Self-Service MFA with Casa


Multi-Factor Authentication Under One Roof

People have a lot of credentials. Casa provides a single point of management for end users to view, enroll, and remove MFA credentials, including FIDO passkeys, software tokens, biometric credentials, and external federated accounts (e.g. Google, Microsoft Entra, Apple). Casa is brandable and extensible. You can write plugins to support third-party authentication services, or to perform identity management “light” features like registration approval or delegated administration.

Deploy cloud-native

If you love Kubernetes, or services like Amazon EKS, Google GKE or SUSE Rancher, then Casa is for you! Casa supports cloud-native deployments using standard tools like Helm. Casa also supports multiple database backends, including LDAP, Couchbase, RDBMS, Amazon Aurora, and Google Spanner.

Enforce strong authentication
Only the right user on the right device can gain access to applications. Improve your organization’s security posture by locking the front door! Casa offers an OpenID Connect API as the interface, and returns a standard JWT “id_token” that can be used for policy enforcement.
No more password resets
Users can easily enroll, manage and remove passwordless credentials on all their devices without calling the help desk or degrading the security of the credentials. An organization’s MFA is only as strong as the weakest account recovery workflow!

Self Service MFA done right

In the old days “password-reset” was a standard identity management (IDM) feature. Every IDM still has this capability today. But as organizations roll out MFA, this “password-reset” process needs an upgrade. Technology leaders like Google or GitLab enable end users to see all their various MFA credentials on one page; end users can also add and remove new credentials. With Casa, your business can manage MFA like the pros!

Eliminate Phishing with FIDO

To defeat phishing, we need to stop the “Man in the Middle” (MITM) attack. Passwords are vulnerable, but so are OTP tokens and mobile push notifications. In order to block phishing, we need end users to start using FIDO passkeys. The first step is to enable end users to enroll USB, platform and Bluetooth FIDO credentials in your IDP. Let end users register as many devices as they want. Maybe you don’t even need to store toxic passwords?

Easy to use the credentials people have


Adaptive Authentication

Create a profile for each user, which includes information such as the user’s geographical location, registered devices, role, and more. Each time someone tries to authenticate, the request is evaluated and assigned a risk score. Depending on the risk score, the user may be required to provide additional credentials.

Location-based Authentication

Configure geo-location to trigger a requirement to use multi-factor authentication (MFA), or to take other steps, before access is granted. This helps ensure the person is who they say they are when they attempt to log in from a location they wouldn’t normally be in.

Trusted Browser

Configure web browsers to require verification. When you log in, you’ll be asked to verify your browser by entering your email, password, and a security code. Once you’ve entered these credentials, your browser will be considered verified.

Choose any standard or commercial authentication solution


Built-in MFA that comes out of the box!

Super Gluu, a free iOS / Android App

Super Gluu can be configured to support a passwordless authentication workflow where the user scans a QR code for each sign in, or simply enters a username and approves a push notification.

FIDO / WebAuthn

Many great USB, Bluetooth and Lightning tokens are available from vendors like Yubico, Feitian, AuthnTrend and others. But new iPhones and MacBooks also have FIDO built-in. You can’t “top-down” provision FIDO for users. Casa is an essential tool to roll out FIDO, which requires end users to enroll their devices.

Google Authenticator

Sometimes good old OATH tokens (HOTP/TOTP) are handy. Some devices just don’t support any mechanism to display a web page, and sending an OTP as the password mitigates some risk. Casa supports using a QR code to enroll an OTP software app (like Google Authenticator). You can also enroll a hardware OTP device (e.g. a keyfob), manually or via an API.

Plugins add more MFA options

Casa is a plugin-oriented, Java web application. Existing functionality can be extended and new functionality and APIs can be introduced through plugins.


BioID Web Service offers liveness detection and facial recognition biometric authentication services. It strengthens identity verification around the world with reliable, device-independent anti-spoofing. BioID liveness detection is compliant with ISO/IEC 30107-3 and offers seamless implementation and user experience, requiring nothing more than a few selfies taken with any standard camera.


Multi-factor authentication from Cisco’s Duo protects your applications by using a second source of validation, like a phone or token, to verify user identity before granting access. Duo is engineered to provide a simple, streamlined login experience for every user and application, and as a cloud-based solution, it integrates easily with your existing technology.


Twilio is an American company based in San Francisco, California, which provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.

Streamline your communication capabilities with Twilio’s advanced suite of APIs.