Components

Learn about the interaction between Keyless components

The diagrams below show how the Keyless SDK, which runs within your mobile app on the user’s device, interacts with your application server and with the Keyless network.

Enrollment

During enrollment, your mobile app invokes the enroll method from the Keyless SDK, which then:

  1. Guides the user through capturing a biometric signal with the device camera.

  2. Interacts with Keyless to generate a new user identifier (Keyless ID), which is then returned to your mobile app.

Authentication

Authentication involves your application server, your mobile app, and the Keyless network, as depicted in Figure 2:

  1. The process starts when the user performs an action in your mobile app that requires authentication.

  2. The app provides the details of this action to your application server, which generates a challenge. The challenge is sent to the mobile app, which uses the Keyless SDK to compute the corresponding authentication token using the authenticate method.

  3. The Keyless SDK authenticates the user by capturing the user’s biometrics using the mobile device’s camera.

  4. The Keyless SDK connects to the Keyless network, and runs a secure multi-party computation protocol that authenticates the user and generates the authentication token in response to the challenge provided in Step 2. The Keyless SDK returns the authentication token to the mobile app.

  5. The app sends the token to your application server, which verifies it.

  6. If the authentication token is valid, the application server completes the transaction and notifies your mobile app.
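The application-server side of Steps 2, 5 and 6, as an added example that is not Keyless code: it issues a single-use, expiring challenge tied to the action details and rejects replayed, expired or re-targeted responses. Assumptions: all names and the TTL are hypothetical, binding the challenge to a hash of the action is this example's design choice, and `demo_token` is an HMAC stand-in for the SDK and Keyless network because the page does not describe the real token format.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumption: stand-in key for the demo token; real tokens come from Keyless.
DEMO_KEY = secrets.token_bytes(32)
CHALLENGE_TTL = 120  # seconds; constructed value

_pending = {}  # challenge -> expiry timestamp


def action_digest(action):
    """Canonical hash of the action details the app sent in Step 2."""
    blob = json.dumps(action, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def issue_challenge(action, now=None):
    """Step 2: random challenge bound to this exact action, with an expiry."""
    now = time.time() if now is None else now
    challenge = f"{secrets.token_hex(16)}.{action_digest(action)}"
    _pending[challenge] = now + CHALLENGE_TTL
    return challenge


def demo_token(challenge):
    """Stand-in for Steps 3-4 (SDK plus Keyless network); not the real format."""
    return hmac.new(DEMO_KEY, challenge.encode(), hashlib.sha256).hexdigest()


def verify(challenge, token, action, now=None):
    """Steps 5-6: accept only a fresh, unused challenge for the same action."""
    now = time.time() if now is None else now
    expiry = _pending.pop(challenge, None)  # single use: gone after first attempt
    if expiry is None or now > expiry:
        return False
    bound = challenge.split(".", 1)[1]
    if not hmac.compare_digest(bound, action_digest(action)):
        return False  # token was requested for a different action
    return hmac.compare_digest(token, demo_token(challenge))
```

Removing the challenge from the pending set before any other check means a failed attempt also burns it, so the app must request a new challenge to retry.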

Account Deletion

Account deletion is similar to authentication. First, your mobile app performs authentication steps 1-6, then it notifies your application server that the user wants to delete the account. Next, your mobile app invokes the deEnroll method from the Keyless SDK. This method issues a deletion request to the Keyless network (Step 7). The request removes all data associated with the user from the Keyless network.
