Skip to main content
Traceless is an identity verification orchestrator. When the agent needs to confirm an employee’s identity before a sensitive action, Traceless sends an MFA push notification through the employee’s existing authenticator — Duo or Microsoft Authenticator — without you needing to connect each one individually.
Traceless is configured in MSP Settings → Integrations.

When to use Traceless

Use Traceless if you want a single identity verification provider that works across an end-user base with mixed MFA tools. Traceless routes each push to the user’s existing factor, so you do not need to connect Duo and Microsoft 365 separately just for verification. If all your clients use the same provider (for example, Microsoft 365 everywhere), you can use that provider’s native push directly — see Identity verification.

How to connect

You’ll need API credentials from your Traceless admin settings before starting.
1

Get your Traceless credentials

Sign in to Traceless as an organization admin. From the admin settings page, copy your API signing secret and Organization UUID.
2

Open MSP Integrations

In the Rallied.ai dashboard, navigate to MSP Settings → Integrations.
3

Connect Traceless

Find the Traceless card and click Connect. A credentials form appears.
4

Enter your credentials

Fill in:
  • API Signing Secret — the signing secret from Traceless admin settings.
  • Organization UUID — your Traceless organization identifier.
  • Default Push Method — the authenticator app to route pushes to: Microsoft Authenticator or Duo Push.
5

Save and confirm

Click Save. Rallied.ai validates the credentials against the Traceless API. The card shows Connected when complete.

How verification works

When the agent decides an action is sensitive — for example, a password reset or admin permission change — it asks Traceless to verify the requesting employee:
1

Agent requests verification

The agent calls Traceless with the employee’s work email. Traceless reconciles the email against the connected MFA system to find the right device.
2

Employee receives a push

The employee gets a push notification on the configured authenticator app and approves it from their phone.
3

Rallied.ai polls for the result

The backend polls Traceless every few seconds for up to 5 minutes until the verification resolves.
4

Agent proceeds or stops

On approval, the agent continues the plan. On denial, timeout, or failure, the agent stops and informs the requester.

Push method options

MethodAuthenticator app
Microsoft AuthenticatorMicrosoft Authenticator on iOS or Android
Duo PushDuo Mobile
The push method you select applies to every verification Traceless handles for your MSP. To change it later, reconnect Traceless with the new value.

Outcome notes on tickets

When verification is triggered from a PSA ticket — for example, a new ConnectWise service ticket flagged as sensitive — Rallied.ai posts an internal note on the ticket as soon as the verification resolves so your technicians always see the outcome:
  • Approved — the agent is now processing the ticket.
  • Denied or failed — the agent will not process the ticket; it needs human handling.
  • Expired — the requester did not respond within the timeout window; the agent will not process the ticket.

Limits and timing

  • The verification window is 5 minutes from the moment the push is sent. After that, the verification expires and the agent does not execute the action.
  • The agent’s tool execution is paused for the entire client session while a verification is pending. No further actions run until the verification resolves.
  • A fresh verification is required for every new sensitive request, even from the same employee.
If verification fails or expires, the agent never executes the sensitive action — even if a technician already approved the plan. The requester must resubmit to try again.