Features and Facilities

Key Feature and Why it Matters

Superior Assurance
Key feature: Assurance of user identity (using PIN and behaviors), device identity (using phishing-resistant FIDO2), and session integrity (using location, proximity, and behaviors).
Why it matters: Good cyber hygiene in today’s online environment requires assurance of user identity as an integral part of authentication, proof of possession and use of a specific device, proximity of that device to the access device, and continuous monitoring of user presence and proximity throughout the authorized session.

Integrated Authenticator App
Key feature: A cell phone app that includes a Level 1 certified FIDO2 implementation, self-contained AI-based identity recognition, cloud access over secure out-of-band networks, and identical operation across all cell phones and environments.
Why it matters: The focus is on security and user experience, with consistent use on all cell phones; the app installs and registers in minutes with a one-time FIDO2 registration. It provides a push experience with unique blocking protection from social media attacks, and many ease-of-use features including self-service account recovery from a lost device.

Credentialless Authentication
Key feature: Using AI to recognize a user from the behaviors they exhibit while using their cell phone forgoes the need to store or use credentials.
Why it matters: The DBIR consistently reports each year that most breaches in the prior year leveraged compromised user credentials. Another report indicates that in 2024 over 80% of SMB breaches were fundamentally tied to authentication failures. SMB use of phishing-resistant FIDO2 and credentialless authentication is clearly warranted.

Multi-Factor Authentication
Key feature: By combining FIDO2, using a locally stored private key, with user PIN and behavior verification, MFA at NIST’s highest assurance level, AAL3, is provided.
Why it matters: Phishing-resistant technologies (FIDO2, passkeys, and passwordless push) provide high confidence (AAL2) that the authenticator is bound to the authenticating account. But market interest is accelerating toward AAL3 assurance, driven by government and regulations, the need for zero trust, and the response to advanced threats. To authenticate at AAL3, claimants are required to prove possession and control of two distinct authentication factors.

Managed Authentication Records
Key feature: Achieved by combining authentication records with the FIDO client in the cloud, using a secure out-of-band channel between authenticator and cloud, and then federating those records to relying parties, which delivers a unifying experience.
Why it matters: Benefits of managed authentication records include exceptional usability, synergy across ecosystems, high security, out-of-band convenience, and resilience. Consider recovery from a lost cell phone (the authenticator): in a single operation the user recovers all linked accounts in minutes without help desk aid. Relying parties reap the benefits not only in savings and uptime but also through improved UX.

Continuous Authentication Monitoring (CAM)
Key feature: Its configurable implementation provides a seamless transition from the MFA authentication ceremony to autonomous active or passive CAM, streaming CEF-format SIEM output to the zero trust framework endpoint.
Why it matters: Every SMB should use CAM. Failing to do so puts the organization at risk of cyberattack and is becoming a barrier to securing business where the use of a zero trust framework, which calls for CAM, is a contractual requirement. While its ROI may be difficult to measure in absolute terms, consider that nearly 61% of SMBs experienced a cyber event in 2024.

Unified Endpoint Management (UEM)
Key feature: Included with the authenticator app is the independent UEM endpoint agent app. Following successful authentication, it seamlessly provides ongoing location, proximity, and behavior monitoring and reporting in support of the zero trust framework.
Why it matters: The endpoint agent collects location, proximity, and behavioral content and forwards it to the cloud Policy Decision Point (PDP). Following analysis, the PDP sends its findings to the Policy Enforcement Point (PEP), where those findings are enforced. When configured for third-party CAM mode, endpoint agent content is streamed to a third-party zero trust framework PDP endpoint.

Integrated Session Providers
Key feature: Integration of two session controllers, OIDC with OAuth 2.1 and SAML SSO, is provided for use behind an IAM or directly by client applications. Configuration and integration services are available while development of the online dashboard continues.
Why it matters: In addition to their obvious benefits, both the OIDC and SAML identity providers include a PEP endpoint that receives signaling from the PDP located on the API cloud server. At user logout, the cell phone app is advised of the end of the session. The active CAM resource can be configured for autonomous user logout by the PEP upon detection of an event that warrants it. Perhaps an inconvenience in the case of a false positive, but a business-saving event otherwise.

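The CAM, UEM and session-provider entries above describe one control loop: the endpoint agent reports location, proximity and behavior, a cloud PDP evaluates each report against the state captured at MFA time, findings are streamed as CEF records to a SIEM, and a PEP in the identity provider can end the session. The Python below is an added illustrative example of that loop; it is not the product's own code. The sample field names, policy thresholds, event IDs and the vendor/product strings in the CEF header are assumptions, and the telemetry is constructed.

```python
# Added illustrative example (not the product's code): a minimal continuous
# authentication monitoring loop. A PDP scores agent samples, each finding is
# rendered as a CEF line for a SIEM, and a PEP applies the decision.
# Field names, thresholds, event IDs and vendor strings are assumptions.
from dataclasses import dataclass
import math


@dataclass
class Sample:
    session_id: str
    user: str
    lat: float             # reported device location (WGS84)
    lon: float
    proximity_m: float     # phone-to-access-device distance in metres (assumed field)
    behavior_score: float  # 0..1 similarity to the user's enrolled behavior profile


@dataclass
class Policy:
    mode: str = "active"         # "active" enforces logout; "passive" only reports
    max_drift_km: float = 1.0    # allowed movement since the MFA ceremony
    max_proximity_m: float = 5.0
    min_behavior: float = 0.6


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def pdp_evaluate(sample, anchor, policy):
    """PDP: compare one sample against the (lat, lon) anchored at MFA time.
    Returns (decision, reason, cef_severity)."""
    drift = haversine_km(anchor[0], anchor[1], sample.lat, sample.lon)
    if drift > policy.max_drift_km:
        return "logout", f"location drift {drift:.1f} km", 8
    if sample.proximity_m > policy.max_proximity_m:
        return "logout", f"proximity {sample.proximity_m:.1f} m", 7
    if sample.behavior_score < policy.min_behavior:
        return "logout", f"behavior score {sample.behavior_score:.2f}", 9
    return "allow", "within policy", 1


def _esc_header(s):
    # CEF header fields escape backslash and pipe.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v):
    # CEF extension values escape backslash and equals sign.
    return str(v).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(sample, decision, reason, severity):
    """Render a finding as one CEF line:
    CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    head = "|".join(_esc_header(x) for x in (
        "ExampleVendor", "ExampleCAM", "1.0", f"cam:{decision}", reason, str(severity)))
    ext = {"suser": sample.user, "cs1Label": "sessionId", "cs1": sample.session_id,
           "act": decision, "msg": reason}
    return "CEF:0|" + head + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


class Pep:
    """PEP: owns the live session set. In active mode a 'logout' decision ends
    the session; in passive mode the decision is only recorded."""

    def __init__(self, policy):
        self.policy = policy
        self.live = set()

    def open_session(self, session_id):
        self.live.add(session_id)

    def enforce(self, session_id, decision):
        if decision == "logout" and self.policy.mode == "active":
            self.live.discard(session_id)
            return True
        return False


def run_stream(samples, anchor, policy):
    """Feed agent samples through PDP -> CEF -> PEP.
    Returns (cef_lines, live_sessions)."""
    pep = Pep(policy)
    for s in samples:
        pep.open_session(s.session_id)
    lines = []
    for s in samples:
        if s.session_id not in pep.live:
            continue  # session already ended; later agent samples are ignored
        decision, reason, sev = pdp_evaluate(s, anchor, policy)
        lines.append(to_cef(s, decision, reason, sev))
        pep.enforce(s.session_id, decision)
    return lines, pep.live


# Constructed telemetry: both sessions anchored at MFA time near (40.7128, -74.0060).
ANCHOR = (40.7128, -74.0060)
SAMPLES = [
    Sample("s1", "alice", 40.7130, -74.0062, 1.2, 0.91),   # normal
    Sample("s1", "alice", 40.7131, -74.0061, 12.0, 0.88),  # phone left behind
    Sample("s1", "alice", 40.7131, -74.0061, 1.0, 0.90),   # arrives after logout
    Sample("s2", "bob", 41.2000, -74.0000, 0.5, 0.95),     # ~54 km jump
]

if __name__ == "__main__":
    for line in run_stream(SAMPLES, ANCHOR, Policy(mode="active"))[0]:
        print(line)
```

Running the stream in passive mode yields the same CEF lines for the SIEM but leaves both sessions open, which is the reporting-only configuration; active mode ends a session on the first finding, so the thresholds decide how often a false positive costs a user a logout.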
User Experience
Key feature: A user experience that reflects the security, consistency, elegance, and synergy of the app and of the authentication service. Its most burdensome user activity is PIN entry.
Why it matters: At the intersection of seemingly small inconveniences and discord (think passkeys), it is impossible to avoid UX frustrations: the step-up authentication of passwordless push, the lack of synergy between providers and across platforms and devices, operational inconsistencies across devices and accounts and within the same and different frameworks, and onerous recovery after device loss or upgrade, especially for high-security device-bound accounts. Each is perhaps only an inconvenience taken singly, but not so when considered in context.