Account Recovery
This page explains the options customers have when using Keyless to support an account recovery process, typically where the user loses access to the device with which they enrolled.
Keyless helps organizations securely recover accounts and enroll new devices when users lose access to their originally enrolled device. These flows leverage the Keyless Mobile SDK.
Keyless offers two services that can be used as part of a device/account recovery experience.
Enroll a new device
For customers who have already established trusted alternative second factors such as passwords, SMS One-Time Passwords (OTPs), or email magic links. Keyless' face matching is typically used in combination with the existing factors to enroll the new device.
How it Works
The user downloads the app on a new device, enters their username and authenticates via a first factor (e.g., password, SMS OTP, email magic link).
Customers invoke the Keyless Mobile SDK, retrieve the KeylessID associated with the user together with the client state generated during enrollment, and pass both to the SDK to enable secure account recovery.
This triggers the recovery flow via the Mobile SDK, which captures a selfie and verifies that the originally enrolled user is genuinely present, without revealing or processing the biometric data outside of the user's device.
If successful, the new device is bound to the user’s identity, enabling ongoing authentication for login, step-up, or payment use cases.
Optional: Users can review and delete previously bound devices.
Find out more → Account Recovery (Mobile SDK)
Find out more → Retrieve and delete devices via API
Managing multiple enrolled devices
Customers can use our API to retrieve and delete devices bound to their users' identities. This allows users to have multiple devices, reducing both costs and security risks associated with device loss.
Customers use our GET and DELETE APIs to create a "device management" experience, allowing users to:
View and manage their bound devices
Delete any device listed
Add a new device when needed
Find out more → GET and DELETE user devices
Find out more → Add user device
Keyless Client Devices
Finally, of relevance to the account recovery flow, are the concepts of Keyless Client Devices and Client States, which are a subset of these entities. Keyless Client Devices represent the user profiles that contain the non-PII data needed for a user to authenticate on a new device or channel (Mobile or Web apps).
Within this category, Keyless allows customers to generate a Client State during enrollment, which is the form these device types take before they are activated or bound for ongoing two-factor authentication. Once that binding takes place, a new "SDK" Device is generated. Each of these devices is given a DeviceID and can be one of the following Device Types:
Backup - this is the Client State typically stored by the Keyless customer in preparation for a user to then authenticate on a new camera enabled physical device. Generated either via IDV Bridge or Live Enrollment, and then leveraged during an account recovery flow at a later date
Temporary - identical to the above, but recommended where the customer does not need to store the client state beyond the flow being executed, such as where the enrollment is immediately followed up by the activation or binding process.
SDK - this device type is applied once a user profile has been activated via a mobile or Web app to support ongoing authentication via a Mobile SDK. It contains additional keys and metadata to support both physical-device and facial authentication in a privacy-preserving manner.
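The following is an added example, not Keyless code, modelling the customer-side orchestration of the recovery flow above (first factor, then face match against the stored Backup Client State, then binding of a new SDK device) together with the GET/DELETE device management described earlier. `RecoveryService`, `User`, the `face_match` callable standing in for the Mobile SDK's on-device check, and the `dev-` DeviceID format are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import secrets

class DeviceType(Enum):
    BACKUP = "Backup"        # Client State the customer keeps for a later recovery
    TEMPORARY = "Temporary"  # Client State used only within the current flow
    SDK = "SDK"              # activated device bound for ongoing authentication

@dataclass
class User:
    keyless_id: str
    client_state: Optional[bytes] = None  # stored Backup Client State, if any
    devices: dict = field(default_factory=dict)  # DeviceID -> DeviceType

class RecoveryService:
    """Hypothetical customer-side orchestration; the SDK's on-device face match is injected."""
    def __init__(self, face_match):
        self.face_match = face_match  # callable(client_state, selfie) -> bool; stand-in for the SDK
        self.users = {}

    def enroll(self, username, keyless_id, client_state, keep_backup):
        user = User(keyless_id)
        dev_id = "dev-" + secrets.token_hex(4)  # hypothetical DeviceID format
        if keep_backup:
            user.client_state = client_state
            user.devices[dev_id] = DeviceType.BACKUP
        else:
            user.devices[dev_id] = DeviceType.TEMPORARY  # must be bound before the flow ends
        self.users[username] = user
        return dev_id

    def bind(self, username, selfie, client_state=None):
        """Face-match against a Client State; on success create a bound SDK device."""
        user = self.users[username]
        state = client_state if client_state is not None else user.client_state
        if state is None or not self.face_match(state, selfie):
            raise PermissionError("no usable Client State or face match failed")
        # a Temporary Client State is consumed by the activation that follows enrollment
        user.devices = {d: t for d, t in user.devices.items() if t is not DeviceType.TEMPORARY}
        dev_id = "dev-" + secrets.token_hex(4)
        user.devices[dev_id] = DeviceType.SDK
        return dev_id

    def recover(self, username, first_factor_ok, selfie):
        """Recovery on a new device: first factor first, then face match on the Backup state."""
        if not first_factor_ok:
            raise PermissionError("first factor not verified")
        return self.bind(username, selfie)

    def list_devices(self, username):  # the GET side of device management
        return dict(self.users[username].devices)

    def delete_device(self, username, device_id):  # the DELETE side
        return self.users[username].devices.pop(device_id, None) is not None
```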