Component interoperability
This page outlines how customers can use client state to let users authenticate on different platforms (web/mobile), regardless of which component they initially enrolled from.
Keyless currently consists of three main product components:
IDV Bridge (On-Premise or SaaS) | ✅ | ❌
Mobile SDK | ✅ | ✅
Web SDK | ✅ | ✅
Interoperability between Keyless components
All these components can now operate in an interconnected manner. A user can complete the enrollment process on any of these components and later authenticate on a different component without needing to re-enroll.
The technology enabling this seamless interoperability is called the Keyless Client State.
How Keyless Client State Works
The Keyless Client State can be generated by any of the components listed above.
It can then be consumed by either the Web SDK or Mobile SDK to enable cross-platform authentication. Client state is then used to authenticate:
On Mobile SDK, where a new client state will then be created on this device for this specific UserID, to allow ongoing authentication of that user from that device.
On Web SDK, where a new client state will be stored on the Keyless server for this specific UserID, to allow ongoing authentication from any browser where the customer chooses to initiate Keyless as a 2nd factor for authentication.
This interoperability opens up various use cases for Keyless authentication.
Possible Scenarios relating to interoperability
Live Enrollment -> cross-platform authentication
Users enroll into Keyless by taking a selfie via a Keyless UI deployed by our customers into their own Mobile or Web apps via our SDKs.
Enroll users through the Web SDK and then activate them in your Mobile app at a later stage to authenticate there without the need to re-enroll.
Enroll users on the Mobile SDK and authenticate them in your web application (again without any re-enrollment).
IDV Bridge -> cross-platform authentication
Customers have captured a selfie, typically during KYC/Onboarding flows, and enroll this image into Keyless via:
On-Premise - enroll user selfies via the "Keyless Agent" component installed inside your own infrastructure, and subsequently allow those users to authenticate via your web or mobile app at a later date using client state.
This option ensures that the selfies stay within your own infrastructure and therefore the entire process remains 100% privacy preserving.
SaaS - enroll user selfies via our authentication service API, whereby the UserID is created instantly and client state can be stored to subsequently authenticate via your web or mobile app.
The selfie is sent to a Secure Enclave in Keyless and instantly transformed into a cryptographic key. No biometric data or PII is then stored.
Further technical resources
IDV Bridge On-Premise -> Web SDK
We have created a tutorial for integrators who want to enroll user selfies captured outside of Keyless using the Keyless Agent and then allow those same users to authenticate on their web app/SDK.
IDV Bridge On-Premise -> Mobile SDK authenticate
Customers using the Keyless Agent to enroll user selfies will need to export the Client State, and then use the account recovery APIs to enroll the new device and authenticate the user on that device on an ongoing basis.
Web SDK / IDV Bridge SaaS <-> Mobile SDK
For Mobile SDK and Web SDK interoperability, the same principles described for IDV Bridge On-Premise still apply. In this case, however, the client state will be generated either by the Mobile SDK using the account recovery APIs, or by the Web SDK / IDV Bridge SaaS, and the same account recovery APIs will be required in order to enroll and authenticate a user via the Mobile SDK.