After the Login: Our CEO on What Should Protect Every Transaction You Make Next

Every World Password Day, the conversation lands in the same place. Stronger passwords. More MFA. Passkeys. All of it is good progress, and all of it is about the login. 

Our founder and CEO, Thi Nguyen-Huu, wanted to ask a different question. Once you have logged in, what protects everything you do after that? His new article in the June 2026 edition of Cyber Defense Magazine, “After the Login: What Continuous, Endpoint-Bound Identity Actually Requires,” works through the answer. 

Here is the short version of what he covers.

The real gap is after login, not at it

Identity-based intrusions make up most security incidents today. The reason is not that login is weak. It is that authentication stops once login is done. You prove who you are in one moment, the system hands back a token, and for the next several hours nothing ties that token to the person who logged in. Steal the token and you inherit the session. That gap between a one-time login and everything that follows is where most attacks live.

We are verifying at the wrong layer

Login happens at the application layer, through things people do by hand. You type, tap, or look at something, and the app treats the result as proof. Thi makes the case that the right place for this is the transport layer, where machines already prove themselves to each other. Servers have done this in the TLS handshake for twenty-five years. The same math lets the user’s endpoint prove itself back, in the same handshake. Mutual TLS has supported this for years. What changed is the hardware now sitting in the endpoint.

Why the key has to live in hardware

A private key only works as a secret if exactly one thing can sign with it. The moment a second copy exists, every guarantee built on that key quietly falls apart, with no alert. That is what credential theft and token theft come down to. Software keys sit in memory and files, so anyone with enough access can copy them. Hardware keys close that door. The key is born inside the silicon — a TPM, a Secure Enclave, a secure element — and never leaves. Not for the operating system, the app, the user, or malware running with full privilege.

A live key, not a static one 

A key locked in hardware is necessary, but on its own it is still a credential. The article’s key idea is to bind that key to policy, and to check the policy without stopping. The hardware key works only while the endpoint confirms the right user is present, the device is healthy, and the conditions still match what policy allows. The ability to keep going is simply gone the moment the conditions are gone.

Audit becomes part of the protocol

When that hardware-rooted, policy-bound key signs the mutual TLS handshake, the encrypted channel is derived from the proof of identity that opened it. Identity and channel become one thing. Every request inside carries cryptographic proof of the user, the device, and the conditions at that exact moment. There is no separate token to forge or replay. The question “who did this” gets answered by the protocol itself, not by guessing from logs after the fact.

The pieces already exist

None of this asks for new hardware or new standards. The TPM ships in nearly every business laptop. Mutual TLS has been settled for a quarter century. Where pre-boot MFA is in place, the endpoint already verifies the user at power-on. What is missing is the choice to connect these pieces at the transport layer instead of stacking more on top of the app layer. As Thi notes, the standards bodies — W3C, IETF, NIST, and CISA among them — are moving toward the same picture from different directions.

Read the full article 

The password was the wrong starting point for the online world, and replacing it matters. But it is not the finish line. The full piece walks through how identity can be continuous instead of momentary, rooted in hardware instead of claimed in software, and carried inside the encrypted channel instead of passed across it.

You can read the full article in Cyber Defense Magazine, June 2026 edition (pages 131–135)

Previous Post
Identity for the Agentic Era
keyboard_arrow_up