Badge’s device-independent MFA is revolutionizing identity security

Identities are best-sellers on the dark web, with health and finance records being among the most valuable due to their lack of traceability and outdated approaches to protecting them that often include hackable device-dependent MFA techniques. Existing approaches that force device authentication are falling short of the challenge.

When authentication techniques rely on devices alone as trust anchors, they’re leaving widening gaps that attackers continue improving their tradecraft to exploit. Relying on specific devices to authenticate access also introduces greater friction that every user has to experience to get their work done. Attackers are using authentication fatigue techniques combined with phishing and adversary-in-the-middle (AITM) attacks, all aimed at hijacking a device recovery process.

“When we founded Badge, our mission was to solve one of the hardest problems in authentication by moving the trust anchor for digital identities to the human instead of relying on a hardware device that can be lost or stolen,” Tina Srivastava, co-founder of Badge, told VentureBeat during a recent interview.

“We eliminate the secrets in the authentication process. Both the human identity, like biometrics, and the private key are completely eliminated with Badge, ” Srivastava continued.

Hardware-dependent MFA: A compelling attack target

Cybercrime gangs, syndicates and nation-state attackers continue growing their arsenal of SIM swapping, AITM and Living off the Land (LOTL) attack techniques and technologies. The result: the world’s most at-risk industries, including healthcare, manufacturing, financial services, fintech and others, are increasingly vulnerable to identity-based attacks.

“Adversaries continue to maximize the use of stolen identities and attempt to minimize defenders’ network visibility by ‘living off the land’ and therefore reducing potential indicators or alerts on the endpoint, which the adversary knows is heavily scrutinized. This tactic hinders threat hunters’ ability to differentiate adversary activity from typical user and system administrator activity, “​writes CrowdStrike in their recently released 2024 Threat Hunting Report.

Healthcare is under siege in 2024. Making matters worse, MFA is sporadically implemented across the industry, and device-dependent approaches to MFA are becoming easier for criminal gangs and nation-state attackers to break. “Multifactor authentication (MFA) can provide a robust line of defense, but it is often implemented unevenly, and successful attacks on MFA implementations are on the rise,” according to Gartner in their recent report, How to Mitigate Account Takeover Risks.

A recent check of The Health and Human Services HHS Breach Portal finds that more than 45 million patient records have been compromised in 2024 year-to-date. Healthcare providers, including hospitals, clinics and treatment centers, have experienced 365 breaches this year alone, 86% of which started with an IT-based attack on networks. 

“Multifactor authentication (MFA) can provide a robust line of defense, but it is often implemented unevenly, and successful attacks on MFA implementations are on the rise,” according to Gartner in their recent report, How to Mitigate Account Takeover Risks.

The need for device-independent MFA

 “With Badge, the device dependency is gone — people are their own roots of trust rather than just a device or token,” Srivastava says. She explained that this approach not only strengthens identity-based security it also improves user experiences by eliminating the need for fallback authentication processes, which attackers often target.

Badge’s device-independent MFA allows users to enroll once on any device and authenticate seamlessly across all their devices without hardware tokens or stored biometrics. Source: Badge Inc

Since the company’s founding, she and her team have moved quickly in the healthcare, finance and manufacturing industries to close the growing gaps their customers were seeing with hardware-dependent authentication techniques. Badge is seeing steady adoption in healthcare and finance, where firms want to have their front-line workers enroll once and then authenticate on any workstation or device without needing to register again.

Badge’s impact and partnerships

Badge is attracting a growing base of partners based on their ability to deliver device-independent MFA at scale across enterprises. Partnerships and integrations include Microsoft, Okta, PingIdentity, Radiant Logic, ForgeRock, and, most recently, Cisco Duo, who sought out Badge for a partnership.

“Badge not only streamlines access across applications and devices but crucially reduces the risk of phishing attacks or credential exposure, making it an indispensable tool for maintaining the integrity of secure environments. Badge is excited to partner with Cisco Duo to bring this important security and user experience benefit to Duo users,” Srivastava told VentureBeat. 

Srivastava says the integration with Cisco Duo unlocks new identity and authentication use cases while reducing friction and enabling seamless passwordless enrollment using verifiable credentials (VCs).

In a recent blog post announcing the partnership, Kyle Kilcoyne, global head, of partnerships and technology at Badge, and Ginger Leishman, technology partnerships manager at Cisco, wrote, “Badge offers a cost-saving solution to help reduce friction and enable seamless, passwordless enrollment using verified credentials (VCs). Badge leverages the initial Identity Verification (IDV) enrollment, and from there the user can authenticate to access this credential anywhere, anytime, on any device. No need for repeat IDVs throughout the user’s lifetime journey. This saves money and user frustration.”

Cisco’s post continues, saying that “in addition to simplifying the enrollment process, Duo can also operate as a certified passkey provider leveraging Badge, extending the passwordless capabilities of Duo.” 

Badge’s vision for the future

“We see Badge as being the foundation of the identity backplane of the internet. It will be the way that every person authenticates to every application in the world,” Srivastava predicts.

Integration is key to Badge’s growth. It’s an area Srivastava and her team have continued to concentrate on, seeing it as key to their ability to scale quickly across enterprises. “Badge can plug and play with open standards like OIDC. So if a company has Okta, Ping, Microsoft Azure AD, or similar systems deployed, Badge can integrate with open standards,” Srivastava said.

Seeing integration as table stakes for growing at scale has been a priority since the company was founded. Today, the company has zero-code integration in place supporting Oauth2, OpenID Connect, SAML and FIDO standards.

Srivastava notes that CISOs continue to contact the company, offering their expertise and guidance to the fast-growing startup. In response, Badge created a CISO Council. “We’ve had many folks approaching us wanting to be part of it, wanting equity, and wanting to be part of the future vision of Badge. They also want to shape the industry and the thinking around identity and privacy,” Srivastava said.

“Jeremy Grant, former Senior Executive Advisor at the National Institute of Standards and Technology (NIST) who joined our CISO Council, is a huge proponent of PKI. He helped write the original legislation that led to PKI and CAC cards in the DOD. He has always cared about public key cryptography but has been fascinated by the usability challenges that Badge solves,” she said.  When joining the Badge CISO Council, Jeremy Grant said, “As we look to advance more user-centric approaches to identity, Badge is a promising way to address core security and usability challenges and get to the next frontier.”

With identities under siege and attackers looking for new ways to defeat device-dependent MFA, Badge’s innovative approach to reducing user fatigue and risk while redefining trust anchors at scale is needed to better protect every business facing identity-driven cyberattacks.