PLEASANTON, Calif., April 22, 2026 (GLOBE NEWSWIRE) — The cyberattack that disrupted Stryker Corporation earlier this year exposed a vulnerability that security professionals have long warned about when attackers target an organization’s identity systems, the very tools companies rely on to verify employees and restore access can become the first casualties. Today, Avatier is responding to that threat with the launch of the Identity Challenge Card, the first auto-enrolled, air-gapped Multi-Factor Authentication (MFA) solution designed to remain operational even when enterprise devices, networks, and identity platforms have been compromised.
Unlike device- or network-dependent MFA solutions, the Identity Challenge Card is a secure printed card pre-issued to each employee. Authentication requires only the physical card and a simple challenge-response exchange — no smartphone, no app, no battery, and no internet connection required.
Alongside the new product, Avatier is also highlighting its free Attack Cost Calculator at AttackCost.com, which enables executives to quantify the financial exposure of a cyberattack based on workforce size, average compensation, daily revenue, and projected system downtime.
What Happened at Stryker and Why It Matters
Public reporting on the Stryker incident indicates that attackers gained access to administrative credentials and leveraged enterprise device management tools to execute a large-scale device wipe, effectively locking employees out of their systems and disrupting internal operations across the organization.
The attack underscores a growing and troubling trend in cybersecurity: identity infrastructure has become the primary target. Compromising an organization’s identity systems doesn’t just open the door to data — it can bring an entire business to a halt.
Can Multi-Factor Authentication (MFA) Fail During a Cyberattack?
The short answer is yes — and understanding why requires a closer look at how most MFA solutions are built.
Multi-Factor Authentication (MFA) is a security process that requires users to verify their identity using two or more independent factors before gaining access to a system. In practice, most enterprise MFA solutions rely on a combination of three things: the user’s device (typically a smartphone running an authentication app), a connected identity provider such as Microsoft Azure Active Directory or Okta, and a live network connection to facilitate the verification process.
In a sophisticated cyberattack like the one targeting Stryker, all three of these dependencies can be knocked out simultaneously. When devices are remotely wiped, employees lose access to their authentication apps. When identity providers are taken offline or compromised, the systems that validate credentials stop functioning. And when network access is disrupted, authentication requests simply cannot complete. The result: employees cannot log in, service desks cannot verify caller identity, and IT teams are left without a reliable way to restore access at scale.
This is not a theoretical failure mode. It is an increasingly common outcome in enterprise-level attacks — and it is precisely the gap that the Identity Challenge Card was designed to address.
Introducing the Identity Challenge Card: Authentication That Works When Everything Else Doesn’t
Avatier’s Identity Challenge Card introduces a new category of enterprise security: Universal, Air-Gapped MFA. Unlike device- or network-dependent solutions, the Identity Challenge Card is a secure printed card pre-issued to each employee. Authentication requires only the physical card and a
simple challenge-response exchange — no smartphone, no app, no battery, and no internet connection required.
Key features of the Identity Challenge Card include:
- Auto-Enrollment at Scale: Organizations can enroll 100 percent of their workforce in as little as one day, with no device provisioning, no app installation, and no reliance on IT infrastructure.
- One-Time Challenge Values: Each authentication uses a unique, one-time challenge value — particularly when helpdesk is validating identity. Used values are permanently invalidated and never reused, preventing replay attacks while keeping valid entries available for future use.
- Air-Gapped by Design: Because the system operates entirely offline, it cannot be remotely compromised. There is no attack surface for credential-based intrusion or network-level exploitation.
- Crisis Continuity: When identity systems fail, service desks can still verify callers, employees can still authenticate, and business operations can continue — even in the middle of an active attack.
Quantifying the Financial Risk: AttackCost.com
For organizations seeking to translate cyber risk into boardroom-ready financial terms, Avatier has made its Attack Cost Calculator available at no cost at AttackCost.com. Unlike broad industry breach reports, the calculator allows organizations to model their own specific exposure — factoring in workforce size, compensation levels, revenue per day, and estimated downtime — to arrive at a concrete figure that executives and CFOs can act on.
For many mid-to-large enterprises, the results are sobering: a successful identity-targeting attack can translate into losses of $10 million to $100 million or more in a matter of days.
“Cybersecurity is no longer just an IT issue, but a business continuity issue. When identity systems are compromised, companies don’t just risk data exposure; they lose the ability to operate. The industry has spent years adding layers to MFA, but those layers depend on devices, networks, and identity providers that attackers can take down at the same time. We took a different approach by removing those dependencies entirely. With the Identity Challenge Card, organizations can maintain trust, access, and productivity even in the middle of an attack. Our goal is to help companies recover quickly and keep business operations running.”
— Nelson Cicchitto, CEO, Avatier
What Organizations Should Do Now
In light of the Stryker incident and the broader trend of identity-targeting attacks, security and operations executives are encouraged to take the following steps:
- Assess your current MFA solution’s dependencies, including what happens to authentication if devices are wiped or identity providers go offline.
- Calculate your organization’s financial exposure using the free Attack Cost Calculator at AttackCost.com.
- Request a rapid deployment briefing for Identity Challenge Card to understand how your organization can achieve enterprise-wide coverage within 24 hours.
- Visit avatier.com to learn more about the full Avatier identity security platform.
About Avatier
Founded in 1997 by Nelson Cicchitto, Avatier secures and automates the entire identity foundation so organizations can move faster, reduce risk, and empower every interaction. The Avatier platform delivers Trusted Conversational AI for Identity — automating the critical controls that enable Zero Trust and ensure compliance, including passwordless authentication, credential governance, lifecycle provisioning, and access governance. Trusted by Fortune 500 organizations across healthcare, financial services, manufacturing, energy, government, military, and education, Avatier turns identity into a measurable driver of security, productivity, and cost efficiency.
Identity Anywhere™ | avatier.com
Media Materials:
Cyber Attack Cost Calculator
Watch Stryker Attack Cost Video
Watch Stop MFA Push Bombing Video
Speak With Avatier CEO
Avatier Media Kit
Media Contacts:
Mary Marshall, Director of Communications, Avatier | +1 925-217-5170
Michele Nachum, FirecrackerPR | [email protected] | firecrackerpr.com | +1 425-698-7477
Photos accompanying this announcement are available at:
https://www.globenewswire.com/NewsRoom/AttachmentNg/e91d712a-e5d6-479e-b6c4-5f2cd7f7c01e
https://www.globenewswire.com/NewsRoom/AttachmentNg/b9242356-8466-4a5a-a925-0c10707b3d67