Passwordless was never supposed to mean phone-dependent. We are defining the category that fixes that mistake.
Identity Anywhere™ — 2026
The industry declared war on passwords. Biometrics. Push notifications. Magic links. Authenticator apps. A decade of innovation, all solving the same problem for the same person — someone sitting at a desk, smartphone in hand, connected to a network.
Then the industry quietly looked away from everyone else.
The factory worker whose phone stays in a locker. The field surgeon in a sterile suite. The defense contractor in a shielded facility. The call center agent who started this morning and may be gone in 90 days. The operator in a communications-denied environment where a push notification is not just inconvenient — it is a security threat.
These are not edge cases. These are tens of millions of workers. And every one of them has been issued the same security policy: an exception.
Every dominant authentication method is built on the same broken assumption: that every worker has a device, has connectivity, and controls both. They don't. That is why the exceptions exist.
Requires a smartphone, a data plan, app installation, OS compatibility, and battery. Fails the moment the device is absent, dead, or forbidden. Network-dependent at the moment of authentication.
Requires network, device, and human judgment. MFA fatigue attacks work precisely because users approve pushes they should not. The adversary's attack surface is your own UI.
SIM swap attacks are trivial and well-documented. Carrier infrastructure is not your security perimeter. NIST has flagged it. The industry keeps deploying it.
$30–60 per user. Inventory overhead. Shipping cycles. Replacement requests clogging the help desk. Still a device dependency — just an expensive one with a longer list.
Device-bound. Privacy and compliance exposure. Fails in gloves, masks, and sterile environments. The most intimate possible credential — stored on infrastructure you do not fully control.
Every method above assumed users have smartphones, have connectivity, and have the right to carry personal devices on-premise. That assumption was never universally true. They built anyway.
The Category Declaration
When the mechanism is irrelevant and the principle is sovereign — you don't need a device to prove who you are — that is not an alternative. That is a new way of thinking about identity.
The Identity Challenge Card is a printed grid — words in cells, coordinates on demand. When you authenticate, the system names a coordinate. You find the word. You type it alongside your PIN. You are in.
No app. No battery. No signal. No hardware to procure, patch, or replace. No MDM enrollment. No personal device drafted into corporate security compliance.
The grid is the something you have. The PIN is the something you know. One without the other is useless. Together, they constitute genuine two-factor authentication — air-gapped, offline, and impervious to every network-based attack vector.
Cyber attackers cannot compromise paper. That is not a tagline. That is an architectural truth.
| # | A | B | C | D | E |
|---|---|---|---|---|---|
| 1 | INSTALL POWDER | GARDEN BRIDGE | MARBLE SILVER | ROCKET WINDOW | GUITAR CASTLE |
| 2 | PLANET ANCHOR | TURTLE FOREST | BASKET TEMPLE | VELVET PIRATE | COTTON DRAGON |
| 3 | CANYON MAGNET | PUZZLE ORANGE | VIOLET BEACON | COPPER JUNGLE | CARPET MONKEY |
| 4 | HARBOR KNIGHT | VISION QUARTZ | JASPER WILLOW | SUMMIT STREAM | PARROT FABRIC |
| 5 | MEADOW COBALT | FABRIC SPHINX | FALCON BINARY | ORCHID PRISM | LANTERN OXYGEN |
Enter coordinate B4 — provide the TOP word
· Find the coordinate — Look for the row and column (e.g., A1, B3, E5)
· Choose the word — You'll be asked for the TOP or BOTTOM word
· Answer correctly — Enter the TOP or BOTTOM word as requested
· Case doesn't matter — You can type in uppercase or lowercase
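The challenge flow described above, sketched as a verifier. This is an added example, not Avatier's code: the PIN, salt, expiry date, function names and audit-record layout are assumptions, as is reading the first word in each cell as TOP. It uses the grid printed on this page and logs each attempt as timestamp, coordinate and outcome.

```python
import hashlib, hmac, secrets
from datetime import datetime, timezone

# Grid as printed on this page; each cell is read as "TOP BOTTOM" (assumption).
ROWS = [
    "INSTALL POWDER,GARDEN BRIDGE,MARBLE SILVER,ROCKET WINDOW,GUITAR CASTLE",
    "PLANET ANCHOR,TURTLE FOREST,BASKET TEMPLE,VELVET PIRATE,COTTON DRAGON",
    "CANYON MAGNET,PUZZLE ORANGE,VIOLET BEACON,COPPER JUNGLE,CARPET MONKEY",
    "HARBOR KNIGHT,VISION QUARTZ,JASPER WILLOW,SUMMIT STREAM,PARROT FABRIC",
    "MEADOW COBALT,FABRIC SPHINX,FALCON BINARY,ORCHID PRISM,LANTERN OXYGEN",
]
GRID = {f"{col}{r}": tuple(cell.split())
        for r, row in enumerate(ROWS, 1)
        for col, cell in zip("ABCDE", row.split(","))}

SALT = b"constructed-salt"                       # constructed sample value

def pin_hash(pin: str) -> bytes:
    """Derive a slow hash of the PIN so the PIN itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

PIN_HASH = pin_hash("4921")                      # constructed sample PIN
EXPIRES = datetime(2026, 12, 31, tzinfo=timezone.utc)  # assumed card expiry

def new_challenge():
    """Pick an unpredictable coordinate and word position."""
    return secrets.choice(sorted(GRID)), secrets.choice(("TOP", "BOTTOM"))

def verify(coord, position, word, pin, now, audit):
    """Check the card word and PIN together and record the attempt."""
    if now >= EXPIRES:
        outcome = "expired"
    else:
        expected = GRID[coord][0 if position == "TOP" else 1]
        # Case-insensitive, constant-time comparison. Both factors are always
        # evaluated so the result does not reveal which one was wrong.
        word_ok = hmac.compare_digest(word.strip().upper().encode(),
                                      expected.encode())
        pin_ok = hmac.compare_digest(pin_hash(pin), PIN_HASH)
        outcome = "success" if (word_ok & pin_ok) else "failure"
    audit.append((now.isoformat(), coord, outcome))
    return outcome == "success"
```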
This is not a product category defined by a single technique. It is defined by a set of commitments that every solution in the category must keep.
Authentication cannot require the user to own, carry, charge, or install anything. Proof of identity must be achievable with what a person inherently has: knowledge and a physical token they can hold without electronics.
A credential that requires no network at the moment of authentication has no network attack surface. The absence of connectivity is the safest possible design choice. We treat it that way.
Authentication that works for 80% of your workforce does not protect your organization. It creates a documented 20% vulnerability. Deviceless authentication closes every exception. All workers. All environments. Always.
Issuing a credential and walking away is not security. Every credential must have a lifecycle — expiration policies, automatic invalidation, immutable audit logs, and identity-verified re-enrollment. The card is governed, not just printed.
Demanding that employees install corporate security software on their personal smartphones is a liability transfer, not a security policy. Deviceless authentication separates corporate identity from personal hardware permanently.
Complexity is an attack surface. The more steps, devices, and networks involved in authentication, the more opportunities for exploitation. The simplest mechanism that achieves genuine two-factor assurance is the most secure mechanism.
The future of enterprise authentication is the recognition that identity must work everywhere — with or without a device, with or without a signal, with or without a smartphone that belongs to you.
Security audits find no MFA exemptions — because none exist. Every worker, in every environment, is covered.
Compliance frameworks are satisfied not with workarounds, but with verifiable, policy-enforced audit trails across the entire workforce.
The help desk is not overwhelmed by lockouts from devices workers forgot, lost, or were never permitted to bring.
Passwordless no longer means phone-dependent. It means any method that eliminates the traditional password — whatever the environment demands.
Defense contractors, nurses, line workers, and field agents authenticate with the same confidence as the executive at a corporate desk.
Compliance frameworks don't create the MFA exception problem — they expose it. Every major standard requires authentication that works for every worker in every environment. Device-dependent MFA cannot deliver that. A governed Identity Challenge Card can.
AC & IA Domains
CMMC requires verifiable MFA for all users across all environments — including communications-denied facilities and classified spaces where smartphones are prohibited by policy.
IA.3.083 · AC.2.006 · IA.1.077
Zero exemptions. All AC/IA domain requirements satisfied across the entire workforce.
Technical Safeguards — 45 CFR § 164.312
Healthcare's highest-risk environments — sterile suites, shared clinical workstations, isolation wards — are the least compatible with phone-based MFA. The standard requires person authentication, unique ID, and audit controls.
§ 164.312(d) · (a)(2)(i) · (b)
Person auth + unique ID + audit controls — all satisfied. No personal device processing.
Requirement 8 — Authentication & Password Requirements
Requirement 8 mandates strong MFA for all users with access to cardholder data. Any organization with workers in environments where device-dependent MFA cannot be uniformly enforced carries documented compliance risk.
Req. 8.4.2 · 8.3.6 · 8.2.4
MFA + password elimination + lifecycle governance — closed by design.
Security of Processing
Device-dependent MFA creates two GDPR exposures: enrolling personal phones constitutes personal data processing requiring a lawful basis, and known MFA exemptions may constitute failure to implement appropriate technical measures.
Article 32 · Art. 5(1)(f)
No personal data processed by the auth mechanism. Zero documented vulnerability gaps.
| Framework | Control | Outcome |
|---|---|---|
| CMMC | IA.3.083 | Zero exemptions. All AC/IA domain requirements satisfied across the entire workforce. |
| HIPAA | § 164.312(d) | Person auth + unique ID + audit controls — all satisfied. No personal device processing. |
| PCI-DSS v4.0 | Req. 8.4.2 | MFA + password elimination + lifecycle governance — closed by design. |
| GDPR Art. 32 | Article 32 | No personal data processed by the auth mechanism. Zero documented vulnerability gaps. |
Every organization with an MFA exception policy is somewhere on this scale. The question is not whether deviceless authentication is necessary. It is how far the gap currently extends between policy and reality.
MFA is deployed for the majority of the workforce. Documented exceptions exist for workers in device-restricted or connectivity-denied environments. Every exemption is a documented vulnerability — a gap the policy acknowledges and accepts rather than closes.
Deviceless authentication has been piloted for a subset of previously exempt workers. Coverage is improving but not complete. Legacy exemptions remain for un-migrated populations. An expansion roadmap exists but is not enforced. The documented attack surface is shrinking but still present.
Deviceless authentication is deployed across every previously exempt population. The policy contains no carve-outs. All workers in all environments are covered under the same framework. The compliance posture is now defensible. This is the minimum acceptable standard.
Credential issuance, expiration, invalidation, and re-enrollment are policy-enforced and system-executed — not manually managed. Audit evidence is immutable and continuous. The post-issuance risk window is closed. Governance is not a quarterly event; it is the operating state.
Real-time coverage dashboards confirm 100% enforcement at all times. New-hire onboarding triggers automatic credential issuance. Federated with SSO and IGA. The gap between audit cycles no longer exists because assurance is continuous, not periodic.
These models are not mutually exclusive. Most enterprises use a combination. The right starting point depends on existing infrastructure, workforce profile, and where the coverage gap is largest.
No upstream federation. No network dependency at authentication time. Card + PIN managed entirely within the platform — deploys without touching existing infrastructure.
The Identity Challenge Card covers the workers your incumbent MFA cannot reach. Both factors coexist. Policy routes each worker to the right one.
The card is provisioned, expired, and revoked by joiner/mover/leaver workflows. One audit record across every credential type.
Card + PIN satisfies the ZT policy engine without device posture signals. Identity — not device — is the perimeter.
The model is not the constraint. The coverage gap is. Every model closes it.
Category arguments are won in the boardroom. They are lost in the operations review. Here is the operational reality — not the pitch, not the demo, not the edge-case hedge.
A single IGA workflow bulk-provisions cards for every worker simultaneously. No hardware procurement cycle. No app install. No per-worker IT session.
Same delivery channel as an ID badge — on-site, mailed, or kiosk-printed on demand. No enrollment appointment. No device pairing. No help desk touchpoint required.
No server call. No network dependency. The workstation resolves the challenge locally. Infrastructure is not part of the transaction.
There is no device to locate, wipe, or recover. Revocation is immediate in the IGA platform. A replacement card is issued the same day. Mean time to resolution: minutes, not hours.
These are not edge cases. They are the primary use case. No signal required. No device required. The card works wherever a person can hold paper.
The IGA platform triggers re-enrollment on the governance schedule. The old coordinate set is invalidated. The new card is issued. The audit trail is continuous and immutable throughout.
It participates in joiner/mover/leaver workflows, access certifications, policy enforcement, and audit reporting — identical to any other governed credential.
Every authentication attempt — timestamp, coordinate challenged, outcome — is logged. Every issuance and revocation is recorded. The governance history begins at provisioning and ends at expiration.
The operational questions have operational answers. The category does not ask enterprises to trade risk for coverage. It removes both.
Every vendor in every category shares one architectural assumption: the user has a device, a signal, or a power source. The Identity Challenge Card removes that assumption entirely.
These vendors offer methods that reduce or eliminate smartphone dependency. This is the direct competitive category. Each has meaningful limitations the Identity Challenge Card closes.
| Vendor / Product | Avatier Advantage |
|---|---|
| Entrust Identity Grid Card | Time-limited, auto-expiring, identity-verified re-enrollment, full immutable audit log. |
| HID Global ActivID Grid / Smart Card | No reader hardware. Only solution with IGA-integrated, policy-enforced credential lifecycle. |
| Thales (SafeNet) Printed OTP Cards | Governed issuance, automatic invalidation, policy-enforced expiration — unavailable in Thales printed cards. |
| FEITIAN OTP / Challenge-Response | Paper-based. No battery. No hardware to procure. Full lifecycle via Avatier platform. |
| WiKID Systems Soft Token | No software, no device, no app. Fully operational in communications-denied environments. |
| Avatier Identity Challenge Card | Air-gapped · Governed lifecycle · IGA-native · Deploys in hours · Zero per-user hardware cost. |
Every security leader knows where their MFA exceptions are. They wrote the exceptions themselves, because the tools gave them no other choice. The Identity Challenge Card removes every justification for every exception. No new infrastructure. No new devices. Deploys in hours.
Enroll every employee. All in one day.
Closing Definition
Deviceless Authentication
Authentication does not require a device. It requires proof of identity and a governance system rigorous enough to stand behind it. That is the standard. Everything else is a workaround.
Network dependency at the moment of authentication
Workforce coverage — including every environment you previously exempted
True two-factor: something you have, something you know. No device required.