Beyond Identity is just like FIDO and more
Beyond Identity uses similar standard FIDO protocols for public key cryptography to provide stronger authentication and protect user privacy. As such, private keys and biometric information never leave the user’s device.
Beyond Identity is a SaaS platform that goes above and beyond FIDO standards. Our passwordless, invisible MFA supports broad authentication use cases and turns all devices (including computers, tablets, and phones) into authenticators. Our platform validates the user, verifies the device is authorized, checks the security of the device, and executes an authentication decision based on the company’s risk policies.
At the core of Beyond Identity’s architecture is our patented technology, which creates new key pairs on all client computers, tablets, and phones authenticating to our cloud to secure users on all of the devices they login from.
Registration
During registration with Beyond Identity, the user’s client device creates a new key pair in the Trusted Platform Module (TPM) or secure enclave. No one has access to the private key in the TPM and it cannot be moved from the device. The device TPM retains the private key and registers the public key with Beyond Identity. This binds the user’s identity to the device.
All client devices authenticating are bound to a user and registered with the Beyond Identity Cloud. Users can enroll as many devices as the company allows. Each new device creates a key pair branch that’s bound to the user and bound to the hardware of the device.
Computers, tablets, and phones have the same core TPM technology to perform the creation and storage of key pairs. Beyond Identity supports all common device operating systems to create and store key pairs. Other FIDO-based solutions limit the creation of key pairs to mobile devices or Universal Second Factors (U2Fs), which reduces the number of use cases and security checks companies can support.
Registration of devices:
- User unlocks their computer, tablet, or phone using their local biometric or PIN
- User authenticates to their existing IAM provider—or clicks a time-limited one-time code sent via email, SMS, or QR code
- User’s device creates a new public/private key pair unique for the local device and that user’s account in the TPM
- Public key is sent to Beyond Identity and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.
Support registration of all major device operating systems:






Control registration of devices:
- Users can enroll devices that meet the company’s requirements.
Sample business requirements | Example device registration policies |
---|---|
Workforce - BYOD and Unmanaged Devices |
|
Customer Identity and Access Management - Crypto wallet vendor |
|
Customer Identity and Access Management - Media, Publishing, Entertainment |
|
Login
When the user requests to login, the client device that is authenticating proves possession of the private key in the TPM to the Beyond Identity Cloud by signing a challenge. The client’s private keys can only be used after the device is unlocked with a local biometric or PIN.
- Beyond Identity Cloud challenges the user to login with a previously registered device that matches the company’s acceptance policy
- User unlocks the device using a local biometric or PIN
- Device uses the user’s account identifier provided by the company to select the correct key in the TPM and sign the company’s challenge
- Client device sends the signed challenge back to the company, which verifies it with the stored public key and logs in the user
Supports login to apps and services:
Web apps
Mobile apps
Native desktop apps
Desktops
WiFi
Device security checks at login
Every user client device is registered with Beyond Identity. The client device turns into a self-signed OpenID provider that issues checks for security programs, files, apps, and settings running on the device at the time of login.
During the authentication request, Beyond Identity challenges the client device, and the client device signs the token certificate and sends a JSON package with the results of the device posture check. Security checks run on OSQuery for extensibility and customizability by the company. This checks the authenticating device to ensure it meets policy requirements before allowing access.
Security Attributes | Example Values (not limited to) |
Supported Platforms |
---|---|---|
Standard | ||
Number of Devices Registered |
|
Windows, macOS, iOS, Android, Linux |
Platform |
|
Windows, macOS, iOS, Android, Linux |
OS Major / Minor Version |
|
Windows, macOS |
Customizable | ||
|
[Fill in the blank] MDM Provider
EDR / XDR Provider
Vulnerability Assessment
AntiVirus Provider
Client Management Tools & Backups
Blacklist services:
|
Windows, macOS, iOS, Android, Linux |
File exists… |
[Fill in the blank]
|
Windows, MacOS, iOS, Android, Linux |
Registry Key / Plist value contains… |
[Fill in the blank]
|
Mac, Windows |
Optional from integrations | ||
Microsoft InTune |
|
Windows, macOS, iOS, Android |
JAMF |
|
macOS, iOS |
Workspace ONE |
|
Windows, macOS, iOS, Android |
Crowdstrike |
|
Windows, macOS |
Control user authentication on devices:
- Users and devices can authenticate when it meets the company’s risk policies.
- Companies can customize extensible authentication policies with unlimited, granular security attributes.
Example scenarios | Example authentication policies |
---|---|
For example: Workforce - Finance and HR apps Allow managed and compliant Windows and Mac devices only. |
If…
Then, approve authentication with device biometric or PIN.
If…
Then, deny authentication.
|
For example: Workforce - Chat apps Allow managed and compliant windows and mac - and non-managed, compliant linux, iOS, and Android devices with posture checks. |
If…
Then, approve authentication.
|
For example - Workforce - Web conferencing apps Allow authorized users and authorized devices with posture checks. |
If…
Then, approve authentication.
|
User privacy
Beyond Identity is similar to FIDO standards. We built our platform with privacy in mind: biometric data never leaves the user’s device. Beyond Identity shares status reports and device checks with users through the Beyond Identity App to be transparent about the device information collected. It meets GDPR, CCPA, and Strong Customer Authentication (SCA) compliance requirements so end users are comfortable setting up and using their existing devices.
See it in action:
Beyond Identity guarantees that only authorized users, logging in from authorized devices that meet your security policy at the time of login, are able to access any apps or resources. The combination of unprecedented security and unparallelled user experience makes all the difference!