Affirmed Identity™ - Zero Trust Passwordless Push Authentication

Affirmed Identity

Beyond the phishing-resistant single-factor authentication (SFA) of Passwordless Push and Passkey lies AffirmedID — passkey (FIDO2) with MFA and Continuous Authentication Monitoring.

Innovating Digital Identity for SMB, Enterprise, MSP

A unique Identity Provider Service that empowers businesses large and small to authenticate users and secure their sessions with continuous monitoring.


Superior Authentication Software as a Service

Affirmed Identity is an authentication and session security service that mitigates the risks and operational shortfalls of Passkey, FIDO2, and Passwordless Push solutions. It delivers true MFA without step-up requirements, plus OIDC and SAML SSO session providers with Continuous Authentication Monitoring. Simply stated, it is an Identity Provider packaged and delivered as a software service.

Enterprise Grade Authentication with the Simplicity of Passkey

The reinvention of Passkey (FIDO2) ensures every authentication ceremony doesn’t just assert device possession—it verifies you through behavioral identity in full compliance with NIST AAL3, and it integrates seamlessly with Continuous Authentication Monitoring (CAM) to support achieving CMMC Level 3 compliance.

A familiar Passkey experience—only easier, stronger, and safer.


  • Device-bound, not cloud-synced: private keys are stored in the cell phone’s Secure Element and are never synced to a credential store in the cloud.
  • Behavioral identity built-in: every authentication verifies who is using the device, not just possession.
  • Seamless experience preserved: the same effortless Passkey login—plus self-serve secure account transfer when a cellphone is replaced or lost, without help desk involvement.
  • Credentialless by design: eliminates stored credentials and strengthens phishing resistance beyond that of FIDO2 and OS-integrated passkeys.
  • Continuous Authentication Monitoring (CAM): Real-time session protection with PDP/PEP integration or Syslog feed.
  • Scales for all: Affordable and deployable from the smallest SMB to the largest enterprise.

A Single Configurable IdP Service, Many Diverse Applications

Phishing attacks more often target SMBs, resulting in breaches that hit hardest those least prepared to recover. That’s why it makes sense to offer AffirmedID IdP in two tiers: Tier 1, tailored for small SMBs, and Tier 2, designed for all other organizations.


IdP Managed Cloud Service

For clients with fewer than 200 users, AffirmedID delivers advanced IdP capabilities as a fully managed cloud service—at less than half the typical cost. This approach gives smaller organizations enterprise-grade cybersecurity features that were previously out of reach due to technical complexity or financial barriers.

IdP On-premises Deployments

An on-premises deployment that tightly integrates superior identity provider technology into existing IT infrastructure. This no-gap architecture delivers full control, enhanced security, streamlined compliance, and predictable costs, empowering organizations to shape their own security destiny while maximizing long-term value.

The Use Cases for AffirmedID IdP Service

When the focus shifts away from consumerism, entertainment, and social media, the strengths of AffirmedID IdP Service stand out in sharp relief. Its most compelling use cases center on security, compliance, and simplicity. In truth, if something is worth protecting, it’s worth securing with AffirmedID.

  • Phishing-Resistant Workforce Authentication
    Protect employees and contractors with credentialless FIDO2 passkeys and AAL3-compliant MFA, eliminating passwords and stopping account takeover attacks.
  • Zero Trust Access to Applications and Data
    Continuously verify users and sessions with adaptive authentication across cloud, on-prem, and hybrid apps—enabling true Zero Trust identity assurance.
  • Compliance-Ready Access Control
    Simplify alignment with CMMC, HIPAA, PCI DSS, SOC 2, and ISO 27001 by providing auditable identity proofing, strong MFA, and continuous monitoring.
  • Secure Customer Identity (CIAM)
    Deliver seamless, passwordless login for customer-facing portals—reducing friction while providing enterprise-grade protection for SMBs and enterprises alike.
  • MSP-Delivered Identity as a Service
    Enable Managed Service Providers to deliver advanced IdP capabilities with multi-tenant support, helping SMB clients access next-generation identity security at a fraction of the cost.

The Integrated Components of AffirmedID

Recognizing the risk of supply chain attacks, we built our multi-part IdP architecture entirely in-house, where tightly coupled interfaces fit together by design. The following components together form the whole we call AffirmedID.

AffirmedID Passkey (FIDO2) Authenticator (Cellphone App)

Unlike any other, our authenticator app meets the definition of a Passkey (FIDO2) while exceeding expectations in phishing resistance, ease of use, security, and NIST AAL3 compliance—outperforming passkeys from the “big three.” Its one distinction, if it can be called a limitation, is its tight integration with the AffirmedID API Service—a deliberate design choice that ensures reliability, orchestration, and security. That integration also positions it as the headwaters of CAM, connecting what is being monitored, the user, to the monitoring activity.


AffirmedID API Cloud Services (Lambda server)

A radical departure from the norm, this component delivers a suite of APIs that power every aspect of the Identity Provider service including the CAM Policy Decision Point (PDP). It is the core around which all other components revolve. Built for Amazon Lambda, Azure Functions, and DigitalOcean Functions, it provides the responsiveness required for authentication while its transient, serverless nature inherently enhances security.


AffirmedID Client Dashboard (Blazor Server)

The client dashboard is the tenant’s primary interface for managing, configuring, and monitoring their IdP instance on a day-to-day basis. Designed to support both single-tenant and multi-tenant environments, multiple dashboards may be deployed where needed. By extension, it also lets admins configure, maintain, and monitor Continuous Authentication Monitoring (CAM) when it is engaged.


AffirmedID Protocol Servers (Asp.Net Web Servers)

Tightly coupled with the API server are two dedicated protocol servers: one hosting OpenID Connect and OAuth 2.n providers, and the other hosting a SAML 2 provider. Providers are easily integrated with applications using the admin dashboard and deliver authentication, session management, and continuous monitoring (when enabled). Single Sign-On (SSO), Client Secret, and PKCE authorizations are supported. The protocol servers’ CAM Policy Enforcement Point (PEP) applies event signals as directed by the admin.


Born from Pioneering Techniques and Technologies that Secure the Future

History—both long and near term—offers valuable lessons, especially in the evolution of defenses against cyber-attacks. AffirmedID itself is a testament to this belief, built in large part on inventions that trace back to 2013. Each invention addressed problems revealed by near-term history, laying the foundation for the advanced protections we deliver today. These are those inventions:



Credentialless Authentication

Here, credentialless means no stored secret is used for identity verification—so there is no credential to harvest, providing an enhanced form of phishing resistance. Instead, identity is verified through behavior recognition. For example, the way a phone is held, the interactions on its screen during PIN entry using a behavior-reporting keypad, and other sensor inputs combine to form a behavioral biometric profile. AI analyzes these patterns to verify identity, and when combined with a FIDO2 assertion, they establish the foundation for a true multi-factor authentication ceremony at NIST Authenticator Assurance Level 3 (AAL3).


Continuous Authentication Monitoring (CAM)

CAM is a unique feature for organizations with session security concerns or pursuing Zero Trust Architecture (ZTA) and CMMC compliance. The CAM modules of AffirmedID include the AffirmedID App, Admin Dashboard, Cloud API, and protocol providers for OIDC and SAML.

CAM signaling begins at the logical headwaters—the app closest to the user. From there, signals flow through the Policy Decision Point (PDP), where monitoring and analysis occur. Any exception events are sent to the Policy Enforcement Point (PEP). For integration with external Zero Trust systems, CAM outputs a CEF-formatted Syslog stream that external PDPs can consume. Its internal PDP and PEP can be used in parallel with the Syslog stream or independently; internal PDP operations are configured through the dashboard’s Policy Administration Point (PAP) interface and from stored settings supplied by Policy Information Points (PIPs).
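The hand-off to an external PDP runs over the CEF Syslog stream described above. The following is an added example, not AffirmedID's code: it renders a constructed CAM exception event as a CEF line, parses it back on the consumer side (including the escaping rules for `|`, `=` and newlines), and applies an assumed admin threshold to derive the PEP signal. The signature ID, extension keys and threshold are placeholders, since the page does not document the real ones.

```python
import re

# Constructed CAM exception event. AffirmedID's real signature IDs and extension keys are not
# on the page, so every name below is a placeholder; standard CEF keys (suser, cs1, msg) are used.
SAMPLE_EVENT = {
    "sig_id": "CAM-PROXIMITY-LOST", "name": "Phone left BLE range of access device", "severity": 8,
    "ext": {"suser": "j.doe", "cs1Label": "sessionId", "cs1": "S=42|x",
            "msg": "no BLE beacon for 30s\nrechecking"},
}
_HDR = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")

def to_cef(ev, vendor="ExampleVendor", product="CAM", version="1.0"):
    """Render one CAM exception event as a CEF line, the form the Syslog feed would carry."""
    h = lambda s: re.sub(r"([\\|])", r"\\\1", str(s))                       # header: escape '\' and '|'
    x = lambda s: re.sub(r"([\\=])", r"\\\1", str(s)).replace("\n", r"\n")  # extension: '\', '=', newline
    ext = " ".join(f"{k}={x(v)}" for k, v in ev["ext"].items())
    return (f"CEF:0|{h(vendor)}|{h(product)}|{h(version)}|{h(ev['sig_id'])}|"
            f"{h(ev['name'])}|{ev['severity']}|{ext}")

def parse_cef(line):
    """Parse a CEF line back into a dict, as an external PDP consuming the Syslog feed would."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)   # 7 unescaped pipes; pipes in the extension stay
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    unesc_h = lambda s: re.sub(r"\\(.)", r"\1", s)
    unesc_x = lambda s: re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)
    ev = dict(zip(_HDR, (unesc_h(p) for p in parts[:7])))
    ev["version"], ev["severity"] = ev["version"][len("CEF:"):], int(ev["severity"])
    body, ext = parts[7], {}
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", body))   # a key is a word token directly before '='
    for i, k in enumerate(keys):                          # a value runs until the next key starts
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        ext[k.group(1)] = unesc_x(body[k.end():end])
    ev["ext"] = ext
    return ev

def pdp_action(ev, terminate_at=8):
    """Assumed admin-configured rule (not AffirmedID's): severity at or above the threshold
    yields a terminate signal for the PEP; anything lower is alert-only."""
    return "terminate-session" if ev["severity"] >= terminate_at else "alert"
```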


Three-point Authentication

Three-point authentication is designed to significantly reduce the risk of ceremony hijacking by distributing trust across multiple channels. In doing so, this patented, enterprise-grade authentication methodology resists threats such as:

  • Remote phishing (proximity required)
  • Network MITM attacks (encryption + multiple channels)
  • Credential harvesting (keys never leave SE)
  • Simple device compromise (SE protection)
  • Session hijacking across a single channel (trust distributed across channels)

Details as reflected in the Three-point Authentication diagram:

  1. In response to a user’s access request from the access device, the Identity Provider (e.g., OIDC) sends an authentication request carrying a unique sessionID to the cloud API server.
  2. The API server’s FIDO2 client then issues a challenge—including the sessionID—to the user’s authenticator (cellphone) over an out-of-band network.
  3. On receipt of the challenge, the authenticator app begins proximity authentication (BLE) using the sessionID token, while also verifying the user’s PIN code and identity.


On user acceptance, the app responds to the challenge with an assertion of user, device, and session identities. The Identity Provider grants authorization after successful verification of the response and of the matching sessionIDs.

All exchanges are encrypted using point-to-point encryption with cryptographic keys stored securely in the phone’s Secure Element (SE), ensuring phishing resistance and end-to-end integrity.
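The sessionID binding across the three channels is what makes the ceremony resist relay from a remote browser. The following is an added example, not AffirmedID's code, that models steps 1 to 3 above: the API server issues a sessionID-bound, one-shot challenge; the phone refuses to answer unless the sessionID it reads over BLE from the nearby access device matches the pushed one and the user is verified; the server checks the assertion over challenge, session, device and user-verification. An HMAC with an enrolment key stands in for the Secure Element signature, and the BLE read is simulated by passing the nearby device's sessionID in directly; both are assumptions of the example.

```python
import hmac, hashlib, json, secrets

def _mac(key, *parts):
    # Stand-in for the SE-held private-key signature: an HMAC over every bound field.
    return hmac.new(key, json.dumps(parts).encode(), hashlib.sha256).hexdigest()

class ApiServer:
    """Cloud API / IdP side: issues sessionID-bound challenges and verifies assertions."""
    def __init__(self):
        self.devices = {}   # device_id -> key registered at enrolment (stands in for the FIDO2 public key)
        self.pending = {}   # session_id -> outstanding challenge, consumed on first verify

    def enroll(self, device_id, key):
        self.devices[device_id] = key

    def start(self, session_id):
        # Steps 1-2: the IdP supplies a unique sessionID; the challenge carrying it is
        # pushed to the phone out-of-band, on a channel separate from the access device.
        challenge = secrets.token_hex(16)
        self.pending[session_id] = challenge
        return {"session_id": session_id, "challenge": challenge}

    def verify(self, session_id, resp):
        challenge = self.pending.pop(session_id, None)   # one-shot: a replay finds nothing
        if resp is None or challenge is None:
            return False
        key = self.devices.get(resp["device_id"])
        if key is None or not resp["user_verified"]:
            return False
        expected = _mac(key, challenge, session_id, resp["device_id"], "user-verified")
        return hmac.compare_digest(expected, resp["assertion"])

class Authenticator:
    """Phone app: verifies the user, checks proximity, then signs user, device and session identity."""
    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key

    def respond(self, push, nearby_session_id, user_verified):
        # Step 3: the sessionID read over BLE from the nearby access device must equal the one in
        # the pushed challenge. A remote attacker's browser session is never the nearby one.
        if not user_verified or nearby_session_id != push["session_id"]:
            return None
        assertion = _mac(self.key, push["challenge"], push["session_id"], self.device_id, "user-verified")
        return {"device_id": self.device_id, "user_verified": True, "assertion": assertion}

def ceremony(server, phone, session_id, nearby_session_id, user_verified=True):
    """Run one three-point ceremony end to end and return the IdP's authorization decision."""
    push = server.start(session_id)
    return server.verify(session_id, phone.respond(push, nearby_session_id, user_verified))
```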


Behavioral Biometric MFA

Implementing MFA should be straightforward. Its definition and required factors are clearly outlined by the National Institute of Standards and Technology (NIST). AffirmedID was built from the ground up to follow these guidelines to the letter. While our Passkey (FIDO2) app delivers a mobile user experience like Passkey from the big three, the similarities end there—under the surface, AffirmedID provides stronger assurance, greater security, and compliance at the highest assurance level (AAL3).

AffirmedID verifies user identity through behaviors detected during cellphone use. The authenticator introduces its own login requirement—a PIN code—but with a difference: it uses a purpose-built keypad designed to capture behavioral patterns during PIN entry. This means there is no need to store the PIN itself.

AI continuously learns and recognizes these behaviors. Sensor inputs are captured and analyzed in real time, then immediately discarded, ensuring both privacy and security while strengthening identity assurance. When necessary, AI artifacts are stored to and reloaded from the cellphone’s Secure Element.

Did you know that among mid-to-large US businesses, upwards of 78-87% report requiring and/or using MFA? But when considered in view of NIST AAL2, which clearly defines that MFA requires two different authentication factors, a significant portion—likely more than half—of those reporting use of "MFA" fail to meet that standard by using methods that either:


  • Include no assertion of user identity (Passkey, FIDO2, Passwordless Push, and all forms of OTP)
  • Provide no cryptographic techniques and hence little or no phishing resistance (all forms of OTP, some Passwordless Push and Biometric implementations)
  • Are vulnerable to common attacks such as phishing, SIM swapping, and malware (SMS and Voice Call OTP)
  • Are vulnerable to push fatigue and social engineering (all forms of Passwordless Push except those that require an OTP code)

On this basis it is safe to conclude that OTP, Passkey, FIDO2, and Passwordless Push solutions do not comply with the generally accepted NIST definition of MFA. This is not to fault any of them, but rather to clarify what is and is not MFA. NIST proposes, and several vendors use, step-up authentication to achieve AAL3 compliance, but at the expense of the user performing two separate authentication ceremonies, where a single AffirmedID ceremony achieves the same.

Intellectual Property

Many of the features of AffirmedID are built upon methods that, at the time of their invention in early 2014, were both original and unique. One such example was the ability to recognize a user based on their natural behaviors while using a mobile device, and the subsequent application of AI to form an opinion of identity based on those—a truly novel concept at the time. Coincident with that were others such as three-point authentication joining the cellphone, access device, and cloud service in performance of the authentication ceremony and proximity authentication ensuring the user and their cellphone were within arm’s reach of the access device.

Recognizing the significance of these innovations, we pursued intellectual property protection. The first patent application was filed in August 2015, ultimately leading to four separate U.S. patents. The most recent grant was published in 2021, together covering device-level, behavioral, session-layer, and cryptographic advances.

More specifics can be found via the following link.







AffirmedID Benefits and Why They Are Important

  • Hybrid Passkey (FIDO2) provides both improved user experience AND uncompromising security. Where the use of a Passkey is necessary or desirable, the MSP has a dilemma: improved user experience configured as a cloud-synced Passkey, or uncompromising security configured as a hardware-bound Passkey. With Hybrid Passkey, an MSP retains the benefit of hardware-bound cryptography with a UX others rate as superior to Passkey.
  • Multi-Factor Identity Verification should not be optional. Identity is so important that it is a prerequisite for every authentication ceremony. Microsoft and Cisco Duo Passwordless Push, most forms of FIDO2, and every form of OTP authentication skip this vital need to verify user identity as an integral part of authentication. MSPs can improve their clients’ cybersecurity posture simply by upgrading them to AffirmedID and, where Passkey is currently used, gain improved security with no impact on their users.
  • Credentialless authentication: identity recognition and verification without stored credentials, the ultimate in phishing resistance. For years, the DBIR has consistently reported that most breaches leverage user credentials. Stored credentials of any type—password, PIN, face, and fingerprint—are the target of most phishing attacks. A Black Hat 2025 presentation showed how easily Face ID authentication could be hijacked, in minutes, simply by replacing a stored credential. Hybrid Passkey’s phishing resistance is enhanced by being credentialless, leaving no credential to replace.
  • Hybrid Passkey’s single-step AAL3 compliance is unique and in demand. MSPs are increasingly receiving client requests for AAL3 compliance. Microsoft and Cisco responded by adding authentication ceremonies to a passwordless push ceremony, in effect achieving AAL3 by combining two or more ceremonies, with disregard for UX complexity and frustration. By switching clients to single-step Hybrid Passkey, the MSP provides AAL3 compliance without UX impact.
  • Continuous Authentication Monitoring (CAM) may seem futuristic now, but soon it will become a must-have; for some, it already is. CAM is in the operational fabric of ZTA and CMMC, and MSPs are receiving client interest in both, in some cases urgently. AffirmedID’s end-to-end CAM solution is unique in monitoring user proximity, location, and behaviors from authentication to session logout, and the service gives the MSP an up-sell opportunity to meet this growing need.
  • Zero Trust Architecture (ZTA) principles require continuous verification of trust—not just at login, but throughout the session. While CAM may not be a named requirement, it is a practical necessity for achieving and maintaining CMMC above Level 2, for implementing ZTA strategies, and for conforming to NIST SP 800-171, 800-37, 800-53, the RMF, and both FedRAMP and DFARS. Can HIPAA, FinTech, PCI DSS, and others be far behind?
  • Superior Hybrid Passkey UX: enter a PIN, tap a display button, done! A painless single-step authentication experience, universal no matter the account context, with simplicity throughout this do-it-yourself UX. Transferring a hardware-bound Passkey or Passwordless Push authenticator to another cell phone is a nightmare that must be repeated for every registered account, and cross-framework Passkey use is both challenging and problem-prone. Users transfer their Hybrid Passkey account in less than 2 minutes, moving all accounts at once, and Hybrid Passkey has one framework no matter which type of cell phone is used.
  • Out-of-band Tri-Net authentication improves phishing resistance by blocking AiTM/MiTM attacks. Passkey and Cisco Duo Proximity Authentication take liberties in exploiting the inherent security benefits of tri-net authentication ceremonies. Tri-net foresight and methodologies predate Passkey, FIDO2, and Passwordless Push by several years, as do the related patents. In one sense, adoption by others is a tacit endorsement of AffirmedID’s underlying framework.
  • Incorporates patented methods that predate and parallel core techniques now employed in Passkey implementations by Google, Apple, and Microsoft and in Cisco Duo Passwordless authentication—patents referenced by over 60 citations from across the industry.




Seamlessly Bridging to the IAM Landscape

An ongoing integration project adding ZT compliant Identity Service to IAMs

Availability: Now

Protocols: SAML, OIDC, OAuth 2
