Badge’s device-independent MFA revolutionizes identity security


Identities are bestsellers on the dark web, with health and financial data among the most valuable due to their lack of traceability and outdated approaches to protecting them, which often include hackable device-dependent MFA techniques. Existing approaches that enforce device authentication do not meet the challenge.

When authentication techniques rely solely on devices as trust anchors, they leave ever-larger gaps that attackers are increasingly adept at exploiting. Relying on specific devices to authenticate access also increases the friction each user experiences in getting their work done. Attackers combine authentication fatigue techniques with phishing and adversary-in-the-middle (AITM) attacks, all aimed at hijacking a device recovery process.

“When we founded Badge, our mission was to solve one of the toughest problems in authentication by moving the trust anchor for digital identities to humans instead of relying on a hardware device that can be lost or stolen,” Tina Srivastava, co-founder of Badge, told VentureBeat during a recent interview.

“We eliminate the secrets in the authentication process. Both human identity, such as biometrics, and the private key are completely eliminated with Badge,” Srivastava continued.

Hardware-dependent MFA: An attractive attack target

Cybercrime gangs, syndicates and nation-state attackers continue to expand their arsenal of SIM swapping, AITM and Living off the Land (LOTL) attack techniques and technologies. The result: The world’s riskiest industries, including healthcare, manufacturing, financial services, fintech and others, are increasingly vulnerable to identity-based attacks.

“Adversaries continue to maximize the use of stolen identities and attempt to minimize the visibility of the defender network by ‘living off the land’ and thereby reducing potential indicators or alerts at the endpoint that the adversary knows are heavily scrutinized. This tactic hinders threat hunters’ ability to distinguish adversaries’ activities from typical user and system administrator activities,” writes CrowdStrike in its recently released 2024 Threat Hunting Report.

Healthcare will be under pressure in 2024. Making matters worse, MFA is being implemented sporadically across the industry, and device-dependent approaches to MFA are becoming increasingly easy for criminal gangs and nation-state attackers to breach. “Multifactor authentication (MFA) can provide a robust line of defense, but it is often deployed unevenly, and successful attacks on MFA implementations are on the rise,” Gartner said in its recent report, How to Limit the Risks of Account Takeover.

A recent check of the Health and Human Services (HHS) Breach Portal shows that more than 45 million patient records have been compromised so far in 2024. Healthcare providers, including hospitals, clinics and treatment centers, have suffered 365 breaches this year alone, 86% of which started with an IT-based attack on networks.

The need for device-independent MFA

“With Badge, device dependency is gone: people are their own trust base instead of just a device or token,” says Srivastava. She explained that this approach not only strengthens identity-based security, but also improves user experiences by eliminating the need for fallback authentication processes, which attackers often target.

Badge’s device-independent MFA allows users to enroll once on any device and authenticate seamlessly across all their devices without hardware tokens or stored biometrics. Source: Badge Inc

Since the company’s founding, she and her team have made rapid moves in the healthcare, financial, and manufacturing sectors to close the growing gap their customers saw with hardware-dependent authentication techniques. Badge is seeing steady adoption in healthcare and finance, where companies want their frontline workers to enroll once and then authenticate on any workstation or device without having to re-register.

Badge’s impact and partnerships

Badge is attracting a growing number of partners based on its ability to deliver device-independent MFA at scale across enterprises. Partnerships and integrations include Microsoft, Okta, PingIdentity, Radiant Logic, ForgeRock and, most recently, Cisco Duo, with which Badge has announced a partnership.

“Badge not only streamlines access between applications and devices, but also crucially reduces the risk of phishing attacks or credential exposure, making it an indispensable tool for maintaining the integrity of secure environments. Badge is excited to partner with Cisco Duo to bring Duo users this important security and user experience benefit,” Srivastava told VentureBeat.

Srivastava says the integration with Cisco Duo unlocks new identity and authentication use cases while reducing friction and enabling seamless passwordless enrollment using verifiable credentials (VCs).

In a recent blog post announcing the partnership, Kyle Kilcoyne, global head of partnerships and technology at Badge, and Ginger Leishman, technology partnerships manager at Cisco, wrote, “Badge provides a cost-effective solution to reduce friction and enable seamless, passwordless enrollment using authenticated credentials (VCs). Badge uses the initial Identity Verification (IDV) enrollment, and from there the user can authenticate to access these credentials anywhere, anytime, on any device. No need for repeated IDVs throughout the user’s lifetime journey. This saves money and frustration for the user.”

The Cisco message goes on to say that “In addition to simplifying the enrollment process, Duo can also operate as a certified passcode provider using Badge, allowing the passwordless possibilities of Duo.”

Badge’s vision of the future

“We see Badge as the foundation of the Internet’s identity backplane. It will be the way everyone authenticates to every application in the world,” predicts Srivastava.

Integration is key to Badge’s growth. It’s an area that Srivastava and her team have continued to focus on, as they see it as key to their ability to scale quickly across enterprises. “Badge can be plug-and-play with open standards such as OIDC. So if a company has deployed Okta, Ping, Microsoft Azure AD or similar systems, Badge can integrate with open standards,” said Srivastava.

Seeing integration as a prerequisite for scaling has been a priority since the company’s founding. Today, the company has zero-code integration that supports OAuth2, OpenID Connect, SAML, and FIDO standards.

Srivastava notes that CISOs continue to reach out to the company, offering their expertise and guidance to the fast-growing startup. In response, Badge established a CISO Council. “We’ve had a lot of people approach us because they wanted to be part of it, wanted equality and wanted to be part of Badge’s vision for the future. They also want to shape the industry and thinking around identity and privacy,” Srivastava said.

“Jeremy Grant, former Senior Executive Advisor at the National Institute of Standards and Technology (NIST) and member of our CISO Council, is a strong supporter of PKI. He helped write the original legislation that led to PKI and CAC cards in the DOD. He has always been interested in public key cryptography, but is fascinated by the usability challenges that Badge solves,” she says. On joining the Badge CISO Council, Jeremy Grant said: “As we look to advance a more user-centric approach to identity, Badge is a promising way to address key security and usability challenges and unlock the next frontier.”

With identities under attack and attackers looking for new ways to defeat device-dependent MFA, Badge’s innovative approach to reducing user fatigue and risk while redefining trust anchors at scale is needed to better protect any business facing identity-driven cyberattacks.