MFA and Zero-Trust Misconceptions Prevent Effective Solutions

The WinMagic team believes we can revolutionize the cybersecurity of the world. Our latest authentication solution, MagicEndpoint, is ready to deliver the most secure authentication with the best user experience. Incredible? Unbelievable? Yes. Not because we can do magic, but because we recognized some misconceptions that prevented previous solutions from being effective.

What are these misconceptions? Are you ready to be shocked? 🙂

There are two main misconceptions:

  • MFA (multi-factor authentication) is needed for online authentication.
  • The best security requires continuous verification of each user, device, application, and transaction.

And from these, further misconceptions followed, even if they might seem unrelated to the main ones:

  • Frictionless access is ideal, but we should be realistic and accept that frictionless means no security. So, some friction is needed.
  • Security is better because these new solutions get rid of passwords.


Regarding MFA as a Requirement for Online Authentication

Let’s address the misconception that “MFA is needed for online authentication.”

To do this, we should first ask: whom should the server — meaning the service provider (SP) — authenticate? The common answer has been “the user,” which is what the industry has been employing. The user must think of and remember a password — a “what the user knows” factor. Then, as the story goes, the user must use multi-factor authentication because passwords aren’t secure enough, which grows the desire to get rid of passwords.

But, while it is largely correct that the SP gives services to the user and the SP should try to verify the user, the more correct — and advantageous — concept is that the SP gives services to the endpoint the authentic user is using. Thus, the SP should verify that endpoint instead of the user directly. Today’s endpoint devices are equipped with crypto chips and can perform state-of-the-art, public-key-based protocols. The server can verify the authentic endpoint accurately with magnitudes more certainty than verifying a user who can’t perform public key operations.

At the same time, the capable endpoint has always verified the user and should continue to do this job. When implemented correctly, the capable, trusted endpoint will accurately verify with the server that it is talking to the authentic endpoint with the authentic user using it, in real-time.

Addressing the points above, we propose that secure online authentication doesn’t need MFA.

In fact, secure online authentication doesn’t need user involvement at all. The endpoint can perform online authentication better while continuously verifying the user using it, in real-time — without user action.

Friction, MFA, and passwords are all related to human users. Once we recognize that online authentication should be done by the endpoint — and that the user’s MFA doesn’t affect the authentication protocol — we can see that no user action, meaning completely frictionless access, is possible and should be implemented today.

With this concept in mind, users would be more secure not because we’ve gotten rid of passwords, but because we’ll get rid of user involvement in the online authentication process. In other words, users aren’t the weakest link in cybersecurity. The industry unfairly asked users to do what they shouldn’t — and the endpoint should — do in the first place.

Keep in mind, a password — “what you know” — can be very good for endpoint access. It offers what cryptography keys need: random and secret, which are two characteristics “what you are” does not offer. For the endpoint, it can be short — 6 characters — due to the endpoint’s anti-hammering feature. There should be just one easy password to remember.
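As an added illustration of why a short endpoint password can be acceptable behind anti-hammering (this is example code, not WinMagic's implementation), the Go block below models a lockout policy and bounds the wall-clock time an exhaustive guess of the whole keyspace would take under it. The policy parameters and the digit-only alphabet used in the examples are assumptions.

```go
package main

import "time"

// Guard models an endpoint anti-hammering policy: the first maxFree wrong
// guesses are processed immediately; after that, one guess per recovery
// interval until a correct password resets the counter. The parameters are
// assumptions for illustration, not MagicEndpoint's.
type Guard struct {
	maxFree     int
	recovery    time.Duration
	failures    int
	nextAllowed time.Time
}

// Attempt processes one password attempt at time now. It returns false, and
// does not evaluate or count the attempt, while the guard is throttling.
func (g *Guard) Attempt(now time.Time, correct bool) bool {
	if now.Before(g.nextAllowed) {
		return false
	}
	if correct {
		g.failures = 0
		return true
	}
	g.failures++
	if g.failures >= g.maxFree {
		g.nextAllowed = now.Add(g.recovery)
	}
	return true
}

// ExhaustTime bounds the wall-clock time needed to try every password of the
// given length over an alphabet of the given size under this policy.
func (g *Guard) ExhaustTime(alphabet, length int) time.Duration {
	combos := 1
	for i := 0; i < length; i++ {
		combos *= alphabet
	}
	if combos <= g.maxFree {
		return 0
	}
	return time.Duration(combos-g.maxFree) * g.recovery
}
```

With five free attempts and a ten-minute interval, all 10^6 six-digit combinations take roughly 19 years to exhaust, which is the effect the short-password argument relies on.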

The above misconceptions could be cleared if we recognize that, for the current technology and market, we should adopt this authentication approach: endpoint access gives access to everything else.

So, the new ways of thinking are:

  1. Distinguish between endpoint access and everything else. In today’s material, we don’t see this differentiation and thus most discussions about MFA and passwordless authentication are confusing — for all.
  2. All other accesses, besides endpoint access, can be done without user action or involving the user at all. With today’s capability, particularly the built-in crypto chip (the TPM or another), the endpoint can authenticate to all remote, online servers substantially more securely than a user can. Note that, without user action, the server can actively and genuinely verify the client — often “continuously,” where applicable.
  3. Endpoint access is not just about one desktop login. As it has always done, the capable endpoint can require MFA login after inactivity, or, whenever applicable, monitor the user’s presence with face ID, typing behavior, phone proximity, and so on. Furthermore, the endpoint can know the user’s intention, since the user requests services on the endpoint in the first place. This capable endpoint can accurately provide the server with intelligence on security posture and other relevant information, verifying the authentic endpoint with the authentic user, in real-time.

If, for certain services or circumstances, the user should be verified again, or more, the endpoint is in the best position to do that as well — not the server.


About Continuous Verification of User, Device, Application, and Transaction

We should clarify that the idea of “always verify” is not a misconception, even if continuous verification for each transaction seems impossible to achieve. The possible misconception is that when reading “continuous verification,” we think about the server continuously polling data somehow to verify the user and the endpoint device. And, because it seems impossible to burden users that much, this strategy is an aspiration rather than a real solution that can be implemented.

The better approach than continuous polling is event-driven updates. Concretely, the server verifies everything in the initial authentication. Then, the capable endpoint sends relevant updates, such as endpoint security posture and the user’s presence, to the server when there are changes. This real-time update lets the server verify, manage, and even control the endpoint more effectively, without requiring continuous polling. Real-time updates achieve “continuous verification of user and device, for each application and transaction,” even when no transaction takes place. This approach means that zero-trust measures should protect the endpoint too, not just the applications.

For the statement above, the application provider doesn’t need to verify the device or the user before each transaction. It can continue to provide services to that endpoint until the IdP informs the application providers — all the SPs — that, for example, the user has logged off the endpoint.
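As an added example (not WinMagic's code or the MagicEndpoint protocol), the Go sketch below models both the endpoint-verifies-itself idea from the MFA section and the event-driven update described here: the endpoint signs the server's fresh nonce with a device-resident key, and the SP keeps the session open until a signed, numbered event (such as "logoff") from that endpoint revokes it, with no polling. Ed25519, the device ID, the message layouts and the event names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Per enrolled endpoint the SP keeps its public key, whether a session is open,
// and the last accepted event number, so stale or replayed updates are ignored.
type device struct {
	pub     ed25519.PublicKey
	session bool
	lastSeq uint64
}
type Server map[string]*device // the service provider's state, keyed by device ID
// Enroll registers the public key; in practice the private key is generated
// inside the device's TPM and never leaves it.
func (s Server) Enroll(id string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s[id] = &device{pub: pub}
	return priv
}
// Messages carry the device ID and a purpose tag: an auth response can't double as an event.
func authMsg(id string, nonce []byte) []byte { return append([]byte("auth|"+id+"|"), nonce...) }
func eventMsg(id string, seq uint64, kind string) []byte {
	return []byte(fmt.Sprintf("event|%s|%d|%s", id, seq, kind))
}
// Authenticate: the endpoint signed the SP's fresh nonce with its resident key,
// with no user action; the SP verifies it and opens a session for that device.
func (s Server) Authenticate(id string, nonce, sig []byte) bool {
	d, ok := s[id]
	if !ok || !ed25519.Verify(d.pub, authMsg(id, nonce), sig) {
		return false
	}
	d.session = true
	return true
}
// HandleEvent accepts only authentic, strictly newer updates that the endpoint
// pushes when its state changes, and revokes the session on "logoff".
func (s Server) HandleEvent(id string, seq uint64, kind string, sig []byte) bool {
	d, ok := s[id]
	if !ok || seq <= d.lastSeq || !ed25519.Verify(d.pub, eventMsg(id, seq, kind), sig) {
		return false
	}
	d.lastSeq, d.session = seq, d.session && kind != "logoff"
	return true
}
// Authorized answers the per-transaction question from session state alone.
func (s Server) Authorized(id string) bool { d := s[id]; return d != nil && d.session }
```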

To clarify, the endpoint can be trusted with Endpoint Detection and Response (EDR), especially when paired with full disk encryption and integrity checks. Some people may understand the zero-trust “never trust” policy to mean “never trust anything.” However, our interpretation is to first and foremost protect and trust the endpoint. This arrangement supports user security, as every interaction the user has with the IT team is via the endpoint. Having protected the endpoint for over 25 years, WinMagic believes in securing the endpoint and the tasks at hand before relying on complex signals, machine learning, and AI. Additionally, users can help reinforce security by reporting the endpoint as “stolen,” if applicable.

The authentication industry is overly complex these days. While the US government’s zero-trust memorandum mandates the discontinuation of traditional MFA, cyber insurance companies have MFA as a requisite. By recognizing the misconceptions and adopting the above new ways of thinking, we can really implement the zero-trust “always verify” principle and give users completely frictionless access to online services. Online authentication should not require MFA. Instead, we should use the capable endpoint more completely to allow a “no user action” experience.
