idemeum is a Passwordless Application Management platform.
Our vision is to provide a single place for small and medium businesses (SMBs) to set up and manage employee access to SaaS apps.
Employees access any type of application with mobile biometrics: Single Sign-On (SAML) apps, shared accounts, and password-based apps.
We have a bold vision for how to transform application management, but at this point we focus on three fundamental problems every SMB is facing:
- Onboarding - how do I securely onboard my employees, especially in a remote setting, while providing a seamless experience and not introducing multiple tools in the process?
- Account creation - how do I automatically provision all necessary SaaS accounts so that my employees are productive immediately?
- Access - how do I secure access to SaaS applications and achieve the balance between security and usability?
We are passionate about eliminating passwords. We do not follow the approach most vendors pursue today - password masking. For most technologies on the market today passwords still exist behind the scenes and are typically masked by some overlay tools.
We rely on decentralized identity to eliminate passwords completely, and replace them with mobile biometrics to provide a secure yet seamless user experience.
How idemeum works
Below you can see the high-level platform overview. Let's now take a look at the platform's main components that allow us to transform onboarding, account creation, and application access.
1. Passwordless identity
Everything starts with digital identity.
The way things work today is that admins have to create credentials for new hires and then distribute these credentials to employees somehow. Typically this is done over email, which is very insecure, or companies use password managers, which introduces friction and the need to use yet another tool. Things get more complicated when admins later ask employees to enroll in MFA for secure multi-factor access.
At idemeum we take a completely different approach. We build a decentralized identity on a mobile device. New hires create a digital identity on a mobile device by verifying their email address, phone number, and driver's license. The identity resides on the phone only (no PII in our backend), and it is protected by phone biometrics.
Employees use the mobile identity to self-onboard into an organization. The mobile device effectively becomes a multi-factor key to access all company resources. Having the identity decentralized allows us to:
- Completely eliminate passwords
- Remove the need for an admin to be involved in the initial setup. It becomes zero-touch, employee-driven onboarding.
2. Onboarding / offboarding
For onboarding / offboarding we rely on the source of truth for employee data in any organization - the HR system. The main idea is to verify the digital identity presented by the mobile device against employee records in the HR system.
When employees self-onboard by scanning the QR code and sharing their digital identity with the organization (email address, phone number, and verified name), we search the HR system to identify whether the person is indeed a new hire. If the record is found, the employee is onboarded and account provisioning is kicked off.
By following this approach we do not have to become yet another directory for the organization and deal with the issues of syncing and keeping the data up to date.
3. Account creation
Once the new hire is onboarded, we kick off the provisioning process across SaaS applications. We look up additional information in the HR system, such as department or employee role, so that we can entitle new hires (grant them access) only to the specific applications that they need.
We can create application accounts either using the SCIM protocol or, for certain applications, through custom connectors.
Once provisioning is complete, employees can access applications. First they access the idemeum application catalog with mobile biometrics, and then they can access any application with one click.
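The onboarding check and provisioning step described in sections 2 and 3, sketched as an added example (this is not idemeum's code). The HR records, the `pending_hire` status value, the `ROLE_APPS` map and all function names are hypothetical; the schema URNs are the standard SCIM 2.0 ones from RFC 7643.

```python
# Added example: HR-backed onboarding check and SCIM 2.0 payload construction.
# HR_RECORDS, ROLE_APPS and every sample value below are constructed.
import re

HR_RECORDS = [  # constructed stand-in for an HR system query result
    {"email": "dana.lee@corp.example", "phone": "+14155550101",
     "name": "Dana Lee", "department": "Engineering", "status": "pending_hire"},
    {"email": "sam.roy@corp.example", "phone": "+14155550102",
     "name": "Sam Roy", "department": "Sales", "status": "terminated"},
]
ROLE_APPS = {"Engineering": ["github", "jira"], "Sales": ["crm"]}  # hypothetical

def norm_email(s): return s.strip().lower()
def norm_phone(s): return "+" + re.sub(r"\D", "", s)
def norm_name(s): return " ".join(s.split()).casefold()

def find_new_hire(claims, records=HR_RECORDS):
    """Return the HR record only if every verified claim matches one pending hire."""
    hits = [r for r in records
            if norm_email(r["email"]) == norm_email(claims["email"])
            and norm_phone(r["phone"]) == norm_phone(claims["phone"])
            and norm_name(r["name"]) == norm_name(claims["name"])
            and r["status"] == "pending_hire"]
    return hits[0] if len(hits) == 1 else None  # ambiguous or missing: refuse

def scim_user(record):
    """Build an RFC 7643 User resource for POST /Users on a SCIM provider."""
    given, _, family = record["name"].partition(" ")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
                    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
        "userName": norm_email(record["email"]),
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": norm_email(record["email"]), "primary": True}],
        "active": True,
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":
            {"department": record["department"]},
    }

def onboard(claims):
    """Return {app: SCIM payload} for entitled apps, or {} when the check fails."""
    record = find_new_hire(claims)
    if record is None:
        return {}
    apps = ROLE_APPS.get(record["department"], [])  # unknown department: no apps
    return {app: scim_user(record) for app in apps}
```

Matching on all three claims plus employment status, and defaulting to no entitlements for an unmapped department, keeps a single leaked or guessed attribute from triggering account creation.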
Here are the use cases we support at idemeum:
- Passwordless Single Sign-On - if an organization is willing to upgrade to SaaS plans that support SAML SSO, idemeum can enable a true end-to-end passwordless experience. Passwords do not exist anywhere in the journey! And the access experience is as easy as approving a biometric login request on a mobile device.
- Shared accounts - admins can create applications for which credentials are shared across employees. When employees access these applications, credentials are auto-filled from a secure vault, and employees do not even see what those credentials are. From the user's standpoint it is the same experience of approving a biometric scan on a mobile device.
- Login management - if an organization is not ready to upgrade to SAML SSO plans yet, we can manage account creation and login for SaaS apps on free plans as well. idemeum goes beyond what password managers do by supporting social login as well. And instead of having a master password, employees use mobile device biometrics to access password-based applications.
As a result, idemeum offers one platform to support SAML apps, shared accounts, and password-based applications.
We will be sharing more details about our platform and offering more demos as we go. If you have any questions feel free to ping us at firstname.lastname@example.org.