RapID FAQs

Why do I need RapID?

707,500,000 data records compromised in 2015: 22 a second (and that number is up 22% so far in 2016). (Gemalto 2015 Data Breaches Report)

The average total cost of a data breach is $4 million: $158 per stolen record. (Study conducted by IBM, across 12 countries and 383 companies.)

75% of attacks on corporate networks take advantage of weak passwords – and a staggering 70% of employees report forgetting or having their password compromised. (Survey conducted by uSamp, sponsored by Siber Systems)

The solution is simple: kill the password. RapID from Intercede turbocharges application security with quick and secure identity authentication, that simultaneously improves your users' experience by eliminating passwords completely. It's super simple to implement: with just a few lines of code and our SDK, you're all set to provide the strongest possible protection for users, apps & data on any device.

The Internet of Things is progressing at a break-neck pace and massive high-profile breaches are pushing cybersecurity to the forefront of users' minds. Whether you're developing for e-commerce, coding the latest greatest Xbox game or creating an app to manage IoT connected tech, you need to be thinking seriously about security like never before.

What is RapID?

RapID is a secure, easy to implement authentication service for mobile apps and cloud services.
It allows service providers to quickly deploy strong authentication to services from mobile apps, with minimal effort and cost.

  • A world-class, low-cost, cloud-based identity authentication and credential management service, that overcomes the vulnerabilities of usernames and passwords.

  • Built on experience gained through Intercede's MyID, developed over the last 20 years to deliver secure credentials for some of the largest global organisations. Intercede software is currently used to manage over 11 million credentials worldwide, including numerous US and UK government agencies.

  • As well as foolproof security, RapID offers a frictionless solution compared to the clumsy operation of SMS/token based one-time passwords, meaning user frustration is kept to a minimum – and they can forget their passwords forever.

How does it work?

Easy Implementation: Simply include a few lines of code to use our SDK. The RapID environment comprises:

  • Your existing client App, which includes the RapID client library.

  • Your existing web service, which includes the RapID server library.

The process for users is as follows:

  • RapID One-time Registration uses your existing customer on-boarding method to identify your customer (via a postal or SMS activation code, for example).

  • RapID Authentication is then automatic, combining a simple PIN or fingerprint with a digital identity held securely on the device. This provides security, convenience and ensures the right person is using the right device, without the need for further connection to the RapID server.

RapID supports

  • An app-centric experience - where the user can perform all their activity within the app.

  • A browser experience - where the user accesses your services through a web browser. Use our QR code authentication SDK and your users will be able to log in to your website from their PC by scanning a QR code presented by the browser with their RapID-enabled phone app.

How much does RapID cost?

Get your free trial licenses now and start enjoying the benefits of RapID today
Strong, frictionless two-factor authentication, just a click away

  • Banish passwords for good with enterprise grade security for the 21st century

  • Use our online guides and SDK to integrate RapID into your application – it only takes a few lines of code

  • Low-cost, affordable authentication for mobile apps

  • $12 per license annually – just $1 per month

  • Trial licenses available to try before you buy

Talk to us and learn more about RapID for your organization
Please talk to us about additional services & support

  • Engage with our experts to streamline your integration

  • Tailored on-boarding package to suit your needs

  • Priority support

  • Alternative pricing options for volume 5,000+

  • Additional payment options

Contact us for pricing information at sales@rapidauth.com

How can I get RapID?

RapID is available to app developers who want to build trusted identities into their apps and services.
You should follow the documentation provided at Getting started to begin implementing RapID.

What data is stored on the RapID Server? Credentials? Biometric details?

RapID does NOT store any of the users' personal data. RapID only stores the anonymous IDs provided by you, and the status of each user's credentials. Biometrics, PINs and private keys never leave the end users' devices.

Which encryption algorithm does RapID use?

RapID uses 2048-bit RSA keys with SHA-256 hashes for its client certificates. Each customer's RapID certification authority has a 4096-bit RSA key pair securing the root of trust.

Can RapID be used to wipe off the data on user devices, in case the device is reported as lost?

This is not a function of RapID – third party commercial app offerings are available for this.

What's the workflow to report loss of a device to Intercede, for them to delete all the relationships to the device and the user's account?

Intercede does not need to be informed of lost devices. The RapID service is used for anonymously requesting and collecting credentials and no actual user data is stored.

Your web server application should check the anonymous ID mapping to the user account as part of the login flow. You should remove this mapping when an end user's device is lost and should not reissue a credential using this same anonymous ID.

How does RapID protect the credentials on a user's mobile device?

RapID uses a combination of operating system features of the mobile device along with additional security measures that we have added. This ensures the keys can only be accessed after the user has successfully provided the second factor (either a PIN or a fingerprint).

How does our app interact with RapID on the mobile device? Could this be attacked to extract credentials/UUID etc?

There is no way to get hold of the private key directly. There is one RapID SDK call to collect an end user's credential from the RapID service. The RapID SDK then deploys the credential to the mobile device.

Is RapID scalable?

We've used our expertise in certificate technology to ensure RapID does not have scaling pinch points. To support a dynamic growth environment, the RapID service uses the latest cloud technologies to provide a full scaling out capability.

Are multiple devices for a single user supported?

Yes. A new certificate request with a unique anonymous ID needs to be made for each device. The provider's system will need to map a user account to many anonymous IDs. It is recommended you capture some information about the devices (e.g. iPad, iPhone, tablet) to help identify them in the scenario where you want to unregister an individual device.
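The provider-side bookkeeping described in the lost-device answer above and in this multi-device answer, as an added example that is not Intercede's SDK or code: a registry that resolves the anonymous ID taken from a client certificate to a user account at login, drops the mapping when a device is reported lost, refuses to reuse a retired anonymous ID, and lists the devices still bound to an account. The class and method names are assumptions for illustration.

```python
import uuid


class AnonymousIdRegistry:
    """Provider-side mapping between user accounts and RapID anonymous IDs.
    Hypothetical helper, not part of the RapID SDK."""

    def __init__(self):
        self._account_of = {}   # anonymous ID -> account name
        self._label_of = {}     # anonymous ID -> device label (e.g. "iPhone")
        self._retired = set()   # anonymous IDs that must never be reissued

    def issue(self, account, device_label, anon_id=None):
        """Allocate an anonymous ID for a new device of `account`.
        A caller may propose an ID; it is refused if it is in use or retired,
        so a lost device's ID is never bound to a fresh credential."""
        if anon_id is None:
            anon_id = str(uuid.uuid4())   # random: reveals nothing about the user
        if anon_id in self._account_of or anon_id in self._retired:
            raise ValueError("anonymous ID already used; issue a fresh one")
        self._account_of[anon_id] = account
        self._label_of[anon_id] = device_label
        return anon_id

    def resolve(self, anon_id):
        """Login flow: after mutual TLS the web server reads the anonymous ID
        from the client certificate and resolves it here. None means the
        mapping is absent (never registered or removed), so deny access."""
        return self._account_of.get(anon_id)

    def report_lost(self, anon_id):
        """Remove the mapping for a lost device and retire its anonymous ID.
        Returns the account it belonged to, or None if it was not mapped."""
        account = self._account_of.pop(anon_id, None)
        self._label_of.pop(anon_id, None)
        self._retired.add(anon_id)
        return account

    def devices(self, account):
        """List (anonymous ID, device label) pairs still bound to an account,
        which is what an 'unregister this device' screen would show."""
        return sorted((a, self._label_of[a])
                      for a, acct in self._account_of.items() if acct == account)
```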


How does RapID protect your customers and end users?

RapID provides a significant security enhancement for customers and providers. It also presents a much simpler user experience. The following describes the main threats avoided by RapID authentication.

Password phished, intercepted or stolen from provider

RapID prevents attacks of this sort by making them impossible: there is no password. In RapID, the user-entered data (such as the PIN) does not get sent to the server and is used locally on the device only. Furthermore, there is no central storage of users' security data in a RapID deployment.

Account identifier revealed

The anonymous ID that you provide to RapID is a pseudonymous account ID which is only used for authentication.

Your web server uses mutual TLS to establish a secure connection to your end user's device before the client credentials containing the Anonymous ID are transmitted.

At that time the web server is able to extract the Anonymous ID and perform a look-up to determine the identity of the end user.

Credential could be tracked over multiple sites

Each RapID credential is only used by one provider. TLS encrypts the user certificate in transit.

Attacker creates their own certificate with the anonymous ID

Each client certificate that RapID deploys to your end-users' devices is issued by the Trusted Issuer Certificate specific to your RapID account.

Using mutual TLS, you are able to guarantee that the client certificates that you allow to connect to your web server are issued by that Trusted Issuer Certificate.

Attacker requests a certificate from the RapID server by hacking into the RapID service

Each customer that signs up to RapID receives a client certificate called a service authentication certificate. Requests for credentials for that account can only be made by establishing a mutual TLS connection to the RapID request service using the correct client certificate.

Handset is stolen and unlocked by an attacker

RapID requires user authentication to the handset – not just a screen unlock. You retain ultimate access control since you are able to remove the anonymous ID mapping for specific end users.

Information revealed that may be used in other authentication paths

The RapID credential only contains an anonymous ID. The actual User Account name is not exposed outside the Provider's system. Individual providers are free to choose the identifiers they wish to use.

'Bad' websites could request client TLS cert belonging to a different provider by adding the trusted root

The RapID library includes a 'whitelist' feature so that only matching URLs are allowed to present the client certificate.


RapID Connect App FAQs

What should I do if I forget my PIN or lock out my PIN on the RapID Connect App?

We provide a procedure for you to obtain a replacement credential. This can either be on the same device or on a new device. The process is designed to ensure that only legitimate users are able to obtain credentials that would allow log on to your RapID dashboard. As such, it involves not only the individual whose credential is being replaced, but also your company's RapID primary contacts. This extra layer of security ensures that even if your email account had been compromised, it would not be possible to obtain a replacement RapID credential.

  1. De-register your device by clicking on the About link followed by the Forget Me link in the RapID Connect app.
  2. Use the Credential Replacement page (reached via the Unable to log in - Click here link on the Welcome page) to request a replacement credential.
  3. From the Credential Replacement page, you enter your registered email address and click the button to request a replacement.
  4. You will receive an email with a link which allows you to confirm that it was you who made the request.
  5. Click the link in the email to initiate the replacement process.
  6. Your default company's primary contacts will each receive an email requesting that they approve your request for a replacement credential.
    • If you are a primary contact yourself, you will not receive this email.
    • If there are no other primary contacts, then the RapID support team will be notified and they will process the replacement request.
  7. Any one of the primary contacts can log on to your company's RapID dashboard where they will be able to see your replacement request.
  8. If necessary, the primary contact may reject your request for a replacement credential by pressing the Reject button. Otherwise, the primary contact clicks Approve to authorize your replacement credential.
  9. An email is sent to you which allows you to collect the replacement credential from your device in the same way that your original credential was set up.

What is my default company?

Your default company is the company you select as your default sign-in company if you have access to more than one company dashboard in the RapID customer portal. If you only have access to one company, then this company is automatically set as your default company.

What is a primary contact?

The primary contacts associated with a company are identifiable from the RapID dashboard. Each company will have at least one primary contact and a maximum of three. We recommend that you have at least two primary contacts for your company since that allows you to be self-sufficient regarding credential replacements.

Primary contacts also receive emails relating to RapID service updates and your license status.