
A look at the world’s first Continuous Trust Verification Protocol
Authenticating both human and device identities is arguably the greatest threat facing cybersecurity experts – and by extension, the organisations they work for – this decade. If an attacker is able to pose as a genuine user with access to your network and your data, the damage they can do to your organisation, and potentially to your clients and suppliers, is significant.
But there are challenges in today’s authentication landscape that render organisations vulnerable to breaches and attacks – challenges that Cavero Quantum aims to solve with our unique authentication protocol, Authentikey. In this blog, we’re exploring the current challenges with authentication, and introducing you to the world’s first Continuous Trust Verification Protocol, Authentikey.
Challenges with current authentication methods
Challenge 1: quantum attacks
Many authentication methods rely on public/private key pairs, notably forms of PKI such as TLS handshakes or SSH. As we’ve blogged about before, the algorithms used to generate those key pairs are vulnerable to attacks from quantum computers.
One option is to simply replace the key exchange algorithm with one that is quantum-safe – generally one using Post-Quantum Cryptography, or PQC. However, the other challenges with authentication mean that this might not be the best solution.
Challenge 2: secret management
Whether you rely on certificates, keys, passwords or physical tokens, managing those secrets is a major headache for any security team. That includes securely storing the secrets in a method that is secure against attack, as well as managing the lifecycle of each secret. Rotating digital certificates, asking users to change passwords, posting employees new tokens – all introduce complexity and the possibility for error, especially in larger organisations with thousands of human identities and likely many times more machine identities.
In a bid to simplify management, some organisations take risky shortcuts including hardcoding secrets into source code, or not rotating secrets properly. Which can exacerbate our next challenge…
Challenge 3: authentication decay
Authentication decay is a relatively new term that refers to how a method of authentication can become less reliable over time. Consider a root certificate, for instance, which can be in use for twenty – yes, TWENTY – years. If that certificate were to become compromised even halfway through its life, and the compromise wasn’t detected, that would be a DECADE of compromised authentications.
The same can be said if an organisation aims to simplify secret management by reusing secrets, or making them static. As time goes by, the risk that these secrets are compromised grows.
Consider this astonishing example: in 2024 it was revealed that Samsung’s cryptographic signing key had been leaked, meaning malicious actors could sign their malware as genuine Samsung software or Android apps. Despite this having potentially been a problem since 2016, Samsung still had not replaced those keys by 2024.
Challenge 4: the need for two-way authentication
Many authentication methods only validate one party (the prover) to the other (the verifier). In this system, the prover has no way to verify that they have connected with a genuine verifier, and not a fraudster. Think about when your bank calls you and then immediately asks you to prove who you are. How can you trust that it is actually your bank that has called you, and not a fraudster?
In an age where social engineering fraud is increasingly common, and where fraudsters are using AI bots to impersonate businesses, it’s vital that your organisation uses authentication protocols that don’t just validate your customers to you, but validate you to your customers as well.
Challenge 5: operating in constrained environments
As IoT devices, wearables, and embedded devices have grown in popularity, the number of machine identities in existence has ballooned: CyberArk reports that machine identities now outnumber human identities by more than 80 to 1.
But authentication methods such as digital signing often take up relatively large amounts of computer memory or computer resource, meaning that IoT devices may not have the necessary computational power to run these authentication methods.
The Solution: Authentikey
Authentikey is a solution that provides mutual endpoint authentication using a shared ledger of key exchanges. It is compatible with a wide range of trust anchors, but once that initial authentication has taken place, Authentikey handles all subsequent reauthentications without the need to refer back to the original trust anchor.
Here’s a closer look at how it works:
Step 0: Two parties establish their root of trust. This could be via PKI, tokens, or similar. This exchange is accompanied by a key exchange in Authentikey, producing Key 1.

Step 1: A new key, Key X, is exchanged.

Step 2: Alice encrypts a challenge and sends it to Bob. He needs Key X AND Key 1 to decrypt the challenge.

Step 3: Bob answers the challenge, adds his own challenge, encrypts it, and sends it to Alice. She also needs Key X AND Key 1 to decrypt the challenge.

Step 4: Alice answers the challenge and sends it back to Bob. With both challenges complete, Key X becomes Key 2 and is stored in their shared ledgers.
For the next key exchange, the challenge will require the new key AND key 2 to decrypt.
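To make the ledger ratchet concrete, here is an added toy simulation of Steps 0 to 4 above. It is example code written for this article, not Cavero Quantum's Authentikey implementation. It assumes that the fresh Key X has already been agreed by some key exchange (ML-KEM, Symmetrikey or ECDH in the blog; os.urandom stands in for that here), that "encrypt with Key X AND Key 1" can be modelled as deriving a session key from both inputs with HMAC, and it uses a deliberately simple HMAC-SHA256 keystream plus tag as the cipher so that it runs with only the Python standard library. The run_round function returns False, and leaves both ledgers untouched, when either side lacks Key X or holds a stale ledger; the demo shows three successful rounds, an impostor who knows Key X but never shared the root of trust, and a stale copy of Bob.

```python
"""Toy model of Authentikey-style ledger ratcheting (constructed illustration,
not Cavero Quantum's code). Session key = f(fresh Key X, latest ledger entry)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def derive_session_key(fresh_key: bytes, ledger_key: bytes) -> bytes:
    # Both inputs are required: a party missing either one derives a different key.
    return hmac.new(ledger_key, b"session|" + fresh_key, hashlib.sha256).digest()


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC; plaintext is at most 32 bytes in this example.
    stream = hmac.new(key, b"stream|" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampering: fail closed, reveal nothing
    stream = hmac.new(key, b"stream|" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class Party:
    def __init__(self, name: str, root_key: bytes):
        self.name = name
        self.ledger = [root_key]  # Step 0: Key 1, agreed alongside the trust anchor

    def latest(self) -> bytes:
        return self.ledger[-1]


def run_round(alice: Party, bob: Party, fresh_key: bytes) -> bool:
    """Steps 1-4: mutual challenge/response under Key X AND the latest ledger key.
    Returns True only if both challenges verify; only then is Key X appended."""
    k_a = derive_session_key(fresh_key, alice.latest())
    k_b = derive_session_key(fresh_key, bob.latest())
    # Step 2: Alice -> Bob
    chal_a = os.urandom(16)
    got_a = decrypt(k_b, encrypt(k_a, os.urandom(NONCE_LEN), chal_a))
    if got_a is None:
        return False  # Bob lacks Key X or his ledger has drifted from Alice's
    # Step 3: Bob answers and appends his own challenge
    chal_b = os.urandom(16)
    reply = decrypt(k_a, encrypt(k_b, os.urandom(NONCE_LEN), got_a + chal_b))
    if reply is None or reply[:16] != chal_a:
        return False  # Bob did not prove knowledge of both keys
    # Step 4: Alice answers Bob's challenge
    answer = decrypt(k_b, encrypt(k_a, os.urandom(NONCE_LEN), reply[16:]))
    if answer != chal_b:
        return False
    alice.ledger.append(fresh_key)  # Key X becomes the next ledger entry
    bob.ledger.append(fresh_key)
    return True


def demo() -> dict:
    root = os.urandom(32)  # constructed Key 1 shared at Step 0
    alice, bob = Party("Alice", root), Party("Bob", root)
    rounds = [run_round(alice, bob, os.urandom(32)) for _ in range(3)]
    # Impostor who captured Key X but never shared the root of trust.
    mallory = Party("Mallory", os.urandom(32))
    impostor = run_round(alice, mallory, os.urandom(32))
    # Stale clone of Bob that missed the later ledger updates.
    stale_bob = Party("Bob-stale", root)
    stale_bob.ledger = bob.ledger[:2]
    stale = run_round(alice, stale_bob, os.urandom(32))
    return {
        "rounds": rounds,
        "impostor": impostor,
        "stale": stale,
        "ledger_len": len(alice.ledger),
        "ledgers_match": alice.ledger == bob.ledger,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes visible: the ledger only advances after both challenges succeed, so a failed round cannot desynchronise the two endpoints, and an endpoint whose ledger has fallen behind is rejected rather than silently re-trusted, which is what the blog later calls protection against authentication decay.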

Let’s now look at how Authentikey overcomes each of the challenges we’ve described with existing Authentication systems:
Authentikey is quantum-safe
The keys used in Authentikey are generated with PQC algorithms, which renders them quantum-safe. You can choose between ML-KEM, the NIST-approved PQC key exchange algorithm, or our unique Symmetrikey algorithm. Symmetrikey uses a similar algorithm to ML-KEM, but has been demonstrated to run twice as fast and can operate in constrained environments where ML-KEM is too bulky to work.
Authentikey can also be used with ECDH keys if quantum security is not a priority – though this obviously makes that particular implementation vulnerable to quantum attack. However, you can switch between different keys in Authentikey effortlessly, making it easy to migrate from ECDH to quantum-safe key exchange when you’re ready – otherwise known as crypto agility.
Authentikey simplifies secret management
Once the initial authentication using the trust anchor has been completed, the trust anchor itself doesn’t ever have to be used again to authenticate two endpoints with each other. This removes the need to store those secrets for a long time – or even at all – simplifying secret management.
Although the shared ledger between each endpoint is a secret that still requires secure storage, management is much simpler. Because Authentikey adds a new secret to the shared ledger with every interaction, Authentikey is in many ways a self-rotating secret. As long as the ledger is kept secure (as with any authentication protocol), there’s no need to manage its lifecycle.
Authentikey protects against authentication decay
Because the secret in Authentikey is constantly updated, and you don’t need to refer back to the initial trust anchors each time, Authentikey is essentially proofed against authentication decay. For this reason, Authentikey is a great complement to Continuous Authentication models that use biometrics to validate a human identity, providing an additional layer that validates the underlying machine identity.
The mechanism of the shared key ledger is one of the reasons Authentikey is the world’s first Continuous Trust Verification Protocol – but we’ll cover that term later.
Authentikey provides mutual authentication
As we’ve already outlined, in the Authentikey protocol each party authenticates the other. This puts it on a par with existing systems like Mutual TLS handshakes – but without the bulky certificates to transmit and manage.
Authentikey also allows you to build up trust between parties, rather than having a simple trust/no trust state. This is vital for anyone looking to implement Continuous Adaptive Trust architectures, where Authentikey can be a valuable part of the dynamic evaluation of how trusted a particular identity should be.
Authentikey works in constrained environments
While testing and benchmarking of Authentikey are still ongoing, it’s highly likely that Authentikey offers optimal performance in constrained environments compared to using certificate-based authentication. Symmetrikey has been proven to run on resource-light devices such as SIM cards, setting Authentikey up as the authentication tool of choice for IoT and embedded devices.
The world’s first Continuous Trust Verification Protocol
We are calling Authentikey the world’s first Continuous Trust Verification Protocol because there aren’t any other tools out there that continuously verify the state of trust between two endpoints.
It’s distinct from Continuous Authentication, which is primarily concerned with monitoring biometric data to verify a human identity. It’s also different from Continuous Adaptive Trust – CAT is an architecture approach, while a Continuous Trust Verification Protocol is a method of authentication that supports CAT. It also supports zero trust architecture because it challenges both parties each time they attempt communication, even if an existing shared secret exists.
Who benefits from Authentikey?
Any authentication workflow is a multi-layered process, combining a range of tools to provide the best balance of security and user experience. Any system stands to benefit by adding Authentikey as a strong yet lightweight layer, and we are actively looking for technical solutions partners interested in enhancing their authentication or replacing outdated authentication methods.
In particular, we believe one of the most exciting use cases for Authentikey is in helping to secure machine identities, especially in the IoT and Agentic AI spaces. We know that the telecoms industry is investigating these areas – but Agentic AI has value across a broad range of industries, as does IoT.
Beta test Authentikey
Cavero Quantum is looking for partners interested in Authentikey to help us refine the product and ensure it meets the needs of security-conscious organisations everywhere. We pride ourselves on making quantum-safe authentication accessible to any size of organisation, and to demystifying this technology in a world that’s often full of jargon and high science.
Authentikey is available in beta now – just fill in the form at the bottom of this blog to register your interest.
