate by adding more and more authentication challenges, which upsets users and diminishes the effectiveness and value of your digital strategy. 

REL-ID changes the paradigm, ensuring that all endpoints attempting to access your infrastructure are validated for trustworthiness and authenticated in full context (a known user on a trusted app employing an associated and trustworthy device) prior to being able to access any services. This Verify-then-Connect architecture vastly reduces the attack surface for an organization by hiding business services and network resources from unauthorized or unauthenticated users. Your business APIs can go dark, hidden from everyone except users whose context is fully validated and verified to a high degree of certainty. This model also significantly reduces the impact of DDoS attacks. REL-ID protection overcomes the constraints of traditional tools by creating a dynamic, identity-based security perimeter for each authorized user, greatly simplifying the user experience while simultaneously increasing the security behind the scenes. Or in business speak, a win-win.

A STRONGER MODEL FOR MULTI-FACTOR AUTHENTICATION

Today’s multi-factor authentication relies on the use of absolute identities (username + a known factor like a password) and a set of distinct technologies (second factors like tokens or behavioral heuristics). All a priori authentication knowledge is distinct to the user, but susceptible because of the user or the infrastructure it depends. Also, it often introduces friction into the user experience.

REL-ID transcends reliance on any single authentication technology as the first factor and expands the MFA framework by including mutual resources at the enterprise (i.e. the Split Identity Model). It also issues credentials invisibly to the user, removing human error, the risk of social engineering vulnerabilities, and the need for burdensome hard tokens.

CONSISTENT OMNICHANNEL EXPERIENCE

Customers today have many options when it comes to interacting with businesses - mobile, web, call center, kiosk, and even old-fashioned in-person interactions. Customers like having the flexibility of being able to choose the way they connect with you depending on their needs. They do not like that each channel imposes a different way of verifying that they are indeed your customer. They do not like that it relies on sensitive personal information. They also do not like that, in many cases, they have no way of knowing if they are interacting with the actual website or a genuine employee.

With REL-ID, you can leverage your mobile app and the strong authentication we add to it as a global authenticator across every one of your channels. It doesn’t matter which channel the user comes through, they can authenticate themselves with a simple approval done on a device you trust. This allows you to eliminate passwords and 3rd party authenticators, stop using PII, make interactions faster and more consistent, provide your customers the assurance that they are safe, and increase customer satisfaction.

ELIMINATE 3RD PARTY VULNERABILITIES

The state of technology and IT has evolved rapidly while the architecture of security has not. Parts of that architecture that were once assets have now become liabilities. We’ve seen this play out recently in attacks that went not after the infrastructure of the business, but the 3rd party solutions and services that the security infrastructure relied on. We’ve seen Certificate Authorities issue certificates without doing the necessary level of due diligence be used in successful phishing attacks. DNS providers have been compromised, resulting in businesses losing control of their digital properties that led to credentials being harvested and transactions being altered. And, CDN providers by necessity compromise the end-to-end integrity of TLS, which can have disastrous consequences.

By introducing a 1:1 cryptographic trust element that is fully under the control of the business, REL-ID can block these kinds of attacks on 3rd party infrastructure from successfully compromising the business. The RMAK protocol does not depend on certificates for its trust model, and because the key is split between the client (user device) and the server, it isn’t possible to compromise the connections by attacking any one side. With REL-ID's defense in depth approach baked into the security model, there is no way for attackers to bypass the protections it provides by attacking those 3rd parties.

PRIVACY PRESERVING

Businesses are increasingly concerned about protecting the privacy of their customers, and the regulatory burden it puts on them. This is especially "top of mind" in the wake of newer regulations like GDPR, and continues to be an issue for businesses subject to PCI and HIPAA. REL-ID can help businesses dramatically improve their privacy posture for very little investment.

First, using REL-IDverify in the call center and for new device onboarding allows the business to eliminate the use of PII for authentication. This removes the business reliance on untrustworthy personal information, takes personal data out of the hands of call center operators, and removes the need for businesses to hold onto personal information they don’t need. You can now tell your customers that you will never again ask them for sensitive personal information when they are connecting with someone at your company.

Second, REL-ID's multi-factor authentication does not rely on the business having to share personal and behavioral information about their customers with a 3rd party threat network, eliminating concerns about tracking and inadvertent data leaks. It also future-proofs the organization against any potential disruption to the business when regulations block this kind of data sharing or add a significant compliance burden to its usage.

Third, using REL-IDs man-in-the-middle proof encrypted tunnel for all data exchanged between your app and your backend services protects the privacy of any sensitive information you will exchange with your customers. And the REL-IDSDK's data privacy APIs further protect data on the device by encrypting local data, only making it available after the user fully authenticates using our strong but friction-free multi-factor mechanism.

Finally, with REL-IDverify, you can get full, contextually rich transaction verification from your users without ever having to send any sensitive information over SMS or Google and Apple’s push notification networks. This solves one of the major constraints on doing full out-of-band transaction verifications today, as all data that needs to be presented to the user so that they can make an informed (and in the case of regulated transactions, fully compliant) decision is protected by the secure channel and only visible after the user has authenticated with a high level of assurance.