For twenty years, an Irvine company has chased one stubborn question. Now it asks it of people, machines, and the AI agents quietly acting on their behalf.
Somewhere right now, an employee opens a laptop and is let in without typing a password. A customer taps a phone and a bank account swings open. And quietly, in the background, a software agent - not a person at all - requests access to a system and is handed a scoped, time-boxed permission. Three very different actors. One company deciding, in milliseconds, whether each of them is telling the truth.
That company is SecureAuth. It does not make a product you brag about at dinner. It makes the thing you only notice when it fails - the moment of trust between a user and a system. Its bet, repeated for two decades, is that the password was always the weakest part of that moment, and that the real question isn't "do you know the secret?" but "are you actually who you claim to be, right now, still?"
The slogan on its own brand art says it plainly: Continuous Authority. Most security stops at the door. SecureAuth wants to stay in the room.
The name is a tell. SecureAuth began life as MultiFactor Corporation - betting on multi-factor authentication years before "MFA" became a checkbox in every onboarding flow. Founded in 2005 in Irvine, California, it was early to an idea that later became gospel: that authentication should adapt to context, tightening when something looks off and getting out of the way when it doesn't.
That was the seed of risk-based authentication, a category SecureAuth helped define. Instead of treating every login the same, it scored them - device, location, behavior, time of day - and let the safe ones glide through.
The company kept its head down through a private-equity recapitalization led by K1 Investment Management in 2017, the same year it merged with Core Security. Then it went shopping. Acceptto in 2021 brought AI and continuous authentication. Cloudentity in 2024 added API access control and dynamic authorization. SessionGuardian, later that year, brought continuous biometric assurance.
The pattern is patient, not flashy: buy the pieces, stitch them into one fabric, and keep pointing at the same question.
SecureAuth organizes its work under two umbrellas - Workforce for employees and CIAM for customers - and powers both with the same AI risk engine. Here is the toolkit.
Passwordless sign-in, continuous risk-based authentication, and orchestration in one platform. Offers pre-, at-, and post-authorization - "invisible MFA" that runs behind the scenes.
SSO, MFA, and passwordless access for employees and contractors across cloud and hybrid environments - sign in with a mobile app or a FIDO2 key like YubiKey.
Customer identity for consumer apps, expanded by the Cloudentity acquisition to add API access control and fine-grained dynamic authorization.
Biometric Continuous Identity Assurance: continuous facial authentication that re-verifies a user throughout a session - built for a remote-first world.
Extends Zero Trust controls to AI agents and automated workflows, so the non-human actors now holding the keys operate under scoped, continuous authority.
Patented machine learning scores every request in real time, powering adaptive decisions for both workforce and customer identity.
SecureAuth is not a household name, and that is partly the point. It sells into the places where a bad login is expensive - financial services, healthcare, government, energy and utilities, retail. Roughly 150 to 220 employees. An estimated $55M in annual revenue. Headquartered in Irvine, with a leadership bench drawn from across the security industry.
The competitive set is crowded: Okta and Auth0, Ping Identity, Microsoft Entra, SailPoint, RSA, ForgeRock. SecureAuth's wager is depth on the risk-engine and continuous-authentication side, rather than breadth of brand.
In December 2025, SecureAuth named Geoffrey Mattson CEO. His resume reads like a tour of the security industry - former CEO of Xage Security, co-founder of MistNet.ai (acquired by LogRhythm), with earlier engineering roles at Juniper Networks, Huawei, Nortel, and, going all the way back, Bell Labs. He holds patents in AI, cybersecurity, and networking.
The hire signals where the company thinks the puck is going. As enterprises hand real operational authority to AI agents, those agents need identities too - badges, boundaries, and someone accountable when they act. SecureAuth's framing is that identity is becoming the control plane for how humans, machines, and AI agents work together.
Founded in Irvine, California - originally as MultiFactor Corporation - betting on multi-factor authentication before it was fashionable.
Recapitalized by private equity firm K1 Investment Management (~$200M) and merged with Core Security.
Acquired Acceptto, bringing AI/ML-driven continuous authentication into the fold.
Acquired and integrated Cloudentity, expanding CIAM into API access control and dynamic authorization.
Relaunched Workforce and CIAM under a new vision with redesigned user experiences.
Acquired SessionGuardian and launched Biometric Continuous Identity Assurance (BCIA).
Appointed Geoffrey Mattson CEO to lead the push into human, machine, and AI-agent identity.
Return to that opening moment. The employee who didn't type a password. The customer whose account opened with a tap. The software agent handed a scoped key. A few years ago, two of those three would have been a problem - the passwordless employee a risk to manage, the AI agent a thing nobody had a plan for.
SecureAuth's twenty-year argument is that all three belong to the same question, and that the answer can't be a one-time yes. It has to keep being asked, quietly, for as long as the session lasts. The door check became a room watch. The secret you knew became the behavior you can't fake. And the list of who counts as a "user" grew to include things that were never alive.
None of this makes headlines the way a breach does. That is rather the point. The best outcome SecureAuth can deliver is a moment you never think about - a login that simply, continuously, holds.