The Company

Authentication built the session.
We build the act.

Yuthent is an Execution Authority Infrastructure company. We produce the cryptographic primitive the rest of the identity stack does not: a proof that a specific human authorized a specific action on a specific device, at a specific moment, with intent. The SDK. The control plane. The contract. Founder-led, pilot-operated, publicly honest about what is shipping and what is on the way.

The average U.S. data breach now costs $10.22M (IBM/Ponemon, Cost of a Data Breach 2025).

Start an enterprise pilotRead the architecture →
The Thesis

A session is a bearer token. An act is a signature. The industry has been building the wrong one.

For three decades, identity infrastructure has answered a single question: who logged in. That question was enough when the user, the device, the session, and the action were a single object in a single room. It stopped being enough the moment any of those separated. Remote access. Shared workstations. Cached sessions. Stolen cookies. Autonomous agents. A session tells you a credential was present. It cannot tell you whose hand, on what hardware, with what intent, pressed the button that moved the money or prescribed the dose or granted the privilege.

The regulatory surface has noticed. PSD2 SCA Dynamic Linking. DORA. EU AI Act Article 14. Every modern framework asks a question session-based authentication cannot answer: who specifically authorized this specific action at this specific moment.

The AI agent surface has noticed too. The next decade of economically significant activity will be executed by autonomous agents acting on behalf of humans. The primitive that lets an agent operate on routine actions while pausing for fresh human authorization on high-stakes ones does not exist in OAuth, SSO, or passkey stacks. It is the primitive Yuthent produces.

Founder

The observation that became the company.

Mohamad Khalil Yossif, Founder and CEO of Yuthent

Mohamad Khalil Yossif

Founder & CEO

Yuthent started from a real problem I faced while building a workforce and business-management product. Customers refused to replace on-site biometric check-ins. Not because they loved biometrics, but because it was the only control that reliably proved the right human was present. Passwords, one-time codes, passkeys, and sessions could all be shared, borrowed, or taken over. The biometric press was the only act that stayed tied to the person.

That observation generalized. Every industry facing social engineering, insider abuse, session hijacking, or AI-agent delegation is fighting the same gap, and every existing stack produces a session token as its answer. Yuthent is the primitive that answers differently. The biometric press, hardware-bound, action-bound, producing a signature that is cryptographically tied to the human and to the exact action, at the moment.

“A valid session is not proof of approval. A signed action is.”

What We Have Built

Concrete. Operating. Available to pilots.

Android and iOS SDKs, native

Full P/S/E/A action-authorization surface. Hardware-bound keys in StrongBox, TEE, and Secure Enclave. Device-side trust engine across five signal categories. Offline-first signing and durable queue. Architecture parity across platforms.

The control plane

A tenant-facing portal for device forensics, trust policy, fraud triage, action ledger, usage, access management, and pilot monitoring. Shipped and in daily use. BigQuery export to a customer-owned bucket. Webhook stream into the tenant SIEM.

The backend that enforces the contract

Hash-chained per-actor action ledger with daily anchors. Per-risk-level monotonic counters. Server-side device-attestation verification with action-bound nonces. External-decision callback for integrator fraud and UEBA systems.

Link-enrollment grant flows

In-person link, web-initiated in-person, and video-remote link enrollment. Time-boxed, scoped, signed grants. The primitives under patient-consent flows, supervised onboarding, agent delegation, and field operator workflows.

How We Work

Narrow scope. Paid pilots. Published honestly.

Paid pilots, named scope

Every engagement begins with a scoping call and a named integration target. The pilot is paid. The scope is one high-stakes flow. The deliverable is a working integration with cryptographic evidence auditable on day one.

Sponsored pilots for strategic partners

A small number of pilots operate under a sponsored structure with partners whose regulatory position or fleet scale makes them load-bearing for the category. Sponsorship is negotiated. It is not the default.

Honest release notes

When we change a security-relevant behavior, the release note says so. When a capability is in-flight, the site says so. When a capability is pilot-scoped, the site says so. We do not quietly change posture.

Accelerator and patent posture

Yuthent operates inside the SafeNology Accelerator Program, operated by Takwin Ventures and S.T-Impact, and the Hasoub Labs Accelerator. Core authorization method and architecture are patent pending. Founder-led engineering with a senior advisory circle.

Standards contribution

Yuthent's founder authored a requirement now included in OWASP AISVS 1.0, a contribution to the application-security standard itself.

Work with us.

We are selective about pilots. Each one ships a working integration on one critical flow, with cryptographic evidence auditable on day one. The fastest way into the roadmap is to tell us the flow you want to protect. Founder reads every request. First call within five business days.