There are three types of people in the corporate world:
- Those who think their laptop is just an average computing device
- Those who use the endpoint for passwordless authentication
- Those who realize the endpoint can do so much more
Now, if passkey were a person, they’d be in the second group: the ones who use the endpoint for passwordless authentication. This group is the vanguard for leaving password-based and traditional MFA techniques — which include SMS, push, or OTP verification — in the past.
The biggest problem with traditional MFA is that it’s not phishing resistant, which is why the world is so eager for passkey options. The second biggest problem with traditional MFA is that it doesn’t create a good user experience, which is why most companies never fully adopted the practice. Regarding data security, it’s rare for a solution to offer both better security and a great user experience, which is why passkey authentication has been such a game-changer.
Passkey origins
Using the endpoint to verify the user isn’t a brand-new idea. Before computers had public key cryptography capabilities, the industry tried to improve the user experience by having the server authenticate the endpoint by its network identity. Unfortunately, a system’s IP and MAC address are easily spoofed, so this design offered little real security.
Technology has come a long way since then. Recently, the big powers of Apple, Google, and Microsoft have pushed the simple idea that the device — not the user — should perform online authentication.
These leading players dubbed their breakthrough movement “passkey authentication,” which is built on the FIDO2 protocols. FIDO2 centers on public key cryptography, and the service being logged into never receives any of the user’s credentials — no passwords, no fingerprints, no 2FA one-time codes, and no secret questions about your first pet or mother’s maiden name. Instead, FIDO2 security relies on the user’s device, or endpoint, which hackers can’t replicate.
How it works
On a fundamental level, passkey authentication models are like password managers with one clever difference: they store public and private cryptographic key pairs instead of passwords, and unlike passwords, those keys are practically impossible for hackers to crack.
The novel idea behind passkeys is that the user only needs to unlock the endpoint to log into their online accounts. The endpoint, which is the user’s device, uses a built-in crypto chip to keep the user’s private key secret and inaccessible to hackers.
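To make the "How it works" description concrete, here is an added example (not WinMagic's code and not any FIDO library's) that sketches the FIDO2-style challenge-response in Go using only the standard library: the authenticator keeps one P-256 private key per relying party and only ever emits a public key and signatures, while the relying party checks the challenge and the origin before the signature, which is where the phishing resistance comes from. The relying-party names, origins and challenge values are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator models the endpoint: one key pair per relying party (rpID); private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register is enrolment: the relying party receives only the public key to store.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// ClientData carries the server's fresh challenge plus the origin the browser says the user is on.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign signs SHA-256(serialised client data) with the key bound to rpID; nothing secret leaves the endpoint.
func (a *Authenticator) Sign(rpID string, cd ClientData) ([]byte, []byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	raw, _ := json.Marshal(cd) // cannot fail for this struct
	d := sha256.Sum256(raw)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return raw, sig, err
}

// Verify is the relying party: reject a stale challenge or a foreign origin, then check the signature.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, raw, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(raw, &cd) != nil || cd.Origin != origin || !bytes.Equal(cd.Challenge, challenge) {
		return false
	}
	d := sha256.Sum256(raw)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}
```

Note that a look-alike site fails twice over: the authenticator holds no key for its rpID, and even a relayed assertion carries the wrong origin inside the signed bytes.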
This strategy is a huge step up for passwordless authentication. Historically, it hasn’t been possible to have a great user experience with stronger security — until now. Passkey is an authentication strategy that users are actually excited to adopt.
Passkey security
For passkey authentication, the user unlocks the endpoint to access online accounts; whether this verification happens through biometrics or a local PIN depends on the device. The endpoint is generally considered secure, at least compared to online accounts and their exposure to cyber-attacks. If the system has any doubt that it’s the legitimate user at the endpoint, the user must log in again. This is the case when a user wakes up their computer or after an extended period of inactivity: they’re prompted to reauthenticate to the endpoint.
Multi-device authentication
In essence, passkeys are multi-device FIDO2 credentials. This design allows users to have multiple endpoints — typically a laptop, phone, and tablet — that all use one FIDO key. When a user buys a new phone, they don’t have to re-register with the dozens of online apps they use.
For this feature to work, the multi-device FIDO key is shared with a server, which can then provision the same key to the new phone or another device. Even though the key is shared over the network, this setup is still orders of magnitude stronger than traditional password-based authentication: users are verified via public key cryptography, and a randomly generated key is astronomically harder to guess than a human-made password.
While the passkey multi-device FIDO key simplifies manageability for users, sharing keys across devices inevitably weakens security. Even though these keys are well protected, once the multi-device key is shared across a network, it can no longer be considered “unhackable” because it’s not bound to the hardware.
Multi-device passwordless solutions exchange security in favor of ease of use. While this tradeoff is acceptable to most individuals and their personal devices, corporations need to have higher standards when it comes to data security.
The WinMagic way
MagicEndpoint offers enterprise-class passwordless authentication using the most secure practice of never sharing your unique FIDO key. The software stays phishing-resistant by keeping all user credentials local to the endpoint — not even in a cloud-based keychain.
WinMagic is among those who realize the endpoint can do so much more than just stowing security keys and user information. The best way to keep your devices’ data secure is to keep it on the endpoint. Modern-day computers, phones, and tablets come with the technology you need to protect your data and accounts from hackers. Public key cryptography is the best tool to keep hackers out of your business — so long as the private keys are never shared.
We believe our passwordless authentication solution, MagicEndpoint, is the next evolution from passkey.
What makes us so confident that the endpoint can do so much more than authenticate the user? We’ve been using the endpoint for more than 25 years to protect our customers’ data. WinMagic solutions use the endpoint to verify the user locally, identifying them as a definite user + endpoint combination: a new entity that’s vastly stronger than user or device verification.
MagicEndpoint supports multiple users on one device. Each user can have the same secure and password-free experience because the software detects and verifies a different user + device combination. This concept brings security to a whole new level whereby the user’s access privileges depend on the endpoint.
For example, the endpoint’s unique crypto-protected key — or FIDO key — actively identifies UserA on DeviceX, or UserB on DeviceX. MagicEndpoint also detects if no user is actively using the endpoint — the user has been inactive or the lock screen appears — providing further protection against data breaches.
The software uses the device’s native trusted platform module (TPM) to verify the user + device combination where each user’s device has a unique key. MagicEndpoint confirms this unique key to verify the endpoint and the user at every single sign-on, ensuring no third parties are impersonating your FIDO key.
This configuration delivers a next-generation experience that frees the user from all actions: no passwords, no OTPs, and no verification steps beyond logging into your one-of-a-kind endpoint.
Zero-trust security
Today’s standard of security is the “Zero Trust” model that endorses security protocols to “never trust, always verify.” WinMagic believes the endpoint can not only authenticate a user, but also continuously verify them. MagicEndpoint takes authentication to the next level by continually checking the user’s intention and remaining on high alert for any potential breach.
Consider this: if an authentication solution requires the user to verify themselves for every sign-on action, can it really offer “continuous verification”? The user is only verified every time they enter their credentials or click a button — which occurs every hour at best. This infrequency makes these solutions “verify every hour” instead of “always verify” designs.
While many authentication tools focus on the user, MagicEndpoint continuously verifies the user + endpoint device combination with active FIDO-based conditions. By monitoring user intention, the software catches suspicious activity from the start, safeguarding users against data breaches. Because the user is continually verified, they don’t have to reauthenticate to online apps so long as they remain verified by the endpoint.
This setup frees users from any action beyond logging into their endpoint at the start of their session. From that point on, they can seamlessly access products, services, and applications supporting FIDO2 authentication.
Takeaway
MagicEndpoint is proof that the endpoint can do so much more than simply authenticate the user. The next evolution from passkey is a no-user-action experience that provides state-of-the-art FIDO2 authentication and Zero Trust security measures.
While the passkey multi-device approach is designed for the user experience, it might not be the most secure option for businesses. To cover your business needs, MagicEndpoint targets user + device verification to amplify security. This configuration keeps your identity and keys secret and is impossible for hackers to imitate.
The endpoint has the potential to revolutionize the authentication process by enhancing the user experience and providing unparalleled security. It’s time to unlock your endpoint’s potential.