M AIR-GAPPED SECURITY

Passwordless MFA 
in Air-Gapped Networks

MagicEndpoint delivers passwordless multi-factor authentication for environments without Internet connectivity, phones, or cloud IdPs. It extends Zero Trust to isolated systems ensuring identity assurance from power-on to shutdown, with no user action after endpoint login.

Why CISOs deploy MagicEndpoint 
in Air-Gapped Networks

Offline MFA – No External Dependency

Operates entirely on-premises. No SaaS, no push notifications, no external authorization calls. All trust is established locally within the isolated network.

Strong Authentication Under Isolation

Supports TPM/PIN, PIV smartcards, or BLE tablet authenticators for hardware-rooted identity verification-without mobile devices.

Continuous Trust Across Sessions

Once the endpoint is logged in, all subsequent authentication to RDP, SSH, LDAP, or legacy apps happens automatically, maintaining Zero Trust without user prompts.

Unified Policy and Audit Control

Centralized management for policy, key rotation, and audit reporting all maintained within the air-gapped boundary to meet CMMC and FIPS compliance.

How It Works

1

On-Prem Identity Provider

MagicEndpoint IdP is deployed entirely inside the isolated network. No external connectivity is required for authentication or policy synchronization.

2

Hardware-Rooted Keys

Each user/device pair generates a unique key pair secured in TPM. The private key never leaves the device and cannot be duplicated, ensuring cryptographic assurance at the hardware level.

3

Silent Authentication Flow

After endpoint login, authentication flows silently to authorized resources using persistent trust signals and session-bound cryptographic validation.

4

Removable Media Control

Integrated encryption and access control for USB or external drives (FIPS 140 validated), with full policy enforcement and audit trail for compliance.

Why MagicEndpoint

TRADITIONAL LIMITATION
Requires Internet or SaaS connectivity
Requires smartphones or push-based MFA
Relies on passwords and repeated logins
No end-to-end Zero Trust inside isolated networks
Insider risks via removable media (USB)
Lacks compliance with CMMC / PIV standards
HOW MAGICENDPOINT RESOLVES IT
Operates fully on-prem within air-gapped environments
Uses TPM, PIV smartcard, or BLE tablet authenticator
After endpoint login, all authentication is automatic (NUA)
Persistent endpoint-trust channel with on-prem IdP
Integrated encryption and media control (FIPS 140-validated)
Full coverage of authentication and encryption controls

Compliance and Operational Drivers

Shield badge

CMMC Level 2
DoD Requirements

Addresses all authentication and encryption controls relevant to Controlled Unclassified Information (CUI) protection and continuous verification.

Shield badge

NIST SP 800-171 / 63B

Meets AAL3 standards for hardware-based authentication without Internet dependency; ensures policy-bound trust in isolated systems.

Shield badge

FIPS 140 Validation

Ensures cryptographic modules used for key management and removable media encryption meet federal certification requirements.

keyboard_arrow_up