Passwordless, Unphishable MFA for Practically Any SSO in the Market!


We’re excited to share we’ve expanded support of our invisible multi-factor authentication (MFA) to customers who are using the following single sign-ons (SSO):

  • OneLogin
  • CyberArk Workforce Identity SSO
  • Google SSO
  • VMware Workspace One SSO
  • Shibboleth

This expands our existing support of Auth0, ForgeRock, Microsoft ADFS and Microsoft Azure AD, Okta, and Ping Identity customers. 

Beyond Identity partners and integrates with just about every identity and access provider in the market to eliminate passwords and other weak forms of authentication. Securing user and device access to SaaS apps in this remote-work world is more important than ever because attackers have turned their attention to MFA. They’re increasingly stealing passwords and intercepting SMS, push notifications, and one-time passcodes (OTP) through man-in-the-middle and phishing attacks. This leaves critical business data, especially in SaaS apps, vulnerable to unauthorized access, data loss, and lateral movement. Even the U.S. government is mandating that their software providers stop using SMS, push notifications, and OTP within the next two years.

That’s why customers turn to Beyond Identity’s passwordless MFA: we use three strong, unphishable authentication methods. Companies can verify the identity of the user (device biometric), verify the device (security key), and check the security posture of the device (device security checks). Biometric authentication is stored locally on the device in the Trusted Platform Module (TPM) and is the same technology that Apple and other hardware providers use to unlock the device. Second,  Beyond Identity’s lightweight authenticator kicks off the generation and storage of a decentralized private key on every device; it can’t be read or moved off the device. This private key then generates a public key that is stored in the Beyond Identity cloud which binds the user’s identity to the device identity. Every device that a user uses to login is bound to their identity. Lastly, we check the security posture of every device. These granular security checks are invisible to the user and can be used to stop unrecognizable and risky users and devices from authenticating.

Unlike other MFA solutions, Beyond Identity controls which devices can authenticate to SaaS resources behind a SSO. Some companies can force their workforce to only use company-issued, locked down devices, but the reality is that most companies can’t do that. They have to support the workforce (partners, contractors, and more) to be productive and work on any device they need to (as long as it's secure). Problem is, it's really complex to identify if a device is tied to an authorized user and ensure it has the proper apps, files, software settings on at the time of login. 

Beyond Identity checks every device for its security posture before allowing it access which helps organizations protect against unauthorized access and data loss prevention. This is possible because Beyond Identity utilizes a lightweight authenticator on every device. These device security checks are completely customizable, and if customers have an MDM or EDR, they can add these optional security checks to the authentication decision process. Additionally, all authentication data can be sent to your Security Information and Event management (SIEM) software, we have out of the box integrations with Splunk and other leading SIEM tools.

policy screenshot

policy screenshot



Ready to implement an unphishable, invisible MFA for your SSO?  Get a demo today.