How ScrambleID Proof composes with your identity stack.
Four trust zones. One cryptographic spine. Composes over Okta, Entra ID, Ping, and ForgeRock without replacing them.
The ScrambleID composition zone holds three principal-class products (Humans, Non-humans, Actions) over one cryptographic spine (the DID primitive). The platform federates to your existing identity stack.
USER
User
The person or agent that authenticates. Holds the device key; never holds a shared secret.
RELYING PARTIES
Customer relying parties
Your apps, services, IVRs, and workstations. They ask for proof; they never store credentials.
HUMANS
Humans
Identity primitive plus ceremonies for Frontline, People, and Customer. AI agents and machines authenticate through the Non-humans product.
NON-HUMANS
Non-humans
Identity primitive plus ceremonies for servers, services, AI agents, RPA bots, and IoT devices. RFC 7523 . OAuth 2.0 . OIDC.
ACTIONS
Actions
Per-action cryptographic authority layer that composes over Humans or Non-humans. Per-action signing, HITL co-sign, Cedar policy, audit ledger.
DID PRIMITIVE
Dynamic Identifier
Single-use, channel-bound or air-gapped, resists replay, relay, and AI deepfake. US 12,388,656 B2.
CUSTOMER IDENTITY
Customer identity
Your existing IdP, IGA, and PAM. ScrambleID composes over it through OIDC / SAML; it replaces nothing structural.
Four trust zones separated by three boundaries: user-controlled, customer relying parties, ScrambleID-controlled, and customer identity. The Dynamic Identifier (DID) is the patent-protected primitive (US 12,388,656 B2) that the Verification Service issues, binds, and verifies for every authentication request.Each section below walks through one part of this diagram.
What a ScrambleID identity actually is.
A cryptographic primitive, not a profile. A Dynamic Identifier, not a username.
Each ScrambleID identity is anchored on a Dynamic Identifier (DID): a short-lived, single-use cryptographic artifact issued by the Verification Service and bound to a hardware-held key on the user's device. The DID is the patent-protected primitive (US 12,388,656 B2). When a user enrolls, they get a long-lived hardware-bound key pair. The private key never leaves the device. The Verification Service holds the public key.
Each authentication starts when the Verification Service issues a fresh DID and binds it to the user's hardware key. The DID gets presented through whatever channel is active: web, voice, frontline, people, customer. AI agents and machines authenticate through the Non-humans product; their flow substitutes an mTLS handshake plus signed JWT assertion for the user-side biometric step. The user's device signs the DID with the hardware key. The Verification Service checks the signature. Identity proven, ceremony complete.
Selective disclosure ships with the primitive. The identity carries claims (employee role, account tier, regulatory clearance) that the user can disclose individually per ceremony. The verifier sees only what the policy needs; the rest stays on the device.
The overlay model.
ScrambleID does not replace the identity provider. It strengthens what runs in front of it.
The customer IdP (Okta, Microsoft Entra ID, Ping, ForgeRock) stays where it is. ScrambleID adds the cryptographic verification ceremony that runs upstream of it: one verification rail, every channel, federated to the IdP via OIDC or SAML 2.0.
The overlay placement is a deliberate architectural choice. Production deployment runs in two weeks instead of the multi-quarter migration of replacing an IdP. The platform inherits the customer's existing access policy, group structure, and audit trail. Phishing-resistant authentication added in front, without disturbing any federation work the application teams have already shipped.
See Principals for the three-product architecture this overlay composes for.
The WHAT layer.
Identity answers who. Intent answers what they're approving.
Authentication on its own answers "is this the right principal." That isn't always enough. For consequential actions (a wire transfer, a privilege grant, a production deploy), the principal also needs to approve the specific action, not just the session. The intent layer carries that approval.
ScrambleID's Actions product is the product surface for intent. It composes over Humans or Non-humans: the same DID + hardware-key primitive that proves the principal also signs the action description. Approval becomes a cryptographic artifact bound to the principal, the action, and the moment.
Per-action approval, per-action audit, optional human-in-the-loop above policy threshold. The Actions product page holds the implementation details; this layer holds the conceptual frame. Identity proves the caller. Intent proves what they meant.
How a verification proceeds.
The diagram below shows the canonical Web-channel WebAuthn ceremony. Voice, Frontline, People, and Customer variants substitute the challenge artifact (Type Code, JWT assertion, device-API token) without changing the cryptographic shape. Non-humans flows (AI agents, machines) substitute the user-side biometric step with mTLS plus signed JWT.
Canonical WebAuthn flow shown. Channel variants substitute the artifact at step 03 and the transport at step 07; the cryptographic shape is invariant.
- 01The user reaches an authentication boundary. A web app login screen, an IVR greeting, a Non-humans agent invoking a tool, a Frontline shared-device prompt, a People helpdesk verification, or a Customer login.
- 02The relying party requests a verification challenge from the Verification Service over REST, passing channel, intent, and origin context.
- 03The Verification Service issues a short-lived, single-use Dynamic Identifier bound to the session, the request origin, the channel, and the intent. Web challenges are
WebAuthn ceremoniesor QR-encoded DIDs. Voice challenges are spoken Type Codes. Non-humans challenges are JWT client assertions. Frontline challenges are device-API tokens. People and Customer challenges use the same WebAuthn or QR primitives, configured per ceremony policy. - 04The challenge returns to the relying party with the ceremony type the relying party should present.
- 05The relying party presents the challenge to the user. Browser displays the WebAuthn prompt; IVR speaks the Type Code; Non-humans presents the assertion request; in-person operator (People channel) displays a QR; Frontline shared device presents the device-API token.
- 06The user confirms via biometric unlock or hardware-key touch. The unlock happens entirely inside the device's secure enclave (Apple Secure Enclave, Android StrongBox, Windows TPM). The biometric template never leaves the enclave; the private key never leaves the enclave. Non-humans flows substitute an mTLS handshake plus signed JWT assertion for the biometric step.
- 07The signed assertion returns to the Verification Service over the channel-bound transport. Same-device web flows return via the WebAuthn ceremony itself; cross-device flows return out-of-band over the ScrambleID mobile app's authenticated channel.
- 08The Verification Service verifies the signature against the user's enrolled key and confirms the session, origin, channel, and intent bindings. Verification completes server-side in tens of milliseconds.
- 09The Verification Service federates the verified identity to the customer IdP via OIDC or SAML 2.0, or returns the assertion directly to the relying party via API for non-federated integrations.
- 10The IdP applies the customer's access policy and issues its session token back to the relying party. The user is authenticated.
Note on cross-cutting capabilities
What crosses what.
The overlay placement creates four trust zones with three boundaries between them. Data classification governs what may cross each boundary. Two categories (biometric templates and cross-channel risk signals) never cross any boundary by design.
| Data Category | Originates At | Terminates At | Crosses Boundaries | Never Crosses |
|---|---|---|---|---|
| WebAuthn assertions | User secure enclave | Verification Service | USER -> SCRAMBLEID | Private key stays in enclave. |
| Biometric templates | User device | User device secure enclave | None. | Any boundary, ever. Hard architectural property. |
| Identity claims | Customer IdP | Customer relying party | IDP -> SCRAMBLEID -> RP | The tenant boundary. Isolation is enforced at every layer. |
| IdP session tokens | Customer IdP | Customer relying party | IDP -> RP | ScrambleID never sees the IdP's session token. |
| Audit metadata | Verification Service | Customer SIEM (export); ScrambleID audit store | SCRAMBLEID -> CUSTOMER | Cross-tenant boundary. |
| Recovery state | Verification Service | User device on enrollment | SCRAMBLEID -> USER | Customer IdP. |
| Cross-channel risk signals | Verification Service | Overwatch risk engine (internal) | None outside ScrambleID. | Customer boundary. Aggregated tenant-level telemetry only. |
Reading this table
Principal-class neutrality
Three principal classes. One architecture.
Humans, Non-humans, and Actions. Each is a product; the architecture is one.
ScrambleID organizes around three principal classes. Humans authenticates human users across every channel they reach: Web SSO, Voice caller verification, Frontline shared-device access, People trust checks, Customer login. Non-humans authenticates every non-human caller: AI agents, machines, bots, RPA, service accounts, anything that holds a credential and acts on its own behalf. Actions authenticates specific intents: per-action signed approvals that compose over either a human or a non-human principal.
Three products. One identity primitive. One trust-zone model. One audit chain. The same Verification Service issues DIDs and validates signatures across all three. The same hardware-bound key model anchors trust. The same cryptographic ceremony proves the request.
This is what the rest of the page describes. Where Humans, Non-humans, and Actions appear in the request flow, in the trust boundaries, in the standards alignment, in the failure modes. Three products, same architecture, made legible.
Conformance against published specs.
Standards-based federation is the load-bearing requirement of the overlay model. Every protocol below has a published specification, a conforming implementation in the Verification Service, and an authored deployment pattern in the Learn hub.
| Standard | Spec Body / RFC | Implementation Scope |
|---|---|---|
| WebAuthn / FIDO2 | W3C . FIDO Alliance | Verifier-side conformance for L1/L2/L3 attestation. Passkey ceremonies. Cross-device QR. |
| OpenID Connect | OpenID Foundation | Authorization Code with PKCE. ID Token issuance via federation. OIDC Federation 1.0. |
| SAML 2.0 | OASIS | IdP-initiated and SP-initiated SSO. Signed assertions. Encrypted assertions. |
| OAuth 2.0 mTLS | RFC 8705 | Sender-constrained tokens for Non-humans flows. Certificate-bound access tokens. |
| OAuth 2.0 DPoP | RFC 9449 | Demonstrating Proof of Possession for non-mTLS Non-humans flows. |
| JWT Client Assertions | RFC 7521 . RFC 7523 | Non-humans identity binding: RFC 7523 JWT Profile for OAuth 2.0 Client Authentication. ScrambleID's Non-humans identity primitive conforms to the published spec. |
| SCIM 2.0 | RFC 7643 . RFC 7644 | User provisioning and deprovisioning sync from customer IdP. |
| NIST SP 800-63-4 | NIST | AAL2 and AAL3 designs supportable when configured per NIST guidance. |
| NIST SP 800-53 | NIST | Control mapping in compliance packet (IA, AC, AU control families). |
| FIPS 140-3 | NIST | Key operations in AWS KMS HSMs validated to FIPS 140-3 Security Level 3. |
Where ScrambleID plugs in.
Each integration has an authored deployment pattern in the Learn hub. Integration mode varies meaningfully by category; the table groups by mechanism, not by partner.
Identity Providers
Voice Platforms
HR & ITSM
Identity Providers
| Partner | Integration Mode | Protocol | Deployment Pattern |
|---|---|---|---|
| Okta | External authentication method | OIDC + SCIM 2.0 | okta-deployment-pattern→ |
| Microsoft Entra ID | External Authentication Method (EAM) | OIDC + Conditional Access hooks | entra-id-deployment-pattern→ |
| Ping Identity | Federated authenticator | OIDC or SAML 2.0 | sso-quickstart→ |
| ForgeRock | Federated authenticator | OIDC or SAML 2.0 | forgerock-pattern→ |
Voice Platforms
| Partner | Integration Mode | Protocol | Deployment Pattern |
|---|---|---|---|
| Five9 | Upstream-of-IVR caller verification | REST + Webhooks | ivr-integration-guide→ |
| Genesys | Upstream-of-IVR caller verification | REST API | ivr-integration-guide→ |
| NICE | Upstream-of-IVR caller verification | REST API | ivr-integration-guide→ |
| Google CCAI Platform | Upstream-of-IVR caller verification. Dialogflow CX integration. | REST + Webhooks | ivr-integration-guide→ |
HR & ITSM Workflows
| Partner | Integration Mode | Protocol | Deployment Pattern |
|---|---|---|---|
| Workday | High-risk workflow guard (identity changes, executive approvals) | SCIM 2.0 + REST | helpdesk-impersonation→ |
| ServiceNow | High-risk workflow guard (access requests, admin actions) | REST API | helpdesk-impersonation→ |
Custom (Direct API / SDK)
| Surface | Integration Mode | Protocol | Deployment Pattern |
|---|---|---|---|
| Web applications | Custom relying party | WebAuthn / REST | web-rp-quickstart→ |
| Non-humans (AI agents, M2M) | Custom relying party | mTLS + JWT assertion | non-humans-integration→ |
| Frontline shared devices | NCR, Zebra, Honeywell, custom | Device API | frontline-quickstart→ |
What production looks like.
Spec sheet. Items marked (Measured) reflect production performance. Items marked (Contractual) are commitments in the customer agreement. TBD entries are acknowledged gaps pending validation.
Latency
Availability
Deployment
Capacity
Interfaces
When things break, and how to recover.
Authentication is the most critical path on the relying party's site. Failure-mode design is therefore explicit and customer-controllable. The matrix below documents observed and designed-for failure modes; the three fallback patterns are configurable per flow.
| Component | Failure Scenario | User-Visible Behavior | Recovery Path | Operator Action |
|---|---|---|---|---|
| Verification Service | Single-region degradation | Latency increase. No functional impact. | Automatic regional failover | None required. |
| Verification Service | Multi-region outage | Authentication unavailable | Customer-controlled fallback per flow | Activate fallback per playbook (warm / cold / degradation) |
| User device | Lost or replaced | Enrolled device unavailable | Cold-path identity proofing | Helpdesk validates per customer policy |
| Channel SDK (Voice) | Webhook delivery failure | Caller cannot complete verification | Configurable retry. Pass-through to legacy IVR. | Configurable per flow |
| Channel SDK (Web) | Browser does not support WebAuthn | Browser-side fallback | Cross-device QR ceremony | Automatic. |
| Channel SDK (Non-humans) | mTLS handshake fails | Non-humans call rejected | Token-based fallback (DPoP) if configured | Non-humans configuration. Default fail-safe rejects. |
| IdP federation | Customer IdP unavailable | Login cannot complete (verification succeeds; session not issued) | Customer's IdP DR plan applies | Per customer's IdP runbook. ScrambleID does not bypass IdP. |
Note on fallback design
Certifications and evidence.
Audited frameworks list current status. Evidence packages are available to evaluators under NDA.
| Framework | Status | Evidence Available |
|---|---|---|
| SOC 2 Type II | Audited | Type II, unqualified opinion. Report on request. |
| HIPAA | Out of scope | No PHI flows through ScrambleID. Technical safeguards mapping available. |
| GDPR | Aligned | Article 28 DPA available. |
| NIST SP 800-63-4 AAL2 | Capable | Configuration guide |
| NIST SP 800-63-4 AAL3 | Capable | Configuration guide. Hardware-bound key requirement. |
| NIST SP 800-53 | Mapped | Control mapping in compliance packet |
| ISO 27001 | In progress | Target completion date available on request |
Don't see what you're looking for?
The PROOF layer.
Authentication that ships with verifiable evidence, signed by the customer's own key.
Every authentication leaves a record. Most identity systems leave you with a log line: "user X logged in at time Y." A log line is a claim, not evidence. If the log gets edited, deleted, or replayed, no math protects you. ScrambleID's proof layer closes that gap.
Each authentication record is signed twice: by the Verification Service (proving the ceremony happened as observed) and by the customer's own key (proving the customer's infrastructure accepted the ceremony's result). The records chain cryptographically. Any edit to a past record invalidates every record that follows. The chain is verifiable end-to-end, independently of ScrambleID.
The proof layer is what makes the audit chain customer-sovereign. The customer holds a key, signs every record, keeps the chain. ScrambleID can't quietly rewrite history; the customer's signature pins each record in place. Verifiability is structural, not a promise.
scramble-audit-verify CLI.
The cryptographic verifier for the audit chain. Customer-runnable.
scramble-audit-verify is a command-line tool that takes a ScrambleID audit chain (a sequence of signed records) and verifies it end-to-end. It checks every signature: the Verification Service's signature on each record, the customer's counter-signature, the chain linkage between records. If any signature fails to verify, or any chain pointer doesn't match, the tool reports the exact failure and exits non-zero.
The tool runs anywhere the customer wants. On a CI runner. On an auditor's laptop. In a SIEM pipeline. The cryptographic verification is deterministic and offline: given the audit chain bytes and the relevant public keys, the result is reproducible without contacting ScrambleID.
What it doesn't do: replace your SIEM, your IdP, or your intrusion-detection system. It doesn't make policy decisions. It doesn't deduplicate. It does one thing: prove that the audit chain you hold is the same chain ScrambleID issued, with the same records the customer counter-signed, in the same order.
Questions architects ask first.
The questions security architects, IAM engineers, and procurement teams ask before they sign. Expand any item to read the full answer.
Where does ScrambleID sit relative to the identity provider, and what gets replaced?
ScrambleID layers on top of the customer's existing IdP (Okta, Microsoft Entra ID, Ping Identity, ForgeRock). The IdP remains the system of record for identity, group membership, and access policy. The directory stays. The SSO stays. Sessions are still issued by the IdP. ScrambleID adds the cryptographic authentication ceremony itself: WebAuthn or QR-based Dynamic Identifiers for Web; spoken Type Codes for Voice; device-API tokens for Frontline; People helpdesk and verifier ceremonies; Customer login flows. Non-humans (AI agents and machines) authenticate through the same Verification Service via mTLS plus signed JWT. Federation happens via OIDC or SAML 2.0. What gets replaced is the password, the OTP, the KBA, and the helpdesk verification flow that an attacker can social-engineer.
How does ScrambleID's Customer channel differ from the employee-facing channels?
The Customer channel applies the same Verification Service primitive to consumer-facing flows: account creation, login, account recovery, high-risk transactions. The customer's IdP can be a customer-identity (CIAM) deployment of Okta, Entra External ID, Auth0, ForgeRock, or a custom CIAM stack. Federation is identical (OIDC or SAML 2.0); ceremony surfaces are identical (passkeys, WebAuthn, QR). The distinction is the IdP topology and the user-management policies, not the cryptographic shape.
How does ScrambleID coexist with existing MFA during migration?
The overlay placement supports gradual migration without a flag-day cutover. Customers configure ScrambleID as one of multiple authenticators in the IdP's authentication policy engine (Microsoft Conditional Access, Okta Authentication Policies, Ping Sign-On Policies, ForgeRock journeys), route specific user populations or specific applications to ScrambleID first, and progressively expand coverage. Legacy MFA continues to work for users not yet enrolled. Production cutover happens per the customer's deployment schedule, not per a ScrambleID timeline. The deployment patterns in the Learn hub document phased rollout strategies for each major IdP.
How is the platform deployed?
Managed cloud service. Multi-tenant by default. Dedicated single-tenant instances are available for regulated customers (financial services, healthcare, government). On-prem and air-gapped deployments are not currently offered; the platform's value depends on shared infrastructure for cross-tenant signal correlation (Overwatch risk monitoring) and rapid security updates. SDKs for iOS, Android, and Web. RESTful APIs for server-side integration. Federation via SAML 2.0 and OIDC. Sandbox tenants are available to evaluators.
Are user biometrics stored?
No. ScrambleID never receives, stores, or processes biometric templates. Biometric unlocks happen entirely on the user's device, inside the secure enclave provided by the operating system. The biometric event releases a cryptographic key that signs an assertion. Only the signed assertion leaves the device. ScrambleID sees proof that authentication happened; it never sees the face, fingerprint, or biometric template that produced it. This is a hard architectural property, not a policy commitment.
What happens when a user loses or replaces their device?
The user re-enrolls a new device through the warm path (recovery from another enrolled device, if the customer policy allows) or the cold path (identity proofing with documented evidence per customer policy). At re-enrollment, the lost device's enrolled key is revoked; subsequent authentication attempts from the old device fail. Customer policy controls the proofing evidence required, the helpdesk involvement, and the cooling-off period before the new enrollment becomes active. The recovery and fallback playbook in the Learn hub covers the design patterns and the anti-patterns that turn re-enrollment into a new attack surface.
What is the typical authentication latency?
End-to-end authentication time is dominated by user actions (unlocking the device, tapping confirm) rather than network round-trips. Server-side verification of a WebAuthn assertion or signed Dynamic Identifier completes in tens of milliseconds. The full flow, including user interaction, typically resolves in under one second for same-device passkey login and a few seconds for cross-device QR or Voice channel verification. Customers see authentication time drop relative to prior KBA or password-plus-OTP flows; the time savings show up directly in contact center handle-time numbers and employee login completion rates.
What happens if the Verification Service is offline?
Service availability and user-facing failure recovery are two separate concerns. Service availability: ScrambleID runs as a managed cloud service with active-active deployment across seven regions and a 99.95% contractual SLA. Failure of a single region does not take down authentication for tenants in other regions; routing shifts automatically. For the unlikely scenario of total service unavailability: customers configure graceful-degradation policies in advance, defining which authentication methods to allow during a ScrambleID outage. The recovery and fallback playbook in the Learn hub covers the threat model, the design patterns, and the anti-patterns that turn fallback into a new attack surface.
How does multi-region failover work?
ScrambleID runs as a managed cloud service with active-active deployment across seven geographic regions (US East, US West, Canada, EU, UK, Australia/NZ, Latin America). Authentication requests route to the nearest healthy region. Tenant data is replicated across regions with strong consistency for the authentication state machine and eventual consistency for non-critical metadata. Regional failure does not require tenant action; routing shifts automatically in sub-minute time.
How is service health communicated, and what's the incident response process?
A public status page reports service health per region in real time. Major incidents trigger customer notifications via email and webhook to the configured incident contact. Postmortems for major incidents are published; specific timing is in the contract. SLA credits, where applicable, are applied automatically; customers do not need to claim them. The incident response process is documented in the security packet under NDA.
What's the threat model, and what attacks are out of scope?
ScrambleID's threat model addresses the attack surface around the authentication ceremony itself: phishing in any form, AI deepfake voice cloning, SIM swap, credential stuffing, OTP intercept, helpdesk social engineering, MFA fatigue, replay, relay, and session hijacking on the verification path. Out of scope: compromise of the customer's own IdP, compromise of the customer's application servers, and physical compromise of an enrolled user device with biometric coercion. The trust model in Section 03 above defines the boundary; what ScrambleID controls, ScrambleID secures. The full threat model with attack tree analysis is available in the security packet under NDA.
How is tenant data isolated?
ScrambleID is multi-tenant by default with logical tenant isolation enforced at every layer: the verification state machine, the database schema, the API surface, and the audit store. Tenant identifiers are bound to the verification session at issuance and verified on every subsequent operation. Cross-tenant queries are not exposed by any API. Cross-tenant Overwatch risk signals are aggregated to the tenant level only; raw events from one tenant are never exposed to another. Dedicated single-tenant deployments are available for regulated customers requiring physical isolation.
How are administrative actions protected and audited?
ScrambleID administrators authenticate to the platform using the same Verification Service that protects customer flows: passkeys or hardware-bound credentials, no shared secrets. Dual-control approval (Lockstep) is configurable for high-risk administrative actions like policy changes, tenant configuration, and key rotation. Every administrative action emits a tamper-evident audit record exported to the customer's SIEM. ScrambleID staff access to tenant data follows documented break-glass procedures with customer pre-authorization required.
What logging and audit events does ScrambleID emit, and in what format?
Every authentication event, every administrative action, and every configuration change emits a structured audit record. Records include timestamp (with monotonic sequence), tenant identifier, channel, intent, request origin, verification result, ceremony type, and policy decision. Records are tamper-evident, signed, and chained. Export is available via SIEM-compatible streaming (Splunk HEC, Elastic, generic syslog) and via webhook event stream. Retention is configurable per tenant. The full event schema is documented in the API reference.
What standards does ScrambleID conform to?
Section 04 above enumerates every standard with its spec body and implementation scope. ScrambleID primitives support NIST SP 800-63-4 AAL2 and AAL3 designs when configured per NIST guidance. The compliance mapping article in the Learn hub covers the specific NIST 800-63 and 800-53 control mappings auditors typically request.
What's the post-quantum cryptography roadmap?
Cryptographic primitives in the Verification Service are abstracted behind a verifier layer so algorithms can migrate without re-enrollment. ScrambleID's PQC roadmap tracks NIST PQC standardization and FIDO Alliance guidance for WebAuthn hybrid schemes. Once the FIDO2 hybrid signature scheme is finalized, it becomes the default for new enrollments. Existing enrollments migrate through scheduled key rotation.
Learn more.
Three ways to dig deeper, depending on the kind of evaluation in flight.
Vendor Risk Review
Request the security questionnaire packet.
For evaluators preparing a vendor risk assessment. Contains the SOC 2 Type II report, the NIST 800-53 control mapping, the threat model, and deployment topology details. Available under mutual NDA.
Integration Planning
Read the deployment patterns.
For IAM engineers planning the integration. The Learn hub has authored deployment patterns per IdP and per channel, with configuration walkthroughs and operational runbooks.
Architect Conversation
Talk to a ScrambleID architect.
For technical buyers with questions this page does not answer. ScrambleID staff architects walk through specific deployment scenarios, threat models, and interoperability concerns.