Security
Go beyond auth with full fraud and risk protection
In today’s world, authentication alone is not enough to protect your users and company from fraudulent or malicious actors. That’s why Stytch offers a host of fraud and risk tools through our security product suite, to give your application future-proof, extra-mile coverage against account takeovers and other malicious activities.
Stay ahead of bad actors
If you want to keep your site safe from account takeovers or ransomware, you need to protect it from bots. This can be done with features like breach-resistant passwords and multi-factor authentication, but also with fraud and risk tools like device fingerprinting and CAPTCHA solutions that are specifically designed to tell non-humans from real people, and permanently keep bots out of your application.
of web traffic today is bot traffic, and over 50% of that traffic is malicious.
Full security coverage that’s totally customizable
Unlike other CIAM providers, Stytch offers full-coverage fraud & risk protection for modern companies, not just authentication or user management. Our suite of security tools is strong enough to withstand the most robust hacking attacks while remaining flexible and customizable for your product. Some of our protections include:
Granular device fingerprinting
Stytch’s device fingerprinting combines a number of unique characteristics that are especially difficult to reverse engineer to help you detect humans vs. bots. We also offer customizable rules for device groupings, as well as individual device IDs for granular control, so that you can use our powerful device fingerprinting tools however makes sense for your application. Common use cases include device remembrance, traffic shaping, and anti-aggregation.
Bot-proof CAPTCHA
Unlike most CAPTCHA solutions, Stytch’s Strong CAPTCHA thwarts CAPTCHA farms in their tracks by eliminating the public key architecture that typically leaves CAPTCHA solutions vulnerable to hacking by bad actors.
Breach-resistant passwords
Stytch has built in several additional guardrails to make sure your users don’t use compromised or weak passwords that could be hacked with brute force attacks. For example, we scan data breaches to detect when users are using compromised credentials and alert you to this threat.
Multi-factor authentication
Even the most sophisticated passwords can still fall victim to social engineering. Phishing techniques only grow more sophisticated by the day, with over 80% of data breaches today caused by compromised passwords. Stytch supports a whole suite of multi-factor auth solutions, including phishing-resistant ones, to make sure only your users access their accounts.
Seamless integration
Our fraud & risk prevention products can integrate seamlessly with your company’s own auth and risk solutions, or come as part of our full-package authentication platform, including passwords, multi-factor authentication, and sessions.
Your auth partner for the long-haul
Our platform helps you build secure onboarding and authentication experiences that retain and engage your users. We build the infrastructure, so you can focus on your product.
Boost security
With Stytch, you get full protection across the entire authentication and authorization process, as well as a suite of fraud & risk tools.
A unified platform
In addition to offering an iron-clad security platform, Stytch also provides a full authentication suite that includes passwordless auth, session management, breach-resistant passwords, and multi-factor authentication, as well as B2B offerings like org and access management and single sign-on.
Save time
We prioritize customer support and lightning-fast integration, so your team can get auth up and running ASAP and get back to building your product.
Developer-first
We build all of our products developer-first, so you can get up and running in hours and minutes, not months. This includes:
Ready-to-go APIs
Take ownership of your auth experience and create fast, safe, and easy authentication flows by choosing our direct API integration. Whether you want to build MFA with Email Magic Links or WebAuthn, or step-up auth for more sensitive transactions, we make it easy to tailor your auth flow to the needs of your product.
Straightforward, user-friendly documentation
Get clear, searchable, encyclopedic documentation for quick and painless integrations. Everything you need to get up and running, all in one place.
FAQs
Do I have to use your authentication or org management services in order to get your fraud & risk tools?
Nope! Our fraud & risk management tools can work with any CIAM solution. Though if you’re looking for a more future-forward and affordable solution to your product’s authentication or session management, we’re always happy to chat.
What types of MFA does Stytch support?
What exactly does phishing-resistant MFA mean? I thought MFA was phishing-resistant…
You’re not alone! But unfortunately, certain MFA factors like SMS passcodes can still be vulnerable to certain kinds of attacks, mostly based on hackers’ ability to prey on people’s emotions. The best way to prevent this is through auth factors that leverage biometrics – a type of credential that’s much more unique and harder to steal given its device-tied nature. For a deeper dive on what this can look like, check out our blog on unphishable MFA, or our WebAuthn or Native Mobile Biometrics products.
What type of bot detection tools are right for my application?
Stytch offers two forms of bot detection and prevention. Device fingerprinting is a fully passive approach that requires no user friction and therefore is recommended for all use cases where you’re looking to prevent bot activity on your site. Strong CAPTCHA is a lightweight image CAPTCHA but does require user interaction to solve the puzzle – it’s best suited for advanced bot prevention where your site is experiencing particularly sophisticated bot attacks, and you’re OK presenting a small amount of user friction through the form of an interactive challenge.
How does Stytch’s device fingerprinting solution differ from others on the market?
We think our product differs in three main ways:
- Stability: Our device fingerprints remain stable across incognito browsing, webviews, VPNs, changes to user agent or IP addresses, and more.
- Customizability: While we offer a set of default groupings for devices (based on level of trust), we give our customers the ability to customize the rules and set the actions taken based on the grouping that a device falls into.
- Control and security: For customers who want even more granular-level controls, Stytch also offers a unique identifier for each device, making it easy to determine how you respond to individual users’ devices.
How does Stytch’s Strong CAPTCHA solution differ from others on the market?
Most CAPTCHA solutions are still vulnerable to bot-hacking through a cottage industry called CAPTCHA farms. This is because of their public key architecture, which exposes key information to the public that can then be exploited by hackers. Stytch completely removes the public key component from all client-side browser environments, protecting your users from bots and CAPTCHA farms alike.