Redefining Cybersecurity Governance: From Vulnerability Detection to Identity-Based Defense
1. Describe your service/platform/product and how it’s using passkeys, based on FIDO authentication.
DragonSoft is a leading provider of cybersecurity vulnerability management and compliance governance solutions in Taiwan. We have deeply integrated FIDO2 authentication into our core governance platforms and vulnerability scanning systems.
- Implementation: FIDO2-based strong authentication is mandated for accessing administrative backends, authorizing high-risk network-wide scans, and performing final compliance audits.
- Hardware Synergy: Through our partnership with Swissbit, we utilize passkeys stored on industrial-grade hardware security keys as a “physical vault” for privileged accounts. This ensures that critical governance tools remain under the exclusive control of authorized personnel.
2. What were the challenges you were trying to overcome?
As enterprises undergo digital transformation, DragonSoft identified several critical “trust gaps” in traditional security management:
- Security Tools as Attack Roadmaps: Vulnerability platforms contain the “blueprints” of an organization’s weaknesses. If these platforms are protected only by passwords, a single phished credential allows a hacker to navigate the entire corporate network.
- The “Trust Black Hole” in Outsourced Maintenance: Many organizations rely on third-party vendors for system maintenance. It has historically been difficult to verify whether a remote action is performed by a legitimate engineer or by a malicious actor using stolen credentials.
- Prohibitive Compliance Costs: Under regulations like NIS2, NIST 800-207, or local cybersecurity laws, manually proving “strong authentication” for audits is labor-intensive and prone to human error.
3. Why did you choose passkeys over other options?
DragonSoft selected passkeys to shift cybersecurity from “reactive detection” to “proactive identity defense”:
- Phishing-Resistant Privileged Access: Passkeys bound to a security key ensure that private keys never leave the hardware. Even if an admin’s password is leaked, the system remains inaccessible without the physical token.
- Hardware-Backed Non-Repudiation: In outsourcing scenarios, every command is cryptographically bound to a physical key. This provides irrefutable evidence of “who did what,” solving the legal and audit challenges of third-party management.
- Compliance-as-Code: Since FIDO is the gold standard for NIST 800-207 Zero Trust, our platform can automatically generate audit-ready reports, reducing compliance costs by over 50% for our clients.
4. Describe your rollout of passkeys and the impact this had on your organization.
DragonSoft has successfully deployed this integrated solution across government agencies, financial institutions, and high-tech manufacturing sectors:
- Market Expansion: By integrating passkeys, DragonSoft has expanded from the IT vulnerability market into Critical Infrastructure (OT/ICS), where offline authentication via hardware keys is essential.
- 100% Protection Against Credential Theft: We have effectively eliminated the risk of remote account takeover for our scanning platforms.
- Strategic Transformation: DragonSoft has evolved from a tool provider into a Policy Decision Point (PDP) within the enterprise Zero Trust architecture.
Conclusion
“DragonSoft’s vision is to ensure that cybersecurity governance is no longer just about finding problems, but about locking down every critical decision with a physical line of defense. Through FIDO, we don’t just protect the system; we define the benchmark of trust.”
Reference: 中華龍網 DragonSoft | Information Security Compliance Management and Security Application Integration Solutions
