Combines user and device authentication

Beyond Identity authenticates users and their devices with proven, government-grade cryptography that we have made accessible to organizations of any size. It cryptographically binds users to devices, providing complete control over who and what devices can access your SaaS apps and cloud infrastructure.

This is possible today because devices have native biometrics and a built-in chipset that securely stores private keys and performs high-trust cryptographic functions. The Beyond Identity authenticator generates an immovable private key on each user's device and stores the public key in the Beyond Identity cloud. This innovative approach provides the most secure and easy to use multi-factor authentication on the planet.

Provisioning made easy

Users are added to Beyond Identity's cloud-based directory via SCIM or API. A lightweight authenticator is downloaded from the app store, deployed via MDM, or optionally integrated into a native application for a streamlined consumer-facing deployment. The authenticator enables users to add new devices, while policies control which and how many devices are permitted. The authenticator shows the user all the data that is collected from the device to avoid privacy concerns.

Simplified self-enrollment

During enrollment, Beyond Identity creates a credential that is bound to the device. The enrollment step is initiated by clicking a link in an email, or a link provided once the user successfully completes an already established login flow. For example, a workforce user can log into the SSO while a consumer can log into an app or web-service to access the enrollment link. After enrollment, Beyond Identity cryptographically validates that both the user and device are permitted to access the requested service.

Bulletproof user identity and device verification

Our authenticator works with the device's TPM during enrollment to create a private key that cannot be copied, shared, or moved from the device. The public key is then sent and stored in Beyond Identity's cloud. During each login, the authenticator engages the TPM to mint a fresh X.509 certificate, which is sent to our cloud for verification. The public key is used to validate that the certificate was signed with the private key. This is the same proven cryptography that powers TLS, secures the internet, and protects trillions of dollars worth of transactions daily. You get the security of widely-deployed crypto without any of the hassles of implementing PKI or managing certificates.

Support for all devices

The Beyond Identity authenticator runs across a wide array of mobile devices, tablets, and computers. Each device requesting access must have the Beyond Identity authenticator app and a valid credential to access the target application or resource.


Verifies users and devices meet security policies during every login

Beyond Identity's policy engine ensures that only authorized users are able to enroll credentials on approved devices. Control whether your workforce can enroll credentials on work-issued devices or if BYOD is permitted. Policies can also limit the number of devices customers and consumers are allowed to enroll.

During every login or step-up authentication, the policy engine inspects up-to-date risk signals collected by the authenticator at the time of the request. The policy engine evaluates these fresh signals and determines if a user and a device meet your security requirements before permitting access to the requested applications or resources. Policies can be configured to alert and/or block access.

Use biometrics to prove device possession

Users are required to use the built-in biometric or secure PIN code to ensure that the device owner is in possession of the device at the time of login. A biometric scan or PIN code can also be required for step-up verifications, such as when a critical app is being accessed, or before completing a high-value or high-risk transaction.

Analyze dozens of device security and behavioral risk signals

Beyond Identity's cloud-based policy engine can check dozens of risk signals collected by the authenticator on every device at the time of the login for continuous, risk-based authentication. Signals include if the device is jailbroken, location, encryption, filevault, geolocation, and more. Use risk attributes natively collected by the authenticator, create your own device checks, or optionally, enhance the attribute set with out of the box MDM or EDR integrations.

Quickly deprovision lost or stolen devices

Users or admins can delete a lost or stolen device from the directory so that the credential tied to the device can no longer be used to authenticate and protects against unauthorized access.

The policy engine validates that the device biometric or PIN code is turned on at the time of login, ensuring only the authorized user is able to access applications.


Eliminates passwords from authentication and recovery processes

The only way to stop password-based attacks is to remove passwords entirely from being used as an authentication method. If passwords are hidden from the user, or are available as a backup authentication method, or stored in a database then organizations are still vulnerable to credentials stuffing, social engineering, phishing attacks, and ransomware via remote desktop protocol.

No password field for users

With Beyond Identity there is no password field for users login to your SSO, application, or other cloud resources.

No passwords used with our authenticator app

There are no passwords used in association with the authenticator that is present on every device.

No passwords in our cloud directory

There are no passwords in our directory associated with each user — only a list of devices and public keys that pose zero risk.

See it in action:

Beyond Identity guarantees that only authorized users, logging in from authorized devices that meet your security policy at the time of login, are able to access any apps or resources. The combination of unprecedented security and unparallelled user experience makes all the difference!

Secure passwordless MFA that users will love

Common Questions

Read our FAQs

Experience the strongest authentication on the planet