Airlock

Inspiration

Voice identity is completely broken. Traditional defense mechanisms rely on audio scanners that try to guess whether a voice is a clone. But with frontier models requiring less than 3 seconds of audio to forge a perfect likeness, audio detection has become a losing arms race.

We read about Eleanor R., a 74 year old grandmother who lost $18,400 to a grandparent scam because the voice on the other end sounded exactly like her crying son. That broke us. We realized that trying to analyze the malicious channel is a fundamental design flaw. We wanted to build something that bypasses the audio stream entirely, democratizing un-hackable, out-of-band identity verification so that it is powerful enough for a corporate CFO but simple enough for a grandparent to use on a flip phone.

What it does

AirLock Zero provides instantaneous protection against voice-forgery, wire fraud, vendor bank changes, and high-stakes helpdesk vishing. Instead of trying to analyze or scan the phone call audio, AirLock Zero uses an out-of-band architecture to verify the actual identity of the person who is calling.

If a senior gets a suspicious call from a family member, or a finance team member receives an urgent wire request from their CEO, they simply text a single character question mark (?) to the AirLock Gateway. The platform immediately side-steps the active phone call and launches an out-of-band authentication challenge directly to the actual alleged caller's device. Within 2 seconds, the recipient knows whether the caller is legitimate or an AI-generated fake, collapsing a high-stress attack into a verified hang-up.

How we built it

AirLock Zero is engineered as an out-of-band network identity system split into three distinct operational layers:

-The Single-Character Gateway: A lightweight SMS receiving backend that maps an incoming alert trigger (like a user texting ?) to an active potential attack vector.

-The Context-Aware Identity Engine: An organizational registry that maps explicit relationship graphs using integrated corporate directories, payroll rosters, or personal contact networks. It evaluates context to know exactly who is plausibly allowed to request specific high-stakes actions from the user.

-Hardware-Bound Truth Tokens: When an alert is triggered, AirLock targets the actual alleged caller's device. It pings their phone over an isolated cellular path, requiring a response signed directly inside their phone's secure hardware chip (Titan M2 or Apple Secure Enclave).

The entire process completes in under 2 seconds. The security math behind the time-locked token decay ensures that if a token is not approved by the real device's hardware key within a specific time boundary ( t_{max} = 60 ) seconds, the authentication window collapses completely:

Challenges we ran into

Our biggest technical hurdle was solving the Owner Hijack problem. What happens if the scammer has SIM-swapped the caller, intercepted their text messages, or physically stolen an unlocked phone? If our platform relied on standard SMS 2FA codes, a carrier-level exploit would break the entire system.

We overcame this by engineering a strict multi-channel fallback matrix that refuses to let approvals ride on plain text: Option 1 (Highest Trust): Cryptographic signing via a physical hardware security key (YubiKey or Passkey elements over NFC/USB) which localizes the signature inside the physical silicon.

Option 2: Push notifications bound directly to local biometrics (Face ID/Fingerprint) inside our enclave-isolated application, rendering a swapped SIM on a hacker's device completely useless.

Option 3: Decentralized matrix routing using bot hooks over secure networks like Signal or Telegram, which map straight to account variables rather than vulnerable telecom infrastructure.

Option 4 (Lowest Trust / Degraded Mode): Standard plain text SMS fallback, strictly locked down to low-risk scenarios. AirLock completely rejects plain SMS text routing for high-stakes enterprise actions like wire transfers or password resets.

Accomplishments that we're proud of

We are immensely proud of building an un-phishable, enterprise-grade defense system that requires zero application installations or tech literacy for the end victim. Creating a system where a single text message character can collapse a multi-million dollar corporate fraud scheme or save an elderly person's life savings is an achievement we stand behind. We successfully integrated hardware secure enclave handshakes with instant cellular pathway signaling, consistently keeping our median response latency under 1,840 milliseconds.

What we learned

Through building AirLock Zero, we learned that user experience is the most critical element of security design. If a security tool requires a 74 year old to download a complicated application, configure settings, or memorize complex safe-words during a high-panic call, the defense fails. By lowering the entry barrier down to a single text message character, we proved that you can deliver mathematically rigorous, enterprise-grade hardware isolation without introducing user friction.

We also learned the power of out-of-band architecture. In cybersecurity, you cannot reliably defend an ecosystem if you are analyzing a stream that the attacker completely controls. Stepping off the line and choosing an independent pathway is how we win.

What's next for Airlock

We are focusing heavily on expansion across our consumer and enterprise tiers. Our immediate engineering goals include building native integrations for corporate SIEM/SOC infrastructure, logging all validation telemetry directly into platforms like Slack and Teams for active network security monitoring. We are also pursuing formal SOC 2 compliance and HIPAA BAA certifications to facilitate widespread rollout across sensitive healthcare networks and legal institutions. Finally, we plan to implement on-prem gateway choices for larger enterprise servers, building a robust corporate seatbelt for the age of frontier AI.

Built With

• elevenlabs
• lovable
• lucidereact
• react.js
• tailwind
• vite