A more secure “client” for passwordless authentication

In this article, I’ll introduce a new passwordless authentication thought process: an entirely new “entity” that advanced passwordless solutions should use to achieve maximum security for businesses.

If you’ve followed my past blogs, you might have noticed that I’ve addressed how using multi-device FIDO key authentication weakens FIDO security. The National Institute of Standards and Technology (NIST) also acknowledges risks associated with multi-device keys:

“Multi-factor cryptographic software authenticators SHOULD discourage and SHALL NOT facilitate the cloning of the secret key onto multiple devices.”

— Multi-Factor Cryptographic Software Authenticators

FIDO2 is today’s paragon for a secure online authentication approach that’s significantly stronger than traditional MFA. FIDO protocols are also the foundations of the advanced passkey solution that was recently developed by the three big powers: Apple, Google, and Microsoft.

There are various implementation methods and solutions for FIDO2 values. Some are better than others regarding phishing resistance and overall security. Public key-based protocols are the foundations of FIDO2 security and are considered unbreakable — if implemented correctly. This strength makes public key cryptography the de facto standard for years to come.

A better entity for client authentication

On a conceptual level, who or what entity should be the client in the client-server authentication?

The heart of FIDO, the key, is associated with the crypto device, which stores the private key. If the device is the endpoint, the FIDO key represents the endpoint. If the crypto device is a USB key or a phone — which FIDO calls a “roaming” or “portable” key — the key still represents the device. The idea is that the key, indirectly, represents the user: the user carries the key and could use different endpoints to access online accounts.

So, regarding FIDO and passkeys, what does the FIDO key represent? The FIDO key represents the “something you have” factor of MFA. For multiple endpoints, passkey authentication uses a multi-device FIDO key. This FIDO key represents the multiple endpoint devices the user might use to access online services.

WinMagic believes in a more secure approach. Instead of using the user or the device as the client for authentication, we use a user + device combination, creating an entity that should be not only more secure, but also more logical. In our model, the FIDO key represents both the user and device, not just one component. By verifying both instead of just one, the user + device entity is the most secure client for authentication.

The purpose of authentication is clear: to make sure the authorized user, and only the authorized user, can access user-restricted services such as apps and online platforms. The rise in cyber attacks is proof that authenticating just the “user” isn’t enough. The user is unable to perform something as complex as public key cryptography and can’t communicate directly via bits and bytes with the server. Therefore, the user is a weak point for authentication. However, if the endpoint device is the subject of authentication, the server will need additional means to verify the user.

As you can see, neither the user nor device are optimal for authentication. But, using the user + device combination accurately, if feasible, would aptly address this issue. With cyber-attacks growing more and more sophisticated, this level of verification is essential for today’s authentication process.

What the FIDO key represents

To examine this concept, we’ll break down what the FIDO key represents.

If the FIDO key represents the user + device entity, the key will be different if a user uses a different endpoint with a different private and public key. For example, the key for “UserA on Device1” is completely different from the key for “UserA on Device2.”

The main reason why FIDO authentication is stronger than previous MFA methods is that public-key-cryptography-based verification of the authentication device is considered unbreakable. The problem here is that, while the device can be verified securely and reliably, the association between that device and the authorized user identity is unreliable. Meaning, authentication methods need to be able to verify that an authorized user is using the authorized device.

With user + device authentication

  • FIDO2 authentication only happens on the authorized endpoint — no other device has the FIDO key
  • The user is logged into the endpoint device and actively using it
  • The endpoint has a different FIDO key per user
  • The user has a different FIDO key when using another endpoint
  • No keys are ever shared with other devices or the server

This recipe reinforces your FIDO parameters with the result being furthermore “unbreakable” and secure against cyberattacks.

Zero trust “always verify” security

Just like passwords and MFA, passkeys aren’t the endgame, but are a critical step in the evolution toward unbreakable authentication. We at WinMagic believe the security of passkeys could be even better, providing your business with the best defense against cybercriminals. MagicEndpoint, our next-generation passkey solution, verifies the endpoint device + user with an irreputable crypto-protected FIDO key without additional signals or other complex mechanisms. The server can verify the endpoint at each authentication and re-authentication instance.

To head off the rise in cyber attacks, the cybersecurity industry is working toward what’s known as the Zero Trust principle: “Never trust, always verify.” MagicEndpoint’s user + device verification method makes your Zero Trust aspirations reachable in a verifiable way. The software can continually verify the user throughout each session, truly achieving the “always verify” requirement of Zero Trust security, especially compared to authentication solutions that only verify the user at login and reauthentication events.

A no-user-action experience

Now that we’ve deduced that the user + device is the most secure entity for authentication, how can we verify both in one swoop?

I explained earlier that the endpoint device is the most reliable client between the user and the device. MagicEndpoint can continually verify the user, leaving the endpoint device in a unique position to verify the user + device entity in a reliable and secure way.

Because the endpoint is continually verifying the user, the user doesn’t need to reauthenticate while accessing online platforms and services. Instead, MagicEndpoint handles authentication on the user’s behalf without requiring any action from the user. The user doesn’t need to click, enter their password, or perform any MFA steps to access their online accounts, providing the best possible user experience.

A deeper look at the “user + device” entity

While the server and endpoint perform FIDO authentication using public key cryptography, FIDO protocols also offer a “signature counter” that we believe can contribute substantially to cyber security, particularly by helping detect if a key may have been compromised. This signature counter can, and should, be used as an additional layer of FIDO security. At each authentication instance, MagicEndpoint increases this signature counter in an increment of 1. If this signature counter were to jump in an increment larger than 1, the server would know the private key has been compromised and is being used on a different device.

This level of verification isn’t possible if the FIDO entity is not unique on each device. Meaning, if the user uses multiple endpoints, the FIDO entity — representing the user + device — should be different on each endpoint for the signature counter to be accurate. Similarly, if the endpoint supports multiple users, the FIDO entity should be different for each user-device combination, even though they’re using the same endpoint.

It is possible to apply this concept if your setup uses a multi-device FIDO key. In this case, the private key is the same, but the FIDO entity is different. The server can then check the device’s signature counter to further verify the user and endpoint device.

Keep in mind, a roaming key, like a USB or a phone connecting to the endpoint via Bluetooth, is a legitimate FIDO authentication device and is useful in different environments. Today’s endpoint is capable of FIDO authentication and verifying the user’s presence — even the user’s intent — and can support multiple users on one device, thus building a different user-device entity for each of them. By verifying the user + device entity, this solution offers stronger, more comprehensive security with less burden on the user, requiring no action from the user to achieve the best results.

Navigating MFA risks

When it comes to phone-based MFA, there are two approaches: using the phone as an extension of the endpoint via Bluetooth, or using the phone over the network, out-of-band (OOB) where its endpoint is not verified by the server. Because OOB Bluetooth connects via the network, it adds vulnerabilities and less-than-optimal phishing resistance. An OOB phone connection is mostly needed if you must use unmanaged endpoints and can’t achieve the “user + device” entity.


With cyberattacks getting wilier by the week, security solutions are hard-pressed to keep up. Many companies have been compromised without knowing — for years at a time. Attacks like the 2020 SolarWinds hack took 14 months to discover and are proof that companies can’t be lax on their security measures. But, advancements in technology can keep up, providing protection that has the potential to be magnitudes stronger than last-gen solutions. Security protocols have taken new directions, freeing users from remembering passwords while offering effortless, no-user-action solutions for online authentication.

In 2022, 34% of companies under cyber attack in the USA took six to eight weeks to respond. Prevention is better than a cure. Cryptography is the best technology to protect both users and data. Moving forward, WinMagic recommends three actions:

  • Use state-of-the-art technologies like FIDO2 that provide phishing resistance for online authentication
  • Wherever possible, keep your keys secret — non-shared keys are the only unbreakable ones
  • When available, push for user + device (endpoint) authentication instead of just user or endpoint models

Regarding cybersecurity today, “secure enough” falls short of keeping companies safe. Your security should be as innovative and up-to-date as the cyber attacks it protects you from. By using the capable endpoint, we can achieve authentication that’s magnitudes stronger while delivering the best experience — no user action required!

Extra layers, including disk encryption and other proven solutions, can safeguard your defenses. Before long, account takeover will be behind us. It’s time to leave passwords and traditional MFA in the past, freeing users from any action with the best authentication security available.

Learn more about MagicEndpoint, the most secure passwordless authentication solution around, by contacting our Sales team.

Previous Post
What passwordless means for the healthcare sector
Contact Us

This will close in 0 seconds