
Not another push notification – How device identity solves MFA challenges


COMMENTARY: MFA has become the default safeguard for enterprises, but the way it is usually deployed makes it ripe for exploitation. Instead of stopping attackers, it often slows employees down, creates user fatigue and fuels resistance. Attackers know this and turn MFA's weak points against it, from push-notification floods to SMS hijacking and stolen session cookies, to bypass defenses.

The result is a daily struggle between security and productivity. One weary approval or wrong click is all it takes to hand an attacker an authenticated session inside the organization.

How device identity changes the game

Device identity shifts the burden of trust from the user to the machine. By cryptographically binding credentials to hardware, typically a private key generated inside a TPM or Secure Enclave that the device uses to sign authentication challenges, authentication becomes invisible, seamless and resistant to social engineering attacks such as phishing.

Employees can connect to Wi-Fi without passwords or repeated prompts. Developers can authenticate themselves over SSH without tapping hardware keys dozens of times each day. SaaS applications become harder to breach when device identity is layered into platforms like Okta or Entra. Even session management improves, as devices can re-authenticate continuously instead of relying on fragile bearer cookies that anyone holding them can replay.

In this model, security strengthens while the user experience improves. Rather than training employees to endure endless prompts, device identity enables them to focus on their work while IT security teams gain tighter control and assurance.

Why MFA frustrates people and helps attackers

To understand why device identity is such a powerful shift, it is helpful to examine why typical MFA approaches often frustrate employees, which can give attackers a way in. The problem is not that MFA fails in theory, but that it undermines itself in practice due to human behavior. Endless prompts turn security into a burden, leading employees to reuse personal devices, leave sessions open or click through prompts without thinking.

Attackers exploit this fatigue. In MFA fatigue (push-bombing) attacks, adversaries who already hold a valid password bombard users with login prompts until someone, out of annoyance or confusion, finally approves one. SMS-based MFA is also weak: attackers hijack phone numbers through SIM swaps or telecom fraud to intercept codes. A stolen post-login session cookie lets adversaries skip authentication entirely and continue operating undetected. The recent OAuth-related attacks against Salesforce customers show how social engineering can trick employees into granting malicious apps access, bypassing these safeguards altogether.
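
The push-bombing pattern described above is easy to spot in identity-provider logs once you look for it. The following Go program is an added example, not part of the original commentary or any Smallstep product: it parses constructed push-notification log lines (the `user=... result=...` format, the user names and the timestamps are all invented for the example) and flags any user who received a burst of prompts, recording whether the burst ended with an approval.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// PushEvent is one MFA push-notification event as an identity provider might log it.
type PushEvent struct {
	Time   time.Time
	User   string
	Result string // "sent", "denied" or "approved"
}

// ParsePushLog reads lines of the constructed form "2024-05-02T09:14:01Z user=alice result=sent";
// the format is invented for this example, so map a real IdP's fields onto PushEvent instead.
func ParsePushLog(lines []string) ([]PushEvent, error) {
	var events []PushEvent
	for _, line := range lines {
		var ts string
		var ev PushEvent
		_, err := fmt.Sscanf(line, "%s user=%s result=%s", &ts, &ev.User, &ev.Result)
		if err == nil {
			ev.Time, err = time.Parse(time.RFC3339, ts)
		}
		if err != nil {
			return nil, fmt.Errorf("malformed line %q: %v", line, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// Alert is a suspected push-bombing burst for one user.
type Alert struct {
	User     string
	Prompts  int  // prompts sent within the densest window
	Approved bool // the user's latest event is an approval after the burst began: the dangerous case
}

// DetectPushFatigue flags users who got at least threshold prompts within window. A burst that
// ends in an approval is a successful fatigue attack; a burst of denials is the same attack, failed.
func DetectPushFatigue(events []PushEvent, window time.Duration, threshold int) []Alert {
	byUser := map[string][]PushEvent{}
	for _, ev := range events {
		byUser[ev.User] = append(byUser[ev.User], ev)
	}
	var alerts []Alert
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		var sent []time.Time
		for _, ev := range evs {
			if ev.Result == "sent" {
				sent = append(sent, ev.Time)
			}
		}
		// Sliding window over the sorted prompt times: find the densest burst.
		best, start := 0, 0
		var burstStart time.Time
		for end := range sent {
			for sent[end].Sub(sent[start]) > window {
				start++
			}
			if n := end - start + 1; n > best {
				best, burstStart = n, sent[start]
			}
		}
		if best < threshold {
			continue
		}
		last := evs[len(evs)-1]
		approved := last.Result == "approved" && !last.Time.Before(burstStart)
		alerts = append(alerts, Alert{User: u, Prompts: best, Approved: approved})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// sampleLog is constructed for this example: alice is push-bombed and finally gives in,
// while bob's single login is ordinary.
var sampleLog = []string{
	"2024-05-02T08:02:10Z user=bob result=sent",
	"2024-05-02T08:02:25Z user=bob result=approved",
	"2024-05-02T09:14:01Z user=alice result=sent",
	"2024-05-02T09:15:03Z user=alice result=sent",
	"2024-05-02T09:15:40Z user=alice result=sent",
	"2024-05-02T09:16:12Z user=alice result=sent",
	"2024-05-02T09:16:55Z user=alice result=sent",
	"2024-05-02T09:17:30Z user=alice result=sent",
	"2024-05-02T09:17:41Z user=alice result=approved",
}

// AnalyzeSampleLog runs the detector over sampleLog: five or more prompts in ten minutes.
func AnalyzeSampleLog() ([]Alert, error) {
	events, err := ParsePushLog(sampleLog)
	return DetectPushFatigue(events, 10*time.Minute, 5), err
}

func main() {
	alerts, err := AnalyzeSampleLog()
	fmt.Println(alerts, err)
}
```

Tune `window` and `threshold` to the prompt rate your IdP normally produces. A burst that ends in `denied` events is the same attack in progress, and since push bombing presupposes a valid password, that password should be treated as compromised whether or not an approval followed.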

But MFA also spans a spectrum of assurance. NIST SP 800-63B defines three authenticator assurance levels. AAL1 is the weakest: it permits single-factor authentication, even a password alone, and still allows SMS codes, which NIST classes as a restricted authenticator. AAL2 requires two factors, typically a password plus an authenticator app, push notification or hardware OTP token, but it does not require phishing resistance, so it remains exposed to real-time phishing proxies and fatigue attacks. AAL3 is the gold standard: it requires a hardware-based cryptographic authenticator that resists verifier impersonation, i.e., a private key that cannot be phished, copied or exfiltrated, combined with a second factor. Device identity, a hardware-bound key on the endpoint, is the building block of that level.

However, most enterprises still operate at AAL1 or AAL2, leaving exploitable gaps that attackers eagerly target.

Device identity offers a stronger foundation for authentication

Device identity addresses MFA's weaknesses at the source. Because the private key is generated and held in hardware, it cannot be copied, phished or replayed the way codes, cookies or passwords can: the device signs a fresh, single-use challenge for each authentication, and a captured response is worthless against the next one. An attacker who wants that key's authority must compromise the device itself, physically or with malware running on it, and even then can only use the key while present on that one machine, which is a far more difficult and detectable position than replaying a stolen secret from anywhere. Authentication becomes consistent and invisible, removing the risks of fatigue, confusion or social engineering.

Critically, device identity supplies the hardware-bound cryptographic factor that AAL3 demands without the user doing anything extra: the device proves possession of its key in the background, so a hardware-attested device acts as an invisible factor. To reach AAL3 in full, the key must live in a TPM or Secure Enclave and be paired with a second factor, which on a modern endpoint is the unlock the user already performs (PIN or biometric) rather than another prompt. Instead of relying on multiple prompts and hoping employees comply, organizations can anchor their security in hardware-bound trust.
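
What "cannot be replayed or phished" means concretely is a challenge-response exchange in which the device signs a fresh nonce together with the origin it is talking to. The Go program below is an added example, not code from the original article or from Smallstep; it models that exchange with an in-memory Ed25519 key standing in for a TPM- or Secure-Enclave-held key (an assumption for the example), an invented device identifier and invented origins, and plays three scenarios: an honest login, a replay of the captured response, and a relay through a look-alike phishing origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Device stands in for an endpoint whose private key lives in a TPM or Secure Enclave. Here the
// key is generated in memory (an assumption for the example); real hardware exposes only signing.
type Device struct {
	ID  string
	key ed25519.PrivateKey
}

// Response names the origin the device believes it is talking to (as WebAuthn's clientData
// does), so the verifier can tell a relayed response from a genuine one.
type Response struct {
	DeviceID, Nonce, Origin string
	Sig                     []byte
}

func message(deviceID, origin, nonce string) []byte {
	return []byte(deviceID + "\x00" + origin + "\x00" + nonce)
}

// Respond signs the challenge for the origin the device is actually connected to.
func (d *Device) Respond(origin, nonce string) Response {
	return Response{d.ID, nonce, origin, ed25519.Sign(d.key, message(d.ID, origin, nonce))}
}

// Verifier is the relying party: its own origin, the enrolled public keys and the outstanding nonces.
type Verifier struct {
	Origin   string
	Enrolled map[string]ed25519.PublicKey
	pending  map[string]time.Time
}

// Challenge issues a fresh, single-use nonce with a short lifetime.
func (v *Verifier) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	v.pending[nonce] = time.Now().Add(60 * time.Second)
	return nonce, nil
}

var (
	ErrStaleNonce     = errors.New("nonce unknown, expired or already used")
	ErrOriginMismatch = errors.New("response was signed for a different origin")
)

// Verify consumes the nonce (a captured response cannot be replayed) and rejects responses signed
// for any origin but its own (a relay through a look-alike site fails) before checking the signature.
func (v *Verifier) Verify(r Response) error {
	pub, enrolled := v.Enrolled[r.DeviceID]
	exp, fresh := v.pending[r.Nonce]
	delete(v.pending, r.Nonce) // single use, whether or not the rest succeeds
	switch {
	case !enrolled:
		return errors.New("device not enrolled")
	case !fresh || time.Now().After(exp):
		return ErrStaleNonce
	case r.Origin != v.Origin:
		return ErrOriginMismatch
	case !ed25519.Verify(pub, message(r.DeviceID, r.Origin, r.Nonce), r.Sig):
		return errors.New("signature does not verify under the enrolled key")
	}
	return nil
}

// RunScenarios plays an honest login, a replay of the captured response and a relay through
// a phishing origin, and returns the verifier's verdict on each.
func RunScenarios() (legit, replay, phish error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	dev := &Device{ID: "laptop-0042", key: priv}
	v := &Verifier{Origin: "https://login.example.com", pending: map[string]time.Time{},
		Enrolled: map[string]ed25519.PublicKey{dev.ID: pub}}
	nonce, _ := v.Challenge()
	resp := dev.Respond(v.Origin, nonce)
	legit = v.Verify(resp)  // honest login
	replay = v.Verify(resp) // the captured response is replayed: its nonce is already consumed
	// Phishing relay: a look-alike site forwards the real nonce, but the device signs for the origin it sees.
	nonce2, _ := v.Challenge()
	phish = v.Verify(dev.Respond("https://login.example-com.net", nonce2))
	return legit, replay, phish
}

func main() {
	legit, replay, phish := RunScenarios()
	fmt.Println("honest:", legit, "| replay:", replay, "| phishing relay:", phish)
}
```

The two properties the argument relies on are both visible in Verify: the nonce is deleted before any other check, so a replayed response fails however good its signature, and the origin is part of the signed message, so a proxy sitting between the user and the real service cannot forward a usable response. This is the same shape as WebAuthn's origin binding. A real deployment would additionally verify at enrollment, via hardware attestation, that the key really lives in a TPM or Secure Enclave; this example does not model that step.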

Getting started with device identity

Enterprises can begin adopting device identity through practical, high-value integrations that improve both security and user experience. Certificate-based Wi-Fi (WPA-Enterprise with EAP-TLS), for example, can be rolled out quickly and lets employees connect without passwords or repeated logins, while giving IT teams far tighter control, including revoking a single device's certificate instead of rotating a shared password.

Adding device checks into single sign-on workflows raises the security bar across every application behind the identity provider at once, while deploying device identity inside VPN or zero-trust network access environments ensures continuous authentication at scale. Privileged access scenarios, such as SSH for administrators and developers, are also a prime use case: here device identity, for example in the form of SSH certificates issued to a device-held key, replaces some of the most frustrating MFA workflows with seamless, hardware-bound trust.

While each organization must tailor deployment to its workforce and threat model, the pattern is consistent: security improves, user friction decreases and attackers lose many of the vectors they once relied upon.

MFA remains an important pillar of modern enterprise security. But on its own, it leaves organizations exposed to attack techniques that exploit human behavior. Device identity fills that gap by delivering hardware-bound, invisible assurance that, with the key held in hardware and paired with the device unlock as a second factor, meets the AAL3 benchmark, the highest standard for authentication. When authentication shifts from the user to the device, the tradeoff between security and usability disappears. The result is a defense that is both stronger and simpler, keeping employees productive while keeping adversaries out.

Mike Malone

Mike Malone is Founder & CEO of Smallstep.
