What Is Invisible MFA and Why Do You Need It?

1/6/2022

Invisible multi-factor authentication (MFA) is a new authentication category that breaks the mold of legacy MFA products that are reliant on passwords and other phishable factors — like one-time codes, magic links, and push notifications. The difference in capabilities between Invisible MFA and legacy MFA is drastic enough to warrant its own descriptor beyond a vague, overplayed marketing cliché such as “next-gen MFA.” 

What makes Beyond Identity’s Invisible MFA...invisible? None of the factors require actions by the authenticating user, such as entering a password, typing a one-time code, or clicking a push notification. They are, in essence, invisible to the authenticating party. Yet, unlike legacy MFA, all of the authentication factors Beyond Identity employs are based on proven, secure asymmetric cryptography and are not phishable.

Beyond Identity’s Invisible MFA enables organizations to confidently validate the user, ensure that the user is logging in from an authorized device, and confirm that the device meets the security requirements for the target application. What we have created is a state-of-the-art MFA that is light-years more secure than existing MFA solutions and completely frictionless for users.

Why do you need an Invisible MFA Solution?

You have to have MFA if it is a regulatory requirement in your industry. If it is not a requirement today, it will be soon. We created Invisible MFA because organizations and individuals continue to deal with the severe impact of cyberattacks, and existing MFA solutions simply don’t solve the problem. Worse, they provide a false sense of security. With the considerable increase in ransomware and account takeover attacks—resulting primarily from the use of stolen passwords—governments around the globe now require organizations to implement MFA. Additionally, heavy losses from ransomware payouts have prompted cyber insurers to make policy renewals contingent on the deployment of MFA.

Not all MFA is created equal. Users hate cumbersome MFA solutions that require multiple devices and multiple steps. At the same time, legacy MFA products fail to provide the level of security required to stem even simple attacks. To see why it’s easy to bypass legacy MFA, read “Why Is the Majority of Our MFA So Phishable?” by Roger Grimes, the well-known KnowBe4 evangelist. (See takeaways from his piece in the box.)

Highlights from “Why Is the Majority of Our MFA So Phishable?”

“For one, most MFA is overly susceptible to phishing. It is so overly phishable that it really does not provide as much protection as most organizations and users think. We need to change that.

“Push-based authentication is used by all sorts of popular vendors, like Google, Amazon and Microsoft. And it would seem a fairly foolproof method for authentication.

“Turns out end users frequently approve logins that they are not initiating. It is a very common problem in an environment where push-based authentication has been implemented. Users are approving malicious logins…many times when the user is not anywhere near their computer.

“If the MFA method they are pushing you to is easily phishable, are we really gaining much? I'm worried that much of the world is being sold a bill of goods that will be already spoiled on delivery.”

Legacy MFA puts the weakest link in the chain (the user) into the middle of the authentication process, relying on them to input a code or respond to push notifications. This approach adds friction and makes legacy MFA prone to attacks.

What makes Beyond Identity’s Invisible MFA different from other MFAs?

There are two important ways that our Invisible MFA improves upon legacy solutions. First, Beyond Identity’s Invisible MFA provides a far better, completely frictionless user experience. Second, it radically improves security compared to legacy products. (We discuss both in more detail below.) Why not start with the right building blocks and choose an MFA solution that conforms with government zero trust requirements, rather than having to rip and replace it later?

Legacy MFA’s friction problem

Some organizations have implemented MFA solutions for their workforce. But because of the user friction involved with legacy products, security teams had to pick and choose where to use MFA, so it ended up deployed in front of only one or a few applications. Many CIOs and CISOs told us they would have a revolt on their hands if they turned MFA on for all of, or even most of, the applications employees use daily. Adoption typically occurred within organizations that had specific regulatory compliance requirements, or took the form of very narrow MFA deployments in which only a few externally facing systems, like VPNs or remote access tools, were included.

Similarly, marketing and product teams that build consumer-facing applications have struggled to gain traction with MFA. With the rapidly growing impact of account takeovers, some companies enabled MFA in their apps. However, the multiple steps and devices required to log in with MFA resulted in very low consumer adoption rates. Organizations—especially e-commerce providers—do not want to force consumers to adopt MFA because they understand the adverse revenue impact it would have if users switched to more convenient apps and service providers. (One notable exception is banks requiring customers to use MFA, given the high risk and potentially high cost of a breached account.) But consumers have largely shunned MFA efforts by companies across most industries.

Users specifically dislike the clunky process required to set up some MFA and the fact that legacy solutions don’t eliminate the headache of choosing and changing passwords. Worse, users loathe the clumsy login process: locating their phone or alternative second device, grabbing a code or a magic link from an SMS text message or email, or opening an authenticator app to find the code, then typing the code into the login screen. Alternatively, with push-based MFA, users have to first locate their second device and respond to the notification. For organizations with consumer-facing apps, the pain is revenue-impacting because users will choose other vendors, abandon transactions, or finish transactions as a visitor to avoid the pains of logging in as a known user. For workforces, the pain can be severe, particularly for the C-Suite, and a productivity killer for all.

Frictionless logins with Beyond Identity’s invisible MFA

With Beyond Identity’s Invisible MFA, users simply authenticate into their device via their local biometric or PIN and choose the app they want to use. Everything else is completely invisible to the employee or consumer.

For workforces, the solution is integrated with single sign-on (SSO) systems for streamlined setup and seamless logins.

For consumer-facing use cases, Beyond Identity’s Invisible MFA integrates directly into the app using our SDK/API. Consumers simply download the consumer app that has the Beyond Identity capability integrated under the covers. There are no separate sign-up tasks and consumers get a completely frictionless, secure login.

Legacy MFA’s security issues

Legacy MFA was supposed to help organizations overcome the issues of using passwords, a completely compromised authentication method. The goal was to validate the identity of the person with a higher-trust method than passwords alone. Unfortunately, attackers quickly figured out how to phish PIN codes and magic links, or socially engineer users into responding to push notifications.

The problem has become so bad that the US Government issued specific guidance warning organizations to implement “phishing-resistant” MFA (see box for more detail). There are numerous methods and toolkits readily available for attackers to thwart legacy MFA solutions, including phishing attacks that use man-in-the-middle or man-on-the-endpoint techniques, as well as SIM swaps. Push-based MFA is also problematic because adversaries can generate notifications that prompt unwitting users to respond. Many adversaries are carrying out these attacks to bypass legacy MFA at scale, while more sophisticated attacks that use stolen session cookies are becoming increasingly available. We detail some of these attack methods and include examples of known breaches in the blog post “How Your MFA Can Be Hacked (With Examples).”

US Government warns organizations about phishable MFA

“MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach. However, many approaches to multi-factor authentication will not protect against sophisticated phishing attacks, which can convincingly spoof official applications and involve dynamic interaction with users. Users can be fooled into providing a one-time code or responding to a security prompt that grants the attacker account access. These attacks can be fully automated and operate cheaply at significant scale. Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks.”

Excerpt from Federal Zero Trust Strategy

Beyond Identity’s foundationally secure MFA

Beyond Identity’s solution starts with a strong, completely non-phishable method of authenticating users. The initial factor (possession) is established using secure biometric-based authentication built into modern devices, from PCs and laptops to tablets and phones. Beyond Identity leverages proven asymmetric cryptography as a second factor, creating a public/private key pair. During setup, the private key associated with the user is securely stored in specialized hardware available on all modern devices—a Trusted Platform Module (TPM) or secure enclave, for example—while the public key is stored in the Beyond Identity cloud. The private key cannot be moved or copied, and neither the user nor Beyond Identity can access it.

During each authentication request, the Beyond Identity authenticator creates a new X.509 certificate that the Beyond Identity cloud uses to cryptographically validate the identity of the user. This method has the key benefit of cryptographically binding the user to their device(s). This way the organization can know with certainty that the user is who they say they are and that they are using a known and authorized device to access apps or services. 
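The challenge-response that the two paragraphs above describe, written out as an added illustration in Go (not Beyond Identity's code; the names DeviceKey, Server, Enroll and the audience string are constructed for this example). The private key sits behind a signing interface standing in for TPM or secure-enclave storage, the server keeps only the enrolled public key and a single-use nonce, and the signed message includes the service's own identity, which is why a response captured or relayed by a look-alike site does not verify; a bare Ed25519 signature over the challenge stands in for the per-login X.509 certificate the text mentions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// DeviceKey: hypothetical stand-in for a TPM/enclave key; exposes Public() and Sign(), never the key bytes.
type DeviceKey struct{ priv ed25519.PrivateKey }
func NewDeviceKey() (*DeviceKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &DeviceKey{priv: priv}, err
}
func (d *DeviceKey) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }
// Sign covers the audience (service identity) and the nonce, so a response relayed to another service fails.
func (d *DeviceKey) Sign(audience string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(audience+"|"), nonce...))
}
// Server stores only enrolled public keys and the single-use nonces it has issued.
type Server struct {
	Audience string
	enrolled map[string]ed25519.PublicKey
	nonces   map[string]bool
}

func NewServer(aud string) *Server {
	return &Server{Audience: aud, enrolled: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.enrolled[user] = pub }
// Challenge issues a fresh random nonce that Verify accepts exactly once.
func (s *Server) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	s.nonces[string(n)] = true
	return n, err
}

// Verify rejects reused nonces, unenrolled users, and signatures not made over this server's audience.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	if !s.nonces[string(nonce)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.nonces, string(nonce)) // single use, so a replayed response fails
	pub, ok := s.enrolled[user]
	if !ok || !ed25519.Verify(pub, append([]byte(s.Audience+"|"), nonce...), sig) {
		return errors.New("not signed by the enrolled device key for this audience")
	}
	return nil
}
```

Nothing reusable crosses the wire: the server never holds a secret it could leak, and a captured response is bound to one nonce and one audience.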

But Beyond Identity goes well “beyond” simply validating that the user is who they claim to be and that the device is authorized. The system also continuously assesses whether the device is secure enough to access the target application/resources. During every authentication transaction, Beyond Identity’s authenticator collects dozens of security posture and user behavioral attributes, passing them to our cloud backend so the Beyond Identity policy engine can assess whether the device meets security policy at the time of login. Between authentication transactions, the Beyond Identity platform continuously assesses whether the device remains compliant with policies.

Beyond Identity enables organizations to control which users and devices can access apps, ensuring that devices meet the organization’s security requirements on a continuous basis and before granting access. The solution works with both managed and unmanaged (BYOD) devices, and with or without mobile device management (MDM), enabling organizations to implement a fundamental component of their zero trust model.

Bottom Line

Beyond Identity’s Invisible MFA combines frictionless experience users love with high-trust security that validates the user identity, ensures device security, and provides strong, zero-trust authentication required in modern hybrid/cloud environments. The solution starts with a foundationally secure and cryptographically sound (non-phishable) method of authenticating users and their devices while incorporating device security and user behavior as additional factors for added protection. 

Beyond Identity’s Invisible MFA is the new gold standard for MFA. It is the only MFA that provides an enjoyable user experience, cannot be phished, controls which devices have access to apps/resources, and can ensure the device meets security policies before providing access to critical data and systems.
