Last updated: Aug 17, 2022



WinMagic Data Security Solutions, Protection Services and Software

The Challenge

Many organizations use phone-based MFA methods for their multi-factor authentication, but these authentication methods, including SMS, OTP and Push Notifications, fail to resist phishing. This phasing out of traditional MFA factors has raised the bar on security, making current phone-based passwordless authenticator Apps that use OTP or Push no longer acceptable, even ones that utilize public key cryptography. What does this mean? Phone-based authenticator apps like MS Authenticator, when configured to use OTP or Push (i.e. with just an “Approve” or “Deny” button) are no longer good enough. And considering the requirement for “continual verification,” even some phishing resistant methods today will be too much of a burden for users.

The Solution

WinMagic’s MagicEndpoint brings a new way of thinking to endpoint authentication. With MagicEndpoint, the device itself becomes the authenticator. MagicEndpoint utilizes public key cryptography and the Trusted Platform Module (TPM) that is found in all business class machines to perform all the remote authentications while supporting local PIN, biometrics, external tokens and mobile phones (as a token) for authentication to the endpoint. This new way of thinking distinguishes remote access from endpoint access so that there is MFA to access the endpoint and the endpoint verifies the user, continuously if needed; even the user’s intent supporting the Zero Trust “always verify” principle. MagicEndpoint not only satisfies the phishing resistance requirement that is causing the phasing out of the most popular out of band, phone-based solutions today, but it also offers the best user experience any application can wish for – no user action required.And with that, it in turn helps the future aspired Zero-Trust principle of continual verification without user’s burden. It’s our new way of thinking! It’s Innovation!

MagicEndpoint from WinMagic is the passwordless authentication solution that protects access by focusing on the endpoint, for the user. It requires no user action, and no phones or external tokens, so it’s seamless, secure and virtually invisible. MagicEndpoint and Okta work together to support a “No User Action” passwordless authentication environment. MagicEndpoint utilizes public key cryptography and the Trusted Platform Module (TPM) that is found in all business class machines to authenticate the endpoint for the user.

When users request access to their applications via Okta Single Sign On (SSO), Okta subsequently delegates authentication responsibilities to MagicEndpoint. Unlike other passwordless authentication solutions MagicEndpoint, using public key cryptography, actively verifies the user + device AND the user’s intent to access the service each time with no action required by the user. With this solution MagicEndpoint can alert Okta at the first access attempt from a cyberattack because it knows that the user and endpoint have not initiated a service request, thus the service request from the service provider sent to Okta is a fraudulent one.

The end result: -most, if not all, credential theft based cyberattacks today won’t be successful because the hacker would have to steal the endpoint and unlock it first. This continuous verification of user and device and intent supports the Zero Trust “always verify” principle.

And MagicEndpoint, being end point based, is well suited to collecting and providing endpoint security posture data for access control decisions in the future.

No User Action Passwordless SSO workflow diagram


Here is a section all about documentation, integration, and implementation.

Okta Verified
Okta Verified
The integration was either created by Okta or by Okta community users and then tested and verified by Okta.