We propose that endpoint access can securely grant
![]()
Transcript
98% of all businesses want stronger security and all want to ease users’ burden. But what is the user’s burden in cyber security? Well, mostly the logins users have to make. We distinguish between two types of login: endpoint access and access to everything else. Because, we propose that endpoint access gives access to everything else. It means users’ burden for everything else, 100% for online authentication, will be eliminated. No user action is required for them. Wouldn’t this solve this burden problem very well, beyond every expectation? So, I guess the question is: can endpoint access give access to everything else? Securely, with no user action? Well, that is the title of this slide. For that, we need new ways of thinking.
But actually, endpoint giving access to applications is not a new way of thinking. You have here the endpoint. Once you log in to the endpoint through endpoint authentication, ideally with MFA and Windows login with MFA, you have access to applications on the endpoint without user action, so that is not completely new. But, we know today that most applications and services are on the cloud and the network. So, this endpoint application idea no longer applies. Let’s discuss the services on the cloud.
The industry solution for these services is Federated authentication. The idea is the IdP, the identity provider server, takes care of all authentication so that the application doesn’t have to do that and the user only has to authenticate to the IdP. But, it still causes burdens.
WinMagic tried to solve the problem without user action. How can we do that? You can see we have the endpoint and we have the server. We created the MagicEndpoint Center to coordinate the two. The endpoint’s duty, first off, is to authenticate the user — that’s what the endpoint has been doing since it ever existed, better than the server and everybody else. So, the endpoint verifies the user accessing it. But, now because we talk about the cloud applications and services. The endpoint has to prove to the IdP that the endpoint is authentic. Also, ideally, that the user is authentic in real-time. For that, we use the TPM, which can provide a key unique for this endpoint. That TPM can actually serve several users on it. And, for each user, it has a different key, which won’t exist even on the TPM until the user logs into the endpoint. This entity of user and device is unique. Not only does no entity, no other device have the key, but this TPM doesn’t even have the key before the user logs in. When the user logs out, this key disappears. With just one FIDO authentication, the IdP will know that the user and device are authentic and in real-time. We call this device and user bond “passkey.” Equipped with this FIDO key, or passkey, the endpoint forms a persistent connection to the IdP and uses this protocol to make sure that, anytime the connection exists, the user and the device are authentic.
Of course, the device will inform the IdP about the security posture of the endpoint because the endpoint knows everything about it. The history about whether it’s patched, whether it’s encrypted: all security posture. Note that the endpoint not only knows the user’s presence: if the user logs off, if the user left the machine so that the screen lock is on, and, most importantly, the endpoint even knows the user intent. If the user accesses the VPN or Office 365, the endpoint is the first one to know it. So, the IdP knows very well the endpoint. The IdP can even confirm the endpoint access; it can be informed that then the endpoint has been stolen. So, it could tell the endpoint to lock out the user because it’s most likely the attacker.
In any case, by having the persistent connection, the endpoint can inform the IdP in an event-driven way without polling, and that allows the IdP to know everything. Because the ldP knows everything about the endpoint, including the user, when the application provider asks to verify, the IdP can respond without user action.
The idea is, again, very clear: you should use MFA to access the endpoint. But, after that, nothing is needed because the endpoint has a TPM, which can perform all the authentication to the IdP and to all service providers without use action. Can it really work? It’s so incredible. Well, we did not invent everything, but we took what we believe to be the industry’s best ideas and we added our innovation to it. The industry’s best idea is, of course, FIDO, as you all know. But, beyond FIDO, we propose to have this entity FIDO “user and device.” With this, we actively prove that the authentic user is using the authentic endpoint in real-time. We use the endpoint, we use the non-copyable unshared key for this. Because we use an unsharable single device key, the various layers within the FIDO protocol can apply to it so it has a very strong additional layer of security to it.
It can be also future-proof, as the TPM will become future-proof with quantum-safe technology in the future. Beyond FIDO, we also know that zero trust is the best idea in the solutions. But, unlike the word “continuous verification,” we use “event-driven verification” because we trust the endpoint. We trust the endpoint to be able to give event-driven updates and we trust the endpoint because we protect the endpoint with full-disk encryption with integrity check — no manipulation of the code and so on. By trusting the endpoint, we can perform unbelievable solutions.
Furthermore, Federated Authentication, like SAML and OIDC, on this protocol is very important for authentication. But, we find that the current protocol is not very endpoint focused and it’s not very event-driven focused. By adding these two ideas, we can make it really secure and completely easy for users with no user action.
To recap, we propose that the user uses MFA to unlock the endpoint. But then, for all services and applications, there’s no more action, there’s no more password reset, no burden because endpoint access gives access to everything else securely. With this solution in mind, we believe that MagicEndpoint offers the most secure solution on the market today because it uses FIDO2 continuously and with the best possible user experience, because what else can be better than no user action?
Let’s recap, we propose a FIDO entity. What does the FIDO key represent? Is it the user or the device? In our case, it’s the user and the endpoint combination, in real-time. This entity concept provides a better layer of security and it can even help the passkey to be more secure as well. Using this concept and more, we provide a FIDO token with the endpoint or with the phone, which we believe can satisfy the NIST and the bank requirement of stronger customer authentication of unshared keys. But, most important of all, we believe that MagicEndpoint provides enterprises with the most secure, zero-trust satisfying solution with no user action.
Let us help you make sure the capable endpoint can free your user from all online authentications.
![]()
Suggested Videos
MagicEndpoint Passwordless Authentication
MagicEndpoint Demo: Multi-user with Ping Federate
SANS Zero Trust Solutions Forum 2023 Presentation