ZKX Helix Key Features

ZKX Helix is a holistic cybersecurity software platform designed to protect access to IT, OT, and IoT networks
and their resources with pinpoint accuracy. It enables secure, granular, and completely visible control of access to
resources on any network.
Helix is designed to prevent unintended access to any individual network resource, severely limit any degree of
unchecked lateral movement on the network, and protect identity and multi-factor authentication (MFA) data
for both the users and devices in the information ecosystem. “The user” exists in two categories: the end-users
and the administrators. Below we outline six unique advantages Helix delivers for these users.

Greater MFA protocol security

Zero-Knowledge (ZK) security protections make Helix MFA data inherently more secure than messages transmitted in more commonplace protocols like SAML, PKI, and FIDO.

For the end user

Even when the network can’t guarantee no one is seeing your traffic, Helix is still safeguarding your authentication data. Your MFA data is safe even against sophisticated adversaries using advanced techniques like session hijacking. Passwords (and other credentials) can be safely re-used across sites and accounts.

For the administrator

Traditional identity-driven sources of data leakage (man-in-the-middle attacks, packet sniffing, data mining, etc.) are much less consequential to the security posture of a network under the Helix regime. With Helix, all of the above-described attacks (and more, such as drive-by credential theft and session hijacking) are rendered totally ineffective.

What makes ZKX different

Other MFA providers (e.g., Okta) have recently been hacked by methods Helix is impervious to. The results of these hacks are high-volume disclosure of client, user, and organization-sensitive data, as well as more devastating events like granting attackers illegitimate degrees of privileged access.

Wider MFA credential support

Helix provides near-arbitrary support for MFA credentials. Whether it is tried-and-true chip-enabled identity cards, more familiar options like PINs and passwords, or newer MFA methods like wearable NFC or biometrics, Helix supports the security story that makes sense for your network, your users, and your culture.

 

For the end user

You are able to leverage the identity-bound artifacts you already use and are native to your environment. There is no ramp-up time or “culture shock” that requires you to get used to new workflows, new credentials, or new behaviors, if you don’t want it.

For the administrator

Credential support is near-arbitrary and can leverage existing MFA tokens, artifacts, prompts, and the like. Whether you are looking to maintain your security ops with preexisting CAC/PIV cards, hardware tokens, PINs/passwords, or knowledge-based verification, or looking to migrate to a newer way of doing security with biometrics, endpoint identity, or wearable authentication gear, Helix will natively support you.

What makes ZKX different

Other MFA and ICAM providers are prescriptive when it comes to authentication methods – they tell you explicitly what will work and what won’t. Often, what will work is obnoxious, burdensome, and not adaptive or reflexive enough to the point where “security” becomes synonymous with “pain”. Helix enables you to write your own security story and see it fulfilled with what you’re already used to using (or looking to migrate toward).

Greater MFA credential strength

No matter what credentials are employed in any ecosystem, every credential used with Helix is inherently cryptographic and is never disclosed to any party, even the network performing the authentication and authorization of an end-user and their device. Whether you elect to employ traditional PKI certs or knowledge-based security questions, all credentials used with Helix are protected using both patented ZKX Solutions technology and standards-based, compliant cryptography.

For the end user

The odd happenstance of a malicious actor guessing your password after a few tries is now a thing of the past. With Helix, you can safely abandon archaic holdovers of a bygone era, frequently seen today in the form of the “password policy” (eight letters, two special symbols, etc.). Helix makes it possible for quick, simple, and yes – reusable – credentials to not only work, but work safely.

For the administrator

Save time, money, and resources on “cybersecurity awareness training” and other similar endeavors. Helix automatically bakes much of the entropy (the randomness that makes complex passwords, for example, safe) into the patented processes it uses to process data. The weakest link in the chain of security is often the human user. Eliminate them from your security equation.

What makes ZKX different

Other MFA and ICAM providers still rely on the same old authentication processes that have repeatedly proven their insufficiency and unreliability for today’s infosec environment. They are outdated, weak, and often require auxiliary support to be effective in the form of password rotation and cybersecurity awareness training, and are quick to pass the burden of their shortcomings off to their clients rather than accept reality.

The answer to insufficient technology is not more training or placing an even higher burden on our end users and administrators in the name of security – as is the approach today. The answer to bad technology is better technology – as is the approach with Helix.

Private data is never stored on the server or the device

One of ZKX Solutions’ MFA-focused patented technologies eliminates the need to store authenticating credential data on any device, token, or piece of network architecture.

 

For the end user

Your credentials are no longer compromised in the event of a network data breach. Your password (and other credentials) no longer needs to be cycled or refreshed every 60 or 90 days. If your device is lost or stolen, the risk that an adversary will be able to recover your MFA data and begin using it to achieve their own ends is zero.

For the administrator

Lost or stolen end-user devices no longer pose the risk of leaving behind sensitive data (cryptographic or otherwise) even in contested arenas. Likewise, attackers earn much less value in targeting traditional authentication-focused attack surfaces like centralized credential servers or user endpoint devices.

What makes ZKX different

MFA providers and other cybersecurity businesses like social media and password managers have seen their clients’ MFA data breached and exposed to the open internet because they store private, authenticating data on their clients in some form or fashion either on their own networks, end-user devices, or both. A breach of Helix would never result in the illegitimate use of any one of a user’s accounts, as no private or authenticating information is ever stored by Helix.

Simultaneous user and device identity proofing

Helix MFA verifies both the identity of the user and the device they’re using simultaneously. A user can be treated separately and distinctly solely on the basis of their device identity. For example, a user may have limited degrees of privileged access when connecting to the network on their smartphone, but have unlimited access when connected via their workplace terminal.

User MFA data is coupled to their registered devices cryptographically, meaning if those two things aren’t exactly correct (the user’s data and their device), no degree of privileged access is possible to attain.

For the end user

In order to pass authentication checks, your MFA credentials (PIN, password, CAC/PIV, etc.) and the device you’re using must be exactly correct. In this arrangement, phishing is a thing of the past. Even if you disclose your password to an adversary – whether intentionally or accidentally – your accounts and their privileges are totally secure from misuse.

For the administrator

Award your users different degrees of access based on the device they’re using – even if everything else is the same. For example, workplace terminals may be able to access intranet share drives, whereas BYOD mobile endpoints cannot. Even if a user has the privileges (and the MFA credentials) needed to access the share drives, there is no way they can when on their mobile endpoint, unless changed by you.

What makes ZKX different

Other MFA providers (e.g., Okta) have recently been hacked by methods Helix is impervious to: misuse or abuse of stale, leaked, or stolen credentials. The results of these hacks are high-volume disclosure of client, user, and organization-sensitive data, as well as more devastating events like granting attackers illegitimate degrees of privileged access. The burden for making an attack like this successful against Helix is exponentially higher than today’s competing solutions.

Automated session authentication

Beyond unrivaled security, Helix offers usability to match. After a user successfully completes an interactive MFA session on their device, an automated, non-interactive session takes over, ensuring that the user device’s lateral movements across the network (from application to application or even individual resource to individual resource) are scrutinized, verified, and authorized every single time.

In emerging security regimes like Zero-Trust (ZT) where authentications may be occurring at an exponentially higher rate than usual, Helix’s stride forward in secure, usable, and sustainable cyber ops is an absolute staple.

 

For the end user

Stop authenticating tens (or even hundreds) of times a day just throughout the course of your normal tasks and objectives. Eliminate the need to punch in a PIN number each time you want to check your e-mail. Quit taking the brunt of the friction burden placed on you by bad security technology. Maintain security and compliance without lifting a finger.

For the administrator

Enable your users to do what they’re best at: their duties. Take the burden of cybersecurity off of your tacticians and operators and allow them to take the work they’ve already done (successfully authenticating at a policy threshold set by you) and use it as credibility to continue accessing the network and resources of a similar sensitivity distinction.

What makes ZKX different

Competing technologies, like their interactive MFA protocols, are still attempting to employ old, weak, and frankly outdated session authentication tools to advance the state of cybersecurity. Take, for example, the catastrophic SolarWinds breach, enabled in part by weaknesses in the SAML protocol and its sessions. Helix uses a zero-knowledge attestation scheme – an automatic session that can begin only after interactive MFA has succeeded, and that comes with all the security and privacy benefits of zero-knowledge protection.