Open Letter Addressing NSA and CISA New IAM Guidance Document

WinMagic applauds the joint NSA and CISA effort in creating the document “Developer and Vendor Challenges: Identity and Access Management.” The file provides pragmatic help to the community of vendors and developers and will benefit them greatly. For our part, we’d like to offer the below suggestions. We’ve categorized our suggestions into two sections — “MFA Definitions and Policy Changes” and “Standards Improvement Opportunities” — but the suggestions apply to many sections of the “Developer and Vendor Challenges” document.

WinMagic understands that some of our comments and proposals below are different and unconventional. We strongly believe that our innovative ways of thinking are most applicable to current state-of-the-art technologies and the industry’s zero-trust principles.

Regarding the “Developer and Vendor Challenges” PDF:

MFA Definitions and Policy Changes

Concerning the line: “MFA deployment is notoriously difficult for many organizations. One reason is due to confusing definitions and unclear policy around different variations of MFA…”

  1. We’d suggest differentiating between endpoint access and access to everything else. MFA considerations related to endpoint access are very different from MFA for other accesses, even to the extent that “endpoint access gives access to everything else.”

The endpoint can serve as one factor for MFA to online services. For endpoint access itself, however, the endpoint might not count as a factor, even though the TPM’s anti-hammering feature is very relevant to the strength of that model.

We believe that NSA and CISA can help clear one of the biggest confusions about “MFA” by differentiating endpoint access from all other access when considering MFA.

  2. Even the word “MFA” may point in the wrong direction when it comes to online authentication. We believe that at this stage, when public key-based authentication is the best option, and with the aspiration to zero-trust principles (continuously verifying user and device), the server or system should not try to verify the user but rather the endpoint the user is using to access online services. The endpoint continues to verify the user, as it has always done, and is in the best position to do so. The key point that follows is that the user does not have to be involved in online authentication protocols at all.

Note that, for passkey authentication, Apple, Google, and Microsoft believe that the user just needs to unlock the endpoint to access online accounts, which is in line with WinMagic’s strategy.

  3. Organizations will need time to fully deploy this new technology. The optimal solution for online authentication at this time includes:
  • Public key-based authentication and no other method
  • Using the endpoint as the authentication device, which has a built-in crypto chip such as the TPM or the phone’s key vault. This setup is inherently phishing resistant and, in addition to authenticating the endpoint, can provide various real-time information on the security posture of the user and device, which can lead to “no-user-action” authentication. This framework offers MFA without any action from the user!

Without user action, the server can perform FIDO2 authentication often (every minute, if needed) without user friction. This FIDO2 verification uses a device-bound, unshared TPM key and proves in real time that the authentic user is using the authentic endpoint.

  • Based on FIDO2 protocols, the phone can be used as the fallback authentication method. Some user action is needed to achieve phishing resistance, because the phone has no direct association with the endpoint or the user. With the phone as the fallback method, hackers will no longer be able to exploit the Help Desk, as in the Caesars and MGM hacks.
  • The phone can also be used as the main authentication method for unmanaged endpoints.
  • The phone can also be used as an additional, explicit form of MFA on top of endpoint verification for even stronger authentication.
  • For additional, explicit MFA for online authentication, we can also use the PIV card or USB token. We can configure that, for certain online services, the user must unlock the endpoint again to verify themselves.

(This article will address more MFA considerations further along.)

Similar to stating that PKI and FIDO2 methods are stronger than others, we believe NSA and CISA could also state that using the endpoint as an authentication (crypto) device is better than using a phone, which represents neither the user nor the endpoint device — the logical subjects for verification. This reasoning is valid even though most solutions today use the phone. In contrast, WinMagic says the phone can be used as a fallback tool or additional out-of-band second factor.

  4. MFA is needed for endpoint login, ideally not only for the operating system, but also for pre-boot authentication (for full-disk encryption). Possible MFA modes include PIV cards, USB keys, the phone (via Bluetooth or Wi-Fi network), TPM, biometrics, and passwords. Some combinations of these modes can be used when extra-strong authentication is required.

Note that the fallback methods for endpoint login should also be considered. Unlike account recovery for online access, hackers can’t exploit the recovery for endpoint access because they would still need to gain possession of the endpoint.

Standards Improvement Opportunities

Regarding the quote: “Open standards are a critical part of the identity ecosystem, however, there is room for improvement. This paper focuses on several identity standards topics, but it is not meant to be a comprehensive list of such issues…”

  1. Based on the idea that the modern endpoint is capable of freeing users from online authentication steps, the federation protocol should carry the endpoint’s information. With this support, authentication can be more accurate without the user having to enter a username.
  2. This information can be used to support zero-trust aspirations:
  • Continuous verification of the user and device for each application and transaction
  • “Trust in a claimed identity and access risk can change dynamically throughout a session, so credentials and signals must be continuously reevaluated post-login.” (Gartner Inc., “Shift Focus From MFA to Continuous Adaptive Trust”)
  • Achieve “always verify” through continuous monitoring via event-driven updates, without polling. With event-driven updates, we can monitor the endpoint in real time (that is, always verify) and thus offer Continuous Adaptive Trust pre- and post-login, which is more comprehensive than verifying only at a login moment.
  • “Event-driven” features should be standardized. For example, service providers don’t need to verify the user and device before each transaction. Rather, the service provider can serve the endpoint until the IdP alerts the service provider that the user has logged off the endpoint, closed the application, or that something has compromised the endpoint. Then, the security posture assessment will no longer pass and the user or client will be locked out or restricted.
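The silent, device-bound re-verification described under “MFA Definitions and Policy Changes” (periodic FIDO2-style checks with no user action, rejected at a phishing origin) and the event-driven session cut-off in the last bullet above, as an added Go example that is not part of this letter and not WinMagic’s code: the origin string, the event names, and the in-memory P-256 key standing in for a TPM-resident key are assumptions, and the origin/challenge digest is a simplified stand-in for FIDO2 client data, not the WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// NewDeviceKey stands in for the endpoint's TPM-resident key (a constructed in-memory P-256 key here).
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Answer is the endpoint side: sign silently, bound to the origin the client is really talking to,
// so a signature obtained at a phishing origin is useless at the genuine service.
func Answer(dev *ecdsa.PrivateKey, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, dev, toBeSigned(origin, challenge))
}

// RelyingParty is the online service; it serves a session only while silent checks pass and no IdP event revoked it.
type RelyingParty struct {
	Origin string
	Pub    *ecdsa.PublicKey // device public key captured at registration
	Active bool
}

// NewChallenge returns 32 fresh random bytes so every check is unique and unreplayable.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read does not fail on supported Go versions
	return c
}

// Verify is the periodic, user-invisible check; any failure locks the session.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	rp.Active = rp.Active && ecdsa.VerifyASN1(rp.Pub, toBeSigned(rp.Origin, challenge), sig)
	return rp.Active
}

// OnIdPEvent is the event-driven path: the IdP pushes a posture change; the service never polls for it.
func (rp *RelyingParty) OnIdPEvent(event string) {
	if event == "user-logged-off" || event == "application-closed" || event == "endpoint-compromised" {
		rp.Active = false
	}
}

func toBeSigned(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}
```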

WinMagic appreciates the “Developer and Vendor Challenges” document, which helps further improvements in many aspects of user authentication for all types of organizations and businesses.

We believe these new directions listed above can help the U.S. Government achieve its zero-trust goals faster, even to the extent of “continual verification of each user, device, application, and transaction,” while remaining completely frictionless for users.

WinMagic has delivered continuous innovation in data security for over 25 years. Our products are used in the most security-conscious organizations. WinMagic SecureDoc disk encryption was certified by the NSA to support SECRET data for U.S. Government agencies. We also received the first Common Criteria certification in 2002 and achieved the first NIST AES certification (#1). Many U.S. Government agencies use our disk encryption product today.

The above points are just a few of WinMagic’s progressive ideas. We’d welcome a chance to discuss and elaborate more and brainstorm how WinMagic can help implement or improve on these thoughts.
