Open Letter to IT Security Technology Thought Leaders: Embracing New Approaches to Defend Against Cyberattacks, Minimizing User Burden

Key issues:

  • With over 25 years of continuous innovation, WinMagic has consistently raised the bar in endpoint encryption. Leveraging our expertise in applied cryptography and endpoint protection for online access, we believe new ways of thinking can revolutionize cybersecurity to the extent that account hijacking is eliminated, with NO user burden.
  • We will highlight current challenges and present potential solutions or ideas unseen elsewhere. While we understand industry skepticism, we’re optimistic that these novel approaches will garner support and that the industry will refine and expand upon them. Our commitment lies in continuously improving these solutions and integrating them into industry standards and platforms for wider adoption.
  • This letter primarily addresses businesses, although most of the strategies are equally relevant and beneficial to consumers.

Our proposals focus on two pivotal areas: authentication and secure access.

1) Stronger Authentication

In today’s landscape, we need authentication methods that stay accurate under sustained attack and remain resilient to sophisticated, previously unseen attacks. To achieve this, we propose:

a. Shift in verification focus: the system should authenticate the endpoint, which in turn verifies the user.

Most endpoints today can perform hardware-backed, public-key authentication such as FIDO and PKI, with the private key held in a hardware crypto chip. Provided that key never leaves the chip, this gives verification that the endpoint is authentic which is, for practical purposes, unbreakable.

The endpoint has always verified the user for local access, and it is in a better position to do so than the server or the network.

Furthermore, today’s endpoints can create a unique “user + device” identity whose private key is available only on the endpoint, inside the hardware crypto chip, and only once the user has logged in. The endpoint agent erases that key when the user logs off, or even when the user is inactive and the screen lock engages. With this notion of identity, the verification of both user and device is completely transparent to the user.

Enhancing security through “binding identities to devices”: broadening the idea above, the core concept is to bind identities to specific devices so that the combined entity has its own unique private key. Each user-device combination thus becomes a distinct identity for accessing online resources. The same approach extends to other kinds of “accounts”, whether “user + device,” “application + device,” or “service + device.” This strengthens online identity verification and lays solid groundwork for an identity fabric. We are confident it aligns with the industry’s “identity-first” initiatives.
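The following Go program is an added illustration of the “user + device” identity described above; it is not WinMagic’s code, and the letter specifies no implementation. It assumes a random per-device secret standing in for the non-exportable secret of the hardware crypto chip, a SHA-256 passphrase hash standing in for however the endpoint verifies its user, Ed25519 for the identity key, and illustrative names such as “userA” and “device1”. The identity key is derived from the device secret only after the endpoint has verified the user, is zeroised on lock, and is used to answer a single-use challenge from the IdP, which stores nothing but the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Endpoint is the agent on a managed device. deviceSecret stands in for a
// non-exportable secret in the hardware crypto chip; the "user + device" signing key
// is derived from it only while a user is logged in, and it is the endpoint, not the
// server, that checks the user's credential.
type Endpoint struct {
	DeviceID     string
	deviceSecret []byte
	credentials  map[string][32]byte // user -> SHA-256 of passphrase (toy local verifier)
	user         string
	identityKey  ed25519.PrivateKey // nil whenever no user is logged in
}

func NewEndpoint(deviceID string, users map[string]string) *Endpoint {
	e := &Endpoint{DeviceID: deviceID, deviceSecret: randomBytes(32), credentials: map[string][32]byte{}}
	for user, passphrase := range users {
		e.credentials[user] = sha256.Sum256([]byte(passphrase))
	}
	return e
}

// Login verifies the user locally, then derives the identity key from the device
// secret, so the key exists only on this hardware and only for a verified user.
// It returns the public half, which is all the IdP ever stores.
func (e *Endpoint) Login(user, passphrase string) (ed25519.PublicKey, error) {
	want, known := e.credentials[user]
	got := sha256.Sum256([]byte(passphrase))
	if !known || !hmac.Equal(want[:], got[:]) {
		return nil, errors.New("endpoint: bad credential")
	}
	mac := hmac.New(sha256.New, e.deviceSecret)
	mac.Write([]byte("identity-key:" + user))
	e.user, e.identityKey = user, ed25519.NewKeyFromSeed(mac.Sum(nil))
	return e.identityKey.Public().(ed25519.PublicKey), nil
}

// Lock runs on logoff or screen lock: the key is zeroised and nothing can be signed
// until the user logs in again.
func (e *Endpoint) Lock() {
	for i := range e.identityKey {
		e.identityKey[i] = 0
	}
	e.user, e.identityKey = "", nil
}

// Sign answers a server challenge with the identity key; it fails while locked.
func (e *Endpoint) Sign(challenge []byte) (identity string, sig []byte, err error) {
	if e.identityKey == nil {
		return "", nil, errors.New("endpoint: locked, no identity key available")
	}
	return e.user + " on " + e.DeviceID, ed25519.Sign(e.identityKey, challenge), nil
}

// IdP keeps one public key per "user on device" identity and the single-use nonce
// it last issued for it. It never sees a credential or a private key.
type IdP struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewIdP() *IdP { return &IdP{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (s *IdP) Register(identity string, pub ed25519.PublicKey) { s.keys[identity] = pub }

func (s *IdP) Challenge(identity string) []byte {
	s.challenges[identity] = randomBytes(32)
	return s.challenges[identity]
}

// Verify checks user and device in one step: only that device can derive the key,
// and it only does so after verifying that user. A nonce is consumed on first use.
func (s *IdP) Verify(identity string, sig []byte) bool {
	pub, known := s.keys[identity]
	nonce, pending := s.challenges[identity]
	delete(s.challenges, identity)
	return known && pending && ed25519.Verify(pub, nonce, sig)
}

// Authenticate runs the whole challenge-response exchange for one identity.
func Authenticate(s *IdP, e *Endpoint, identity string) bool {
	id, sig, err := e.Sign(s.Challenge(identity))
	return err == nil && id == identity && s.Verify(identity, sig)
}
```

Because the key is a deterministic function of the device secret and the user name, the next login on the same device reproduces it and the IdP needs no re-enrolment; a second device with the same user and passphrase cannot produce it, and the IdP’s single-use nonce stops a captured signature from being replayed. In a real deployment the derivation and signing happen inside the chip rather than in the agent’s memory, which is what makes the private key non-exportable.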

b. Continuous Monitoring
Emphasizing integrity and security: is unforgeable authentication at the moment a client logs in to an online account sufficient? The answer is no. Social engineering attacks, including the 2023 attacks on MGM Resorts and Caesars Entertainment, have demonstrated that even where stronger authentication methods such as FIDO are available, attackers can use other means and channels to compromise accounts.

While the principles of Zero Trust security and Gartner’s Continuous Adaptive Trust (CAT) call for continuous verification after login, we believe that, in addition, continuous monitoring over an extended period makes each individual check more reliable, which makes it useful even before the login stage. We can monitor the user and device not just before or after login but “always”, from the time the endpoint powers on until it powers off. Given the substantial financial incentives involved, attacks are becoming increasingly sophisticated and resilient, and a layered approach is more robust than a single check at login.

Notably, although this approach may appear excessive, many enterprises already have solutions in place that manage and continuously monitor endpoints and users, such as disk encryption solutions. We only need to leverage these existing solutions, enhancing or integrating them, to reach the desired level of resilience.

An endpoint encryption solution of this kind maintains a persistent connection with the endpoint. This allows continuous monitoring of the endpoint’s security posture and active control over user access. Provided the connection is itself mutually authenticated, for example with the endpoint’s hardware key, it serves as the “secure channel” between the Identity Provider (IdP) and the endpoint, much as a bank directs customers to call the number on the back of their card rather than responding to unsolicited calls.

If the server verifies the client successfully, it grants access. However, instead of granting access to the requesting endpoint — which could be compromised via an insecure channel — the server provides access to the managed endpoint through the secure, persistent connection.

In essence, this fail-safe design ensures the IdP never delivers a session to an attacker, even one who has bypassed authentication, because the session only ever goes to the managed endpoint over its own channel. This could be a groundbreaking step toward the primary goal of preventing unauthorized access by attackers.

2) Secure Access: Protecting All Transactions

While authentication receives extensive attention, securing post-login sessions, that is, safeguarding the transactions themselves, is the actual purpose of authentication, and today it is a significant security gap. Besides incomplete implementation of what a secure session needs, many solutions grant prolonged access after authentication, typically through long-lived tokens or cookies, and the vulnerabilities this introduces are being exploited.

Without delving into all the details of our proposed solutions, here is a summary of our key recommendations:

a. Session Key Establishment: It is fundamental and straightforward that authentication should establish the session key, yet current authentication methods, including FIDO, overlook this step. TLS is the gold standard here because it establishes the session key at the start, in the handshake, but that binding breaks down when the principal is authenticated afterwards at the application layer: the session key already in use was established with an anonymous client. Continuing to rely on that key after authentication leaves the session bound to whoever holds the channel rather than to the authenticated principal, which is why a stolen token or cookie can be replayed from another endpoint. The flaw is obvious once it is recognized.

b. Encryption Over Authentication: Effective encryption can remove the need for a separate authentication step: if only the intended endpoint can decrypt the data, access is implicitly restricted to that endpoint. Our research reveals that current solutions sometimes use cryptography ineffectively, leading to unnecessary complexity and even gaps in security. Proper encryption ensures data remains inaccessible to unauthorized entities. For federated authentication, the Identity Provider (IdP) can set the TLS session key for the endpoint and the Service Provider (SP), removing the need for complex holder-of-key assertions.

c. Protect Transactions at the Transport Layer: Applying the “user + device” and “application + device” identity concept at the TLS layer, as the TLS client identity, secures all transactions without requiring user intervention. This approach is particularly effective for managing non-human accounts in enterprises.

d. Dynamic over Static, Leveraging Cryptographic Keys: Cryptographic keys provide stronger security than static tokens or cookies. Whenever possible, we advocate the use of cryptographic keys that in principle cannot be retrieved from outside the endpoint. Verification should rely on the endpoint’s ability to decrypt (or sign) data, rather than on the presence of a token that can be read and replayed from elsewhere. This approach goes beyond the traditional distinction between dynamic and static authentication methods and promises significant impact in cybersecurity.

Fast-forward to the not-too-distant future: even before the standards change, users can use online services completely transparently.

  • The user logs in to the endpoint. The endpoint then builds the private key for the identity “user on device.”
  • When the user connects to a service provider (SP) website over HTTPS/TLS, the handshake uses both server and client certificates. The SP then knows that the endpoint and the user are authentic and can grant access without further action.
  • The IdP manages the endpoint and the user; it only needs to inform the SP when the identity, keys or certificate for “userA on device1” are no longer valid, and the SP must apply that revocation at every handshake.
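As an added example (not WinMagic’s code; the letter describes the flow but no implementation), the following Go program runs the three steps above with the standard crypto/tls package. It assumes one CA run by the IdP that issues both the SP’s server certificate and a client certificate whose common name is the “user on device” identity, a P-256 key standing in for the endpoint’s hardware-held key, revocation modelled as a set the IdP pushes to the SP, and illustrative names (“sp.example”, “userA”, “device1”). It also shows the point made under 2a, 2c and 2d: the session keys come out of the same handshake that authenticated the client certificate, so no separate token or cookie is ever issued, and the SP rejects a revoked identity inside the handshake rather than after it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IdP runs the CA behind every "user on device" identity; SPs trust only this root.
type IdP struct{ root tls.Certificate }
func NewIdP() *IdP { return &IdP{root: (*IdP)(nil).issue("IdP Root", 0)} }

// issue signs a certificate for cn with the IdP root key; a nil receiver produces the
// self-signed root itself. A fresh P-256 key stands in for one held in endpoint hardware.
func (idp *IdP) issue(cn string, eku x509.ExtKeyUsage, dns ...string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: dns, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	parent, parentKey := tmpl, key
	if idp == nil {
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
	} else {
		parent, parentKey = idp.root.Leaf, idp.root.PrivateKey.(*ecdsa.PrivateKey)
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Enroll issues the client certificate for one user-device pair (in a deployment the
// key is generated inside the endpoint's hardware and only the public half reaches the IdP).
func (idp *IdP) Enroll(user, device string) tls.Certificate {
	return idp.issue(user+" on "+device, x509.ExtKeyUsageClientAuth)
}

// SP trusts only the IdP root, requires a client certificate, and honours IdP revocations.
type SP struct {
	cert    tls.Certificate
	roots   *x509.CertPool
	revoked map[string]bool
}

func NewSP(idp *IdP) *SP {
	roots := x509.NewCertPool()
	roots.AddCert(idp.root.Leaf)
	return &SP{idp.issue("sp.example", x509.ExtKeyUsageServerAuth, "sp.example"), roots, map[string]bool{}}
}

// Revoke is the IdP telling the SP that an identity is no longer valid.
func (sp *SP) Revoke(identity string) { sp.revoked[identity] = true }

// Access connects the endpoint holding clientCert to the SP over loopback with mutually
// authenticated TLS 1.3 and returns the identity the SP admitted. The session keys come
// out of this same handshake, so they are bound to the certificate that authenticated.
func (sp *SP) Access(clientCert tls.Certificate) (string, error) {
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{sp.cert}, MinVersion: tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: sp.roots, // IdP-issued cert or no session
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			// Revocation is enforced inside the handshake, before any application data flows.
			if id := chains[0][0].Subject.CommonName; sp.revoked[id] {
				return fmt.Errorf("identity %q revoked by IdP", id)
			}
			return nil
		},
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() { // SP side: the identity is read off the authenticated connection, not off a token
		if raw, err := ln.Accept(); err == nil {
			srv := tls.Server(raw, srvCfg)
			defer srv.Close()
			if srv.Handshake() == nil {
				srv.Write([]byte(srv.ConnectionState().PeerCertificates[0].Subject.CommonName))
			}
		}
	}()
	cli := must(tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{clientCert}, RootCAs: sp.roots,
		ServerName: "sp.example", MinVersion: tls.VersionTLS13,
	}))
	defer cli.Close()
	id, err := io.ReadAll(cli) // a TLS 1.3 client learns that its certificate was rejected only here
	return string(id), err
}
```

With `idp := NewIdP()` and `sp := NewSP(idp)`, `sp.Access(idp.Enroll("userA", "device1"))` returns “userA on device1”; after `sp.Revoke("userA on device1")` the same call fails, as does a certificate from a CA the SP does not trust. Two details matter in practice: in TLS 1.3 the client’s Dial succeeds before the server has checked its certificate, so the rejection surfaces on the first read, which is why Access reads before reporting success; and because the SP keys everything off the authenticated connection, there is no bearer token for an attacker on another endpoint to steal.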

In Summary:

With industry support, our proposed solution offers:

  • Unparalleled secure authentication coupled with no user friction, achieved through binding identities to devices and continuous verification.
  • Securing all transactions, the core objective beyond authentication, by leveraging encryption strategically, preferably at the TLS level.
  • Perhaps most compelling, even if attackers successfully bypass authentication, they still CANNOT gain access. The solution grants access to the managed endpoint, not to the requesting one — not the attacker!

We believe cryptography is the best technology for establishing trust in the digital realm. While our proposed solution covers multiple aspects, our focus is on applying cryptography more effectively, laying a virtually unbreakable foundation that supports and simplifies other security measures. We invite you to collaborate with us on this transformative journey towards a more secure digital future, without burdening users!

Thi Nguyen-Huu
Founder and CEO
WinMagic Corp.
