The cybersecurity industry has spent twenty years sharpening one moment: login. Passwords gave way to MFA. MFA gave way to passkeys. Each step was real progress. None of them changed the underlying architecture.
That architecture treats authentication as a moment. A user proves who they are at the door. The system trusts them for hours afterward. Attackers learned that pattern a long time ago, and they no longer waste effort trying to defeat the gate. They wait for the gate to open.
The session is where the breach lives now
Adversary-in-the-middle (AiTM) attacks let an attacker stand between the user and the service, capturing the session cookie the moment MFA succeeds. The destination service cannot cryptographically tell the difference between the legitimate endpoint and the attacker’s machine presenting that same valid cookie.
Tycoon2FA is the proof point. The phishing-as-a-service kit that Microsoft, Europol, and partners disrupted in March 2026 was reaching more than 500,000 organizations a month at its peak, generating tens of millions of phishing emails monthly, and by mid-2025 accounted for roughly 62% of all phishing attempts Microsoft blocked. None of it required defeating MFA. It required being there when MFA succeeded.
Passkeys protect the login gesture. They do not protect the bearer token the system hands out afterward. The architecture has not changed.
Identity is more than the user
There is a deeper definition error here. The industry has argued for two decades about credentials versus true user identity, as if verifying the human harder is the answer. That is closer to right than verifying a credential. It is still incomplete.
In the physical world, a true user is enough. You are in the room. The room is implicit. Online, none of that is implicit. The device, its posture, the conditions of use — these are not the background of identity. They are part of identity itself.
Real online identity is a live equation. The actor, the platform they are operating on, and the conditions of that operation. Bound together cryptographically. Asserted continuously.
AI changes the economics of attack
AI changes the rate, scale, and credibility at which attackers can run these old playbooks. Phishing emails that used to be detectable by their grammar now read like internal correspondence. Reconnaissance and lateral movement that used to require human operators run at machine speed.
The deepfake threat has stopped being hypothetical. In early 2024, an employee at the engineering firm Arup transferred approximately $25 million to fraudsters after a video conference call in which the company’s CFO and several colleagues were AI-generated impersonations. None of Arup’s systems was compromised. Every participant on that call, other than the victim, was synthetic.
The gestures AI is good at faking — voices, faces, prompts, approvals — are the gestures most authentication flows still depend on. Architecture that does not depend on human gestures closes that attack surface.
Put identity on the endpoint
The endpoint is the only entity present for every moment of a session. The user, the device, and the conditions are all simultaneously known there. Cloud-only identity cannot see what the endpoint sees.
Hardware-rooted trust changes the category. A key anchored in a TPM, in a secure enclave, or in a similarly protected element never leaves the hardware. Cryptographic operations happen inside that boundary. Even an attacker with full administrator rights on the endpoint cannot directly extract the key — they can only ask the hardware to use it, and only while the policy bound to that key permits use. When the verified user logs out, when the screen locks, or when the device leaves an approved posture, the key becomes structurally unavailable. There is no revocation message to send. The capability simply ceases to exist.
The hardware is already deployed. to “Microsoft has made TPM 2.0 a mandatory Windows 11 requirement, calling it ‘a non-negotiable standard for the future of Windows’. Apple Secure Enclave, ARM TrustZone, and embedded secure elements in mobile and IoT devices round out the substrate. The work is to use that hardware as a continuous trust anchor, not as one more place to store a credential.
What this means for enterprises
Four practical moves, today:
- Move identity to the endpoint. It is the only place where the actor, the device, and the conditions are all simultaneously known.
- Shorten session windows. Short sessions only become safe when re-authentication has zero user friction.
- Use the hardware you have already paid for. TPMs and secure enclaves are sitting idle in most fleets.
- Stop treating login security and session security as two problems. They are one problem: identity over time.
In the TechEdge AI interview, WinMagic CEO Thi Nguyen-Huu puts it plainly: identity that is verified once and then assumed is not identity in any meaningful sense. It is a guess that ages badly. What systems actually need is identity in the present tense — a continuous cryptographic statement that the right actor, on the right platform, under the right conditions, is still acting, right now.
The technology to fix this exists. It does not need a forklift upgrade of the internet. It needs the willingness to fix a definition error the industry has spent twenty years working around — and, plainly, to stop using the token as the carrier of identity assurance.
Read the full interview with WinMagic CEO Thi Nguyen-Huu on TechEdge AI: https://techedgeai.com/beyond-passkeys-winmagic-highlights-the-shift-from-one-time-authentication-to-continuous-identity-verification/




