# Component interoperability

Keyless currently consists of three main product components:

<table><thead><tr><th width="284">Component</th><th width="240">Facilitates User Enrollment</th><th>Enables Authentication</th></tr></thead><tbody><tr><td>IDV Bridge (On-Premise or SaaS)</td><td>✅</td><td>❌</td></tr><tr><td>Mobile SDK</td><td>✅</td><td>✅</td></tr><tr><td>Web SDK</td><td>✅</td><td>✅</td></tr></tbody></table>

### **Interoperability between Keyless components**

All these components can now operate in an interconnected manner. A user can complete the enrollment process on any of these components and later authenticate on a different component without needing to re-enroll.

The technology enabling this seamless interoperability is called the **Keyless Client State**.

#### **How Keyless Client State Works**

The Keyless Client State can be generated by any of the components listed above.

* It can then be consumed by either the Web SDK or the Mobile SDK to enable cross-platform authentication. The client state is used to authenticate:
  * On the **Mobile SDK**, where a new client state is then created on the device for that specific UserID, allowing ongoing authentication of that user from that device.
  * On the **Web SDK**, where a new client state is stored on the Keyless server for that specific UserID, allowing ongoing authentication from any browser where the customer chooses to initiate Keyless as a second factor for authentication.

This interoperability opens up various use cases for Keyless authentication.

#### **Possible Scenarios relating to interoperability**

1. **Live Enrollment -> cross-platform authentication**

Users enroll into Keyless by taking a selfie via a Keyless UI deployed by our customers into their own Mobile or Web apps via our SDKs.

* [Enroll users through the Web SDK](https://docs.keyless.io/web-sdk/web-sdk-guide/enrollment) and then activate them in your Mobile app at a later stage to authenticate there without the need to re-enroll.
* [Enroll users on the Mobile SDK](https://docs.keyless.io/consumer/mobile-sdk-guide/enrollment) and authenticate them in your web application (again without any re-enrollment).

2. **IDV Bridge -> cross-platform authentication**

Customers have captured a selfie, typically during KYC/Onboarding flows, and enroll this image into Keyless via:

* **On-Premise** - enroll user selfies via the "Keyless Agent" component installed inside your own infrastructure, and subsequently allow those users to authenticate via your web or mobile app at a later date using client state.
  * This option ensures that the selfies stay within your own infrastructure and therefore the entire process remains 100% privacy-preserving.
* **SaaS** - enroll user selfies via our [Authentication Service API](https://docs.keyless.io/idv-bridge/readme/idv-bridge-saas), whereby the UserID is created instantly and client state can be stored to subsequently authenticate via your web or mobile app.
  * The selfie is sent to a Secure Enclave in Keyless and instantly transformed into a cryptographic key. No biometric data or PII is then stored.

#### **Further technical resources**

1. **Enroll via IDV Bridge On-Premise -> authenticate via Web SDK**

   We have created a [tutorial for integrators](https://docs.keyless.io/idv-bridge/readme/idv-bridge-on-premise/keyless-on-premise-enrollment-greater-than-web-sdk-authentication-tutorial) who want to enroll user selfies captured outside of Keyless using IDV Bridge On-Premise and then allow those same users to authenticate on their web app/SDK.
2. **Enroll via Web SDK or IDV Bridge (On-Premise or SaaS) -> authenticate via Mobile SDK**

   Where customers have enrolled via the Web SDK or IDV Bridge, they must [export the Client State](https://authentication-service.eks.core-production.keyless.technology/redoc#tag/client-state/operation/export_client_state_v1_users__customer___username__export_client_state_post) and then leverage it when the customer attempts to authenticate on a new device via the Mobile SDK. See the [account recovery](https://docs.keyless.io/consumer/mobile-sdk-use-cases/guide-account-recovery) guide for guidance on authenticating users on a new device, thus enabling ongoing authentication.
