Passwordless Authentication

for VPN via RADIUS

Challenge/ Situation

The threat of cyberattacks and privacy reasons have led many organizations to use secure and advanced solutions like VPNs to keep data protected. Especially now, with more flexibility with remote working options and bring-your-device (BYOD) policies, the need for more digital security and, subsequently, VPN has grown drastically.

This is why most VPN services still rely on the RADIUS protocol, which is not the most straightforward protocol to handle by external IDPs or IAMs due to the nature of this protocol and how its components interact with each other. Some IDPs/IAM don’t support RADIUS, and others need to jump through many hoops and extra agents to make it work.

On the other hand, companies usually use MFA solutions to secure authentications in these VPN services. MFA will generally protect against standard methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach. However, many approaches to multi-factor authentication will not protect against sophisticated phishing attacks, which can convincingly spoof official applications and involve dynamic interaction with users. In response to such dangers, the U.S. government has, in the last few years, pressed forward with a zero-trust strategy, which prohibits using SMS, OTP, push notifications, and even some of the passwordless solutions that incorporate the phone. Even though these passwordless solutions seem acceptable from a user-experience perspective, they suffer from the “association issue,” which is when it’s impossible to guarantee that an authentication request is coming from the legitimate/intended endpoint since the authentication does not involve the endpoint.


WinMagic’s MagicEndpoint is a passwordless solution that is phishing resistant and can be applied to VPN access and many other remote services that use RADIUS or other modern protocols such as SAML and OIDC. It meets today’s cyber insurance requirements for MFA and provides the best user experience in authentication that one can have in the market today. Once a VPN (RADIUS) service is integrated with MagicEndpoint, which can verify the user’s identity with MFA, all authentications after this will occur with minimal user interaction.

MagicEndpoint’s TPM hardware-protected based authentication only needs a securely protected key, and it doesn’t need multi-factor. None of a user’s knowledge nor inherence affects the protocol. The endpoint device can do that job perfectly without any other “factor,” be it from users, an external crypto device, a phone, or anything. Furthermore, on each VPN login, MagicEndpoint can verify the User Intention and make sure the
request is indeed coming from the legitimate device, hence removing the association issue mentioned above.

MagicEndpoint also won’t require any other component as it acts just as a RADIUS server; as far as the VPN server is concerned, as shown below:

  1. Requests sent to VPN Server
  2. VPN Server sends the requests to
    MagicEndpoint IdP using back-channel
  3. MagicEndpoint IdP checks with the endpoint
    to identify and authenticate the user+device
  4. MagicEndpoint IdP responds to VPN Server
    through the back channel.
  5. VPN server grants access to user+device

MagicEndpoint from WinMagic is the passwordless authentication solution that protects access by focusing on the endpoint, for the user. It requires no user action, and no third-party devices or keys, so it’s seamless, secure and virtually invisible.

Authenticate. Encrypt. Achieve.