Startup aims to end phishing: what’s behind bold claims?


Hackers can steal your password. They can lure you into granting them access by entering a one-time code received by SMS or other means. But what if a small piece of code tied to your device changed the cryptographic keys on every single interaction?

Relock is an Austin-based security startup established by the Polish developers Marcin Sznyra and Przemek (Prem) Cherklevich.

The startup is developing an authentication solution that instantly makes “100% of users phishing-resistant,” and they think they’ve nailed it.


Relock won’t replace passwords, passkeys, multi-factor authentication (MFA), or other authentication solutions. Instead, the team proposes adding a layer that re-authenticates users in the background on every interaction, without the user ever noticing.

The “continuous passive authentication technology” works alongside existing authentication methods.

“Attackers can now bypass any MFA using readily available attacker-in-the-middle kits, costing just a few dollars. The only phishing-resistant authentication methods like passkeys take months to roll out and years to fully adopt,” the startup explains.

How would the additional security layer be different?

Marcin Sznyra, CTO and one of the co-founders of Relock, compares the solution to a passkey that lives in the browser and changes after every use. The system re-verifies the user in the background at each interaction, confirming at every step that the same legitimate user is still the one driving the application.

That is the opposite of a conventional session token, which is issued after a single identity check and then grants access to the account for as long as it remains valid, regardless of who is holding it.

“Since passive authentication is continuous and automatic, it cannot be bypassed or downgraded – eliminating a key weakness of traditional MFA, where attackers can trick users into weaker authentication flows,” the startup says.

While all users immediately gain resistance to phishing, credential theft, and session hijacking, the solution is not bulletproof against every cyberattack. Any system can be hacked, but Relock believes its solution makes attackers' lives much harder while detecting compromised user sessions almost instantly.


How does “continuous passive authentication” work?

The new tech is targeted at companies handling very sensitive data, such as banks and healthcare organizations, but could be used by any service provider.

In the demonstration to Cybernews, Relock explained that no installation or configuration is required on the end-user side. The only user interaction required is a one-time verification of each device that will use the service. Depending on the administrator's requirements, this can be done via email, from a previously verified device, or with a real-world ID check.

Everything else happens in the background. In most cases, users won’t even realize they have an additional layer of protection.

When a user logs in to their account with a password and whatever MFA the service requires, the page also delivers JavaScript code that runs in the background.

This script issues, verifies, and constantly renews so-called transient symmetric keys shared between the browser and the server. Think of each key as a one-time secret that the browser and the server use to prove identity for a single interaction before it is replaced.

The keys are origin-bound, meaning they are tied to the site's scheme, host and port, so a page served from a different origin (such as a phishing domain) cannot use them, and no other device holds them. All data on the user's device is stored encrypted in the browser's storage and is only accessible during communication between the browser or app and the corresponding server.

Relock adds an additional layer of authentication.

This way, instead of a single authentication at the start of the session, the user is constantly reauthenticating with each action.

Even if phishers manage to steal credentials or lure victims into authorizing a fraudulent session, they still cannot use the account: the attacker's browser holds no transient key and cannot keep generating the next ones in the background, so its requests fail the check.


This new security feature goes beyond phishing resistance.

Attackers already use infostealer malware to grab passwords and session tokens, and they can impersonate the victim's computer by replaying what was stolen to bypass existing authentication without any phishing at all. Relock’s solution offers partial protection against that.

Passwords and session tokens alone would no longer be enough for attackers. They would also need to steal the current key material along with the underlying Relock client code, and reverse engineer that code in order to keep generating valid transient keys toward the bank.

Even if an attacker pulls all of that off, the system still detects the so-called “evil proxy” (attacker-in-the-middle) attacks. Because the key changes on every interaction, two parties cannot both stay in step with the server: the next time the legitimate user's browser interacts with it, Relock identifies the key collision and terminates all sessions.

“Industry data shows that attacks with legitimate credentials go unnoticed for many weeks. Relock drastically reduces this window. Even if the solution itself is compromised, it will inevitably discover that with the first click of the legitimate user – typically in no more than mere minutes,” said Przemek Cherklevich, CEO at Relock.

This means that sophisticated attackers could still control the account for a short while and do damage. However, administrators would be alerted to the compromise almost immediately. For comparison, current account compromise detection methods sometimes take months.
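To make the two ideas above concrete, the per-interaction key renewal described earlier and the key-collision detection described here, the following is an added toy model written for this article. It is not Relock's code and says nothing about its actual protocol; the scheme (an HMAC-based key ratchet, a counter, and a short history of retired keys on the server), the origins bank.example and bank-login.example, and all names are assumptions chosen for illustration.

```python
"""Toy model of origin-bound transient keys renewed on every request, with
clone detection. Hypothetical reconstruction for illustration; not Relock's code.

Assumed scheme: each request carries (session_id, counter, body, tag) where
    tag = HMAC(K_n, counter || origin || body)
and after every verified request both sides ratchet K_{n+1} = HMAC(K_n, "ratchet").
"""
import hashlib
import hmac
import secrets

ORIGIN = "https://bank.example"            # assumed legitimate origin
PHISH_ORIGIN = "https://bank-login.example"  # assumed attacker-in-the-middle origin


def ratchet(key: bytes) -> bytes:
    """Derive the next transient key; the previous one is never used again."""
    return hmac.new(key, b"ratchet", hashlib.sha256).digest()


def mac(key: bytes, counter: int, origin: str, body: bytes) -> bytes:
    """Tag covers the counter and the origin the browser sees, not only the body."""
    msg = counter.to_bytes(4, "big") + origin.encode() + b"|" + body
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    HISTORY = 8  # number of retired keys kept per session to recognise a clone

    def __init__(self):
        self.sessions = {}

    def enroll(self, origin: str):
        """One-time device verification: hand the browser its first transient key."""
        sid = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.sessions[sid] = {"origin": origin, "key": key, "ctr": 0,
                              "old": {}, "revoked": False}
        return sid, key

    def handle(self, sid: str, counter: int, body: bytes, tag: bytes) -> str:
        s = self.sessions.get(sid)
        if s is None or s["revoked"]:
            return "revoked"
        # Always verify against the origin bound at enrollment, so a tag computed
        # on any other origin cannot pass.
        if counter == s["ctr"] and hmac.compare_digest(
                mac(s["key"], counter, s["origin"], body), tag):
            s["old"][counter] = s["key"]          # retire the consumed key
            if len(s["old"]) > self.HISTORY:
                s["old"].pop(min(s["old"]))
            s["key"] = ratchet(s["key"])
            s["ctr"] += 1
            return "ok"
        old = s["old"].get(counter)
        if old is not None and hmac.compare_digest(
                mac(old, counter, s["origin"], body), tag):
            # A valid tag under a key that was already consumed: someone else has
            # advanced this session, i.e. the key state was cloned. Kill everything.
            s["revoked"] = True
            return "collision"
        return "invalid"


class Browser:
    """Per-origin key store, standing in for origin-partitioned browser storage."""

    def __init__(self):
        self.store = {}  # origin -> (session_id, current key, counter)

    def save(self, origin: str, sid: str, key: bytes, counter: int = 0):
        self.store[origin] = (sid, key, counter)

    def request(self, server: Server, origin: str, body: bytes) -> str:
        if origin not in self.store:
            return "no-key"  # a page on another origin never received a key
        sid, key, ctr = self.store[origin]
        result = server.handle(sid, ctr, body, mac(key, ctr, origin, body))
        if result == "ok":
            self.store[origin] = (sid, ratchet(key), ctr + 1)  # stay in step
        return result


def demo() -> list:
    """Constructed scenario: normal use, phishing origin, stolen token, cloned keys."""
    server, victim = Server(), Browser()
    sid, key = server.enroll(ORIGIN)
    victim.save(ORIGIN, sid, key)
    log = [("victim normal use", victim.request(server, ORIGIN, b"balance"))]
    # Attacker-in-the-middle: the proxied page lives on another origin, so the
    # victim's browser holds no key for it and cannot produce a tag.
    log.append(("phish origin", victim.request(server, PHISH_ORIGIN, b"balance")))
    # Infostealer with only the session id (no transient key): rejected.
    log.append(("stolen sid only", server.handle(sid, 1, b"transfer", bytes(32))))
    # Infostealer that also cloned the browser's key store: first request succeeds...
    attacker = Browser()
    attacker.store[ORIGIN] = victim.store[ORIGIN]
    log.append(("clone uses key", attacker.request(server, ORIGIN, b"transfer")))
    # ...but the victim's next click presents a retired key, which exposes the clone.
    log.append(("victim next click", victim.request(server, ORIGIN, b"balance")))
    log.append(("clone after revoke", attacker.request(server, ORIGIN, b"transfer")))
    return log


if __name__ == "__main__":
    for step, result in demo():
        print(f"{step:20s} -> {result}")
```

The last three steps reproduce the window the article describes: the clone gets one successful request in, the legitimate user's next interaction triggers the collision, and every holder of the session is cut off. Making the tag cover the origin as the browser sees it is what turns an attacker-in-the-middle page into a request the server can never verify.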

Relock is already testing the interoperability of its patent-pending solution with other contributors to the OpenID Foundation's Shared Signals Working Group, such as Okta, Google and SGNL, using the Continuous Access Evaluation Profile (CAEP).

What’s next?

Relock says the solution is very easy to implement: only a quick SDK integration is required on the application side.


“With just a few lines of code, the Relock SDK is added directly into your current authentication flow. Now, you only need to connect it to the Relock service, which is available through our cloud or self-hosted as a container. In a few minutes, your system will be ready to signal any phishing attacks and protect users continuously in the background,” Relock said.

The startup also warns that up to one in five users open phishing links, and over 80% of companies are attacked each year.


Relock has just launched its first projects with European and US integrators to facilitate easy upgrades for all major authentication and IAM (identity and access management) platforms. The company is also inviting CISOs who have faced low adoption rates for MFA and passwordless solutions into design partnerships.

Although Relock's product is invisible to the end user, the team hopes that Relock may well have your back next time your trusted application warns you about a phishing attack.

In Q3 2024, Relock, a cybersecurity startup, secured almost 1 million euros in a pre-seed round led by Early Game Ventures.