Beyond Identity redefines identity and access (IAM) security. With a core principle of secure-by-design, our platform is the only IAM platform architected to deliver security guarantees that radically shrink the threat surface of modern organizations.
Quick note:
Against our security architects' recommendations, our marketing team has bravely chosen the word "guarantees" to describe our security claims. As the saying goes, death and taxes are the only things guaranteed in life. No security company, including us, can make absolute guarantees but we are the only IAM platform that provides deterministic defenses, not probabilistic ones. This isn't a legal document but this marketing asset has been rigorously reviewed for technical accuracy.
If you'd like to dive deeper into our product details or challenge us on these guarantees (we welcome it), get in touch.
Phishing, at its core, relies on tricking a human end user into going through a fraudulent site or connection and handing over their legitimate credentials. The delivery mechanism can be any available communication channel: email, text messages, phone calls, conference calls, Slack or Teams messages, and so on.
The problem with most anti-phishing defenses on the market today is that they can only provide probabilistic controls: they reduce the chance of people being scammed and lower the number of successful phishing attacks. These include end-user awareness training, email scanning tools, and legacy multi-factor authentication (MFA). None of these tools can guarantee the elimination of phishing risk.
Beyond Identity is different. Unlike other phishing defenses, we take a deterministic approach to eliminate the possibility of successful phishing attacks.
To be clear, no one can stop attackers from trying to phish your users. Nor can anyone stop users from clicking malicious links or entering their password on a website that looks legitimate. With Beyond Identity, however, those phishing attempts do not succeed even when users click bad links. Here’s how.
1. Make credential theft impossible by never using shared secrets
The problem with shared secrets (passwords, security questions, OTPs and the like) is that to run a shared-secret protocol you have to distribute the secret: the verifier needs its own copy (or a hash of it), and the user has to transmit it on every login. Creating those copies and moving them around the internet expands your attack surface and creates opportunities for the secret to be stolen in transit, from the server, or by a fake login page.
Public-key credentials, marketed today as passkeys, are the secure alternative to shared secrets. The user proves possession of a private key by producing a digital signature over a challenge from the server; the verifier holds only the corresponding public key, so the secret is never shared, and neither a server breach nor a fake login page yields anything that can be used to log in. Beyond Identity uses public-key cryptography to authenticate users and never falls back to phishable factors such as passwords, SMS one-time passcodes (OTP), or push notifications, so there is no credential for a phishing page to capture.
2. Deliver verifier impersonation resistance
No matter how well trained, human beings will never tell a legitimate link from a malicious one with 100% accuracy. The only way to deliver a secure authentication system is to take the burden of authentication security off the human. Security that can make guarantees is rooted in reality: it assumes that some users will always click malicious links, and relies on controls that keep access secure anyway.
This is where platform authenticators come into play. A platform authenticator sees the origin of the page requesting authentication, supplied by the browser or operating system rather than typed by the user, and it will only sign with a credential registered for that origin. A lookalike domain has no matching credential, so there is nothing for it to obtain. Humans cannot detect URL differences reliably; platform authenticators are the machine-based way to eliminate website impersonation deterministically.
3. Provide hardware-backed assurances for challenge legitimacy
A nuance of public-key cryptography is that while the private key need not move, nothing in the cryptography itself guarantees that it did not. Anyone who has developed software in the last 20 years has experienced private key sprawl, seen private keys copied around the internet, or seen them end up in open source repositories by accident.
The key (no pun intended) here is the secure enclave. The majority of devices today ship with some form of secure enclave (Apple's Secure Enclave, a TPM on PCs, hardware-backed keystores on Android). It is a hardware component distinct from the homogeneous CPU cores that execute ordinary instructions, and it has a deliberately limited set of capabilities. First, it can securely store a small amount of secret material in its non-volatile storage. Second, it has a secure volatile store for intermediate computations. Third, it has a predefined set of key operations such as create key pair, destroy key pair, and sign with key. Finally, it has a narrow interface for communicating with the rest of the system.
Combining public-private key cryptography with a secure enclave gives an authentication system in which the private key is generated and held in memory that the main CPU cannot read; the host can only ask the enclave to sign with it. Enforced at the hardware level, this combination provides guarantees that private keys are not discoverable and cannot exist outside the secure enclave. What it does not do is stop malware already running on the device from asking the enclave to sign, which is why the sign operation is gated on a local biometric or PIN and why the posture of the device itself matters.
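The three properties above, as one runnable model. This is an illustration added here for this page, not Beyond Identity's code or API. The relying party stores only a public key, so there is no shared secret to steal (1); the authenticator signs only for the RP ID that the browser derives from the page origin, and the relying party independently checks the signed origin and a fresh challenge, so a lookalike domain obtains nothing it can replay (2); the private key is generated inside the authenticator and never leaves it, with an in-memory map standing in for the hardware enclave (3). The domains login.example.com and login-examp1e.com, the RP ID derivation and the message layout are constructed for the example; they follow the shape of WebAuthn but are not a conforming implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData is assembled by the browser, never typed by the user: the server's
// challenge plus the origin of the page that asked for a signature.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for a platform authenticator: one key per RP ID, generated
// inside and never exported (on real hardware: a TPM or Secure Enclave key, sign-only).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key pair scoped to rpID and hands out only the public half.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// GetAssertion signs only with the key registered for the RP ID the browser derived
// from the page origin, so a lookalike domain has no key to use, whatever the user
// believed about the URL. Returns (clientDataJSON, signature, error).
func (a *Authenticator) GetAssertion(origin, challenge string) ([]byte, []byte, error) {
	rpID := rpIDOf(origin)
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("authenticator: no credential registered for " + rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpID, cd))
	return cd, sig, err
}

func rpIDOf(origin string) string { return strings.TrimPrefix(origin, "https://") }

// digest mirrors WebAuthn's signed value: sha256(rpID) || sha256(clientDataJSON).
func digest(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return h[:]
}

// RelyingParty is the real login service; it holds the user's public key only.
type RelyingParty struct {
	origin string
	pub    *ecdsa.PublicKey
}

// Verify is an independent second layer: a signature made for a lookalike page
// carries the lookalike origin, and the challenge check defeats replay.
func (rp *RelyingParty) Verify(challenge string, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("rp: challenge mismatch (replay?)")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("rp: signed origin %q is not %q", cd.Origin, rp.origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, digest(rpIDOf(rp.origin), clientDataJSON), sig) {
		return errors.New("rp: bad signature")
	}
	return nil
}

// Login simulates one browser session on the page at pageOrigin; the result goes
// to the real RP (through the attacker's proxy when pageOrigin is a lookalike).
func Login(rp *RelyingParty, auth *Authenticator, pageOrigin string) error {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	challenge := fmt.Sprintf("%x", nonce) // fresh per attempt
	cd, sig, err := auth.GetAssertion(pageOrigin, challenge)
	if err != nil {
		return err
	}
	return rp.Verify(challenge, cd, sig)
}

func main() {
	auth := NewAuthenticator()
	rp := &RelyingParty{origin: "https://login.example.com"}
	rp.pub = auth.Register(rpIDOf(rp.origin))
	fmt.Println("real site:", Login(rp, auth, "https://login.example.com"))
	fmt.Println("lookalike:", Login(rp, auth, "https://login-examp1e.com"))
}
```

The second call fails inside the authenticator, before any signature exists, which is the deterministic part: the user's judgement of the URL never enters the decision. The origin and challenge checks in Verify are the server-side backstop for a misbehaving or malicious client, and a database of public keys is worthless to whoever steals it.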
Credential stuffing is an attack where bad actors test stolen username and password pairs to attempt to gain access. Typically, the attack is carried out in an automated manner.
The reason that credential stuffing remains a viable form of attack even in environments where phishing-resistant authentication exists is that, unless phishing-resistant authentication is universally deployed, the login page continues to accept passwords for login, recovery, or as a fallback option.
The only way to eliminate credential stuffing attacks is to eliminate the password altogether for authentication, for recovery, and as a fallback mechanism. This requires a seamless user experience and broad support for different operating systems. Here’s how Beyond Identity enables universal phishing-resistant MFA deployment to eliminate credential stuffing attacks.
1. Passwordless, phishing-resistant MFA that eliminates all user friction
Authenticating with Beyond Identity means users can log in to their applications the same way they log in to their devices: with a simple touch, glance, or local device PIN. There’s no second device, time-based OTP (TOTP), push notification, or hardware key involved.
Don’t believe us? Watch Mario Duarte, VP of Security at Snowflake, talk about how authenticating with Beyond Identity has caused users to send emails of gratitude.
As a side benefit, you can also unburden your team from fielding password reset calls. There are no more passwords, ever.
2. Passwordless, phishing-resistant MFA that supports all operating systems
Universal coverage also means universally deployable on all devices no matter their operating system, even the less common ones like Linux and ChromeOS. Beyond Identity supports the most commonly used operating systems:
Push bombing or flooding attacks are increasingly common as more organizations use push notifications as a second factor for authentication. During this attack, bad actors flood the user’s phone with a barrage of push notifications. The frequency of the prompts overwhelms and confuses the user, can render the phone unusable, and eventually leads the user to approve an unauthorized access attempt. This is the exact tactic used in the 2022 Uber breach.
In addition to causing end-user frustration, push-based second-factor authentication provides no security guarantees about the risk posture of the first device that started the access request, nor of the second device. Nor does the second device validate that the prompt it shows was actually triggered by the device the user is authenticating from.
Beyond Identity completely eliminates push bombing attacks because authentication never falls back to phishable factors such as push notifications. Additionally, our MFA enables device compliance checks on both the first and second device with validation that the second device is only responding to legitimate access requests sent from the initiating device.
1. Only phishing-resistant factors used in authentication
Beyond Identity devotes significant engineering resources to integrating tightly with all commonly used operating systems (OSes) and their particular cryptographic APIs, so that public key credentials are always created and secured by the TPM, Secure Enclaves (T2 chips), or a similar hardware root of trust. These OSes include Windows (x86 and ARM64), Android, macOS, iOS, iPadOS, Linux, and ChromeOS.
This architectural foundation allows us to only authenticate with hardware-bound public key credentials and local device biometrics or PIN without falling back to push notifications, ever.
2. Policy sequencing to ensure security compliance for any device in the authentication flow
In addition to secure-by-default authentication, our adaptive policy engine allows administrators to always enforce biometrics for authentication even if the device is in clamshell mode or does not support biometrics. This allows administrators to remove the local device PIN as an allowable factor. It works by sequencing authentication to a second device with a biometric, such as a mobile device.
However, unlike push-based second-device authentication, organizations can not only ensure biometric validation but also enforce fine-grained device risk checks on every device in the authentication chain.
3. Cryptographically bound identity and device
Beyond Identity establishes a cryptographic chain between users and their authorized devices by leveraging certificates (with no central CA to manage) and JSON Web Tokens (JWT). These provide structured, signed metadata about the key lifecycle, acceptable use, holder, verifier, and audience of the public key credential. Because the metadata is digitally signed, you can validate that it hasn’t been tampered with and check the authority that signed it against a root of trust.
This means you have immutable, cryptographic assurance that an authentication took place from a specific device, by a specific user, and any change is immediately obvious because the digital signatures no longer verify.
During authentication, it’s not just the user that’s logging in, it’s also their device. However, there are a few common vulnerabilities when it comes to devices:
This creates the situation in which 74% of IT and security professionals feel that their current security controls are not adequate for unmanaged devices (Forrester) while 70% of successful cybersecurity breaches originate on endpoint devices (GovTech).
Beyond Identity is the only IAM solution on the market that delivers fine-grained access control accounting for real-time device risk both at the time of authentication and continuously afterwards. Here is how we achieve this.
1. Platform authenticator providing real-time risk telemetry
The first benefit of a platform authenticator is the ability to provide verifier impersonation resistance. The second benefit is that, as an application that lives on the device, it can provide real-time risk data about the device such as firewall enabled, biometric enabled, disk encryption enabled, and more.
With the Beyond Identity Platform Authenticator in place, you can have guarantees of user identity with phishing-resistant authentication and enforce security compliance on the device requesting access. After all, it’s not just the user that logs in, it’s also their device.
2. Coverage for managed and unmanaged devices
Unlike mobile device management (MDM) or endpoint detection and response (EDR) tools, an authenticator does not require admin privileges, so it does not carry the privacy concerns that surround MDM and EDR. That means it can live on unmanaged devices, or devices you don’t manage at all (e.g. contractor and partner devices). The trade-off is that an unprivileged agent observes and reports posture rather than enforcing configuration the way an MDM does; the enforcement point is the access decision itself.
3. Continuous identity and device risk validation
Beyond Identity is uniquely architected to perform real-time identity and device security posture checks at regular intervals (measured in minutes), even during active sessions. Since configuration drifts, continuous authentication ensures that any device gaining access complies with your security policy before access is granted and on an ongoing basis.
4. Policy sequencing to ensure security compliance for any device in the authentication chain
In situations where the user cannot or does not want to use their first device for authentication, Beyond Identity’s adaptive policy engine allows administrators to sequence fine-grained risk policies for every device involved in the authentication chain.
If authentication is routed to a second device by user preference or security policy (e.g. the first device does not support biometrics but policy states that authentication requires biometric validation), our policy engine will validate your enterprise policy against the first device as well as the second device. Additionally, our policy sequencing capability automatically detects the operating system to apply the correct policy set to each device.
Given the proliferation of security tools, risk signals can come from a variety of disparate sources: MDM, EDR, ZTNA, and SASE tools among them. Adaptive, risk-based access is only as strong as the breadth, freshness, and comprehensiveness of the risk signals fed into its policy decisions.
Beyond Identity provides a flexible integration architecture that prevents vendor lock-in and reduces the complexity of administration and maintenance. Additionally, our policy engine allows for continuous authentication, so you can enforce comprehensive risk compliance even during active sessions.
Our integrations architecture allows you to integrate across a wide breadth of solutions and leverage any signal available via their API to make policy decisions. Given the fine-grained nature of the policy assessment and that risk signals are checked at time of authentication and continuously, we ensure that the security software you want running is actually running, not just present.
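As an added illustration of the posture, sequencing and continuous-check ideas in sections 1 through 4 above and of the "running, not just present" check: a small policy evaluator written for this page, not Beyond Identity's policy engine or schema. It applies OS-independent and OS-specific rules to every device in an authentication chain, insists that some device in the chain offers a biometric (so a clamshell-mode laptop is sequenced to a phone rather than falling back to a PIN), rejects stale telemetry, and returns the same kind of decision whether it runs at login or at a later re-check. The Posture fields, rule names, time limits and the sample laptop and phone are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Posture is the telemetry a user-level platform authenticator can report about
// the device it runs on. Field names are illustrative, not a vendor schema.
type Posture struct {
	DeviceID      string
	OS            string // "macos", "windows", "ios", ...
	Firewall      bool
	DiskEncrypted bool
	Biometric     bool // a biometric is available and enabled on this device
	EDRInstalled  bool
	EDRRunning    bool // installed is not enough; the agent must be running
	CollectedAt   time.Time
}

// Rule is one posture check; Policy groups rules per OS ("*" applies to every OS).
type Rule struct {
	Name  string
	Check func(Posture) bool
}

type Policy struct {
	MaxAge           time.Duration // reject telemetry older than this
	RequireBiometric bool          // some device in the chain must offer one
	Rules            map[string][]Rule
}

type Decision struct {
	Allow   bool
	Reasons []string // why access was denied; empty when allowed
}

// evaluateDevice runs the OS-independent rules, then the OS-specific ones.
func (p Policy) evaluateDevice(d Posture, now time.Time) []string {
	var reasons []string
	if now.Sub(d.CollectedAt) > p.MaxAge {
		reasons = append(reasons, "telemetry stale")
	}
	for _, set := range [][]Rule{p.Rules["*"], p.Rules[d.OS]} {
		for _, r := range set {
			if !r.Check(d) {
				reasons = append(reasons, r.Name)
			}
		}
	}
	return reasons
}

// EvaluateChain applies the policy to every device in the authentication chain:
// the device that started the request and any device it was sequenced to. One
// failing device denies the whole request; running it again later is the re-check.
func (p Policy) EvaluateChain(chain []Posture, now time.Time) Decision {
	var dec Decision
	biometric := false
	for _, d := range chain {
		biometric = biometric || d.Biometric
		for _, r := range p.evaluateDevice(d, now) {
			dec.Reasons = append(dec.Reasons, d.DeviceID+": "+r)
		}
	}
	if p.RequireBiometric && !biometric {
		dec.Reasons = append(dec.Reasons, "chain: no biometric-capable device; sequence to one")
	}
	dec.Allow = len(dec.Reasons) == 0
	return dec
}

func edrRunning(d Posture) bool { return d.EDRInstalled && d.EDRRunning }

// CorporatePolicy is a sample policy: encryption everywhere, firewall and a
// running EDR agent on desktops, a biometric somewhere in the chain.
func CorporatePolicy() Policy {
	return Policy{
		MaxAge:           5 * time.Minute,
		RequireBiometric: true,
		Rules: map[string][]Rule{
			"*":       {{"disk not encrypted", func(d Posture) bool { return d.DiskEncrypted }}},
			"macos":   {{"firewall off", func(d Posture) bool { return d.Firewall }}, {"EDR not running", edrRunning}},
			"windows": {{"firewall off", func(d Posture) bool { return d.Firewall }}, {"EDR not running", edrRunning}},
		},
	}
}

func main() {
	now, p := time.Now(), CorporatePolicy()
	// Laptop in clamshell mode: compliant, but no biometric available right now.
	laptop := Posture{DeviceID: "laptop", OS: "macos", Firewall: true, DiskEncrypted: true,
		EDRInstalled: true, EDRRunning: true, CollectedAt: now}
	phone := Posture{DeviceID: "phone", OS: "ios", DiskEncrypted: true, Biometric: true, CollectedAt: now}
	fmt.Println("laptop alone: ", p.EvaluateChain([]Posture{laptop}, now))
	fmt.Println("laptop+phone: ", p.EvaluateChain([]Posture{laptop, phone}, now))
	// Continuous re-check a few minutes later: someone stopped the EDR agent.
	laptop.EDRRunning, laptop.CollectedAt = false, now.Add(4*time.Minute)
	fmt.Println("re-check:     ", p.EvaluateChain([]Posture{laptop, phone}, now.Add(4*time.Minute)))
}
```

Two design points worth noting. The decision carries reasons rather than a bare boolean, because a denial that cannot be explained to the user or the help desk gets worked around. And staleness is a policy input: telemetry older than MaxAge is treated as missing, which is what makes "continuous" mean something rather than "checked once at login".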