ScrambleID Proof: Humans

Passkeys closed the front door. The helpdesk is still wide open. We close both.

Phishing-resistant passkeys are the new floor. They don't stop helpdesk impersonation. They don't fix KBA on the call. They don't help when somebody calls Bob to verify. ScrambleID is one signed identity that holds across every surface a human reaches you through. Web. Voice. Floor. Video. App. No fallback to phish.

The signature

One person signs in across four surfaces. The signing key underneath never changes.

Web, voice, frontline, people. Four different surfaces, four different moments, one person. The same private key signs every one of them, so the signature a verifier checks is identical whether someone taps into a workstation, takes a verified call, authenticates at a shared terminal, or vouches for a stranger in person.

Web

9:41

Voice

9:41

Frontline

Register #12 - ACME POS v3.2
File Edit View Help
⚠ SHARED ACCOUNT

Multiple employees share this terminal. ScrambleID authentication enforced.

STORE_EMPLOYEE[Shared]
7X4K9P
ACCESS GRANTED
SC
Sarah Chen
Session bound to cryptographic identity • Audit trail active
ReadyStore #1247 | Lane 12

People

9:41
Waiting for someone to enter your code

Verify Someone

Tell them this code

or

One signed identity

3f9a08c1 b7e24d56 90fa1c3e 8b2d7e41

Same person. Same key. Same signature.

ONE IDENTITY . ONE SIGNING KEY . EVERY SURFACE A HUMAN ACTS ON

What passkeys leave open

Phishing-resistant primary auth was the easy part. The post-passkey ATO surface is everything else.

Three surfaces passkeys don't reach. The recovery flow on the web surface. The verification stack on the voice surface. The peer-trust call on the people surface. Each one already has commodity attacker tooling against it. None of them gets fixed by adding more passkeys.

THREAT . 01

USERLOSTHELPDESK+ KBAATTACKERRESET

The helpdesk is the new attack surface

Phishing-resistant passkeys closed the front door. The recovery door stays open. When the user loses their device, the recovery flow falls back to the helpdesk. The helpdesk runs knowledge-based authentication against records that have been in breach data for years. The helpdesk resets the credential. Whoever answered the KBA owns the account. Public reporting through 2025 and 2026 has documented the shift: vishing the helpdesk has overtaken phishing the user as the primary account-takeover vector.

THREAT . 02

CALLERCALLKBA + VOICE// breach dataBYPASSDEEPFAKE

KBA and voice biometrics on the call

Knowledge-based authentication asks for records that breach data already contains. Voice biometrics check against a waveform a public-cloud deepfake API can generate in seconds. Both have been documented to fail in the field. The contact center inherits both. Every call where the agent has to verify the caller before acting runs through a stack the attacker has commodity tools against.

THREAT . 03

PEERVIDEODEEPFAKE// real-timeSPOOFEDTRUST

The peer verification you trusted no longer holds

Real-time video deepfakes have crossed the credibility threshold for in-person verification and video calls. A peer confirms a vendor's identity over Zoom and the call itself is the attack. A new hire onboards a contractor by reviewing a government ID over video and the ID was generated for the meeting. The people surface had no technical control for this. Now it does, and it doesn't depend on the verifier's ability to spot the deepfake.

Four surfaces every human reaches you through

One signature primitive. Every surface a human acts on.

Workforce signing into apps. Callers verified before the contact-center agent picks up. Clinicians and associates at shared workstations. One person verifying another in person or across a video call. Four surfaces. Same cryptographic primitive. Same origin-bound signature. Same cross-surface recovery path.

WEB SURFACE

Five modes. One signature. Every device.

Passwordless web auth across One Tap, QR, code, biometric, PIN. Federates into Okta, Entra ID, Auth0. Closes the cross-device sign-in and shared-terminal gaps passkeys alone don't reach.

VOICE SURFACE

Cryptographic caller verification before the agent picks up.

One tap from a registered phone replaces KBA, voice biometrics, and OTP. Deployed across NICE, Twilio, Google CCAI. Defeats vishing and voice-cloning at the call.

FRONTLINE SURFACE

Per-user identity at shared devices. No personal phone.

Overlays your shared-account POS, EHR, and workstation systems without migration. Cleanroom-safe modalities, per-user attribution, PCI 8.4.2 + HIPAA + EPCS compliance by construction.

PEOPLE SURFACE

Verify a stranger in 5 seconds. Cryptographic.

Selective-disclosure peer-to-peer ID for in-person identity verification, callback verification, and deepfake-resistant trust between two people. The technical control for human-to-human social engineering.

ROLLOUT MODELS

Same primitive. Three ways to deploy it.

The four surfaces are how people reach you. The rollout model is how you turn it on. The cryptographic identity underneath never changes as the audience does.

B2B

Vendor and partner staff authenticate into your tenant. Federated trust roots between organizations, no shared secrets crossing the boundary.

D2C

Consumer-facing passwordless. One Tap on mobile, QR on desktop, biometric on workstation, a code path when there's no phone.

Enterprise

Your own workforce on internal IAM. Phishing-resistant primary auth plus signed cross-surface recovery, federated with Okta, Entra ID, and Auth0.

Human auth today

Every method that closed primary auth left recovery wide open. One closes both.

PASSWORDS + MFA

Phishable both ways. Bolt-on second factor. Recovery falls back to KBA.

PUSH + PASSKEYS

Origin binding closes phishing. Recovery is the residual ATO surface.

KBA + VOICE BIOMETRICS

Records sit in breach data. Waveforms a deepfake can generate. The contact-center surface stays open.

Phishing-resistance was the first floor. Cross-surface signed recovery is the second. ScrambleID for humans is the row that delivers both.

Five methods . four leave recovery open . one doesn't

Swipe sideways to compare. ScrambleID is the highlighted row.

MethodPhishing resistanceHelpdesk recovery coveredCross-surface coverageNative MFA-by-designSelective disclosure
Passwords + MFAShared secret plus a bolt-on second factorNoCredentials and OTPs both phishable. Reverse-proxy phishing kits relay both in real time.NoResets fall back to KBA against records already in breach data.NoWeb-surface primitive. Voice and frontline need their own stacks.NoSecond factor bolted on, not designed in. Architecturally separable.NoAll-or-nothing credential model. No per-attribute disclosure.
TOTP / SMS OTPTime-based codes plus SMS-delivered codesNoSMS interception via SIM swap. TOTP phishable via real-time proxy.NoSame KBA-driven recovery path. Resets phone numbers and shared secrets.NoWeb-surface only. No voice, frontline, or people coverage.PartialIs the second factor, but bolted on at the protocol layer.NoSingle shared secret. No attribute granularity.
Push MFAMobile app push notifications for second-factor approvalPartialOrigin not bound. Users approve illegitimate prompts under fatigue.NoRecovery still KBA-driven and helpdesk-mediated.NoWeb and native-app coverage only. No voice, frontline, or people surfaces.PartialPush notification is the second factor, not part of the auth primitive.NoYes-or-no approval. No attribute-level granularity.
Passkeys (alone)Device-bound origin-scoped private keysYesOrigin-bound private key. Replaced password phishing as a primary vector.NoLost device falls back to KBA, voice biometrics, or both. The post-passkey ATO surface.NoWebAuthn plus native app only. Voice, frontline, people surfaces unaddressed.YesDevice biometric plus cryptographic key is two-factor by design.NoFull credential presented. No per-attribute scope on the people surface.
ScrambleID for HumansCross-surface device-bound signed identity primitiveYesOrigin-bound device signature. Same primary-auth strength as passkeys.YesRecovery routes through signed voice and signed people events. Helpdesk never authoritative.YesOne signature primitive across web, voice, frontline, people.YesCryptographic key plus biometric or PIN required at every authentication event.YesPer-attribute disclosure on the people surface. Verifier sees only what's necessary.

Architectural questions

Common questions from IAM and security teams.

How does this integrate with our existing IdP (Okta, Entra ID, Auth0)?

ScrambleID for humans federates with your IdP via OIDC. It doesn't replace it. Your IdP keeps owning the principal model, group membership, and SSO entitlements. ScrambleID adds the cross-surface signature your IdP can't deliver: the same identity primitive that signs the web event signs the voice event, the workstation event, and the recovery event. Existing federation between your IdP and your downstream apps stays in place.

How does this co-exist with passkeys we already deployed?

Passkeys close primary auth on the web surface. ScrambleID extends past that. The primary-auth event can be a passkey if you've already standardized on one. The signature on the recovery event, the voice event, the workstation event, and the peer-verification event is ScrambleID's. Customers running deployed passkeys keep them and add cross-surface coverage on top. New deployments can use ScrambleID end-to-end.

What does cross-surface recovery actually look like?

User loses every web-surface device. Recovery starts: a signed challenge goes to the user's registered phone (voice surface). The user answers, and the contact-center system verifies the signed event before any agent picks up. A second signed challenge goes to a designated peer at the organization (people surface) for in-person or video peer-verification. Two signed events, neither involving the helpdesk and neither falling back to KBA. New device gets enrolled, old keys revoked, account restored. The entire recovery is cryptographic, not narrative.

What does 'native MFA-by-design' mean specifically?

Multi-factor authentication is part of the primitive, not bolted on at the protocol layer. Every signed event is a cryptographic key plus a second factor (biometric, PIN, or hardware token) verified locally on the device. The signature only generates if both factors verify. There's no separate TOTP enrollment, no separate push notification flow, no separate SMS gateway. The MFA is the auth, not a layer above it.

How broad is the surface coverage?

Workforce web auth (passwordless across One Tap, QR, code, biometric, PIN). Voice and contact center (caller verification before the agent picks up, deployed across NICE, Twilio, Google CCAI). Frontline (per-user identity at shared workstations and POS without requiring a personal device). People (peer verification with selective attribute disclosure). Four surfaces. One primitive. Consumer-facing passwordless (One Tap on mobile, QR on desktop, biometric on workstation, a code path with no phone) is that same primitive deployed for D2C, not a separate surface.

What does deployment actually look like?

Pilot: integrate the signing SDK on one surface (typically workforce web), federate against your IdP, sign the first recovery event in days. Production: extend across the surfaces you want covered, federate recovery flows into your helpdesk and contact-center stacks, route the signed event log to your SIEM. Pilot in days. Production in weeks. No PKI re-architecture. No enclave provisioning.

Does this work for B2B, D2C, and consumer-facing customer auth?

Yes. ScrambleID for humans is one primitive across all three. Workforce uses it for internal IAM (web surface plus the recovery, voice, frontline, and people surfaces). B2B uses it for vendor and partner staff authenticating into your tenant (same primitive, federated trust roots between organizations). D2C and consumer-facing customer auth use it as the consumer passwordless layer (One Tap mobile, QR desktop, biometric workstation, no-phone fallback). The primitive doesn't change as the audience does.

What happens if the user loses every device?

The recovery flow runs across the surfaces they still have access to. Cross-surface signed recovery: the user's registered phone is challenged (voice surface) and verified by signed event, not by KBA. A designated peer at the organization is challenged (people surface) and verifies in person or via video with the selective-disclosure peer-verification primitive. Both events sign cryptographically. New device enrolled. Old keys revoked. The helpdesk never has to vouch for an unknown caller.

How does this interact with deepfakes on voice or video?

Voice biometrics fail against deepfakes that public-cloud APIs can produce. Real-time video deepfakes fail visual identity confirmation. ScrambleID doesn't authenticate the waveform or the face; it authenticates the device-bound signed event. The caller's phone signs a cryptographic challenge. The peer's phone signs a verification event. A deepfake of the voice or the face doesn't produce a signature. Deepfake-resistance comes from the cryptographic primitive, not from voice or video forensics.

What's the per-authentication latency budget?

Signing and verification fit inside the existing auth-event latency budget. Local device signing is sub-100ms on modern phones and workstations. Server-side verification is sub-10ms. The full signed event lands in your IdP's existing auth-event timing window without adding visible delay to the user.

Proof of person

These four are one gate, not four logins.

Voice, Web, People, and Frontline are how a real human stays in the loop when agents act: consenting to what's consequential, signing exactly what runs. The rail keeps the proof.

How the rail gates an action

Where to go next

One cryptographic primitive. Across humans, non-humans, and the actions both take.

NON-HUMANS

Per-agent identity. Per-call signature. Zero static secrets.

The other side of the trust chain. Every AI agent, RPA bot, M2M service, and service account gets the same cryptographic primitive humans get.

ACTIONS

Every action signed. Every signer named. The chain is the proof.

Per-action signature, policy-bound cosign, customer-verifiable hash chain. The action-layer accountability that sits on top of human identity.

ARCHITECTURE

How the trust spine fits behind your IdP.

Reference architecture: the cryptographic primitive, the trust roots, the verifier topology, the audit ledger model. End-to-end.

FOR IAM ARCHITECTS

The IAM Architect's view: federation, recovery, audit.

How ScrambleID composes with your existing identity stack: OIDC federation, IdP integration, cross-surface recovery, signed audit trail.

Human access is broken at the accountability layer. We're here to fix it.

Pilot in days. Production in weeks. One identity primitive across every surface every human in your enterprise reaches you through.

Pilot ScrambleID →