Executive Summary

Relock’s authentication system has a decisive advantage over other methods: its continuous, ephemeral nature. Every request carries fresh, device- and origin-bound cryptographic proof with built-in reuse and compromise detection, eliminating the weaknesses of bearer authentication (passwords, OTPs, session cookies, bearer tokens).

Whereas today’s strongest authentication methods — passkeys and hardware keys — excel at protecting the private key, Relock protects the server–device relationship itself, ensuring there are no reusable credentials for an attacker to walk away with.

What that buys you in practice:

High-assurance continuous trust. Every request carries a fresh, origin- and device-bound Signed One-Time Token derived from a rotated, on-demand secret.

Phishing resilience out of the box. Session cookie theft, token replay, and AiTM phishing are neutralized — session trust cannot be bypassed.

Visibility, not just observability. The authentication gateway detects any reuse, mismatch, or tampering on the server side and immediately terminates the session.

Frictionless user experience. No user gesture is required after the initial login; protection is invisible, silent, and continuous in the background.

Plug-and-play deployment. Lightweight JS agent plus a proxy header — no UX overhaul, complex management, hardware rollout, browser extensions, or OS-level software.

No user adoption hurdles: just plug it in.

At its core, Relock shifts security assurance from a one-time login event to a model of continuous cryptographic trust, delivering strong posture, phishing resistance, and regulatory alignment, all while remaining invisible and frictionless for users.