Why we care
We deeply care about security. We know firsthand that poor authentication security leads to account theft, data breaches, monetary losses, loss of trust, and damage to reputation. What is more, poor user experience related to authentication inevitably leads to suboptimal behavior and bad practices, which will cause security incidents. Therefore, our primary goal is to make idemeum Passwordless MFA secure while keeping the user experience seamless and frictionless.
Why we eliminate passwords
Passwords cause breaches. As simple as that.
Today passwords remain an extremely weak way to secure user accounts and a favorite target for hackers, as evidenced by the fact that over 80% of data breaches involve stolen or lost passwords. Passwords are vulnerable to numerous types of security attacks, which has led to ongoing high-profile PII data breaches, the theft of billions of user accounts, and billions in monetary damage.
How idemeum MFA is more secure
Here is the list of attacks and vulnerabilities that idemeum mitigates with Passwordless MFA.
- Credential stuffing - form fields do not exist, so attackers cannot stuff them with static credentials.
- Credential replay attacks - attackers can't try stolen or leaked passwords because no static credentials are used.
- Lost or stolen token attacks - dedicated tokens are not needed, so they cannot be stolen. Moreover, if a phone is lost or stolen, attackers cannot use it, as idemeum authentication requires the use of biometrics for each login.
- Phishing / spear phishing attacks - without static credentials, attackers can't phish them from vulnerable users.
- Key logging - as there are no passwords, there is nothing to log. idemeum protects against malware that captures users' credentials.
- Shoulder surfing - as there are no passwords, attackers cannot physically observe or record a user inputting login credentials.
- Brute force cracking - we store no password hashes in our cloud. Hence attackers cannot use “guess-and-check” algorithms to crack previously stolen password hashes and then use the recovered passwords to illicitly access user accounts.
- Man-in-the-middle attacks - idemeum prevents interception of credential transmissions either over a local network or via a malicious website purporting to be the intended recipient of those credentials.
- Social engineering - idemeum stops the use of deception to manipulate individuals into divulging credentials or other confidential data that can be used to defeat user authentication.
- Session hijacking / forgery - idemeum stops attackers from bypassing authentication by stealing or creating browser session keys that allow access to protected resources.
This is orders of magnitude more secure than traditional authentication methods, not to mention that the user experience is simple and seamless with idemeum passwordless MFA.
How we designed idemeum MFA
Security is one of the core principles applied to everything we do. Mobile, backend, or DevOps, it does not matter: security is fundamental. We designed idemeum passwordless MFA in accordance with the latest best practices for confidentiality, integrity, and availability.
idemeum passwordless MFA leverages:
- Asymmetric cryptography to replace passwords with digital certificates
- Hardware-backed storage to store keys that are used for authentication
- Secure and open standards such as SAML, PKI, FIDO2, WebAuthn, DID
- Device attestation services provided by Android and iOS operating systems
- Detection of jailbroken devices in order to block application registration
- End-to-end encryption of data passing between mobile devices and user browsers
- Encryption of data at rest on a mobile device to protect identity claims
and much more...
We do it the right way.
If you have any questions or suggestions, please contact our team.