Liveness MFA for Microsoft Entra ID

Stop Phishing at the Face.

The only External MFA for Microsoft Entra ID that cryptographically binds every sign-in to a live, present human — delivering phishing-resistant authentication that meets FFIEC and NIST expectations without new hardware or user friction.

SMS and email OTPs can be intercepted, SIM-swapped, or bypassed by adversary-in-the-middle attacks. FaceLock Elevated MFA replaces shared secrets with a live biometric root of trust that cannot be phished, replayed, or stolen.

FaceTec® and UR Code™ are registered trademarks of FaceTec, Inc. Envoc is an official FaceTec reseller partner. FaceLock is powered by FaceTec's 3D Liveness technology and biometrically-bound UR Codes.

The MFA Gap Banks Can No Longer Ignore

In 2026, financial institutions face a regulatory and operational reckoning. FFIEC guidance and NIST SP 800-63B/4 now expect phishing-resistant MFA for high-risk access. Yet most organizations still rely on SMS or email one-time codes — methods that regulators increasingly classify as restricted authenticators.

The reality for banks today:

  • SIM-swapping attacks allow fraudsters to hijack phone numbers and intercept SMS codes in real time.
  • Adversary-in-the-Middle (AiTM) phishing kits — now available as a service — capture both passwords and session cookies even when users enter legitimate OTPs.
  • SS7 network vulnerabilities enable interception of text messages without the user's knowledge.
  • AI-powered deepfakes and voice cloning are eroding trust in any verification that does not confirm live human presence.

The result? Billions lost annually to credential fraud, escalating compliance risk, and help-desk costs that consume security budgets.

FaceLock closes the analog gap. Every authentication is sealed to a live 3D face — creating an immutable, auditable root of trust that push notifications, security keys, and 2D face scans cannot match.


How FaceLock Elevated MFA Works with Entra ID

OIDC-based External Authentication Provider with FaceTec 3D Liveness, bitemporal biometric binding, and native Conditional Access integration.

01

Entra Redirects to FaceLock

Your existing Conditional Access policy triggers FaceLock as an External Authentication Provider. The user sees a familiar Entra-branded experience — no new app to download, no new hardware to distribute.

02

Live 3D Face Verification

The user's device performs a real-time 3D liveness scan. FaceTec's industry-leading technology confirms the person is physically present, not a photo, video, or deepfake injection. The live face is matched against the bitemporal BiometricBindings record — only a real, previously enrolled user succeeds.

03

Signed Token Returned

FaceLock issues a cryptographically signed id_token containing the assurance claim amr:["face"]. A new temporal audit record is appended, creating an immutable chain of custody for compliance and forensics.

04

Native Entra Experience

The authentication appears alongside Microsoft Authenticator in your Conditional Access policies. Users experience zero additional friction; security teams gain phishing-resistant assurance.

See FaceLock Elevated MFA in Action

Watch the live 3D face scan, biometric match against historical binding, and signed claim returned to Entra — all in seconds.

The Elevated MFA challenge, step by step

From Entra sign-in to phishing-resistant verification — what your users experience on their phone.

01

Sign-in request arrives

Conditional Access triggers FaceLock. The user receives a push notification to complete identity verification — no SMS code to intercept.

02

Identity verification begins

The user opens the request and sees that a liveness check is required to complete the Entra sign-in — familiar, branded, and purpose-built.

03

Live 3D face scan

FaceTec 3D Liveness confirms a physically present person — not a photo, replay, or deepfake — and matches against the enrolled biometric binding.

04

Verification successful

Identity verified. FaceLock returns a signed assurance to Entra and the user is signed in — with a new temporal audit record appended.

What Makes This Different

True 3D Liveness

FaceTec's proven 3D liveness detection with a public $600,000 Spoof Bounty Program — continuously tested against presentation attacks in production.

Bitemporal Biometric Binding

Every authentication is cryptographically sealed to a specific moment in time and a verified live face.

Seamless Entra Integration

Works natively with Conditional Access policies and appears alongside existing MFA methods.

Path to Verifiable Credentials

Successful Elevated MFA events can immediately power issuance of FaceLock UR Code credentials for offline verification.

The foundation is FaceTec 3D Liveness — validated through a public $600,000 Spoof Bounty Program and rigorous regression testing that has never been defeated in production.

Envoc is an Innovation Partner of FaceTec

FaceLock, created by Envoc, is an Innovation Partner of FaceTec. After rigorously evaluating numerous identity verification and liveness solutions, Envoc selected FaceTec as the undisputed gold standard for biometric liveness detection. FaceTec puts its money where its mouth is by maintaining a real $600,000 Spoof Bounty Program — the largest and most transparent in the industry.

Built for Banking Compliance

FaceLock Elevated MFA is designed to help financial institutions meet or exceed:

FFIEC Authentication Guidance

Supports risk-based, phishing-resistant MFA across all user types — employees, third parties, and privileged accounts.

NIST SP 800-63B / NIST SP 800-63-4 (effective July 2025)

Delivers an AAL2 phishing-resistant option and AAL3-capable cryptographic assurance with explicit user intent.

NIST Cybersecurity Framework 2.0

Provides the Govern function evidence examiners expect: documented policies, risk-based controls, and continuous monitoring.

GDPR & Audit Readiness

Bitemporal biometric binding answers "what was true at the moment of authentication?" with immutable chain-of-custody records.

Banking-specific outcome: Reduce fraud losses, lower regulatory exam friction, and demonstrate to auditors and boards that authentication controls are commensurate with risk.

Benefits for Banking Decision-Makers

True Biometric Root of Trust

Every sign-in is bound to a live, present human. No factor can be stolen, phished, or replayed — directly addressing the #1 attack vector in financial services.

Complete Temporal Audit Trail

Answer "who was authenticated and when?" with bitemporal queries. Built for FFIEC exams, GDPR Article 30 records, and forensic investigations.

Native Entra Integration

Appears as an External MFA method in Conditional Access. Works with existing policies. Zero new user training required.

Path to Credential Fabric

Successful Elevated MFA immediately enables issuance of FaceLock UR Code credentials — verifiable offline by any smartphone camera, even without network connectivity. One biometric root of trust powers both digital access and physical ID verification.

Battle-Tested Liveness

Powered by FaceTec 3D Liveness with a public $600,000 Spoof Bounty Program. Continuous regression testing against Level 1–5 attacks, deepfake injection, and virtual-camera bypasses — never defeated in production.

One Biometric Root of Trust. Endless Trust Use Cases.

After a successful Elevated MFA event, the same live biometric binding can immediately be used to issue a FaceLock UR Code credential — delivered as an Apple/Google Wallet pass or printed card. The credential carries the identical face-bound proof and can be validated offline by any Relying Party using the free FaceLock Reader app — even in areas with no network connectivity.

This creates a continuous chain of trust:

Strong Authentication Today → Sealed, Auditable, Offline-Verifiable Credential Tomorrow

Banks can now:

  • Authenticate employees and customers with phishing-resistant MFA
  • Issue the same biometric proof as a mobile driver's license, professional credential, or secure access badge
  • Verify credentials at branches, partner locations, or in the field without internet

Ready to Replace SMS and Email MFA with Phishing-Resistant Biometrics?

Schedule a 30-minute security posture review with our team. You will receive:

  • A confidential assessment of your current Entra MFA configuration against FFIEC and NIST expectations
  • A tailored implementation roadmap for FaceLock Elevated MFA
  • Live demonstration of the Entra integration and UR Code credential issuance
  • ROI estimate based on your organization's fraud loss and help-desk ticket volume

No obligation. 30 minutes that could fundamentally strengthen your authentication posture.


Elevate Entra Security with Live 3D Face Binding

From phishing-resistant login to offline-verifiable credentials — all with immutable audit history. The only External MFA provider with publicly proven liveness defense.