Does this replace our existing SSO and IdP, or sit alongside it?

It sits alongside your existing MFA — not instead of it. Policy routes each worker to the right method. Your desk workers keep push notifications. Your factory floor, field staff, and restricted-environment workers get the card. Both are governed. Both are covered. Zero rip-and-replace. Deviceless MFA sits alongside device-bound MFA and closes the workers it can't reach.

How do we actually deploy Deviceless MFA to 50,000 users?

A single IGA workflow bulk-provisions cards for every worker simultaneously. No hardware procurement cycle. No app install. No per-worker IT session. Workers receive a card — same delivery channel as an ID badge. On-site, mailed, or kiosk-printed on demand. Deployment takes one day.

How does this integrate with SCIM and our IGA platform?

Card provisioning is driven by the same SCIM events that create a worker's directory identity. Issuance, re-issuance, and revocation flow through your existing IGA workflow — the same governance that approves access requests approves cards. Audit logs write back to the same pane of glass.

What happens during an active cyberattack when identity systems are down?

That is exactly what this was built for. Nothing runs at authentication time — no server call, no network dependency, no identity provider. The card resolves locally. When everything else fails, the card still works. Your service desk can still verify users. Business operations can continue. That's what Deviceless MFA is built to do.

How is Deviceless MFA actually cheaper than our current MFA stack?

No per-seat app license. No hardware token procurement. No device refresh cycle. A printed card costs cents per worker, and re-issuance is a reprint — not a procurement cycle.

What's the real financial upside when identity fails during a breach?

A week of identity downtime during an intrusion is a quarter of lost revenue for a lot of Fortune 500 operations. Deviceless MFA turns that week into a day. The board-level math favors having the control in production before the event — not after.

Does the card add hidden cost — reprints, storage, logistics?

Cards are printed on demand through the same logistics that deliver ID badges. Storage is the IGA record — not physical stock. Reprints are a self-service workflow. The hidden cost is the one you're already paying on app licenses and lockout support tickets.

How do I explain Deviceless MFA to the board without getting into authentication acronyms?

Boards don't ask which authentication product you use — they ask how long the business is exposed when identity fails. Deviceless MFA is the answer to that question. When device-bound MFA goes down, the Identity Challenge Card keeps every worker verified. It's the continuity story that turns a front-page headline into a footnote in the annual report.

What is my SEC 8-K disclosure story if identity systems fail during a breach?

Under the SEC's four-day cyber disclosure rule, identity failure is a material event. Deviceless MFA gives CEOs a defensible answer to the first question on every 8-K filing: what continuity plan did you have for when device-bound MFA failed? The Identity Challenge Card is that plan — in production, audited, and documented.

How does this meet CMMC, HIPAA, PCI-DSS, and GDPR requirements?

Every major compliance framework requires authentication that works for every worker in every environment. Device-dependent MFA cannot deliver that — your exceptions are documented compliance risk. A governed Identity Challenge Card closes every exemption with immutable audit logs, policy-enforced expiration, and identity-verified re-enrollment. No personal data is processed by the auth mechanism — zero GDPR exposure.

What does the service desk actually do when someone loses a card?

Re-issue through the governed IGA workflow. Identity is re-verified through the same controls that approved the original issuance — no social-engineering shortcut, no device pairing session. Access is restored in seconds.

How does the worker get a new card without coming to the desk?

Three options: on-site kiosk print, mailed card, or supervisor-approved local reprint. Each flow is logged. Each flow is governed. None of them require a phone call to the help desk.

What happens when the whole IdP is down and everyone is locked out?

The card resolves locally. The service desk runs the challenge against the printed grid — no IdP call, no network dependency. Workers are re-authenticated while the IdP recovers.

Is Deviceless MFA a real category or a rebrand of hardware tokens?

Hardware tokens are devices — they have batteries, firmware, serial numbers, and supply chains. Deviceless MFA has none of those. A printed grid of word pairs resolves challenges locally with no power, no network, no provisioning cycle. The architecture is fundamentally different from FIDO2 security keys, TOTP apps, and push-based authenticators — which is why incumbents cannot replicate it by shipping an update.

What's the TAM and why can't incumbents ship it in a feature release?

80% of the global workforce is deskless — that's the addressable gap every device-bound MFA vendor leaves uncovered. Incumbents can't ship Deviceless MFA without redesigning their architecture. The category is defensible by construction.

How does this compare to FIDO2, TOTP, and push authenticators?

FIDO2 needs a hardware key. TOTP needs an app with a shared secret. Push needs a working network and an attention budget. Deviceless MFA needs none of those — and matches FIDO2's phishing resistance without the device.

Deviceless MFA Comparison

See Compliance Trust Center Try It Book Meeting

Human Verification

Deviceless MFA

Identity Challenge Card

Name: Identity Challenge Card
Brand: Avatier
Availability: InStock
Rating: 4.4 (14 reviews)

Prevent Hacker Attacks

When Stryker's device-bound MFA went down during the Iranian Handala intrusion, recovery got slower, more expensive, and more dangerous. Deviceless MFA is the category built for the day traditional MFA fails.

100% workforce coverage — every worker, every environment
100% of the Time — works when devices, apps, and networks don't
Cost 75% less than current MFA — no hardware, no per-seat app licenses

See It Try It Trust It

Identity Challenge CardCard ID: B7eCB15

#	A	B	C	D	E
1	INSTALL POWDER	GARDEN BRIDGE	MARBLE SILVER	ROCKET WINDOW	GUITAR CASTLE
2	PLANET ANCHOR	TURTLE FOREST	BASKET TEMPLE	VELVET PIRATE	COTTON DRAGON
3	CANYON MAGNET	PUZZLE ORANGE	VIOLET BEACON	COPPER JUNGLE	CARPET MONKEY
4	HARBOR KNIGHT	VISION QUARTZ	JASPER WILLOW	SUMMIT STREAM	PARROT FABRIC
5	MEADOW COBALT	FABRIC SPHINX	FALCON BINARY	ORCHID PRISM	LANTERN OXYGEN

Three-Factor Challenge

Card Word

BASKET

1234

Emp ID

EMP-48291

Protecting the world's workforce since 1997 • Over 15 Million Licenses Sold

The Device Dependency Problem

Device-Dependent MFA Can't Protect Workers Who Don't Have a Device

Every MFA product on the market assumes a trusted device is available at authentication time. That assumption is wrong for most of the workforce.

80% of the global workforce is deskless. Factory floors, hospitals, field service, retail, logistics, education, construction — the workers running the operation rarely carry a work phone, and the ones who do can't use it on the shop floor.

The result is a documented coverage gap. Organizations write MFA exceptions for the workers they can't reach. Those exceptions are the attack surface cyber adversaries map first.^1,2,3

SMS / voiceTOTP appsPush authenticatorsFIDO2 security keysHardware tokensBiometricsPasskeysSmartcardsNone are deviceless.

80 percent

80% of the global workforce is deskless

2.7 billion workers worldwide don't sit at a desk, don't carry a work phone, and can't install an authenticator app — and they're the workforce most organizations leave uncovered.

20 industries

Industries

5 to 88 percent

Device MFA reach

Retail57 companies

95% Deviceless coverage gap

Healthcare42 companies

95% Deviceless coverage gap

Transportation & Logistics31 companies

93% Deviceless coverage gap

Manufacturing48 companies

92% Deviceless coverage gap

Food & Beverage19 companies

90% Deviceless coverage gap

10% Device-covered workers

Construction14 companies

90% Deviceless coverage gap

10% Device-covered workers

Device-covered workers

Deviceless coverage gap

Deviceless MFA closes the red. Device-dependent MFA can't reach it without a phone, an app, a token, or a network.

For the CFO: every uncovered frontline worker is an uninsured breach vector — one stolen credential from a seven-figure incident, a denied cyber-policy claim, and an audit finding that pushes your next renewal. Deviceless MFA is how that math stops working against you.

Fifteen minutes. We'll map your coverage gap and what it's costing you today.

Sources

Fortune 500 workforce composition derived from 10-K filings, Bureau of Labor Statistics industry occupation mixes, and Gallup's State of the Global Workplace (2024). Deskless ratio per industry follows Emergence Capital's Deskless Workforce Report. Full methodology available on request.

[1] Enterprise VC research — State of Technology for Deskless Workers (2020)
[2] Global strategy consultancy — Making Work Work Better for Deskless Workers (Dec 2022)
[3] Industry analyst firm — 75% of new mobile initiatives target frontline workers
[4] Business publication — 2025 ranking of largest U.S. companies by revenue (June 2025)

Full Methodology Download PDF

Built for the Day Traditional MFA Fails

The Iranian Handala Stryker Attack Is Why Deviceless MFA Exists.

Handala is Iran-aligned. They don't want a ransom — they want you offline.

State-aligned wiper groups don't negotiate; they build payloads designed to keep your workforce locked out. Then the phone rings at your service desk. “This is John from Cardiology — I need my access back, now.” How does the tech on the line know it's actually John — and not the attacker who already owned John's phone?

The Identity Challenge Card verifies the human, not the hardware. Three factors on one air-gapped credential: the card(can't be cloned remotely), a PIN (never stored on a device), and an identity factor(verified at the point of use). Traditional MFA only proves the attacker hasn't rooted the device holding your token — an assumption that collapses in an Iranian-playbook incident before the first alert fires.

Service desk and IT operations use ICC as their live identity check. The caller reads the challenge off their card and performs some Avatier magic request. Now IT operations know they're who they claim to be, or they aren't. No social engineering. No deepfake voice that works. No password reset handed to the wrong person.

With Avatier ICC, you know every identity the moment a failure starts — workforce verified and operational in a single day. No re-enrollment. No MDM rebuild. No help-desk queue full of callers you can't verify.

And what the card does today is just the start. Ask us where it goes next.

Click the Book Meeting button to schedule a quick fifteen minute call. We'll walk your team through the Iranian playbook on your stack — and show you what verified recovery looks like.

Book Meeting→View Press Release→Calculate Your Cyber Attack Cost→

The Difference

Device-Dependent MFA vs Deviceless Authentication

Device-Dependent MFA

Deviceless Authentication

Requires a phone, app, token, or hardware key

Works with a printed card — no device ever

Fails when devices, networks, or IdPs are down

Resolves locally during the outage

Push-bombing, SIM-swap, and replay are in-scope

One-time coordinates — replay is structurally impossible

Covers 20% of workforce; 80% is an exception list

Covers 100% of workers — every environment

Per-seat app licenses and hardware procurement

Printed once, reissued in seconds at cents per worker

Deployment measured in months per workforce segment

One IGA workflow — full deployment in one day

With this fallback identity layer, Stryker's rebuild would have been days, not weeks.

How It Works

Three Factors. Zero Device Dependency.

Deviceless MFA resolves three independent factors — all locally, all without a device, and all in under 10 seconds.

Challenge Card Factor

A printed grid of word pairs. At login, the system asks for a specific coordinate — the user reads the answer directly off the card. No network call. No device.

Private Knowledge Factor

A short PIN that only the user knows. Bound to the card via policy and verified in-memory so replay and brute-force have no surface.

Identity Anchor Factor

The user's directory identity — Employee ID, badge, or SCIM-provisioned principal. Ties the challenge to a specific human, with full audit trail.

See Deviceless Authentication

See Deviceless Authentication. Try It. Understand It in 60 Seconds.

Featured Demo

Self Enrollment or Auto Enroll Everyone at Once.

A narrated walkthrough of Deviceless MFA, the card, and how the three factors resolve locally.

1/6

Try Deviceless MFA Live

This is Deviceless MFA. Try it.→

No signup. No download. Resolve a live three-factor challenge against a printed card, right here — same flow a worker runs during an identity outage.

✓

No phone required

✓

No app required

✓

No network required

✓

No hardware token required

✓

No dependency on compromised systems

✓

Works in any language, including RTL and CJK

Identity Challenge CardCard ID: B7eCB15

#	A	B	C	D	E
1	INSTALL POWDER	GARDEN BRIDGE	MARBLE SILVER	ROCKET WINDOW	GUITAR CASTLE
2	PLANET ANCHOR	TURTLE FOREST	BASKET TEMPLE	VELVET PIRATE	COTTON DRAGON
3	CANYON MAGNET	PUZZLE ORANGE	VIOLET BEACON	COPPER JUNGLE	CARPET MONKEY
4	HARBOR KNIGHT	VISION QUARTZ	JASPER WILLOW	SUMMIT STREAM	PARROT FABRIC
5	MEADOW COBALT	FABRIC SPHINX	FALCON BINARY	ORCHID PRISM	LANTERN OXYGEN

Three-Factor Challenge

Challenge Card Factor

Coordinate C2 — TOP word

Private Knowledge Factor

Your PIN 1234

Identity Anchor Factor

Employee ID EMP-48291

How Three-Factor Works

· Challenge Card Factor — Find the coordinate (e.g., A1, B3) and enter the TOP or BOTTOM word

· Private Knowledge Factor — Read your 4-digit PIN, then enter it in the PIN field

· Identity Anchor Factor — Your Employee ID is verified automatically

· All three factors required — the word and PIN must both be correct to gain access

· New challenge — Tap 'New Game' to randomize a fresh coordinate and PIN

Outcomes by Role

The Business Value of Deviceless MFA Mapped to Who's Buying

Every stakeholder wins a different outcome. The Identity Challenge Card is the rare control where the CISO, CIO, CFO, CEO, service desk, and industry analyst each get their own answer.

Stop defending an exception list. Phishing-resistant MFA that covers every worker, every environment — including the ones device-bound MFA can't reach.

Phishing-resistant for 100% of workers

Most MFA mandates require all users — but device-based solutions exclude factory floors, shared workstations, field staff, and contractors. The Challenge Card closes every exception, giving auditors complete coverage evidence with no asterisks.

Phishing-resistantZero Trust

Breach-resilient identity layer

Air-gapped authentication eliminates push-notification hijacking, SIM-swap, and real-time phishing attacks that defeat SMS and TOTP. The challenge/response is offline and unreplayable — no interception vector exists.

ResilienceIncident response

Audit-ready from day one

Card issuance, expiration, re-enrollment, and revocation are all logged and policy-enforced. Admins set expiry windows; users receive automated reminders. Every access event is traceable — no gaps in the audit trail.

AuditCMMCHIPAA

One IGA workflow provisions cards for every worker. No device procurement, no per-seat app install, no re-enrollment campaign.

Day-one deployment

No network dependency. No battery. No software patches. Business continuity plans that rely on device MFA have a documented failure mode — the Challenge Card functions through outages, disasters, and offline deployments that regulators increasingly require planning for.

IGASCIM

Works with your stack

No MDM enrollment. No app installs. No device provisioning. Cards are generated and distributed through your existing service desk workflow — users are live within minutes of receiving their card, not weeks of IT onboarding cycles.

SSOIdPInteroperable

Zero per-seat app licensing

Every hardware token and managed device is an inventory line, a support ticket, and a replacement cost. A printed card eliminates all three — with no battery to die, no firmware to patch, and no asset tag to track.

TCOLicensing

Printed cards at cents per worker replace a stack of app licenses, hardware tokens, and device refresh cycles.

75% lower authentication spend

Cyber insurance underwriters now price device-bound MFA gaps into premiums. The Identity Challenge Card closes the 80% gap without hardware, without MDM, and without per-device licensing — the three costs that make universal coverage unaffordable.

TCOFinance

Material reduction in breach exposure

When Stryker's device-bound MFA went down, every hour of recovery carried a P&L cost — lost revenue, overtime, incident response fees. Deviceless MFA gives CFOs a continuity number they can defend in a board deck.

RiskMaterial impact

Continuity story for the board

Hardware tokens, MDM licenses, and device replacement cycles are the invisible tax on universal MFA. A printed Challenge Card replaces all three — no battery, no firmware, no asset tag, no refresh cycle. The math works at every headcount.

BoardGovernance

When the SEC asks what continuity plan you had when MFA went down, the Identity Challenge Card is the answer — in production, audited, and documented.

Defensible SEC 8-K disclosure

When a cyberattack takes down device-bound authentication, the board's question isn't which tool failed — it's how long the business was exposed. The Identity Challenge Card keeps workforce verification running through the incident, turning a headline risk into a footnote.

SEC8-K

Headline becomes a footnote

The SEC's four-day cyber disclosure rule turned identity failure into a material event. Deviceless MFA gives CEOs a defensible answerto the first question on every 8-K: "What continuity plan did we have for when device-bound MFA failed?"

ReputationContinuity

Every worker covered — every country

Identity resilience is becoming a board-level conversation. The Identity Challenge Card — Deviceless MFA — is the clearest instantiation of that category. CEOs get the upside of being the customer named in the analyst note, not the one in the breach case study.

GlobalWorkforce

When the card is the fallback, the help desk isn't the bottleneck. Workers self-resolve and you get your team back.

Self-service lockout resolution

Lost phone? Dead battery? No cell signal? The Challenge Card is always available — it works offline, requires no device, and gives the service desk a reliable identity verification method when every digital channel is down.

Self-serviceDeflection

Re-enrollment in seconds

Social engineering attacks target the help desk because knowledge-based verification is guessable. The Challenge Card replaces "mother's maiden name" with a cryptographic challenge/response that attackers cannot research, intercept, or replay.

Re-enrollmentGoverned

Audit trail in the same pane of glass

Major incidents create account-lockout surges. When MFA infrastructure is the problem, the card becomes the fallback that keeps the queue moving — no escalation to security, no manager override, no waiting for systems to come back online.

AuditIGA

Deviceless MFA is a greenfield category. 80% of the global workforce is the addressable market — and incumbents cannot ship this in an update.

Category-defining coverage

This is not another authenticator app. The Identity Challenge Card defines a new infrastructure layer — the Identity Continuity Layer — that ensures authentication persists when device-dependent systems fail, creating a category with no direct competitor.

CategoryMoat

Fortune-500-scale proof points

The addressable market spans three budget lines: MFA gap closure, service desk identity verification, and business continuity planning. Each use case opens a separate procurement path, expanding the total addressable market beyond traditional MFA competition.

EnterpriseRegulated

Clear comparison to FIDO2 and TOTP

No PII stored. No device required. Multilingual. Air-gapped capable. This is a fundamentally different architecture — not an incremental feature on an existing platform — which means incumbents cannot replicate it by shipping an update.

MarketComparison

Ready to close your compliance gaps with Deviceless MFA?

Book a 20-minute walkthrough tailored to your workforce — we'll map your exceptions to a deployment plan before you leave the call.

Book Meeting

Multilingual & Global

Built for Global Workforces

The Identity Challenge Card ships in 29 languages, including RTL Arabic and Hebrew and CJK Chinese, Japanese, and Korean. Same card, same three-factor flow — localized for every worker.

Compliance-Ready Deviceless MFA

Deviceless MFA, Trusted in Regulated Environments

Designed from day one for CMMC, HIPAA, PCI-DSS, GDPR, and FERPA workloads. Three architectural pillars make the compliance story simpler than device-bound MFA, not harder.

Privacy by Architecture

Zero personal data on the auth mechanism

No phone number, biometric, or personal data touches the card
Card contents are opaque without the user's PIN
Zero GDPR exposure from the authentication channel
No third-party processor between the user and the challenge
Revocation is immediate — no upstream device cleanup

Full Lifecycle Controls

Governed issuance, revocation, and audit

Every card is issued through the existing IGA workflow
Every challenge and re-issue writes an immutable audit record
Policy-enforced expiration and re-enrollment windows
Identity-verified re-issuance closes the social-engineering path
Separation of duties between issuer, approver, and auditor

Phishing-Resistant by Design

No push, no replay, no relay

No push notifications — push fatigue has no surface
Each coordinate value is one-time — replay is structurally impossible
Air-gapped verification — no network attack surface
No TOTP shared secret to exfiltrate
FIDO2-equivalent phishing resistance without a device

Recognized on Gartner Peer Insights

4.4

Based on 14 verified reviews of AvatierIdentity Governance and Administration

Read the reviews on Gartner Peer Insights

Executive Briefing

Download White Paper + Product Sheets

The full category argument, the Stryker recovery narrative, and the product sheet — three PDFs for the CISO, CIO, and board packet.

Download White Paper (PDF)Download Enhanced Sheet (PDF)

Deviceless MFA FAQs

Frequently Asked Questions

The same questions come up in every CISO, CIO, CFO, CEO, service desk, and analyst call. Answers below — pick your persona.

Phishing-resistant MFA for 100% of the workforce

What exactly is Deviceless MFA — and how is the Identity Challenge Card different from every other MFA?

Deviceless MFA is multi-factor authentication that works without a phone, an app, a hardware token, or a network connection. The Identity Challenge Card is the first production implementation: a printed grid of word pairs that a user looks up during login. When Stryker's device-bound MFA went down during the Iranian Handala intrusion, Deviceless MFA is the category that would have kept workforce verification running — one day to deploy, every worker covered, zero device dependency.

Is a printed card actually secure? A lost card means a compromised credential.

The card contains no personal data and no identity information. Without the PIN it is useless. A lost card is less dangerous than a lost phone — you can't SIM-swap paper. The card is revoked in seconds and replaced the same day. Cyber attackers cannot compromise paper. That is an architectural truth, not a tagline.

We already have MFA. Why does our existing solution leave a documented gap?

Authentication that works for 20% of your workforce does not protect your organization — it creates a documented 80% vulnerability. Every MFA exception you've written is a gap an attacker can map. Device-dependent MFA assumes devices, networks, and identity systems are available. During the Stryker attack, none of those assumptions held. Deviceless MFA is how you stop documenting 80% exceptions and start documenting 100% coverage.

Can push bombing or replay attacks work against this?

No. There are no push notifications — so push fatigue attacks have no surface. Each coordinate value is one-time — used values are permanently burned and never reused. Replay attacks are structurally impossible. Air-gapped Deviceless MFA means no network attack surface exists.