As cyberattacks increasingly target identity systems, organizations are facing a paradox where rising security investments are not translating into stronger protection.
WinMagic has highlighted what it calls the “Wrong Identity Tax,” a growing issue where enterprises spend heavily on identity security yet continue to suffer breaches due to flawed identity models. The Wrong Identity Tax reflects the widening gap between cybersecurity investment and real-world outcomes, as identity remains the primary attack vector despite billions spent on protection technologies.
According to WinMagic, the core problem lies in how identity is defined and verified. Modern authentication methods, including multi-factor authentication and passkeys, have improved login security but still rely on a single moment of verification. This approach fails to account for the dynamic nature of identity, where user context, device integrity, and environmental conditions all play a role in determining trust.
Thi Nguyen-Huu, founder and Chief Executive Officer of WinMagic, said, “Passkeys improve how we log in, but they do not fix what identity actually is. The problem is not just what happens after login. The problem starts at login itself. If you verify the wrong identity at the beginning, everything that follows is built on that mistake.” He further emphasized, “Organizations are not paying for stronger security. They are paying a recurring penalty for securing the wrong identity. A cost of doing business implies you are paying for the right thing. Organizations are not. They are securing a password, a bearer token, or a session cookie instead of the real identity. Real identity is a live equation, actor, platform, and conditions, bound together at the source. The industry never built for that.”
The financial impact of this structural flaw is significant. In the United States, the average data breach now costs $10.22 million, more than double the global average of $4.44 million. Compromised credentials remain a leading entry point for attackers, contributing to prolonged detection times and widespread financial losses. Identity-related fraud has also resulted in billions of dollars in damages, extending the consequences beyond enterprise environments.
WinMagic argues that the industry has effectively split identity security into two separate domains: authentication at login and session management after access is granted. While both aim to verify identity, they operate independently, leading organizations to invest in overlapping solutions such as identity and access management systems, session monitoring tools, and breach response mechanisms. This layered approach increases complexity and cost without addressing the root issue.
The Wrong Identity Tax concept highlights how organizations are paying twice to solve the same problem. Authentication systems attempt to secure the initial login, while session controls attempt to maintain trust afterward. However, both rely on incomplete representations of identity, using credentials, tokens, and behavioral signals rather than establishing a continuous and verifiable identity.
To address this challenge, WinMagic proposes a model where identity is verified at the source and maintained continuously. Its approach combines user presence, device integrity, and policy conditions into a single cryptographic signal that persists throughout the interaction. Instead of granting access once and relying on session tokens, the system continuously validates trust and revokes access if conditions change.
This model leverages existing technologies such as Trusted Platform Modules and secure communication protocols to create a deterministic identity framework. By eliminating reliance on fragmented identity signals, organizations can reduce complexity while strengthening security.
Nguyen-Huu concluded, “The industry has spent decades layering controls and pouring budget into layers of cure to compensate for a definition error. When identity is established at the source and maintained continuously, security becomes simpler, stronger, and aligned with how the internet actually works.”
The Wrong Identity Tax underscores a critical turning point for cybersecurity strategy. As identity-driven attacks continue to rise, organizations may need to rethink foundational assumptions about authentication and access control to close the gap between investment and effective protection.
