Lattix Passport
Secure, policy-wrapped file transfer for sensitive data — like DoD SAFE, built for zero trust.
Lattix Passport is a secure file transfer product designed for sending sensitive or large files that can't go through email. Upload a file, apply security policies, specify recipients, and send — the recipient authenticates via one-time password to access the data. No persistent storage, no shared drives, no lingering access. Files are wrapped in TDF with full policy enforcement, encrypted end-to-end, and automatically purged after delivery.
/01 How It Works
Lattix Passport follows a simple three-step workflow. First, the sender uploads a file of any size and applies security policies — classification level, handling restrictions, expiration, and access constraints. Second, the sender specifies recipients (one-to-one or one-to-many) and assigns recipient attributes that govern who can access the data. Third, the file is wrapped in Zero Trust Data Format (TDF), encrypted with post-quantum algorithms, and delivered.

On the receiving end, the recipient authenticates via a one-time password sent to their verified email or phone. Once authenticated, they can download and access the file within the policy constraints — view-only, download-permitted, time-limited, or single-access. After the transfer window closes, access is revoked and the file is purged from Lattix infrastructure.
/02 Lattix-to-Lattix Transfers
When both the sender and recipient are Lattix platform customers, Passport unlocks the full power of zero-trust ABAC enforcement. Instead of simple OTP verification, the recipient's identity is resolved through the Lattix Policy Decision Point (PDP), evaluating their full attribute profile — role, clearance level, organization, device posture, and location — against the file's embedded policy. This enables sophisticated access decisions: a file classified as ITAR-controlled can automatically verify that the recipient holds the required export authorization before releasing the decryption key. Key Access Service (KAS) integration ensures that decryption keys are never transmitted directly — they're released only after real-time policy evaluation passes. Audit trails capture the complete chain of custody from sender to recipient.
/03 External Recipient Access
When the recipient is not a Lattix customer, Passport falls back to secure OTP-based delivery. The recipient receives a notification with a link to a web-based secure viewer. After the recipient enters the one-time password, the file is decrypted in the browser and made available for download or view-only access depending on the sender's policy. Even without full ABAC evaluation, the sender's policies are still enforced — time expiration, download restrictions, and access logging all remain active. Future enhancements will extend zero-trust capabilities to external recipients through federated identity (OIDC/SAML), allowing the KAS to evaluate claims from the recipient's corporate identity provider without requiring a Lattix account. This progressive trust model means that as recipients adopt standards-based identity, they automatically receive stronger security guarantees.
/04 Capabilities
Policy-Wrapped Transfer
Files are wrapped in TDF with embedded access policies, classification, and encryption before leaving the sender's environment.
One-Time Password Access
Recipients authenticate via OTP to access transferred files — no account creation, no software installation required.
Non-Persistent Delivery
Files are automatically purged after delivery or expiration. No persistent storage, no lingering access, no residual copies.
One-to-Many Distribution
Send a single file to multiple recipients with individualized access policies and independent audit trails per recipient.
/05 Use Cases & Compliance Alignment
Use Cases
- Large file transfer (beyond email limits)
- Classified document delivery
- Cross-organization data exchange
- Regulatory submission transfers
- Contractor and vendor file sharing
- One-time sensitive data delivery
Helps You Align With
Lattix provides the technical controls and audit capabilities to help your organization meet the requirements of these frameworks.