Affirmed Identity
Innovating Digital Identity for SMB, Enterprise, MSP
A unique Identity Provider Service that empowers businesses large and small to authenticate users and secure their sessions with continuous monitoring.
AffirmedID Auth: Identity Provider Service
Unified Identity. Continuous Assurance.
Passkeys promised simplicity. What we got was progress—with complexity hiding just below the surface. AffirmedID Auth delivers what the industry meant all along: secure, portable, user-first, zero-trust authentication without the warts.
Federated FIDO2 Authentication: Centralizes and manages FIDO2 credentials across relying party access devices and platforms.
Pioneering Three-Network Framework: Bidirectional authentication between authenticator and service provider, service provider and access device, access device and authenticator.
Behavioral Intelligence: Continuously assesses user behavior to enhance identity verification and reduce risk.
AAL3 MFA Support: Combines two proofs of user identity with FIDO2 assertion of device identity for high-assurance security.
Self-Service Account Transfer: Lets users migrate their existing FIDO2 account to a new cell phone, including a new FIDO2 binding to the existing centralized record, preserving all federated relying-party relationships with zero help-desk impact.
Post Authentication Continuous Monitoring (Built-In): Monitors user and device behaviors, location, and proximity, assuring the security of authenticated and authorized sessions.
AffirmedID Pulse: Continuous Authentication Monitoring
Because Authentication Doesn’t End at Login
AffirmedID Pulse is the missing link that transforms Passkey and Passwordless Push into a Zero Trust–compliant framework through authenticated session security, a foundational requirement to achieving CMMC L3 compliance.
Always-On Monitoring: Continuous evaluation of user behaviors, device signals, and location to detect anomalies in real time.
IdP Agnostic: Integrates with any third-party authentication provider using cell phone authenticators, including Passkeys, Passwordless, and Push.
Behavioral Intelligence: Leverages patterns of device usage and user behavior to identify potential risks and unauthorized activity.
Seamless Integration: Easy deployment alongside existing mobile authentication flows without disrupting user experience.
Risk Reduction: Minimizes exposure to credential compromise, account takeover, and other post-login threats.
Born from Pioneering Techniques and Technologies that Secure the Future
History—both long and near term—offers valuable lessons, especially in the evolution of defenses against cyber-attacks. AffirmedID itself is a testament to this belief, built in large part on inventions that trace back to 2013. Each invention addressed problems revealed by near-term history, laying the foundation for the advanced protections we deliver today. These are those inventions:
Credentialless Authentication
Here, credentialless means no stored secret is used for identity verification—so there is no credential to harvest, providing an enhanced form of phishing resistance. Instead, identity is verified through behavior recognition. For example, the way a phone is held, the interactions on its screen during PIN entry using a behavior-reporting keypad, and other sensor inputs combine to form a behavioral biometric profile. AI analyzes these patterns to verify identity, and when combined with a FIDO2 assertion, they establish the foundation for a true multi-factor authentication ceremony at NIST Authenticator Assurance Level 3 (AAL3).
Continuous Authentication Monitoring (CAM)
CAM is a unique feature for organizations with session security concerns or pursuing Zero Trust Architecture (ZTA) and CMMC compliance. The CAM modules of AffirmedID include the AffirmedID App, Admin Dashboard, Cloud API, and protocol providers for OIDC and SAML.
CAM signaling begins at the logical headwaters—the app closest to the user. From there, signals flow through the Policy Decision Point (PDP), where monitoring and analysis occur. Any exception events are sent to the Policy Enforcement Point (PEP). For integration with external Zero Trust systems, CAM outputs a CEF-formatted Syslog stream that can be consumed by external PDPs. Its internal PDP and PEP can be used in parallel with the Syslog stream or independently; internal PDP operations are configured through the dashboard's Policy Admin Point (PAP) interface and from settings stored in Policy Information Points (PIPs).
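To show what consuming that CEF-formatted Syslog stream in an external PDP involves, here is an added example (not AffirmedID's code) that parses CEF lines, including escaped pipes and equals signs, and maps each event's severity to a PEP action. The Syslog lines are constructed for this example; the signature IDs, event names, the use of the `cs1` extension field for the session identifier, and the severity thresholds are assumptions, not the product's documented schema.

```python
"""Parse CEF-over-Syslog events and turn them into PEP decisions (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample lines; vendor name is from the page, everything else is hypothetical.
SAMPLE_LINES = [
    r"<134>Jan 10 12:00:01 cam-host CEF:0|AffirmedID|CAM|1.0|PROX-LOST|Proximity lost|8|suser=alice src=10.0.0.5 cs1Label=sessionId cs1=abc123",
    r"<134>Jan 10 12:00:05 cam-host CEF:0|AffirmedID|CAM|1.0|BEHAV-DRIFT|Behavior deviation|4|suser=bob cs1Label=sessionId cs1=def456 msg=score\=0.61",
    r"<134>Jan 10 12:00:09 cam-host CEF:0|AffirmedID|CAM|1.0|LOC-CHANGE|Location change \| new country|2|suser=carol cs1Label=sessionId cs1=ghi789",
]

# CEF allows word severities as well as 0-10; midpoint of each documented band.
_WORD_SEVERITY = {"Low": 3, "Medium": 6, "High": 8, "Very-High": 10}
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # extension keys sit after start-of-text or a space


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: dict = field(default_factory=dict)


def _split_header(body: str):
    """Split the seven header fields on unescaped '|' and return (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # '\|' and '\\' are escapes inside header fields
            cur.append(body[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, body[i:]


def _unescape(value: str) -> str:
    """Single pass over '\=', '\\', '\n', '\r' escapes used in extension values."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(text: str) -> dict:
    """key=value pairs; values may contain spaces, so boundaries come from the next key."""
    ext, matches = {}, list(_KEY.finditer(text))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(text)
        ext[m.group(1)] = _unescape(text[m.end():end])
    return ext


def parse_cef(line: str) -> CefEvent:
    """Locate 'CEF:' after the Syslog prefix and parse the record that follows."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    fields, ext_text = _split_header(line[idx + 4:])
    sev = fields[6].strip()
    severity = int(sev) if sev.isdigit() else _WORD_SEVERITY[sev]
    return CefEvent(*fields[:6], severity, _parse_extension(ext_text.strip()))


def decide(event: CefEvent, revoke_at: int = 7, step_up_at: int = 4):
    """External-PDP stand-in: map severity to the action a PEP should apply to the session.
    The session identifier is assumed to travel in cs1; thresholds are illustrative."""
    session = event.extension.get("cs1", "unknown")
    if event.severity >= revoke_at:
        return ("terminate_session", session)
    if event.severity >= step_up_at:
        return ("require_reauth", session)
    return ("allow", session)


def process_stream(lines):
    """Parse every line and return the (action, session) decisions in order."""
    return [decide(parse_cef(line)) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_cef(line)
        print(ev.signature_id, ev.severity, decide(ev))
```

The header splitter is written by hand rather than with `str.split("|")` because the CEF name field can legitimately contain an escaped pipe, as the third sample line shows; a naive split would shift every later field and misread the severity.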
Three-point Authentication
Three-point authentication is designed to significantly reduce the risk of ceremony hijacking by distributing trust across multiple channels. In doing so, this patented, enterprise-grade authentication methodology resists threats such as:
- Remote phishing (proximity required)
- Network MITM attacks (encryption + multiple channels)
- Credential harvesting (keys never leave SE)
- Simple device compromise (SE protection)
- Session hijacking across a single channel
Details, as reflected in the Three-point Authentication diagram:
- In response to a user's access request from the access device, the Identity Provider (e.g., OIDC) sends an authentication request with a unique sessionID to the cloud API server.
- The API server's FIDO2 client then issues a challenge—including the sessionID—to the user’s authenticator (cellphone) over an out-of-band network.
- On receipt of a challenge, the authenticator app begins proximity authentication (BLE) with the sessionID token while also verifying the user's PIN code and identity.
- On user acceptance, the app responds to the challenge with an assertion of user, device, and session identities. The Identity Provider grants authorization after successful verification of the response and the sessionIDs.
All exchanges are encrypted using point-to-point encryption with cryptographic keys stored securely in the phone’s Secure Element (SE), ensuring phishing resistance and end-to-end integrity.
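The ceremony above, as an added simulation that is not AffirmedID's code: three parties pass one sessionID over the IdP, out-of-band and BLE channels, and the IdP grants access only when the assertion's sessionID, the challenge nonce and the proximity token observed by the access device all agree. An HMAC over the assertion stands in for the key held in the phone's Secure Element, a plain PIN comparison stands in for PIN plus behavioral verification, and the device id, user name and PIN are constructed for the example.

```python
"""Simulated three-point authentication ceremony (added example, not AffirmedID code)."""
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: str) -> str:
    """Stand-in for the Secure-Element-held signing key: keyed hash over the fields."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Network 1: issues the sessionID and makes the final grant/deny decision."""

    def __init__(self, registry: dict):
        self.registry = registry          # device_id -> {"user", "key"}; constructed registration
        self.sessions = {}                # sessionID -> proximity token reported by the access device

    def start_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def report_proximity(self, sid: str, token_seen: str) -> None:
        """The access device relays the sessionID token it observed over BLE."""
        if sid in self.sessions:
            self.sessions[sid] = token_seen

    def verify(self, sid: str, challenge: dict, assertion: dict) -> str:
        if sid not in self.sessions:
            return "denied: unknown session"
        if self.sessions[sid] != sid:
            return "denied: proximity token does not match session"
        if assertion["session_id"] != sid or assertion["nonce"] != challenge["nonce"]:
            return "denied: assertion bound to a different session or challenge"
        reg = self.registry.get(assertion["device_id"])
        if reg is None or reg["user"] != assertion["user"]:
            return "denied: unregistered device or user mismatch"
        expected = _mac(reg["key"], assertion["user"], assertion["device_id"], sid, challenge["nonce"])
        if not hmac.compare_digest(expected, assertion["mac"]):
            return "denied: invalid assertion signature"
        del self.sessions[sid]            # one-shot: a replayed assertion finds no open session
        return "granted"


class CloudApi:
    """Network 2: FIDO2 client that pushes the challenge to the phone out of band."""

    @staticmethod
    def issue_challenge(sid: str) -> dict:
        return {"session_id": sid, "nonce": secrets.token_hex(16)}


class AuthenticatorApp:
    """The phone app: verifies the user, beacons the sessionID over BLE (network 3),
    and signs the assertion of user, device and session identities."""

    def __init__(self, device_id: str, user: str, key: bytes, pin: str):
        self.device_id, self.user, self.key, self.pin = device_id, user, key, pin

    def respond(self, challenge: dict, pin_entered: str):
        if pin_entered != self.pin:       # stand-in for PIN entry plus behavioral verification
            return None
        sid, nonce = challenge["session_id"], challenge["nonce"]
        proximity_token = sid             # what the access device hears over BLE
        assertion = {"user": self.user, "device_id": self.device_id, "session_id": sid,
                     "nonce": nonce, "mac": _mac(self.key, self.user, self.device_id, sid, nonce)}
        return proximity_token, assertion


def run_ceremony(idp: IdentityProvider, app: AuthenticatorApp, pin_entered: str,
                 ble_token_override: str = None) -> str:
    """Drive one ceremony; ble_token_override models a proximity channel that carries a
    different sessionID than the one the IdP issued (the single-channel hijack case)."""
    sid = idp.start_session()
    challenge = CloudApi.issue_challenge(sid)
    result = app.respond(challenge, pin_entered)
    if result is None:
        return "denied: user verification failed"
    proximity_token, assertion = result
    idp.report_proximity(sid, ble_token_override or proximity_token)
    return idp.verify(sid, challenge, assertion)


# Constructed registration data for the demonstration (hypothetical device id, user and PIN).
DEVICE_KEY = secrets.token_bytes(32)
REGISTRY = {"phone-demo-1": {"user": "alice", "key": DEVICE_KEY}}


def make_parties():
    idp = IdentityProvider(REGISTRY)
    app = AuthenticatorApp("phone-demo-1", "alice", DEVICE_KEY, pin="2468")
    return idp, app


if __name__ == "__main__":
    idp, app = make_parties()
    print(run_ceremony(idp, app, "2468"))
    print(run_ceremony(idp, app, "0000"))
    print(run_ceremony(idp, app, "2468", ble_token_override="stale-session"))
```

The point the simulation makes is the binding: the same sessionID must be seen by the IdP, carried in the out-of-band challenge, heard over BLE by the access device and signed into the assertion, so an assertion or proximity token belonging to any other session is rejected even when the user verification step succeeded.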
Behavioral Biometric MFA
Implementing MFA should be straightforward. Its definition and required factors are clearly outlined by the National Institute of Standards and Technology (NIST). AffirmedID was built from the ground up to follow these guidelines to the letter. While our Passkey (FIDO2) app delivers a mobile user experience like Passkey from the big three, the similarities end there—under the surface, AffirmedID provides stronger assurance, greater security, and compliance at the highest assurance level (AAL3).
AffirmedID verifies user identity through behaviors detected during cellphone use. The authenticator introduces its own login requirement—a PIN code—but with a difference: it uses a purpose-built keypad designed to capture behavioral patterns during PIN entry. This means there is no need to store the PIN itself.
AI continuously learns and recognizes these behaviors. Sensor inputs are captured and analyzed in real time, then immediately discarded, ensuring both privacy and security while strengthening identity assurance. When necessary, AI artifacts are stored to and reloaded from the cellphone’s Secure Element.
Did you know that among mid-to-large US businesses, upwards of 78-87% report requiring and/or using MFA? But when considered in view of NIST AAL2, which clearly defines MFA as requiring two different authentication factors, a significant portion—likely more than half—of those reporting use of "MFA" fail to meet that standard because they use methods that:
- Include no assertion of user identity (Passkey, FIDO2, Passwordless Push, and all forms of OTP)
- Provide no cryptographic techniques and hence little or no phishing resistance (all forms of OTP, some Passwordless Push and Biometric implementations)
- Are vulnerable to common attacks such as phishing, SIM swapping, and malware (SMS and Voice Call OTP)
- Are vulnerable to push fatigue and social engineering (all forms of Passwordless Push except those that require an OTP code)
On this basis it is safe to conclude that OTP, Passkey, FIDO2, and Passwordless Push solutions do not comply with the generally accepted NIST definition of MFA. This is not to fault any of these but rather to clarify what is and is not MFA. NIST proposes, and several use, step-up authentication to achieve AAL3 compliance, but at the expense of the user performing two separate authentication ceremonies where just one AffirmedID ceremony achieves the same.
Intellectual Property
Many of the features of AffirmedID are built upon methods that, at the time of their invention in early 2014, were both original and unique. One such example was the ability to recognize a user based on their natural behaviors while using a mobile device, and the subsequent application of AI to form an opinion of identity based on those—a truly novel concept at the time. Coincident with that were others, such as three-point authentication, which joins the cellphone, access device, and cloud service in performing the authentication ceremony, and proximity authentication, which ensures the user and their cellphone are within arm’s reach of the access device.
Recognizing the significance of these innovations, we pursued intellectual property protection. The first patent application was filed in August 2015, ultimately leading to four separate U.S. patents. The most recent grant was published in 2021, together covering device-level, behavioral, session-layer, and cryptographic advances.
More specifics can be found via the following link.

| AffirmedID Benefits | Why it’s important |
|---|---|
| ** Hybrid Passkey (FIDO2) provides both improved user experience AND uncompromising security. | Where the use of a Passkey is necessary or desirable, the MSP has a dilemma: improved user experience configured as a cloud-synced Passkey or uncompromising security configured as a hardware-bound Passkey. Of course, an MSP has the option to switch to Hybrid Passkey, thereby retaining the benefit of hardware-bound cryptography with a UX others rate as superior to Passkey. |
| ** Multi-Factor Identity Verification should not be optional. Identity is important, so much so that it is a prerequisite for every authentication ceremony. | Microsoft and Cisco Duo Passwordless Push, most forms of FIDO2, and every form of OTP authentication skip this very vital need: to verify user identity as an integral part of authentication. MSPs can improve their clients' cybersecurity posture by simply upgrading them to AffirmedID, and where Passkey is currently used, improve security with no impact on their users. |
| ** Credentialless authentication: identity recognition and verification without benefit of stored credentials. The ultimate in phishing resistance. | For years, DBIR has consistently reported that most breaches leverage user credentials. Stored credentials of any type—password, PIN, face, and fingerprint—are the target of most phishing attacks. A Black Hat 2025 presentation showed how easily Face ID authentication could be hijacked, in minutes, simply by replacing a stored credential. Hybrid Passkey phishing resistance is enhanced by being credentialless, leaving no credential to replace. |
| Hybrid Passkey's Single-Step AAL3 compliance is unique and in demand. | MSPs are increasingly receiving client requests for AAL3 compliance. Microsoft and Cisco responded by adding authentication ceremonies to a passwordless push ceremony, in effect achieving AAL3 by combining two or more authentication ceremonies, and doing so with disregard for UX complexity and frustrations. Now, by switching clients to single-step Hybrid Passkey, the MSP provides AAL3 compliance without UX impact. |
| ** Continuous Authentication Monitoring (CAM) may seem futuristic now, but soon it will become a must-have. For some, it already is. | CAM is in the operational fabric of ZTA and CMMC. MSPs are receiving client interest in ZTA and CMMC, in some cases urgently so. AffirmedID's end-to-end CAM solution is unique in monitoring user proximity, location, and behaviors from authentication to session logout. And the service provides the MSP with a wonderful up-sell opportunity to meet this growing need. |
| Zero Trust Architecture (ZTA) principles require continuous verification of trust—not just at login, but throughout the session. | While CAM may not be a named requirement, it’s a practical necessity for achieving and maintaining CMMC above level 2, for implementing ZTA strategies, and for conforming to NIST 171, 37, 53, RMF, and both FedRAMP and DFARS. Can HIPAA, FinTech, PCI/DSS, and others be far behind? |
| Superior Hybrid-Passkey UX: Enter a PIN, tap a display button, done! A painless single-step authentication experience, universal no matter the account context. Simplicity throughout this do-it-yourself UX. | Transferring the hardware-bound Passkey or Passwordless Push authenticator to another cell phone is a nightmare that needs repeating for every registered account. Cross-framework Passkey use is both challenging and problem-prone. Users transfer the Hybrid Passkey account in less than 2 minutes, transferring all accounts at once. Hybrid Passkey has one framework no matter which type of cell phone is used. |
| ** Out-of-band Tri-Net authentication improves phishing resistance by blocking AiTM / MiTM attacks. | Passkey and Cisco Duo Proximity Authentication take liberties to exploit the inherent security benefits of tri-net authentication ceremonies. Tri-net foresight and methodologies predate Passkey, FIDO2, and Passwordless Push by several years, as do related patents. In one sense, adoption by others is a tacit endorsement of AffirmedID’s underlying framework. |

** Incorporates patented methods that predate, and parallel, core techniques now employed in Passkey implementations by Google, Apple, and Microsoft and in Cisco Duo Passwordless authentication—patents referenced by over 60 citations from across the industry.
Seamlessly Bridging to the IAM Landscape
An ongoing integration project adding a ZT-compliant Identity Service to IAMs
Availability: Now
Protocols: SAML, OIDC, OAuth 2