Phishing-Resistant MFA
Shift the burden of security off of end-users by using an MFA with no phishable factors.
"We actually had some penetration testers come in and attempt to phish our user base. And as you would expect, or as you would imagine, we actually had a couple of users that clicked on a link.
Beyond Identity essentially blocked that penetration tester from accessing those users' accounts at all because that penetration tester did not have access to that root of trust that is established by Beyond Identity.”
— Marcos Christodonte II
Global Chief Information Security, Unqork
The issues with traditional MFA
Traditional MFA still uses passwords as the first factor, which can easily be stolen and hacked
Hackers have found ways to easily bypass phishable factors through push fatigue, SIM swap, and man-in-the-middle attacks
Traditional MFA does not bind identities to devices so there’s no way to verify the user is who they say they are
Regulatory agencies are uniformly mandating phishing-resistant MFA given the vulnerabilities of factors used in traditional MFA
Requirements
According to a definition by the US Cybersecurity Infrastructure Security Agency, in order for an MFA solution to be phishing-resistant it must:
- Use FIDO and WebAuthN
- Be Public Key Infrastructure based
Beyond Identity solutions use these and supports all major SSOs and open standards including OIDC, OAuth 2.0, SAML, and SCIM
Why Beyond Identity provides the most secure phishing-resistant MFA
Complete elimination of phishable factors
Our unique architecture eliminates passwords by replacing them with universal passkeys where the private key is immutably and exclusively tied to a user’s trusted device.
Beyond Identity only uses strong authentication factors that cannot be phished:
- Local biometrics
- Cryptographic security keys
- Device-level security checks
Single-device MFA to deliver a frictionless user experience
MFA solutions that require two devices erode security and user experience. With Beyond Identity, users never need to pick up a second device for a one-time code, push notification, or magic link.
With a phishing-resistant MFA that is frictionless for the user, Beyond Identity removes the adoption hurdle of first-generation MFA solutions and enables organizations to widely deploy across BYOD and extended workforces.
Future-proof authentication for zero trust environments
First-generation MFA is fundamentally incompatible with zero trust architecture given the reliance on passwords and phishable factors.
In order to meet the “never trust, always verify” primitive of a zero trust approach, authentication must:
- Immutably verify user identity
- Immutably verify the integrity of devices requesting access
- Enable dynamic access policy enforcement based on real-time user and device risk signals captured directly from the endpoint or ingested from existing detection and response tools
- Continuously evaluate risk signals to establish trust in user and device prior to every authentication request and during authenticated sessions. It should also have the ability to take action to quarantine devices that fall below established security threshold defined in policy.
How to get started
Integrating Beyond Identity is designed to be simple for IT and security administrators. Companies can choose to implement Beyond Identity to any portion of users, even retain existing passwords to ease the transition.
Less than one day:
- Integrate with your SSO. We have integrations with all major SSOs and support OIDC and SAML.
- Sync your directories using SCIM or API connectors.
- Configure your SSO to delegate authentication to Beyond Identity.
Over the next two to four weeks:
- Refine fine-grained risk-based access policies to align with your security and compliance requirements.
- Test with a small group
Complete roll out in a timeframe that makes sense for your users
Experience the strongest authentication on the planet for yourself.
"Beyond Identity has exceeded my expectations. Our deployment time frame was aggressive, but we had great support from the engineering and product teams from Beyond Identity who made it happen. It’s also seamless for my customers, and we are getting all positive feedback.”
— Sasha Jovicic
CTO, RunBuggy
Learn more about phishing-resistant MFA
Beyond Identity doesn't use any phishable factors like:
- One-time passwords
- Magic links
- Push notifications
- SMS text messages
We're also completely passwordless— there are no passwords used anywhere ever. It's also a clear winner for user experience because Beyond Identity's eliminates cumbersome passwords and annoying second factors.
Read more about how Beyond Identity compares to traditional MFA.
Since 2017 NIST has called for avoiding MFA requiring a code or call sent to a second device. NIST standards state: “Use of the PSTN [Public Switched Telephone Network or a phoneline connection in human-speak] for out-of-band [authentication] verification is RESTRICTED.”
WebAuthN aka Web Authentication API, in the long form, provides the underpinnings for passwordless, phishing-resistant authentication for websites via supported browsers, including Safari, Chrome, Edge, and Firefox.
WebAuthn and the FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP) combine capabilities to make up the FIDO2 specification.
