Not a compensating control. A structural fix.

MyCena removes credentials from human knowledge at the architectural layer — deployed as a software overlay in two weeks, no infrastructure changes, alongside your existing IAM, PAM, MFA, and SSO.
Of breaches exploit stolen or compromised credentials — Verizon DBIR 2024
From sign-off to live deployment — no infrastructure changes, no downtime
Of employees reuse passwords across personal and corporate systems — LastPass 2022
From revocation command to zero access across all connected systems
The architectural gap

The gap that every existing tool leaves open.

Thirty years of security tooling — firewalls, MFA, zero trust, PAM — share a single assumption: users hold their own credentials. Every one of these tools verifies or protects the credential after the user has it. None of them controls who holds it in the first place.

That is the gap. And it is the gap that attackers exploit in 81% of breaches — not through technical bypasses, but through the credential itself. Phishing, social engineering, credential stuffing, insider sharing: every one of these requires the same precondition. The user knows the password.

MyCena removes that precondition. The organisation generates every credential centrally. The user never sees it, never stores it, never knows it. There is nothing to extract — from a phishing page, from a social engineer, from a departing employee’s memory, or from a vendor who has overstayed their engagement.

Architecture

How it works at the technical layer.

MyCena operates across four stages — generation, distribution, injection, and revocation — as a software overlay that requires no changes to existing infrastructure.

Generation

Credentials are generated centrally by the MyCena platform — not by users, not by IT on behalf of users. Every credential is unique per user per system, high-entropy, and never derived from user-memorable information. The organisation holds cryptographic control over every credential in scope.

Distribution

Credentials are distributed end-to-end encrypted to the user’s authenticated device. They are never transmitted in plaintext. The browser extension is the only decryption point — at the moment of injection. No credential resides in user-accessible storage, clipboard, or memory in readable form.

Injection

At login, the MyCena browser extension intercepts the authentication request and injects the credential directly into the form field. The browser is actively blocked from saving, auto-completing, or displaying the credential value. The user clicks once — access is granted. They have no knowledge of what was used.

Revocation

A single administrator command revokes all credentials for any user simultaneously across every connected system. Revocation is confirmed with a timestamp and a post-revocation blocked access log. Average time from command to zero access: under 60 seconds. Every revocation event is tamper-evident and auditable.

Integration

MyCena operates as a software overlay alongside existing IAM, PAM, SSO, LDAP, RDP, SSH, and legacy application environments. No infrastructure changes required. Complements — rather than replaces — existing MFA, SSO, and PAM tools. Deployment: two weeks from sign-off to live.

The user holds the credential. That is the attack surface. MyCena removes it structurally.

Attack surface reduction

Attack vectors addressed — what changes structurally.

Each of these vectors requires the same precondition: a credential in human hands. Removing that precondition closes all of them simultaneously.

01 — Phishing
Credential theft via deceptive communication
User enters credential on spoofed site. Attacker gains valid session access, often undetected for weeks.
No credential exists in user knowledge. Phishing finds nothing to steal. User cannot enter what they do not know.

02 — Social engineering
Credential extraction via impersonation
Attacker calls as IT support. User reads credential aloud or enters it on attacker-directed screen.
“I don’t know my password — the system handles it” closes the attack vector entirely. Nothing to extract under pressure.

03 — Credential stuffing
Reused passwords exploited across services
Employee reuses personal password on corporate systems. External breach yields valid corporate credentials.
MyCena generates unique, high-entropy credentials per system per user. No reuse is possible. Stuffing finds no match.

04 — Insider threat
Deliberate credential sharing or sale
Employees share credentials, sell access, or leave with active credentials. Attribution is impossible.
Credentials are never in user possession. Sharing is architecturally impossible. Every access event is attributed to one named identity.

05 — Offboarding failure
Persistent access after employment ends
Departed employee retains active credentials for days or weeks. Revocation is manual and rarely covers all systems.
One command. All systems. Simultaneous revocation. Logged with timestamp. Zero access window provable from the revocation log.

06 — Third-party access
Uncontrolled contractor and vendor credentials
Vendors hold credentials to client systems indefinitely. Revocation on contract end is manual and often delayed.
All vendor credentials are organisation-controlled, scoped per system, and revocable instantly. Third-party access report on demand.
Technical Q&A

Common technical questions.

The question / The answer

“Does this replace our existing SSO or PAM?”

No — MyCena is additive. It operates alongside your existing SSO, PAM, MFA, and LDAP. It addresses the layer beneath all of them: who holds the credential before SSO authenticates it or PAM manages it. No existing tool needs to change.

“What is the deployment footprint?”

Browser extension on user devices, plus the MyCena platform (cloud, on-prem, or private cloud). The client’s IT team spends approximately 4 hours on configuration across Days 1–2. No downtime, no user disruption, no changes to backend systems.

“How does it handle AI agents and service accounts?”

MyCena inventories, governs, and revokes AI agent credentials and service accounts using the same architecture as human credentials. Every automated access event is logged with full attribution — which agent, which system, when, from where.

“What does the audit log cover?”

100% of MyCena-mediated access events: user identity, system, timestamp, device identifier, source IP. Exportable in CSV, JSON, and SIEM-compatible formats. Covers provisioning, access, and revocation at 100% coverage.

“What happens if MyCena goes down?”

MyCena maintains a 99.5% uptime SLA. Credentials cached on authenticated devices remain functional within configurable session windows during short outages. Full failover documentation is provided at deployment.

The architectural position
“MyCena is the first and only patented technology that puts organisations in complete control of their credentials. Not policy. Architecture.”
— MyCena Security · Patented architecture · US & Europe
Compliance coverage

Framework evidence — generated automatically.

MyCena generates the access control evidence required by these frameworks as a byproduct of normal operation — not as a separate compliance process.

SOC 2 Type II (AICPA TSC)
  • CC6.1 — Logical access architecture
  • CC6.2 — Registration & authorisation
  • CC6.3 — Role-based access & removal
  • CC6.6 — External threat protection
  • CC6.7 — Transmission controls
  • CC7.2 — Security event monitoring
  • CC9.2 — Vendor access management
HIPAA Security Rule
  • §164.312(a)(1) — Unique user ID
  • §164.312(a)(2)(i) — Automatic logoff
  • §164.312(a)(2)(ii) — Emergency access
  • §164.312(b) — Audit controls
  • §164.312(d) — Entity authentication
  • §164.308(a)(3) — Workforce security
NIST CSF 2.0
  • PR.AA-01 — Credential management
  • PR.AA-02 — Identity proofing
  • PR.AA-05 — Least privilege
  • DE.AE-02 — Anomaly detection
  • RS.MA-01 — Incident containment
  • GV.OC-01 — Governance context