In the last year alone, legacy SSOs have been breached frequently and severely, compromising their customers’ data, disrupting their business operations, and making it impossible to believe that vendors like Okta and Microsoft are concerned with building products that secure their customers. 

Beyond Identity is a secure-by-design organization with a collection of lifelong security practitioners that believes in solving the identity problem. We noticed that when customers needed answers to security questions, the competition would often have to schedule a follow up meeting for when their SME was available. At Beyond Identity everyone is prepared to talk about security outcomes, because that is our business.

When Taher Elgamal, one of our advisors, helped introduce SSL, he enabled the world to communicate securely. When Monty Wiseman helped introduce TPMs, our Principal Architect, he made it possible to have HSM-like hardware guarantees in general purpose computing. When Louis Marascio, our Product Architect, created the first secure remote access solution without a VPN, it became the foundation of IP telephony remote access in the Cisco firewall product.

Identity and access systems are a key part of modern productivity. It turns out they're also a key part of the attack sequence, as most adversaries simply login. Whether it is authentication flows with passwords, push notification, TOTP, or magic links, most IAM platforms have been serving up their customers to the adversary on a platter. While this may seem bombastic, just look at the metrics, how many of the incidents in your queue are identity related. If you're anything like the typical enterprise, it's around 80%.

When the world changes, you can’t afford to stay stagnant with the status quo. That’s how bad actors win. As a security-first organization, we see it as our duty to innovate and move the world forward once again. 

Today, we’re introducing Beyond Identity Secure Access. It is the first Secure-by-Design identity and access management (IAM) platform that can be deployed as a unified or modular solution to enable the security you need to protect identities in your organization. 

What is Beyond Identity Secure Access?

Beyond Identity Secure Access is the first Secure-by-Design IAM solution that defends against modern threats with security guarantees. These threats include credential theft, phishing, adversary-in-the-middle, MFA bypass, and generative AI deepfakes. 

The Secure Access Platform includes the following components:

Secure Single Sign-On (SSO)

‍Preserving the functionality of SSOs to enable and accelerate productivity, our SSO enables end-users to login to their apps with a single frictionless, passwordless user experience.

Going beyond legacy SSOs, our SSO is secure by default without complex configurations, optimized for zero trust architectures, extends risk-based authentication on a per-application level, and aims to enable zero standing privileges. In addition to the security features, our SSO currently supports a federated directory, OIDC and SAML applications, customizable application launcher, and additional administration and end-user UX improvements. 

We also recognized that migrating SSOs is not a trivial task for most organizations. To that end, we are expanding the capabilities of Access360. Access360 is a tool that today allows you to scan your Okta configuration to identify vulnerable authentication paths. In its soon-to-come iteration, Access360 will surface insights from your legacy SSO and turn that into migration guidance within the Beyond Identity admin console. 

Passwordless, phishing-resistant multi-factor authentication (MFA)

‍Phishing and social engineering attacks, it turns out, is a solvable problem. And it is a problem that can be solved in a way that moves beyond probabilistic protections.

A deterministic phishing-resistant MFA solution is characterized by a few properties:

1. Digital signatures that do not move. Secret-based authentication involves distribution of that secret. While there are attempts to protect the movement and storage of these secrets, none can solve the inherent problem which is that the secret has left footprints on the internet during its distribution. Digital signatures leverage public/private key cryptography that do not move in order to authenticate, minimizing the attack surface to the smallest possible area. 
2. Humans cannot be relied upon for authentication. Human beings, for all of our intelligence and creativity, are fallible. It’s impossible for us to discern with 100% certainty if a domain is valid, if an email is legitimate, if a login page is spoofed, and so on. By moving a computational problem away from the human, you can drive the number of successful phishing attacks to zero.
3. Hardware over software. While digital signatures make it possible for secrets to not move, it doesn’t guarantee that it hasn’t.  Anyone who has been developing software has experienced private key sprawl and seen private keys end up in open source repos. Using hardware secure enclaves to anchor a private key allows you eliminate, not just reduce, entire classes of security incidents. If a credential never moves and cannot be stolen, then credential stuffing and password sprays just do not happen. 

Device posture assurance

What other access management solutions miss is that it’s not just the human that’s authenticating, it’s also their device. 

Organizations struggle with device security compliance given that they have no visibility into unmanaged endpoints, no simple way to verify real-time device configuration (and configuration drift will always happen), no way to dig deeper beyond what MDMs and EDRs offer, and no continuous verification of device security compliance.

Secure Access provides the ability for organizations to query their devices, monitor real-time misconfigurations over time, and create custom device risk queries that can be easily translated into our policy engine to be used for access decisions. Plus, unlike MDMs and EDRs, we can give you visibility into unmanaged devices. 

Functionally, what this means for IT, security, and IAM administrators is a substantial reduction in time to remediation. According to the latest Verizon Data Breach Investigations Report, it takes organizations 55 days to remediate 50% of critical vulnerabilities. Instead of 55 days, you can query your fleet for impact from a specific CVE with real-time data and use that query as a risk attribute in our policy engine to prevent authentication from compromised devices in minutes. 

Continuous authentication

‍Risk is never static so why should your authentication policy be static? 

Our platform re-evaluates user, device, and third-party risk signals every 10 minutes and enforces risk-based policy against these ongoing evaluations even during active sessions. Combined with the ability to set policies on a per-application basis, a new capability introduced with our SSO, you can easily leverage continuous authentication for high risk applications. 

Integration ecosystem

‍Most organizations have invested heavily in device management and detection and response tools which provide a useful set of risk signals. However, these risk signals are currently being ingested by SIEMs for security analytics and threat hunting — that is, they are not being put to work for prevention. 

Security takes a village but the villagers, if we were to continue the analogy, must be able to communicate with each other in order to be successful. This is why supporting flexible and robust integrations is a core component of our Secure Access platform. 

You can configure your existing security tools and be able to pull any attribute you’d like from these integrations into your policy engine to make risk-based access decisions. For example, if a user has a CrowdStrike Zero Trust score of less than 50 you can prevent them from authenticating into your environment. 

Enterprises can adapt or fall victim to modern threats

Businesses must evolve their IAM approach from one of simply enabling productivity to one where security is a first-class citizen. At this juncture of increasingly frequent and successful attacks, the thing that feels safe, waiting and hoping that legacy SSOs will eventually evolve and innovate, is actually the most insecure choice you can make. 

Waiting, hoping, and standing still are not viable options. 

If you’re interested in being a part of the journey to pioneer the first security product designed to solve identity problems, book a demo today.