Does this replace our existing SSO and IdP, or sit alongside it?

It sits alongside your existing MFA — not instead of it. Policy routes each worker to the right method. Your desk workers keep push notifications. Your factory floor, field staff, and restricted-environment workers get the card. Both are governed. Both are covered. Zero rip-and-replace. Deviceless MFA sits alongside device-bound MFA and closes the workers it can't reach.

How do we actually deploy Deviceless MFA to 50,000 users?

A single IGA workflow bulk-provisions cards for every worker simultaneously. No hardware procurement cycle. No app install. No per-worker IT session. Workers receive a card — same delivery channel as an ID badge. On-site, mailed, or kiosk-printed on demand. Deployment takes one day.

How do I explain Deviceless MFA to the board without getting into authentication acronyms?

Boards don't ask which authentication product you use — they ask how long the business is exposed when identity fails. Deviceless MFA is the answer to that question. When device-bound MFA goes down, the Identity Challenge Card keeps every worker verified. It's the continuity story that turns a front-page headline into a footnote in the annual report.

What is my SEC 8-K disclosure story if identity systems fail during a breach?

Under the SEC's four-day cyber disclosure rule, identity failure is a material event. Deviceless MFA gives CEOs a defensible answer to the first question on every 8-K filing: what continuity plan did you have for when device-bound MFA failed? The Identity Challenge Card is that plan — in production, audited, and documented.

Is Deviceless MFA a real category or a rebrand of hardware tokens?

Hardware tokens are devices — they have batteries, firmware, serial numbers, and supply chains. Deviceless MFA has none of those. A printed grid of word pairs resolves challenges locally with no power, no network, no provisioning cycle. The architecture is fundamentally different from FIDO2 security keys, TOTP apps, and push-based authenticators — which is why incumbents cannot replicate it by shipping an update.

Human Verification

Deviceless MFA

Identity
Challenge Card

Prevent Hacker Attacks

Iranian Stryker attack exposes device-dependent MFA vulnerability. Deviceless MFA authentication closes every exception. It verifies the human not the device.

100% workforce coverage
|
100% of the Time
|
Cost 75% less than current MFA

See It Try It Trust It

Identity Challenge CardCard ID: B7eCB15

#	A	B	C	D	E
1	INSTALL POWDER	GARDEN BRIDGE	MARBLE SILVER	ROCKET WINDOW	GUITAR CASTLE
2	PLANET ANCHOR	TURTLE FOREST	BASKET TEMPLE	VELVET PIRATE	COTTON DRAGON
3	CANYON MAGNET	PUZZLE ORANGE	VIOLET BEACON	COPPER JUNGLE	CARPET MONKEY
4	HARBOR KNIGHT	VISION QUARTZ	JASPER WILLOW	SUMMIT STREAM	PARROT FABRIC
5	MEADOW COBALT	FABRIC SPHINX	FALCON BINARY	ORCHID PRISM	LANTERN OXYGEN

Three-Factor Challenge

Card Word

BASKET

+

1234

+

Emp ID

EMP-48291

Protecting the world's workforce since 1997

The Device Dependency Problem

Device-Dependent MFA
Can't Protect Workers
Who Don't Have a Device

Device-dependent MFA has a compliance gap — and a hidden price tag.

It assumes every worker carries a managed device. Frontline staff, contractors, and shared-workstation employees usually don't — so they sit outside your MFA perimeter, outside your compliance posture, and squarely in your auditor's next finding. For the workforce you do cover, you're paying a quiet tax: MDM licenses, help-desk tickets, and an endless re-enrollment treadmill every time an employee swaps phones.

Deviceless MFA closes the gap without the overhead. End users self-enroll with nothing but a password — or IT mass-enrolls thousands in a single workflow. No devices to provision. No MDM to manage. No re-enrollment cycle. Just coverage.^1,2,3

Enterprise MDMUEM PlatformsMac Device ManagementCloud Directory ServicesEndpoint Management SuitesMobile Identity AgentsNone are deviceless

0%

of the global workforce is deskless

No device. No enrollment. No Conditional Access signal. Device-bound MFA can't reach them. Deviceless MFA can.

0

Industries

0–0%

Device MFA reach

Food Services & RestaurantsGlobal QSR & casual-dining chains

95% unprotected

5%

Hospitality & LodgingInternational hotel groups

95% unprotected

5%

Specialty & General RetailBig-box, grocery & specialty retailers

93% unprotected

7%

Construction & EngineeringGlobal engineering & construction firms

92% unprotected

8%

Agriculture & Food ProductionMajor food processors & agribusiness

90% unprotected

10% device reach

Transportation & LogisticsParcel carriers, freight & rail operators

90% unprotected

10% device reach

Device MFA Reach

Unprotected — No Device

The Identity Challenge Card. The first truly deviceless MFA.

A physical, air-gapped authenticator — no phone, no laptop, no app, no network. The card is the factor. That's what makes it deviceless, and that's what makes it the only MFA that covers 100% of your workforce — including the 70–95% your MDM was never going to reach.

For the CFO: every uncovered frontline worker is an uninsured breach vector — one stolen credential from a seven-figure incident, a denied cyber-policy claim, and an audit finding that pushes your next renewal. Deviceless MFA is how that math stops working against you.

Fifteen minutes. We'll map your coverage gap and what it's costing you today.

Sources

[1] Enterprise VC research — State of Technology for Deskless Workers (2020)
[2] Global strategy consultancy — Making Work Work Better for Deskless Workers (Dec 2022)
[3] Industry analyst firm — 75% of new mobile initiatives target frontline workers
[4] Business publication — 2025 ranking of largest U.S. companies by revenue (June 2025)

Full Methodology & Sources Download PDF

Built for the Day Traditional MFA Fails

The Iranian Handala
Stryker Attack Is
Why Deviceless MFA Exists.

Handala is Iran-aligned. They don't want a ransom — they want you offline.

State-aligned wiper groups don't negotiate; they build payloads designed to keep your workforce locked out. Then the phone rings at your service desk. “This is John from Cardiology — I need my access back, now.” How does the tech on the line know it's actually John — and not the attacker who already owned John's phone? At Stryker, when device-bound MFA failed, there was no way to confirm who was on the other end of the call. Every unverifiable caller is a decision you can't safely make.

The Identity Challenge Card verifies the human, not the hardware. Three factors on one air-gapped credential: the card(can't be cloned remotely), a PIN (never stored on a device), and an identity factor(verified at the point of use). Traditional MFA only proves the attacker hasn't rooted the device holding your token — an assumption that collapses in an Iranian-playbook incident before the first alert fires.

Service desk and IT operations use ICC as their live identity check. The caller reads the challenge off their card and performs some Avatier magic request. Now IT operations know they're who they claim to be, or they aren't. No social engineering. No deepfake voice that works. No password reset handed to the wrong person.

With Avatier ICC, you know every identity the moment a failure starts — workforce verified and operational in a single day. No re-enrollment. No MDM rebuild. No help-desk queue full of callers you can't verify.

And what the card does today is just the start. Ask us where it goes next.

Click the Book Meeting button to schedule a quick fifteen minute call. We'll walk your team through the Iranian playbook on your stack — and show you what verified recovery looks like.

Book Meeting→View Press Release→Calculate Your Cyber Attack Cost→

The Difference

Device-Dependent MFA vs
Deviceless Authentication

Device-Dependent MFA

Identity Challenge Card

Depends on devices

Works without devices

Depends on identity systems

Works without identity systems

Fails during outages

Designed for outages

Takes months to years to deploy

Rapid workforce deployment in 1 day

Push Bombing target

Eliminates Push Fatigue

Depends on MDM (like Intune)

Works without MDM

With this fallback identity layer, Stryker's rebuild would have been days, not weeks.

How It Works

Three Factors. Zero Device Dependency.

Each authentication combines three independent factors — none of which require a phone, an app, or a network connection. That's what makes it Deviceless MFA.

01

Challenge Card Factor

A randomized grid response unique to each card. The system asks for a coordinate — only the person holding the physical card can answer. It's the factor that makes the card deviceless.

02

Private Knowledge Factor

A secure PIN known only to the user. Even if someone finds the card, they cannot authenticate without this second piece.

03

Identity Anchor Factor

An employee ID or account number that binds the challenge to a specific person — closing the loop between card, knowledge, and identity.

Download Datasheet (PDF)

See Deviceless Authentication

See Deviceless Authentication. Try It.
Understand It in 60 Seconds.

Featured Demo

Self Enrollment or Auto Enroll Everyone at Once.

See the full Deviceless MFA enrollment flow from start to finish — a user receives their card, a temporary pin, and completes their first identity challenge. One day. Every worker. No devices.

1/6

Try Deviceless MFA Live

This is
Deviceless MFA.
Try it.→

A simple idea: a physical, air-gapped authenticator that keeps working when everything device-bound fails. No phone. No app. No network. That's Deviceless MFA.

✓

No phone required

✓

No app required

✓

No network required

✓

Works when device MFA fails

✓

Deploys in one day

✓

Zero help-desk bottleneck

Identity Challenge CardCard ID: B7eCB15

#	A	B	C	D	E
1	INSTALL POWDER	GARDEN BRIDGE	MARBLE SILVER	ROCKET WINDOW	GUITAR CASTLE
2	PLANET ANCHOR	TURTLE FOREST	BASKET TEMPLE	VELVET PIRATE	COTTON DRAGON
3	CANYON MAGNET	PUZZLE ORANGE	VIOLET BEACON	COPPER JUNGLE	CARPET MONKEY
4	HARBOR KNIGHT	VISION QUARTZ	JASPER WILLOW	SUMMIT STREAM	PARROT FABRIC
5	MEADOW COBALT	FABRIC SPHINX	FALCON BINARY	ORCHID PRISM	LANTERN OXYGEN

Three-Factor Challenge

Challenge Card Factor

Coordinate C2 — TOP word

Private Knowledge Factor

Your PIN 1234

Identity Anchor Factor

Employee ID EMP-48291

How Three-Factor Works

· Challenge Card Factor — Find the coordinate (e.g., A1, B3) and enter the TOP or BOTTOM word

· Private Knowledge Factor — Read your 4-digit PIN, then enter it in the PIN field

· Identity Anchor Factor — Your Employee ID is verified automatically

· Both factors required — The word and PIN must both be correct to gain access

· New challenge — Click 'New Game' to randomize a fresh coordinate and PIN

Outcomes by Role

The Business Value of
Deviceless MFA Mapped to Who's Buying

Every persona has different success criteria. See the outcomes that matter to your role — from closing audit gaps to defining a new market category.

Auditors expect 100% MFA coverage — but device-dependent solutions leave 80% of your workforce unprotected. The Identity Challenge Card eliminates every exception. Deviceless MFA is how you get to 100% with no asterisks.

Eliminate the 80% MFA Gap with Deviceless MFA

Most MFA mandates require all users — but device-based solutions exclude factory floors, shared workstations, field staff, and contractors. The Challenge Card closes every exception, giving auditors complete coverage evidence with no asterisks.

NIST 800-63BZero TrustSOC 2 Type II

Resist Push Fatigue & Real-Time Phishing

Air-gapped authentication eliminates push-notification hijacking, SIM-swap, and real-time phishing attacks that defeat SMS and TOTP. The challenge/response is offline and unreplayable — no interception vector exists.

CISA MFA GuidanceEO 14028FedRAMP

Maintain Audit-Ability & Policy Enforcement

Card issuance, expiration, re-enrollment, and revocation are all logged and policy-enforced. Admins set expiry windows; users receive automated reminders. Every access event is traceable — no gaps in the audit trail.

SOXPCI-DSS v4ISO 27001

Ready to close your compliance gaps with Deviceless MFA?

See how the Identity Challenge Card — Deviceless MFA — satisfies auditors and protects every worker in days, not months.

Book Meeting

Multilingual & Global

Built for Global Workforces

Challenge cards available in 29 languages for multilingual deployment across global workforces and customer-facing support environments.

Compliance-Ready Deviceless MFA

Deviceless MFA, Trusted in Regulated Environments

The Identity Challenge Card is Deviceless MFA engineered for regulated workloads: zero PII on the card, full lifecycle auditability, and an architecture that satisfies NIST 800-63B, SOC 2, PCI-DSS v4, and ISO 27001 on the first audit pass.

Privacy by Architecture

No PII on the card — nothing to breach

Zero personal information stored on the physical card
No name, no ID number, no user mapping printed or encoded
A lost card cannot be exploited without the separate PIN
Nothing to disclose under breach notification requirements
Deviceless MFA: privacy by design, not privacy by policy

Full Lifecycle Controls

Every card event is logged and policy-enforced

Card issuance, expiration, and revocation are fully auditable
Admin-configurable expiry windows with automated reminders
Service Desk use auto-expires the card immediately after use
Re-enrollment flows enforce policy before issuing replacements
Complete audit trail — every access event is traceable

Phishing-Resistant by Design

Air-gapped Deviceless MFA with no interception vector

Eliminates push-notification hijacking and SIM-swap attacks
Challenge/response is offline and unreplayable
No network dependency means no man-in-the-middle attack surface
Meets CISA phishing-resistant MFA guidance (EO 14028)
Satisfies NIST 800-63B verifier impersonation resistance

Deviceless MFA FAQs

Frequently Asked Questions

Everything you need to evaluate Deviceless MFA — by role, by risk, by question asked in the last procurement review.

Security posture & attack surface

What exactly is Deviceless MFA — and how is the Identity Challenge Card different from every other MFA?

Deviceless MFA is multi-factor authentication that works without a phone, an app, a hardware token, or a network connection. The Identity Challenge Card is the first production implementation: a printed grid of word pairs that a user looks up during login. When Stryker's device-bound MFA went down during the Iranian Handala intrusion, Deviceless MFA is the category that would have kept workforce verification running — one day to deploy, every worker covered, zero device dependency. Every FAQ below explains how it works, how it deploys, and how it satisfies auditors.

Is a printed card actually secure? A lost card means a compromised credential.

The card contains no personal data and no identity information. Without the PIN it is useless. A lost card is less dangerous than a lost phone — you can't SIM-swap paper. The card is revoked in seconds and replaced the same day. Cyber attackers cannot compromise paper. That is an architectural truth, not a tagline.

We already have MFA. Why does our existing solution leave a documented gap?

Authentication that works for 20% of your workforce does not protect your organization — it creates a documented 80% vulnerability. Every MFA exception you've written is a gap an attacker can map. Device-dependent MFA assumes devices, networks, and identity systems are available. During the Stryker attack, none of those assumptions held. Deviceless MFA is how you stop documenting 80% exceptions and start documenting 100% coverage.

How does this meet CMMC, HIPAA, PCI-DSS, and GDPR requirements?

Every major compliance framework requires authentication that works for every worker in every environment. Device-dependent MFA cannot deliver that — your exceptions are documented compliance risk. A governed Identity Challenge Card closes every exemption with immutable audit logs, policy-enforced expiration, and identity-verified re-enrollment. No personal data is processed by the auth mechanism — zero GDPR exposure.

What happens during an active cyberattack when identity systems are down?

That is exactly when this was built for. Nothing runs at authentication time — no server call, no network dependency, no identity provider. The card resolves locally. When everything else fails, the card still works. Your service desk can still verify users. Business operations can continue. That's what Deviceless MFA is built to do.

Can push bombing or replay attacks work against this?

No. There are no push notifications — so push fatigue attacks have no surface. Each coordinate value is one-time — used values are permanently burned and never reused. Replay attacks are structurally impossible. Air-gapped means no network attack surface exists.

See Where Deviceless MFA
Fits in Your Environment

No commitment · 30-min Deviceless MFA walkthrough · same-day response

Talk to the team behind the Identity Challenge Card — the first production Deviceless MFA.

Compliance-Certified

Live security rating from SecurityScorecard

SOC 2 Type II — Deviceless MFA compliance certification

SOC 2 Type IIAnnual audit of security controls, availability, and confidentiality.

ISO/IEC 27001 — Deviceless MFA compliance certification

ISO/IEC 27001International standard for information security management systems.

PCI DSS v4.0.1 — Deviceless MFA compliance certification

PCI DSS v4.0.1Payment card industry data security standard compliance.

GDPR — Deviceless MFA compliance certification

GDPREuropean data protection and privacy regulation compliance.

FERPA — Deviceless MFA compliance certification

FERPAFederal student education records privacy protection.

Section 508Certified accessible for screen readers, keyboard-only navigation, and assistive technology.

Avatier Trust Center

Review the Deviceless MFA certifications, penetration test summaries, sub-processor lists, and compliance documentation backing the Identity Challenge Card — all in one place via SafeBase.

Open Trust Center

Identity
Challenge Card

Device-Dependent MFA
Can't Protect Workers
Who Don't Have a Device

The Iranian Handala
Stryker Attack Is
Why Deviceless MFA Exists.

Device-Dependent MFA vs
Deviceless Authentication