
Purpose-built to defend against impersonation at the help desk and beyond, Mutual TOTP delivers bidirectional identity proof in seconds — no biometrics, no hardware tokens, no face scanning required
NEW YORK, April 21, 2026 /PRNewswire/ -- SlashID, the platform that secures every identity, today announced the launch of Mutual Time-based One-time Password (TOTP). This is the first cryptographic verification capability that simultaneously confirms the identity of both parties in any human-to-human interaction. By doing so, it eliminates the trust gap that makes vishing, deepfake impersonation, and help desk manipulation the most effective initial access vectors in enterprise breaches.
Social engineering was the leading initial access vector last year, accounting for 36% of all incidents investigated, according to Palo Alto Networks' Unit 42 2025 Global Incident Response Report. Similarly, Mandiant found that vishing appeared in 11% of all infection investigations. Unlike email phishing, these interactive attacks are resistant to automated technical controls. As AI-generated voices and deepfake video lower the cost and skill required to impersonate employees, executives, and vendors, legacy defenses — security awareness training, face-scanning identity verification, and liveness detection — are failing to keep pace.
"Social engineering works because it exploits a gap that MFA was never designed to close: neither party on a call can prove who the other is," said Jake Whelan, SlashID's Head of Product. "Mutual TOTP closes that gap with cryptographic proof that's fast enough for employees to actually use."
Enterprises are spending heavily on identity verification tools that rely on face scanning, ID document processing, and biometric liveness detection. These solutions are expensive to deploy, invasive to use, and impractical to roll out beyond narrow help desk scenarios. Meanwhile, threat groups like Scattered Spider have demonstrated repeatedly that a convincing phone call is all it takes to bypass MFA, reset credentials, and gain persistent access.
Mutual TOTP solves these challenges with three core capabilities:
- Bidirectional Cryptographic Verification: RFC 6238 TOTP codes bound to each user's device and refreshed every 30 seconds. Both parties receive and confirm a unique six-digit code simultaneously — if either side fails, the handshake fails and a warning triggers automatically.
- Identity Risk Correlation: Every verification event is correlated against SlashID's full identity graph and access risk profile. Requests from high-risk identities or anomalous patterns escalate automatically, while low-risk interactions proceed without friction.
- Full Session Audit Trail: Every verification session is logged with initiator, target, timestamp, verification status, and outcome — ready for compliance reporting, incident investigation, and integration with existing SIEM/SOAR workflows.
Unlike traditional identity verification tools, Mutual TOTP operates bidirectionally at the cryptographic layer, proving both sides of an interaction simultaneously. Further, it significantly reduces onboarding friction, privacy concerns, and deepfake evasion risk compared to traditional IDV solutions. The solution works on both desktop and mobile with biometric device protection, stores no biometric data on third-party servers, and costs a fraction of face-scanning alternatives. The result is a verification method practical enough to extend beyond the help desk to employee-to-employee calls, executive wire-transfer approvals, vendor onboarding, contractor access requests, and remote worker check-ins.
To learn more about Mutual TOTP or request a demo, visit slashid.com/use-cases/vishing-social-engineering.
About SlashID
SlashID is the identity security platform that stops identity attacks before they become breaches. The SlashID platform delivers unified visibility across human and non-human identities, 500+ out-of-the-box threat detections, automated remediation, and browser-level phishing prevention — enabling enterprises to see, detect, and fix identity risks across cloud, SaaS, and on-prem environments.
Media Contact
ICR for SlashID
[email protected]
SOURCE SlashID