“I’m very excited to tell you more about our passwordless authentication, today. I believe it is game-changing and it will change the cyber security market,” said Thi Nguyen-Huu, Founder and CEO at WinMagic, during our “Passwordless for Government” webinar, hosted jointly with Carahsoft Technology Corp.
Leading the webinar, Garry Mccracken, CISO at WinMagic, began with the following descriptions of government security guidelines and executive orders:
- EO 14028. In May 2021, the federal government released Executive Order (EO) 14028. Executive orders tend to contain high-level policies, and this one was no exception. The order mandated that federal government sectors adopt new security best practices, pushing for zero-trust architecture and faster transitions to the cloud.
- M-22-09. The next major order was memorandum M-22-09 about moving the US government toward zero-trust principles. This document is more for strategy, prioritizing defenses against phishing and consolidating identity systems. The content emphasizes multi-factor authentication (MFA), but not just any MFA — phishing-resistant MFA. Government sectors are to discontinue using MFA that isn’t phishing resistant. Some options include Personal Identity Verification (PIV) cards or FIDO2 authentication. But, PIV cards aren’t always a practical option, which is why FIDO2 is seen as a leading choice.
Still, there’s more to zero-trust security than phishing resistance. Federal sectors must also leverage data from different sources to make intelligent decisions about authentication that include not just the user, but the user and device and the security posture of the device.
Even then you’re not done because, once you’ve authenticated the user and they have some access, they don’t get to have access forever. Maybe an hour, but not a day, week, or month. To achieve zero-trust security, you have to continuously evaluate any active session to see whether the user still deserves trust and, therefore, access to the service.
- CISA. Another document directed at agencies is CISA. This document also states that phishing-resistant MFA is the gold standard and that migrating to it should be a high priority. This document emphasizes that public key infrastructure (PKI) is ideal, although not always achievable for smaller, younger organizations.
- NIST 800-63-3. And then there’s Garry’s favorite: NIST 800-63-3 parts A, B, and C. Arguably the most foundational set of documents, section B covers authentication and lifecycle management, among other things, along with three levels of authenticator assurance. 1, 2, 3… the higher the number, the more secure the authentication is. Section C is about federation assertation and its three levels.
Then, Garry quoted EO 14028, “incremental improvements will not give us the security we need” and “instead, the Federal government needs to make bold changes and significant investments to defend the vital institutions that underpin the American way of life,” before asking:
“Thi, what should those bold changes be?”
Thi began answering by noting that EO 14028 suggests huge changes in the cybersecurity industry and that WinMagic is spearheading a new approach to user authentication. 98% of companies want to improve authentication security. Everyone wants to ease the user’s burden, but what is this burden?
Users have to repeatedly log into online applications and services, often authenticating via MFA, which wastes time and energy.
To differentiate between the two types of logins:
- Endpoint access
- Access to everything else
With this distinction, WinMagic instates that endpoint access should give access to everything else.
What does that mean? Well, it means that we can ease the user’s burden 100% for online authentication — no more user action is required. This approach not only eases the user’s burden, but removes it. You might ask, can the endpoint give access to everything else securely with no user action?
In truth, the endpoint giving access to the application isn’t a new way of thinking. Let’s say, the user logs into the endpoint with pre-boot authentication and then logs into the operating system. But, once the user has endpoint access, users have always had access to desktop applications. So, the idea of endpoint access giving access to applications isn’t completely new.
Today, most services are no longer on the endpoint. They’re mostly in the cloud or a network. So, let’s address cloud-based services:
The industry’s solution for cloud-based services is federated authentication: the identity service provider (IdP) takes care of authentication for all supporting applications and services.
The IdP handles authentication so the application doesn’t need to and users only have to go to the IdP. At WinMagic, we realized that, once the user has logged into the endpoint, they shouldn’t need to reauthenticate themselves. Therefore, we take a no-user-action approach to federated authentication.
Authenticating the Endpoint
We have an endpoint and a server. WinMagic has created a MagicEndpoint Center that coordinates between the endpoint and the server. The endpoint’s job is to verify the user, which the endpoint has been doing since it was first created. Now, because the endpoint has to prove its authenticity to the IdP, the endpoint will first tell the IdP why the endpoint is authentic by using the trusted platform module (TPM) and create a key that only the TPM has. Nobody else in the world has this TPM in the exact public key-based protocol. The endpoint can guarantee to the IdP that the endpoint is correct.
But, the endpoint isn’t enough. We want to make sure the user is verified too. So, the endpoint verifies the user, as it’s always done, to form an entirely new identity: “user + device.” The TPM creates a new key that doesn’t exist until the user logs in and is erased when the user logs out. So, this new “user + device” key is only on the endpoint and only when the user logs in.
With this private key, the endpoint can prove to the IdP that the IdP is dealing with the authentic user and the authentic endpoint at this point in time, based on the TPM trust. Even if the endpoint were attacked, it would take 100 years before a hacker could break one endpoint, making it unbreakably secure.
“It would take 100 years before a hacker could break one endpoint, making it unbreakably secure.”
Having this identity on the endpoint supports a consistent connection to the IdP whereby the connection is secured by the TPM. Every time the IdP wants to verify something, the TPM can actively sign the signature. No other authentication solution can achieve this because no other solution offers no-user action that allows the endpoint to continually verify the “user + device.”
This persistent connection allows the endpoint to continuously supply the IdP with the security posture of the endpoint and the user’s presence. If the user logs off and there’s a locked screen, the endpoint can alert the IdP of the change. Even more importantly, the endpoint even knows the user’s intent. If a user opens Office 365 or any services, the endpoint is the first to know and can supply the IdP with that intel too.
This intimate connection plus the “user + device” entity provides the IdP with event-driven updates. So, the IdP doesn’t have to continuously poll, as polling can slow down the system. The endpoint identifies when it’s secure, reporting anything affecting the security posture to the IdP so the IdP can react accordingly.
This persistent connection is unbreakably secure and alerts the IdP in real-time every time the user and device are proven to be authentic. With this intelligence, the IdP can verify the user and device for all applications without any user action.
Other Passwordless Solutions
Let’s compare these concepts with most authentication solutions available today. Normally, the endpoint will tell the exchange server, “I want to access this email service.” The external server will tell the IdP to verify the user. Most solutions use phone-based MFA to verify the user. So, after the IdP talks to the phone, the user takes out the phone and presses a confirmation or types in a one-time passcode (OTP). The IdP is satisfied with the user’s identity and tells the server that access is granted.
But, you see, normally the IdP doesn’t even know if the endpoint and phone are close to each other. What’s the relationship between the two?
Ultimately, the IdP doesn’t know much about the endpoint and doesn’t know much about the user either. So, hackers can send requests to service providers and fool the user into approving the request on their phone, giving the hacker access to the service in what we call a “PUSH attack.” Push attacks can be successful because the user is experiencing PUSH fatigue by the time the hacker attacks.
The WinMagic Difference
Our solution is different with our MagicEndpoint center.
Step 1: The endpoint tells the IdP the user has just started Outlook. Outlook will send a server request soon. The IdP can verify the user now and ask them to unlock the endpoint again, or another action, but normally the IdP will know the endpoint is correct. So, the IdP doesn’t have to do anything. There’s no user action needed and the IdP knows that the endpoint is authentic and intends to use Outlook.
So, the IdP grants the user access without any user action. If step one didn’t happen and the endpoint didn’t start Outlook, the IdP will know the user didn’t’ start Outlook and alert the system to an attack.
Event-Driven Zero Trust Over Polling
Zero-trust security calls for continuous verification of the user and device for each transaction and application. When you think about continuous verification, you think about polling. But, polling isn’t practical. By using event-driven verification instead, our IdP doesn’t just get continuous information, but verifies every action. If something suspicious occurs, the endpoint will know.
WinMagic implements zero-trust security without continuous polling and without user action. Users should use MFA on the phone, PIV card, token, biometrics, or so on, to access the endpoint. However, after the endpoint is unlocked, the incredibly reliable TPM and FIDO2 protocols allow users to access all services securely without user action.
Improving Authentication’s Three Best Ideas
While WinMagic didn’t invent all these great ideas, we did expand and innovate upon them:
FIDO authentication has been very prominent these days. It uses public-key cryptography, which beats everything known today for remote authentication — until now. We’ve further innovated upon FIDO foundations by creating the “user + device” entity, or passkey: not only the device and not only the user. So, it’s a user + device passkey that actively proves the authentic user and the authentic endpoint are accessing the service.
The point is that we don’t require another device — we use the endpoint. The endpoint has a TPM and a built-in crypto chip that are very well-suited for verifying the endpoint. We don’t use a shared key, we don’t share a passkey. For every user + device combination, you have a key. A device can support hundreds of users, so each one will have a different, unshared key. These keys aren’t available until the user logs in and disappear when the user logs out of the device, which supports multiple users per device with uncopyable keys.
The fact that the keys are non-copyable allows additional layers, including FIDO2 protocols with a signature counter, and so on, on top of public key cryptography. A solution that can be layered is also a solution that’s future-proof with a quantum-safe area. The TPM will be the first layer to be quantum-safe.
The next best idea that we’ve expanded on is the concept of zero-trust security. The entire world aspires to reach zero-trust architecture, but we’ve added our expertise to make it possible. Our no-user-action approach allows us to take an event-driven approach, allowing for continuous verification without burdening the user.
WinMagic has protected the endpoint for over 25 years. We trust the endpoint with disk encryption, integrity checks, and more so that no bad actor can manipulate the endpoints. More recently, we’ve achieved no-user-action authentication with our endpoint innovation, allowing us to implement event-driven continuous verification, rather than polling.
The best idea is about federated authentication, so we use it extensively. But, we see that federated authentication doesn’t support endpoint-focused action. So, if we can change the protocols to support endpoint-based processes, they’ll be very secure without much user action at all.
With all these incredible advancements, MagicEndpoint is the most secure solution. We apply FIDO2 protocols continuously without burdening the user, delivering the best user experience — what could be better than no user action?
Secure Passwordless Pre-Boot Authentication and Windows Login
WinMagic knows how to protect the endpoint. For 25 years, we’ve differentiated between the operating system (OS) login and pre-boot authentication because they’re very different. For the OS, Windows has owned the services for you: how to use a network, how to use a USB, how to use biometrics, and so on. At pre-boot, they’re not managed by Windows. So, that’s what WinMagic has been taking care of for 25 years. We support the most comprehensive selection of MFA for Windows login and pre-boot authentication.
But, more importantly, is secure no-user-action remote authentication. We deliver the device’s security posture signals to the IdP, including the user’s intent, so that your user can have the best experience anyone can give them.
WinMagic is devoted to supporting all your business needs. We aim to fully support phones and macOS by the end of 2023. Then, users can use their phones to log into the endpoint on any platform.
Bring-your-own-device (BYOD) setups will be easily supported in the future, but by nature might not achieve the level of security, and zero-trust framework, to protect more sensitive data and high-risk sectors. WinMagic engineering has combined a FIDO2 virtual token that can use the endpoint itself with software or the TPM and the phone over Bluetooth, satisfying customer needs for strong authentication by not sharing the key.
So, we believe MagicEndpoint is the most secure user authentication solution, especially when combining encryption and authentication.
For over two-and-a-half decades, WinMagic has been very security-focused. In the year 2000, we received a certification from NSA for secret data for the US Government. In 2002, we were the first company in the world to receive the common criteria certification. Later on, we were the first to receive AES certification from NIST. We have level 2 full disk encryption, various certifications, and innovations to make our encryption solutions easy to use and secure.
With all this expertise, we’re moving to spearhead the movement toward zero-trust strategies while delivering an incredible user experience — no user action required.
Making User Authentication More Secure
Going back to the US Government’s zero-trust strategy, WinMagic was happy to see the release of M-22-09. The principles are very forward-thinking and have the potential to change the entire industry, raising the bar for combating cyber attacks.
Two issues that are difficult to achieve include
- Phishing-resistant MFA because, let’s face it, probably less than 5% of the world, maybe even less than 2%, are using public key-based authentication today. So, how can you satisfy M-22-09 phishing-resistance protocols?
- Continual verification of the user and device is even more challenging. How can an authentication solution continually verify the user and device without burdening the user or slowing down the device?
Luckily, WinMagic has solved these roadblocks. We use two key factors:
- The endpoint that performs FIDO2 authentication with an unshared key
- The MFA the user used to log into the endpoint. For example, the user may have used a PIV card to log in and the factor will continue to count when they access online applications
For zero-trust security, the idea behind continuous verification is correct. In their document Shift Focus from MFA to Continuous Adaptive Trust, Gartner says, “trust in a claimed identity and access risk can change dynamically throughout a session, so credentials and signals must be continuously reevaluated post-login.”
We rely on the endpoint to continuously verify the user, sending security data to the IdP in event-driven updates. This way, we satisfy both MFA requirements and zero-trust “always verify” architecture.
Using the Endpoint
To recap, we believe in an advanced approach to cybersecurity where security starts with the endpoint. Everything you do starts with the endpoint. If you use the endpoint correctly, it can lift the user’s load. So, use the endpoint.
For the US Government’s zero-trust strategy, M-22-09 and EO 14028, we provide security for both endpoint and online access. For a quarter of a century, WinMagic has offered award-winning endpoint encryption for Windows and Linux, along with MFA for pre-boot and more. Now, with game-changing zero-trust principles, the most secure strategy you can implement is to use a phone via BLE, PIV card, or a combination for pre-boot and OS login. But, for online authentication, you can let the TPM handle the work because it’s performing FIDO2 authentication with unshared keys.
Often, for extra security, we can add an additional factor, such as the phone, whereby the server will talk to the phone through FIDO2 protocols too. So, a combination of layers, which are available for on-prem, SaaS, and air-gapped environments.
WinMagic Ahead of the Game
WinMagic has been working on endpoint-centric user authentication for three years now. Only last year did Google, Apple, and Microsoft announce their passkey where the user just needs to unlock the endpoint to authenticate to online applications. We propose taking the user experience a step further to no-user-action authentication to improve productivity and reduce MFA fatigue.
Discover how MagicEndpoint can advance user authentication in your organization today!