WinMagic Challenges Identity-First Security: The Industry Has Been Verifying the Wrong Identity

As identity-first security continues to fail, WinMagic, a cybersecurity innovator known for pioneering full-disk encryption and secure endpoint authentication, calls for a structural shift in online security—toward simpler, stronger trust with no user friction.

Historic and current approaches to online security have focused on the user, but overlooked three essentials: verifying the identity that receives the data, securing at the moment that truly matters, and applying the strongest technologies to make the process both simple and secure. Recognizing these gaps could make cybersecurity dramatically simpler and safer, according to Thi Nguyen-Huu, founder and Chief Executive Officer of WinMagic, who says, “User-verification is the wrong identity.”

Here are four reasons why:

  1. There’s a logical flaw in the “verify one, deliver to another” equation.
    Today’s pattern verifies the user, then delivers data to the endpoint, which is the device you use to access online accounts. That misalignment makes clear that user-identity is the wrong one to verify. “Even verifying halfway toward the right identity—the endpoint—would prevent most attacks, because attackers rarely travel to steal endpoints,” highlights Nguyen-Huu.
  2. Patches don’t fix the flaw.
    Attempts to bind user authentication to the endpoint, through number matching, device prompts, and passkey to “unlock the device” flows, all add friction and rely on fragile user vigilance. The steps still revolve around user-first ceremonies, which is inadequate for online authentication.
  3. Technical common sense: online authentication is best done with cryptography.
    Cryptography delivers mathematical assurance — accuracy of one in zillions, resilience for centuries, even when under global attack. Users cannot do cryptography, and they don’t have to. Because better alternatives exist, the user is the wrong identity to verify.
  4. Real-world common sense: trust should be continuous, not a snapshot.
    While a single login is a snapshot in time, or a moment to secure, building a secure timeline from power-on to power-off creates a stronger, more durable shield. Humans can’t sustain constant prompts without fatigue. Trust should be maintained silently, constantly, and seamlessly.

If User Identity is the Wrong Identity, What is Right?

“The right identity is the user combined with a trusted endpoint,” Nguyen-Huu said. “This identity can be proven cryptographically and maintained over time via a persistent, trusted channel that gives real-time updates to the identity provider.”

Instead of granting trust in a single login moment, this model starts at the device (secure boot, encryption, OS login, integrity) and carries through from power-on to power-off. When systems recognize this identity, trust becomes silent, continuous, and structurally safer — all with no user action beyond endpoint login.

Delivering on the Zero Trust Principle

The widely adopted security framework of Zero Trust changed the conversation in cybersecurity with its principle to “never trust, always verify.” However, most implementations still rely on verifying the user through repeated prompts and multi-factor authentication (MFA) challenges. This vigilance creates fatigue, friction, risk, and fragile moments that attackers love to exploit.

The Right Identity matches Zero Trust in a way current models cannot. Here’s why:

  • It delivers “always verify” without exhausting users. Verification happens silently and continuously, anchored in the endpoint—not through human gestures.
  • It closes a gap Zero Trust never addressed. Today’s Zero Trust assumes identity is the trust anchor, but that identity is user-only, and attackers exploit it. Anchoring trust in the endpoint makes remote manipulation materially harder.
  • It enforces trust cryptographically, not procedurally. Instead of fragile ceremonies performed over the network, trust is proven mathematically and maintained from power-on to power-off.
  • It aligns with Zero Trust’s adaptive model. Keys exist only when policy conditions are met—secure boot, encryption, OS integrity—making trust dynamic and policy-driven.

“The Right Identity approach doesn’t just complement Zero Trust—it makes its promise practical. Silent, continuous verification replaces repeated challenges, delivering stronger security and a better user experience at the same time,” Nguyen-Huu said.

A Glimpse Ahead: Machine Identity and AI Agents

This security model isn’t just for people. The same principles of cryptographic proof and continuous trust extend naturally to machine identity, including AI agents and autonomous services.

Nguyen-Huu points out that, “With machine interactions scaling beyond human ones, the industry needs an identity foundation that works without human gestures.”
