What Comes Next for Passkeys?

Passkeys are rapidly becoming the modern baseline for secure login. They replace passwords with strong public-key cryptography, provide consistent protection across platforms, and help everyday users move away from fragile, error-prone authentication habits. The industry’s broad embrace of Passkeys is a meaningful step forward.

But as WinMagic has been doing for almost three decades, we continue to challenge long-standing assumptions. One of the most foundational is the belief that verifying the user requires the user to perform an action. A fingerprint, a face scan, a PIN, a device unlock these gestures have always been treated as the necessary proof of human presence, Passkeys included.

This assumption feels natural because that’s how authentication has always been done. But technology has changed, and the environments in which we authenticate have changed. It’s now possible to ask a new question: what if strong user verification did not require user interaction?

Introducing Live Key: A Key That Exists Only While Trust Exists

Live Key builds on this idea. It introduces a credential that behaves differently from traditional keys:

Live Key is a cryptographic key that remains available only while the endpoint maintains verified trust including user verification, device state, and policy conditions.

Unlike static credentials that exist indefinitely once created, a Live Key becomes unavailable the moment trust is broken. This simple concept opens the door to a new generation of authentication: one that is secure, dynamic, and free from repeated user interaction.

How Live Key Verifies the User Without Requiring a Gesture

Live Key performs strong user verification at the points where trust is naturally highest, such as boot and OS login with local MFA. From there, the endpoint continuously upholds verified presence, using mechanisms built into every operating system: screen-lock enforcement, posture checks, integrity monitoring, application context, and real-time signals about how the device is being used.

Here is where Live Key introduces something no authentication model does today: user intention. The endpoint knows which application initiated a request, whether the user is interacting with the correct window, and whether the context matches the user’s behavior. A gesture alone cannot tell the system what the user meant to do but endpoint signals can.

This makes Live Key both more secure and more aligned with real human behavior.

A Timeline of Trust Is Stronger Than a Moment of Proof

Because trust is maintained continuously by the endpoint, Live Key does not rely on a single instant of user interaction. A gesture provides only a snapshot; Live Key establishes a timeline of trust, upheld by real-time conditions. This results in stronger accuracy, greater resiliency, and automatic revocation the moment conditions change.

The key point is not user interaction itself; it is that a snapshot can only capture one moment, while a timeline can reflect ongoing truth.

Removing Interaction Unlocks Transport-Layer Identity (LIT)

Once a credential no longer requires a user gesture during authentication, it can operate in places where gesture-dependent systems cannot. Live Key can participate directly in mutual TLS, proving identity inside the TLS handshake without interrupting the user.

This enables Live Identity in Transport (LIT) a model where the secure channel itself carries verified identity from the first packet. Identity moves from the login screen into the transport layer, changing how the entire session is protected.

Why Sessions and Transactions Matter and Why We Address Them

Passkeys focus on authentication. Current systems rely on different  including emerging technologies to protect sessions after authentication, such as cookies, OAuth tokens, channel binding, and holder-of-key assertions.

But as new ways of thinking can unlock new possibilities, Live Key can address what comes after login. Live Key and LIT extend beyond authentication into protection of the sessions, the transactions, and the data, reducing or eliminating the need for bearer tokens and the additional mechanisms the industry is working toward.

A next-generation Passkey can protect the whole session, not just the sign-in.

Extending the Model to Machine Identities

 

Today’s systems depend heavily on non-human identities applications, services, containers, background agents. Their legitimacy depends on real-time conditions such as device posture, code integrity, runtime approvals, and policy compliance. A static certificate cannot capture this dynamic reality.

A Live Key can.

A service holds identity only while its environment meets policy, and under LIT, it proves that identity directly in transport. Humans and services both rely on the same principle: identity exists only while trust exists.

A Unified Principle for the Next-Generation Passkey

This leads to a coherent model for what a next-generation Passkey should be:

  • identity that exists only while trust exists
  • continuous verification upheld by the endpoint
  • stronger assurance without repeated user interaction
  • transport-native identity that protects the entire session
  • one model that applies to people and services

Passkeys brought modern cryptography to login. Live Key and LIT take the next step: they enable FIDO2-level authentication with no user interaction and extend protection beyond sign-in to the transactions that follow. In the natural evolution of online authentication from passwords, to MFA, to passwordless the next stages move toward user-less and eventually authentication-less online access. With LIT, identity shifts from being a login event to becoming part of the secure connection itself.

The Path Forward: LIT Tomorrow, ME Today

Live Key and LIT together outline what the next generation of online access should look like: strong, continuous, transport-native identity that goes far beyond the limits of gesture-based authentication. This model does require adoption by service providers, because LIT shifts identity into the secure channel itself.

But that future is already within reach.

MagicEndpoint (ME) uses Live Key today, which means it delivers the closest experience to next-generation identity available anywhere. ME offers the benefits of non-interactive, continuously verified authentication immediately, while also providing broader coverage: IdP integration, endpoint intelligence, credential injection for legacy apps, and secure access across environments that do not yet support LIT.

Organizations can adopt ME now to benefit from the strengths of Live Key today and be ready for the transport-native identity model of tomorrow.

Previous Post
WinMagic Challenges Identity-First Security: The Industry Has Been Verifying the Wrong Identity
Next Post
60% of Cyberattacks Break Identity — Is Identity First a Bad Idea?
keyboard_arrow_up