Knowledge Base
ScrambleID provides cryptographic authentication for humans and the agents they deploy. No shared secrets. No probability-based detection. Just proof.
A canonical guide to omnichannel authentication: why attackers route around single-channel MFA, how ScrambleID closes every surface gap (web, voice, people, frontline, agent, machine, bot, workload) with one proof rail, and how to roll it out and measure it.
Start here
How to build and deploy phishing-resistant web authentication: origin-bound WebAuthn/passkeys, session-bound QR(DID) flows, SAML/OIDC federation, and operational pitfalls (AiTM, session theft, quishing).
How ScrambleID Voice replaces knowledge-based authentication (KBA) on the phone with a cryptographic, app-confirmed flow using short-lived Dynamic Identifiers (DIDs), plus scripts, metrics, and integration guidance.
How one of the three major US credit bureaus deployed ScrambleID across five surfaces (voice, web, agent, people, frontline): the two-week deployment pattern, 90%+ fewer password reset tickets, and 34% faster caller verification.
How ScrambleID People works: verifier-initiated Trust Checks, consent-based sharing, Work/Personal/Minimal/Anonymous profiles, requirement pills, and a replay-resistant Unified ID Card renderer.
A canonical guide to authenticating AI agents and bots: non-human identity, least-privilege tokens, PoP (mTLS/DPoP), human-in-the-loop step-up (XFactor/Lockstep), and auditability that survives incident response.
A canonical definition of Dynamic Identifiers (DIDs) and QR Identifiers (QIDs): security properties, lifecycle, how they differ from OTPs, and how they bind user intent to the correct session across channels.
A canonical guide to omnichannel authentication: why attackers route around single-channel MFA, how ScrambleID closes every surface gap (web, voice, people, frontline, agent, machine, bot, workload) with one proof rail, and how to roll it out and measure it.
Passwordless authentication and multi-factor authentication (MFA) are different concepts that are often conflated. Learn how they overlap, where they diverge, and what 'phishing-resistant passwordless MFA' actually means.
A technical architecture overview of ScrambleID: shared identifiers (SUID/ZID), dynamic identifiers (DID/QID), session/origin binding, certificate/JWKS distribution, telemetry, and how all eight surfaces reuse the same rails.
Passwordless authentication eliminates reusable passwords in favor of cryptographic credentials, biometrics, and device-bound proofs. Learn the methods, standards, and enterprise deployment patterns that matter for CISOs and CTOs.
How to build and deploy phishing-resistant web authentication: origin-bound WebAuthn/passkeys, session-bound QR(DID) flows, SAML/OIDC federation, and operational pitfalls (AiTM, session theft, quishing).
A practical, implementation-grade guide to federate apps to ScrambleID via SAML 2.0 or OIDC (Auth Code + PKCE): exact config inputs, claim mapping, secure token validation, and QR(DID)/WebAuthn login states.
How ScrambleID Voice replaces knowledge-based authentication (KBA) on the phone with a cryptographic, app-confirmed flow using short-lived Dynamic Identifiers (DIDs), plus scripts, metrics, and integration guidance.
A head-to-head comparison of contact center authentication methods, knowledge-based authentication, voice biometrics, OTP/MFA, and device-bound cryptographic proof, scored on security, UX, cost, and compliance.
Step-by-step guidance for IVR engineers: endpoints, wait-loop design, intercept redirects, localization, idempotency, observability, and safe failure handling.
A detailed playbook to eliminate KBA for account recovery and high-risk call flows: threat model, migration steps, scripts, metrics, and how to avoid common fallback traps.
A forward-looking spec for ScrambleID's Context Picker: which device/environment/user-history signals to capture (with minimal permissions), how to preserve privacy, and how to use signals to suggest QR vs code vs link flows.
How ScrambleID People works: verifier-initiated Trust Checks, consent-based sharing, Work/Personal/Minimal/Anonymous profiles, requirement pills, and a replay-resistant Unified ID Card renderer.
How finance, treasury, and accounts payable teams use person-to-person cryptographic verification to defeat the executive-impersonation, vendor-impersonation, and authorized push payment (APP) fraud patterns that have driven nine- and ten-figure losses across enterprises in 2023-2024.
How corporate security, branch banking, healthcare facilities, and high-security sites use person-to-person cryptographic verification to confirm contractor, vendor, visitor, and counterparty identity in person, without depending on physical badges that can be forged or phone trees that can be social-engineered.
A detailed build + rollout guide for ScrambleID People: initiation modes (QR/code/link), consent UX, profile compliance (Work/Minimal/Anonymous), attribute provenance, default TTLs, APIs, and enterprise policies.
Help-desk impersonation has driven some of the largest breaches of the past three years (MGM, Caesars). Knowledge-based questions and callback-to-known-good no longer hold under AI-driven social engineering. This playbook covers how to use person-to-person cryptographic verification to lock down credential resets, MFA re-enrollment, device adds, and privileged access requests across the help desk.
A canonical guide to ScrambleID's Unified ID Card model: the attribute catalog, provenance rules (verified ✓ vs self-asserted •), rendering contexts, and how picker/guardrails prevent oversharing and replayable proofs.
How ScrambleID's ID Card Picker enforces verifier requirements (Work/Minimal/Anonymous), preserves presenter consent, and reduces friction using Accept/Reject and Filtered Picker states.
A canonical guide to authenticating AI agents and bots: non-human identity, least-privilege tokens, PoP (mTLS/DPoP), human-in-the-loop step-up (XFactor/Lockstep), and auditability that survives incident response.
A concrete operating model for AI agents: how to mint scoped tool tokens, bind them to agent identity, require step-up/dual control for irreversible actions, and instrument audit trails that stand up in incident response.
OAuth 2.0 supports several methods for authenticating a client to the authorization server. This guide compares client_secret_basic and client_secret_post (the original shared-secret methods) against private_key_jwt (RFC 7523 JWT client assertion) and tls_client_auth (RFC 8705 mTLS), with practical guidance on when each is appropriate and why production deployments are converging on the cryptographic methods.
A practical side-by-side comparison of cloud-native workload identity mechanisms (AWS IAM Roles for Service Accounts, GCP Workload Identity Federation, Azure Managed Identity, SPIFFE/SPIRE) for platform engineers and architects choosing the right pattern for service-to-service authentication without static secrets.
A discovery playbook for shadow AI agents: where unregistered agents hide (OAuth grants, service accounts, SaaS-embedded agents, MCP servers), the verified numbers on what shadow AI costs, and why per-agent identity is the durable fix.
How to eliminate long-lived cloud credentials from GitHub Actions workflows using OIDC federation. Covers the configuration for AWS (IAM with web-identity federation), GCP (Workload Identity Federation), and Azure (federated credentials), plus security pitfalls (subject-claim conditions, branch and environment scoping, attack patterns).
How to eliminate OAuth client secrets for service-to-service auth using JWT client assertions (RFC 7523), short-lived tokens, replay prevention, and optional sender constraints (mTLS/DPoP).
A practical guide to reducing bearer-token replay by binding access tokens to a client: when to use mTLS vs DPoP, claim mechanics (cnf/jkt), implementation pitfalls, and monitoring signals.
The hardest agent identity problem in production today is not authenticating a single agent. It is propagating authorization across a chain of agents, tools, and resources while preserving original-caller attribution and enforcing scope at every hop. This guide covers the standards (RFC 8693 OAuth 2.0 Token Exchange), the architectural patterns, and the threat model for delegation chains in agentic systems.
Long-lived service-account passwords and API keys are the dominant cause of non-human identity breach. This guide covers the practical sequence: inventory, classify by blast radius, migrate to cloud-native workload identity and sender-constrained tokens, address CI/CD pipelines, and decommission the old credentials. Includes an audit-ready KPI set and a 90-day target for ≥ 95% migration.
AI-generated voice and video are now commodity capabilities, and the Arup Hong Kong $25.6M deepfake fraud (2024) made the failure mode public. This guide explains why detection-based defenses (voice biometrics, liveness detection, behavioral analytics) lose the cat-and-mouse race against generative AI, and why cryptographic people verification is structurally immune.
Prompt injection cannot be eliminated by better prompts because the LLM cannot distinguish data from instruction at the input layer. The defense that works is moving consequential authority out of the agent's reasoning and into cryptographic authorization boundaries that the agent's compromised reasoning cannot reach. This guide covers the identity-control patterns: scope-per-tool tokens, dual-control on irreversible actions, human-in-the-loop step-up, and chain-aware delegation.
A canonical playbook for account recovery and fallback flows in a phishing-resistant deployment: warm-path recovery from an enrolled device, cold-path recovery via identity proofing, assisted recovery for users without the app, decision tree, SLAs, audit requirements, and the specific anti-patterns that turn recovery into the weakest link.
How ScrambleID's Circle of Trust (CoT) models trust relationships (enterprise tiers, verified brands, personal edges) and exposes low-latency trust signals to Online, Caller, People, and Desktop, without granting access.
A guide to dual control (four-eyes) using ScrambleID Lockstep: when to require it, default TTLs and SLAs, API patterns, UX design, and how to stop social engineering and single-actor failures.
A practical guide to ScrambleID Overwatch: cross-channel event ingestion, rule-based risk scoring, alerting, and action hooks that trigger step-up (XFactor), co-approval (Lockstep), or blocks.
How ScrambleID Verify-Me adds context-bound verification to email signatures, PDFs, social profiles, and websites - without prompting the publisher. Includes embedding examples, threat model, and comparisons to DMARC/BIMI.
A guide to designing phishing-resistant step-up chains across every surface: factor catalog, policy examples, UX patterns, anti-patterns, and measurable success criteria.
A citation-friendly mapping from common compliance language (AAL, phishing resistance, out-of-band, authenticator binding, audit) to ScrambleID primitives and Learn artifacts, extended to the agentic frameworks (OWASP Agentic Top 10, NIST NCCoE agent identity, CSA AICM).
A metrics-first playbook for ScrambleID deployments: what to measure (conversion, ATO reduction, AHT, containment), how to instrument events, and how to build a defensible ROI narrative for security and procurement.
A procurement-ready checklist to evaluate authentication vendors: omnichannel coverage, phishing resistance, voice/KBA replacement, device binding, M2M proof-of-possession, auditability, and measurable outcomes.
A layered map of the agentic identity market: agent directories and lifecycle governance (Okta for AI Agents, Microsoft Entra Agent ID), discovery and posture (Astrix, Oasis), and the per-action proof layer (ScrambleID). How the layers compose, what each answers for an auditor, and why you'll likely run more than one.
A neutral comparison of enterprise passwordless authentication platforms, HYPR, Ping Identity, Descope, Beyond Identity, and ScrambleID, scored on channel coverage, phishing resistance, federation, deployment model, and total cost of ownership.
An evidence-based comparison of person-to-person cryptographic verification against the traditional human-to-human verification methods enterprises rely on today: photo ID + signature, video calls, remote notary apps, knowledge-based questions, and 'call them back to verify.' Includes deepfake-era threat scoring and decision criteria.
A neutral, head-to-head technical comparison of ScrambleID and Beyond Identity across architecture, channel coverage, device trust, machine identity, deployment, and recovery. Built for CISOs, IAM architects, and procurement teams running an enterprise passwordless evaluation.
How ScrambleID layers on top of Microsoft Entra ID to add phishing-resistant primary authentication, voice/contact-center verification, AI agent identity, and shared-device login. External authentication methods integration, Conditional Access interplay, deployment timeline, and how the two systems share user identity through Entra ID as the system of record.
How ScrambleID layers on top of Okta to add phishing-resistant authentication, voice/contact-center verification, AI agent identity, and shared-device login without replacing your IdP. Integration architecture, federation flow, policy interplay with Okta Workflows and ThreatInsight, deployment timeline, and the questions buyers ask most.
A definitive explanation of NIST Authenticator Assurance Levels (AAL1, AAL2, AAL3) under SP 800-63B and the SP 800-63-4. Covers what each level requires, what authenticators qualify, how AAL relates to IAL and FAL, and how to determine the right AAL for an application.
A definitive technical explanation of passkeys: how they're a FIDO2 implementation, how syncing works, the difference between synced and device-bound passkeys, and how passkeys eliminate password and SMS-OTP-driven account takeover.
AI agents make runtime decisions about what to call, when, and on whose behalf. They cannot be authenticated like traditional service accounts. This guide defines AI agent identity: the cryptographic credential, the ownership mapping, the short-lived sender-constrained tokens, and the audit and revocation surface that distinguish a properly-architected agent from 'a service account with a chatbot in front.'
A definitive explanation of FIDO2: the W3C WebAuthn API and the FIDO Alliance CTAP protocol that together make phishing-resistant cryptographic authentication possible across browsers, operating systems, and devices.
A definitive technical explanation of identity proofing: how it differs from authentication, NIST IAL1/IAL2/IAL3 levels, the proofing-to-binding handoff, common methods (document verification, biometric matching, KBV, in-person), and why proofing is the foundation of any phishing-resistant identity architecture.
Model Context Protocol (MCP) servers are the new tool-broker layer between AI agents and enterprise APIs. Most production MCP servers ship with a single shared API key, which is the next breach class. This guide explains how to authenticate MCP servers as first-class identities, scope tool access, and bind the agent-server-resource path with cryptographic proof.
A definitive technical explanation of non-human identity (NHI): what it covers (service accounts, workloads, AI agents, MCP servers, devices, bots), why long-lived secrets are the dominant failure mode, and how cloud workload identity, sender-constrained tokens, and short-lived credentials replace them.
A definitive technical explanation of people verification: how two humans cryptographically prove identity to each other in seconds, the artifact types (QR/QID, Type Code, SMS deep link), the consent and attribute model, and why People verification is the only authentication channel that defeats AI-generated voice and video impersonation deterministically.
A definitive technical explanation of phishing-resistant multi-factor authentication: the formal definition, how it differs from regular MFA, what authentication ceremonies qualify (FIDO2/WebAuthn, PIV/CAC), what doesn't (push, SMS, TOTP), and the regulatory mandates that now require it.
How modern financial institutions deploy phishing-resistant, omnichannel authentication across online banking, contact centers, branches, wire authorization, and payment rails. Covers FFIEC, NYDFS Part 500, PCI DSS v4.0.1, GLBA, and PSD2/SCA requirements with concrete deployment patterns.
How federal, state, and local agencies and their contractors deploy phishing-resistant authentication aligned with OMB M-22-09, NIST SP 800-63-4, FIPS 201-3 PIV, FedRAMP, CISA Zero Trust, ICAM, and CJIS. Covers PIV/CAC, derived PIV, FIDO2, citizen-facing services, and the realities of legacy systems.
How healthcare organizations deploy phishing-resistant authentication across clinician workstations, EHR access, telehealth, contact centers, patient portals, prescribing, and medical-device identity. Covers HIPAA, HITECH, DEA EPCS, 42 CFR Part 2, and the practical realities of clinical workflow.
How retailers, restaurants, and hospitality brands deploy phishing-resistant authentication across associate POS access, store-back-office, contact centers, loyalty/CRM, e-commerce, payments, and franchisee networks. Covers PCI DSS v4.0.1, deepfake-driven gift-card fraud, and the realities of seasonal workforce.
How modern SaaS and cloud-services companies build phishing-resistant authentication for workforce, customer-facing apps, support, partner integrations, AI agents, and machine-to-machine, without slowing engineering velocity. Covers SOC 2, ISO 27001, FedRAMP, customer trust, and cloud-workload identity patterns.