The Things You Wanted to Know About Beyond Identity, But Were Afraid to Ask
Here is a running list of frequent questions we get about Beyond Identity and how we eliminate passwords. The overall takeaway is: “yes, it’s very secure” and “yes, it’s easy to implement.” If you have a question you can’t find the answer to here, don’t hesitate to reach out!
What is being used instead of passwords?
We replace passwords with an authenticator that’s powered by fundamentally secure X.509 certificates. This is the same highly secure, scalable, and proven technology used in TLS (which you may recognize as the lock icon in your browser, next to the URL). Our authenticator is also a “personal certificate authority” that creates and signs certificates on each endpoint. This approach means that admins and end users don’t need to see, understand, or manage any certificates themselves. The Beyond Identity platform takes care of 100% of the certificate management tasks, does not require customers to run their own certificate authority, and protects the cryptographic keys in a secure hardware module on your devices (see below).
Can someone steal my credentials?
Simply stated: no. Beyond Identity employs the same standard asymmetric encryption used in TLS. During each authentication request, a private key is used to sign and encrypt an X.509 certificate, which is presented to the Beyond Identity cloud for verification. During the enrollment process, Beyond Identity’s cloud stores a public key that corresponds to the private key. The public key is only used to verify the certificate and positively assess whether the corresponding private key was used to sign it.
With Beyond Identity, your private key is securely stored in the Trusted Platform Module (TPM or secure enclave). This is a specialized piece of hardware on modern PCs and mobile devices specifically designed to securely store keys and perform cryptographic functions. The private key remains in the TPM, on your own device, and cannot be moved or accessed. You own your private key, and Beyond Identity cannot access it.
If your credentials are passwords or other “shared secrets,” then they are stored in databases, in the cloud, and who knows where else (e.g., yellow sticky notes). This is, for hopefully obvious reasons, not secure, and it is why Beyond Identity exists in the first place.
What if Beyond Identity is breached?
Only public keys and email addresses are stored in our cloud platform, whereas private keys are securely stored in the device’s TPM. This means all private keys used in the authentication process are stored securely on each user’s device: they own their own identity. Even if someone were able to gain access to the public keys, they would not be able to do anything useful with them.
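An added illustration, not Beyond Identity’s own code, of the property the answers above rely on: the service stores only an email address and a public key, so a fresh challenge signed by the device-held private key verifies, while the stored material alone cannot produce a valid login and a captured signature cannot be replayed. It assumes Ed25519 signatures and an in-memory key standing in for the TPM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device holds the private key; in the FAQ's model it never leaves the TPM (in-memory here for illustration).
type Device struct {
	user string
	priv ed25519.PrivateKey
}

// Cloud stores only what the FAQ says is kept server-side: email address and public key.
type Cloud struct {
	pubKeys map[string]ed25519.PublicKey
}

func NewCloud() *Cloud { return &Cloud{pubKeys: map[string]ed25519.PublicKey{}} }

// Enroll: the device generates its key pair and registers only the public half.
func (c *Cloud) Enroll(user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c.pubKeys[user] = pub
	return &Device{user: user, priv: priv}, nil
}

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (c *Cloud) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Sign returns a signature over the challenge; the private key itself is never exposed.
func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Verify checks the signature against the stored public key for that user.
func (c *Cloud) Verify(user string, nonce, sig []byte) error {
	pub, ok := c.pubKeys[user]
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("authentication failed")
	}
	return nil
}
```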
What if someone steals my phone or laptop?
With Beyond Identity, your accounts will remain secure even if your phone is stolen. Hackers cannot access your private key from your device, even if they have possession of the device. If they wanted to use your Beyond Identity authenticator to log in to something, the thief would first have to log in to the device itself. Modern devices use very strong authentication methods, such as biometrics (e.g., fingerprints or face scans), for verification. They also use PIN codes as a backup, but modern device PIN codes have anti-hacking methods built in (see our blog post on this). These security measures lock out after too many incorrect attempts, which protects the device against brute-force attacks. This is why even organizations like the FBI have issues logging into modern devices without the user’s help.
What if I get a new computer?
Once you’ve set up the Beyond Identity Authenticator on your first device, you can use that device to set up a 2nd, 3rd, 4th, etc., device. You can do this all without having to call the help desk. A user can use their smartphone, tablet, or even an old laptop to enroll their new computer. If you do not have your previous device, or any other enrolled device, available, then you repeat the initial enrollment process and set up your Beyond Identity Authenticator again, as you did when you first joined.
Do I need to use my phone to login to my laptop?
Nope, this isn’t some inconvenient legacy MFA solution. The Beyond Identity Authenticator is downloaded onto your computer, so you don’t need to pick up a second device, such as a phone, to log in.
Will I need any sort of additional hardware to use the service?
No additional hardware is required. All the secure hardware you need is already built into your device: modern devices have come with secure TPM/enclave hardware built into the chipset for years. You can download and set up the Beyond Identity Authenticator on any of your existing devices (macOS, Windows, iOS, Android, etc.). The idea is to reduce the number of unnecessary hurdles, not simply replace them with different, unnecessary obstacles!
Can I still use a password if I want to?
We’ve never had a user ask us to go back! The goal of Beyond Identity is to eliminate the password, so that attackers have no way to get into the application. While the goal is to phase out passwords to provide greater security and a frictionless user experience, in certain circumstances existing tech debt delays some legacy systems from going passwordless.
Am I just shifting my trust to Beyond Identity?
Our mission is to enable you to trust yourself! Beyond Identity isn’t storing anything of value; we are providing a tool that enables you to control your own identity. The storage of passwords is outdated and dangerous. Even a complex password has to be stored somewhere, and therefore can be a vulnerable target for hackers and thieves. As a rule: anyone who says “you can trust us” probably shouldn’t be trusted! Trust in your own private key, which cannot be viewed by us, or anyone else.