Your cell phone isn't designed to be a secure authentication device.
Multifactor was created when we realized that most people still receive 2FA codes via SMS messages on their cell phones, exposing them to a series of vulnerabilities and exploits. Multifactor's patent-pending system utilizes custom-designed virtual phones to securely receive 2FA codes.
Truly secure 2FA for all your accounts.
|Physical Access to Cell Phone||Critical Vulnerability||Not Vulnerable|
|On-Premise SIM Card Swap||Critical Vulnerability||Not Vulnerable|
|Remote SIM Card Swap||Known Exploit||Not Vulnerable|
|IMSI Catchers||Known Exploit||Not Vulnerable|
|SS7 Vulnerabilities||Plausible Exploit||Not Vulnerable|
|Spyware / Remote Access||Plausible Exploit||Not Vulnerable|
Multifactor goes above and beyond the industry-standard security measures, but there's no such thing as a perfectly impenetrable system. This page exists for marketing purposes and, for security reasons, only contains an approximation of Multifactor's true system architecture. Our Terms of Service takes precidence for the specifics of our warranties.
Starting at your browser, we'll take a deep dive into how Multifactor serves a single page request.
We don't store any sensitive data on your browser — cookies are only used for session tracking and analytics.
If you're concerned about others that have access to your computer, we have settings available to hide your login codes from onlookers. You can even require a 5-digit PIN to access your dashboard.
We use 256-Bit Extended Validation (or "Green bar") SSL / TLS encryption on all requests, making man-in-the-middle attacks impossible. Any insecure (HTTP) requests are redirected to a secure connection before serving any data.
All requests must pass through a secure Web Application Firewall (WAF) layer. Here, we apply a carefully-constructed ruleset to defend against a variety of attacks. Our firewall can:
Powered by CloudFlare and AWS WAF
To ensure complete end-to-end encryption, we use a secondary SSL certificate in between our WAF and our own servers. At this point, requests are also digitally signed so that nobody can circumvent our firewall.
System Status: Healthy
99.9% Historical Uptime
We outsource our infrastructure for data storage, content delivery (CDN), email delivery, and more. Our infrastructure providers are all industry leaders, and their facilities feature:
Powered by AWS and DigitalOcean
Multifactor utilizes a one-of-a-kind intelligent login system that evaluates dozens of factors (such as IP address, geolocation, browser, OS, etc.) to calculate a confidence score for each attempted login. If there's any doubt that a login is legitimate, we use this same intelligence to present the most appropriate challenges until we're 100% confident that it's you.
In addition to continuous internal testing, we hire external penetration testing firms at several times per year. We also have an ongoing bug bounty program.
Our developers share our commitment to security. We require that all of our developers have at least basic cybersecurity training (OWASP and CSA).
Every line of code is analyzed by a custom suite of both internal and third-party security tools. A manual review is then performed by our security team before publication.
We use Braintree, a PayPal company, to process our credit card transactions via Recurly.com. Both Braintree and Recurly are highly trusted and fully PCI-Compliant organizations. Sensitive credit card data is never stored on our own servers, and we are certified to be in compliance with the SAQ-A-EP standard.
Data used for authentication, including passwords and PIN codes, are hashed and salted before being stored in our database. We use a version of the blowfish algorithm that allows for variable hash strength, allowing us to continually increase the strength of our hashes to stay ahead of increasing brute-force speeds.
We use an encrypted data structure that ties every piece of data to a specific user account. That means that nobody — not even our own employees — can decrypt and read data under someone else's account.
Every Multifactor customer gets a dedicated virtual phone, hosted in its own virtualized environment and completely isolated from the virtual phones of every other customer. Each virtual phone is individually encrypted and can only be accessed via its corresponding Multifactor account. That means that when your virtual phone receives an SMS message, only the Multifactor account that the virtual phone is tied to can access the phone's contents and decrypt the message.
Multifactor has partnered directly with a US cellphone carrier (a CLEC), which means that our virtual phones are connected to the national cell phone network just like a mobile phone. Our CLEC is a FCC-registed phone carrier and as such is held to the same security standards of any other US cellular service provider (including NIST SP 800-13).
Sign up for free to instantly enjoy the benefits of Multifactor's secure infrastructure defending your accounts. If you're still using your cell phone for 2FA, you're doing it wrong.