
#108 - About Passwordless with Kurt Johnson

Aug 30, 2021 | 1 hr 1 min | Ep. 108

Episode description

Jim and Jeff talk with Kurt Johnson, Vice President of Strategy & Business Development at Beyond Identity, about the ongoing maturity of authentication and getting to passwordless.

Connect with Kurt on LinkedIn: https://www.linkedin.com/in/kurt-johnson-3aaaa5/

Learn more about Beyond Identity: https://www.beyondidentity.com/

Average Cost to Buy Access to a Compromised Company - $1,000: https://www.darkreading.com/threat-intelligence/average-cost-to-buy-access-to-a-compromised-company-1-000

Connect with Jim and Jeff on LinkedIn here:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show at www.IdentityAtTheCenter.com and follow @IDACPodcast on Twitter.

Have a question for Jim and Jeff? Ask us here: https://anchor.fm/identity-at-the-center/message

Transcript

You're listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? I'm good, man. I've been giving thought to podcasts. I listen to a lot of podcasts outside of recording this podcast with you.

And I'm wondering, what is your favorite podcast? Other than Identity at the Center, of course. I'll be honest, I don't listen to a lot of podcasts, and I barely listen to this show because, one, I record it, right? So I'm here, I'm present for the conversation, I know what happened, and then I edit it, which means I'm usually listening to the show like three to four times.

So when I do listen to a podcast, and it's the only couple that I listen to right now with any type of regularity, it would be Conan O'Brien Needs a Friend, and it's usually something around, you know, comedy and him talking to folks and, you know, just being Conan O'Brien himself. And then the other one that I like is, I'm a big fan of Anthony Jeselnik.

So Anthony Jeselnik and Gregg Rosenthal have a comedy podcast, slash whatever you call it, called The Jeselnik and Rosenthal Vanity Project, JRVP. So I listen to that, you know, with some regularity, at least every couple of weeks or so. What do you listen to? Well, I'm a big fan of the Risky Business podcast with Patrick Gray. I think, you know, if you're a nerd in this space, you've got to tune into that.

That comes out every Tuesday, that's a fantastic one, where they pretty much talk about the infosec headlines, mostly about companies that have gotten ransomware recently. And then, of course, I'm a huge baseball nut. So I listen to the Baseball America podcast, I listen to one called 30 with Murti, Murti being a Yankees

broadcaster. There's some other identity and access management and Azure podcasts I like to listen to, like the Hybrid Identity Protection podcast. Shoot, there's a few others, there's one that was put out by the CISO over at Microsoft called Security Unlocked. And then there are a bunch that are put out by NPR, which are really radio shows that have become podcasts as well, like This American Life, Freakonomics, Hidden Brain. So those are just... I would add Marketplace.

Of course, I don't listen to all of them every week, but that's kind of my listening list. That's a pretty healthy list. I mean, for someone who doesn't listen to podcasts, you just named off like 700 different shows. Yeah, well, I'm hoping that somebody can find a nugget there, but I definitely recommend the Risky Business podcast, and anybody who's listening to us on a regular basis also should be tuning into that. Right on.

So why don't we change this podcast over to maybe talking some identity? I think, you know, as we're kind of talking with our guest that we'll introduce here in a second, we were kind of looking at ideas on where do we take this episode, and we settled on the past, present and future of strong authentication, which I think is an amazing title.

If we do say so ourselves. And the person who helped us come up with that title, his name is Kurt Johnson, he's the Vice President of Strategy and Business Development at Beyond Identity, and want to welcome you to the show, Kurt. Thank you very much. Nice to be here. Jeff, Jim, great to see you. Yeah, thanks so much for joining. So the company that you work for, Beyond Identity, beyondidentity.com, it really plays in the strong auth game.

So I'm really excited that you're here to kind of help us understand, you know, what is strong auth, what does it mean? And maybe helping us understand what are the differences, maybe even the space, because I think there are some things to kind of consider around that. But as this is the first time on our show, we like to find out our guest origin stories when it

comes to identity and infosec. So maybe you can kind of recap, you know, your career from our perspective, at the identity level. How did you get into the identity space? Is it something that you chose, or did it choose you? Oh, it definitely chose me. It was a bit of an accident and a bit of an evolution at the same time, because I started in identity before we were even calling it

identity management. I actually spent years as an industry analyst. I was working with a company called Meta Group, that's now part of Gartner, and one of the areas that I was covering was the whole IT service management and help desk. And so I was getting calls from clients all the time around, what could we be doing to reduce the number one call to my help desk? Which was password resets. And this company Courion was on my radar as an early-stage startup who was doing

self-service password reset. So I was digging into them to see if this was real, and really became focused on the whole self-service initiatives. And how do you reduce the burden and pain for these poor help desk agents and people? And as I was kind of getting deeper in this and watching Courion kind of just launch itself from its early beginnings, it kind of hit me as well that if I kept being an analyst, I probably would be one the rest of my life.

And I was kind of tired of being the Roger Ebert. I wanted to be a Steven Spielberg, get my hands dirty on building. So I actually joined Courion right when they were about 12 people. And as we started to evolve from password resets and talking to help desk people about this great tool that could reduce their calls, as we were getting deeper into the sales cycle, the security people and CISOs in particular were going, you're doing what with

passwords? So, tell me a little bit more about this, because nobody's touching that. So, as we realized, we had to shift our sales strategy to really appeal to the security side, and show this as a better way of doing it than kind of people, right, and sticky notes, and all of that. And we were looking at automating other tasks and doing this, hitting the joiners, movers, leavers. So built one of the first

provisioning systems. So we were doing all of this provisioning and identity governance and administration before we were calling it that. And then finally we started to see identity management emerge, and that's where we really started branding around the term identity management. When the regulations and governance came along around who had access to what, we had this great system that was setting them up, modifying them and turning them off, that we now had a basis of a

governance solution before we were calling it, you know, identity governance and administration. So I spent 15-plus years at Courion watching it from its early stages. We ended up selling it to a PE company, was involved in some tuck-in acquisitions and actually merging it with Core Security, which was time for me to leave after that amount of time.

And I actually went over to a fintech company, early stage, five-person company doing electronic payments, and we were doing great efficiencies and reducing cost and pain. But I realized I really missed security. I missed dealing with companies that were solving real problems, that, you know, they were coming under attack, and how to help their

businesses keep going. So after we sold this fintech company after a couple years, I immediately went right back into security and joined an email security company focused on cloud email security and anti-phishing. But I realized I was missing the identity side of the house as well. And it was great to be back to security, but I always kept my eyes open on what was going on with the identity world.

And I think it was Ian Glazer that said it to me one time, he said, you know, identity's like the mafia, you can leave, but you really can't. You think you're out, but it brings you right back. And I got this call about this company in stealth mode that was looking to do some really interesting things around eliminating passwords, and I had to listen, and it was pre-revenue.

So to be part of a stealth company sounded incredibly intriguing. The co-founders are Jim Clark and TJ Jermoluk, and Jim and TJ just have this incredible history of starting companies and building them into absolute names, like Silicon Graphics and Netscape and @Home Network and WebMD, and to be part of working alongside them to start this company, and then frankly to get back into identity, really kind of drew me in. So I came back in around January

of 2020 and, you know, I'm back. So I feel like somewhere out there, there's like this identity boogeyman, and they like left the identity horse head in your bed. So when you thought you were out, all of a sudden you wake up and, oh, now I'm back in, I'm back into security, never mind. And this is how we know each other.

So we actually go back, you know, this makes me feel old, like 15 years or so, because I was actually a customer of Courion at one point, and, you know, I'm absolutely one of those people who was like, all right, we're having trouble with passwords, right? And this is like the early 2000s, and Courion was one of the companies we reached out to and ended up kind of, you know, going with them and helping us with a variety of different things. So we kind of go back from that perspective.

So it's always fascinating to kind of think about where you might be, you know, decades later, and the relationships that get made. And, you know, this is why I think you never burn bridges, right? And you try to put yourself into a professional mode, because you never know what's going to happen.

And especially, I feel like in the identity space it's such a tight-knit group, where, you know, we see a lot of people who move from organization to organization, but, you know, it's always ever-expanding, but there's a lot of familiar faces that you'll see over time, you know, the longer you stick in the business. So always great to see folks from Courion, or I should say the band formerly known as Courion. So we still have it today.

I was at Identiverse a few weeks back and it was like old home week, you know, just seeing all these old faces, different companies perhaps. But yeah, it really is. And it's been interesting to watch, too, as identity has really become far more prevalent in security. In the early days, it was kind of like you felt like the outsider, but now it's like we're sitting at the cool kids' table in the cafeteria. Yes, darn straight, I love it.

So I've been hearing that the password's been dead for four years now. I think like Bill Gates said like a decade ago it was dead, and we keep hearing every year that it's dead. And I think that's really kind of where we're heading now, right? Is this really... it's not dead. It's really the strong authentication play. So when we talk about the past, present and future of authentication, it probably makes sense to kind of start with the past and understanding, you know,

where have we been? And we all know passwords suck. Where are we now, and then what's next? Right, maybe you can kind of take us through that journey a little bit here to kind of level set the conversation for folks who are listening. Yeah, it's amazing to think it was kind of in the early 1960s that passwords were first introduced at MIT, working within kind of these data center environments, and they served a purpose to enable more controls

and security around access. But then when we hit the 1980s, and as I said, our co-founders, Jim Clark and TJ Jermoluk, you know, Jim was the founder of Netscape, and TJ the CEO and founder of @Home Network, which was the first broadband provider to the home, and the two of them played a large part in making the internet accessible to, like, everybody, and passwords just exponentially grew and proliferated to the hundreds of

thousands, even millions. So by the time the 90s came along, that's where the focus was all on, well, we have to make them harder and longer and higher entropy, you know, rotate them more frequently and expire, because as more passwords came, more password theft came. So, yeah, you really look at passwords and you talk about how much they suck, and they suck for just about everybody except for

the attackers, right? Because you don't have to break in anymore, you can just log in, with password reuse and misuse and getting stolen left and right. I mean, we've really just created this environment where the vulnerability and risk is greater than ever before. And so then we've kind of moved into the Band-Aids. So we created password managers, so you could at least have one place to go and let them recycle and move your passwords. But how did you access the password manager?

Well, with a username and password. So now the compromise could open the door to even more attacks. So along came our good friends, multi-factor authentication and two-factor authentication, where the idea was that this plurality of security measures could hopefully increase the overall security, but really what we saw was a significant increase in friction for the end user, waiting for a code or needing a

second device. On my phone, I had a folder prior to Beyond Identity with a bunch of multi-factor authentication applications. So where do I use Authy? Where do I use Microsoft Authenticator? A few Salesforce Authenticator over here. So, you know, it's no doubt we've seen the adoption of MFA be so low. I think 451, the research company, says around 50 percent adoption. IDC told us it was closer to 30% in their eyes, which is significantly

less than any other security functionality, like firewalls or intrusion detection or even endpoint, which is hitting 90% plus. And why is that? I mean, the friction and experience for end users, as I said, is painful, and they're also complex and expensive to deploy. So even where you see them deployed, it's often just for a subset of users or capabilities, you know, maybe just for remote access,

maybe just for privileged. So I think as we've created this environment where we're putting more and more of these multi-factors, it's kind of where we are today. This world of whack-a-mole has to stop, where the overwhelming majority of attacks are still based on stolen and misused credentials. The World Economic Forum says over 80%, and Verizon is over 60%, but name your number.

It's a lot, right? And as I said, attackers don't need to break in, they just log in, and this critical vulnerability of this credential is being used. As a matter of fact, valid credential misuse is the source of these attacks. So it is real passwords that are getting stolen and misused and guessed, and, you know, it can't continue. You know, the reality is we're as vulnerable as we've ever been

before. So with traditional MFA, you know, the password's still there, it still exists as part of that equation, and we created this Band-Aid to deal with what's become an open wound in organizations. And, you know, maybe you don't use the password, you're using a magic link or something else or an SMS, but now these are coming under attack. So are they more secure? Sure, but does it really slam the door on credential attacks?

Not really. And as a matter of fact, it's opened the door to other kinds of attacks. So, you know, we have moved to SMS, and then all of a sudden SIM card swapping took place. We have email links, but email gets compromised. We had the attackers doing these push attacks, where if you hit the organization with enough notifications and pushes with an OTP, somebody's going to click, yes, that's me. So we've done all this and created greater user friction than ever before.

Clearly we know we have to change, right? And so that's why, I think, where we are today, we're seeing the rise in early passwordless initiatives, you know? There's the FIDO Alliance. There's a lot of things that are trying to bypass the password, and I think we all have to agree the password has to go, which is creating a rise in these new approaches. But at the same time, really, are we eliminating passwords, or are we just kind of making them, you know, less part

of the equation? So today, you know, you start to hear more... you know, we've been talking about identity is the new perimeter for a while now. Can't really call it the new perimeter anymore, because we've been talking about it enough that that statement's even become commonplace too. But if you think about it, I believe that even the notion of

a perimeter is wrong. It's the idea that things inside we trust, while those outside we do not. And authentication, I heard this used, I think by 451 Research as well, that authentication is like a bouncer at a nightclub, but once you get past the door, you could do whatever you want inside the club. So it really is forming to, you know, that's where we are. Where do we need to get to? And that really leads to what's next. And what does this ideal solution

look like, which was really behind the beginnings of our company? You know, when we started to look to form Beyond Identity, we looked out in this environment and all the pain and the friction for end users, but also the vulnerability for organizations.

And when we looked at what does modern authentication look like, we knew it had to eliminate passwords, we knew you have to positively validate the users and the devices they're on, you need to make it easy for users to gain access and not create friction in that process, while at the same time reducing IT and support costs. And that kind of leads to kind of the beginnings and the thoughts around things like zero trust, and really kind of where we are.

You know, bottom line, regardless of who you are, where you are, what device you're on, what you're doing, you should be going through an identity system to authenticate and authorize what you're doing. But I think it needs to move more to like a toll booth rather than a toll bridge, which is where we are today. Push everyone through a VPN, check the traffic, check the devices. It's not wrong, but

it's very hard, very expensive. And you don't have to do that to really get a good understanding of who the person is and the device they're on and what they're trying to do, to create stronger authentication. So we need to move to an environment without passwords, making it easier. And the big part is that it's not a one-and-done, it needs to be

continuous. You can't just look once and let that person in, but you need to be kind of looking at what's going on on a continuous basis, with the ability to take action and deny that authentication. So, you know, we talked a lot about, you know, where we're going, and, you know, the bottom line is, you can't have zero trust if you still have the password, and if you do, you're already starting with a fail. Yeah. I think that the password's an

obvious weakness, right? I mean, we used to call it a cottage industry to get these credentials and sell them on the dark web. I was reading an article prior to starting this recording, it's the headline article in Dark Reading: the average cost to buy access to a compromised company, $1,000. So that's not even a cottage industry, right? That's a thrift store. That's Walmart, you know, or a blue light special for going out and getting access. And included in that is, a thousand dollars

gets you credentials to a VPN or to RDP. So if you're not at least using multi-factor, we've said this a million times on the show, you absolutely need to be using multi-factor. But, you know, to kind of play on what Kurt was talking about is, you know, with that zero trust methodology or mindset, it's, you know, everything's happy cover.

If you can, you can't just think about it from your external points of entry. But, you know, Kurt, I think you gave a really good overview about the past, present, future. I think the future is zero trust. Zero trust is also right now. But, you know, I think, look, if you're listening to this show, you probably already are like, okay guys, yes, you've beat this into us, we know the password sucks,

right? It's not a strong enough control in this day and age, and I think everybody would say, if I could flip a switch and get rid of the password, I would do it. But it's hard, right? Or maybe you're going to tell me it's not hard, but I'm thinking, okay, I've got an enterprise. I've got hundreds of systems, I've got different entry points, I've got some new technology, I've got some legacy, I've got cloud applications. Do I need to be passwordless, or

do I need less passwords? Yes, it's a great question, and I think it's, I saw a survey that said that the average business user has 191 passwords. And I was challenging that on a road show we were doing with a CISO event, and all of them started talking up, going, oh yeah, I looked at my password manager and I've got 300, or I've got 290. And I think some estimates are 300 billion passwords.

So passwords have truly... I mean, this day and age, kind of launching a company during a pandemic, which wasn't really part of our original playbook, but it put a lot of things in perspective. But I think the rough analogy is that passwords are a virus. You know, they have spread like crazy, and with 300 billion of them out there, you can't just wipe them out overnight, but at the same time we need to, you know,

we need the herd immunity. We need people to be taking the steps, the approaches on what you can really do. And I think that's where the term passwordless comes in, and the industry has a number of different kind of players approaching this, and we really are trying to distinguish between passwordless as one word versus two words, or password-dash-less. And that passwordless isn't just avoiding the use of a password.

You know, the term is meaning a broad set of things, but we're not trying to just eliminate it from the end user side. I mean, the whole definition of a password is part of shared secrets, right? And shared secrets, there's that one person and the other side know it. So if the individual knows it and it matches what's sitting in the database of a system or a directory, then we will bless that. But that gives you the opportunity of attacking either side.

So if you just kind of eliminate it from the end user, it still exists over there. It's still something that can be stolen. They can get at it. They can use it for another account where it's being reused. And even if you make a more difficult password, that will be entered in a phishing attack as well. So I think it's important, when we're talking about this, that the opportunity and the capability to truly eliminate the password does exist, but you really want to look at what are

you replacing it with? And if you can look inside the architecture and see if a password still exists anywhere, could you really, you know, is that still a vulnerability, or did you replace it with something such as asymmetric cryptography or public keys and binding them to the device and carrying that with your identity? I think this was our thinking behind starting Beyond Identity in the first place.

It's about eliminating the password, but binding that device and identity, leveraging existing proven technology around asymmetric cryptography and digital certificates, but doing so in a way that you can make this government-level security available for the masses and make it easy to deploy, which has not traditionally been the experience of many who dealt with PKI or digital certificates. But that capability does exist. We need to really look at how we can apply that. Part of

it was, when we even launched our solution, we give the passwordless authenticator away for free, because that's just a piece of the equation. Let's do our best that we can actually help eliminate the passwords out there and really eliminate them from the system. But with 300 billion of them out there, we know that's going to be a pretty big task, could take

some time. So I think there's a lot of different kind of definitions around passwordless, and especially when it comes to kind of the different vendors that are out there, right? So you're one of several, at least that I know of, and I'm sure there are others that I don't know of, when it comes to strong authentication and trying to remove the password. Is there a common approach that vendors in this space kind of look at, as far as, okay,

is it really eliminating the password, or is it obfuscating the password somewhere behind some sort of hidden layer, that it still exists but maybe you're just not, you know, not aware that it's there? How, I guess, from an industry perspective, how are passwordless companies coming at it? Because then I think what I'd like to talk about next would be, okay, so, you know, why are you special, right? What's the difference in the way that you guys are approaching

it? Yeah, I think it's part of the concern. I mean, obviously, because passwords are so horrendous, the idea of passwordless is a catchy phrase. I hate to say buzzword, but that's truly kind of what it's becoming, and I think it makes it challenging for those looking at potential solutions to really distinguish between them, because there is a lot that an organization has to do to really understand their goals

and initiatives, but also what the capabilities are, because there are a bunch of passwordless technologies which I would just say are ways of bypassing them and using something instead of a password, but that password absolutely still exists. And, you know, magic links, SMS, all of those are ways of kind of avoiding a password. I look at my banking application that I use on my iPhone. I use Face ID to get into it, but there's still a password; it's really the password

even taking place in the authentication sequence that's starting with Face ID. So that's where I was saying before, we really have to look at just making it less visible or less used by the end user versus absolutely eliminating it altogether. And part of even the naming of our company, Beyond Identity, was like, it has to go beyond just the passwordless angle, because a lot of it is just to bypass it from the user

experience. As far as saying, you really have to look into the architecture, and can we truly eliminate it? And that's been our goal, is that we really want to eliminate the passwords and all the risks and vulnerabilities that go with that, but doing so in a way that makes it a true secure authentication

capability, and make that government-level security available to the masses. And that was, when we were kind of looking at the market, you know, when we first went out there, we had a lot of debate to not even call ourselves passwordless, because we didn't want to be just lumped in with a bunch of kind of convenience technologies for end users. Yes, eliminating friction for the end user and improving

the experience was absolutely paramount to what we were trying to do, but the purpose and the goal was really to create a security solution and really bring that to the realm of identity, not just to kind of change it in the sequence for the end users. So I really think you have to take a look at that from an architectural standpoint. Are we really eliminating them, or are we just kind of not making

the end user use them as often? So I think it's really interesting, because, you know, I see a lot of these technologies kind of, you know, come across, or at least my view of it, and, you know, asking us to look at it and provide thoughts, etc. And that's one of the first questions I usually ask is, okay, so where's the password, right? Because usually there is still a password somewhere.

So if I'm listening and hearing what you're saying, it's you're actually eliminating the password, there is no password in play, which immediately piques my interest. So I guess help me understand. You know, we definitely, you know, try not to do commercials for any specific product, but I think this is an important distinction here, where I'd like to understand the approach that you guys take from a product perspective when it comes to Beyond Identity.

And going truly passwordless, how do you do that? Yeah. So really what we did was we took a look out there and really looked at how could we take battle-tested, proven technology and extend that down to the end user and their device and extend the authentication experience. So coming back from, you know, our founders, with Jim, when he founded Netscape, that was the first creation of SSL, you know, the little lock in the browser. Taher Elgamal, who's the father of SSL,

sits on our advisory board. He had been working with Jim back in that day, as is Marty Hellman of Diffie-Hellman fame. And when you really look at these core technologies that are in place, over the last couple decades they really haven't changed that much. SSL is now TLS encryption, but still using X.509 certificates, and that is how, I mean, that's what secures trillions of dollars of transactions

every day on the web. That kind of, in the old way, we have the user have a password to access these machines, but the machines use certificates to interact with each other. Technically, private keys verified through certificates to validate that when you made a purchase on Amazon with PayPal, that it was really PayPal on the other end that Amazon was

communicating with. And so we looked at taking that technology and really just extending that down to pull the end user and their device into that chain of trust. And what we recognized was that, you know, kind of back in the old days, it was kind of a big ask for anybody to want to be a certificate authority for every end user out there, and frankly there was no place or nothing to do with a private

key. But come today, where you now have these devices that have the TPMs and secure enclaves, which provide a perfect and secure way of housing that private key, and we've created this notion of a personal certificate authority, where every end user could be their own CA without knowing what a CA is or even does.

And so we're not reinventing any cryptographic protocols or algorithms, we're using these time-tested, proven capabilities to pull that end user and the device into the equation. And the process is that the end user gets the Beyond Identity authenticator on their device. They register that initial profile, and basically what you've done is created a certificate chain where the identity is the root of that chain and the devices are just different things on that.

So what that does is allow the end user to extend that chain with various devices, and no one device is dependent on the other. So unlike traditional PKI, where you remove one node and all the children go along with it, this allows you to prune that tree and extend that chain. You lose one phone, you can use any other device to extend that and create an extension of the certificate chain on a new device without calling help desks or

administrators. And so being on that device offers a lot of interesting aspects. You know, we can actually interact with that device to assess the trust of the device at the point of logon, and by being on the device, it can speak to the security of the device itself when that end user is logging on. You know, by anchoring the key in the hardware, you eliminate the mobility of that key as a credential. It can't leave the device. It can't be ported from that device.

We disrupt that movement, disrupting valid credential misuse, by housing it in that secure TPM. But recognizing one of the benefits of passwords was the portability, that they can be used from any device, and still have that happen, we brought all of that down to the Beyond Identity solution. So leveraging standards like X.509 and TLS, creating a notion of a personal certificate authority, making it easy for the device itself to authenticate.

And thus the analogy is, it's like airport security. You have to show an ID, so we know it's really Jeff or it's really Jim. We then still have to go through the metal detectors. Do the same thing with authentication: make sure it's you, make sure it's your device, but make sure that device is trustworthy at the point of authentication. So Kurt, conceptually, some of that PKI stuff quite frankly goes a little bit over my head.

So this is definitely a very technical conversation, right? But at a conceptual level, you mentioned the binding of a device. So how does the binding of a device to a human improve or strengthen that authentication experience? Yeah. When you really look at it, the device itself, as opposed to just being familiar, like, oh, I've seen Kurt use this device before, or it's part of a database, the strength of actually binding an identity and a device together, in my opinion, kind of becomes a

building block of zero trust. You know, you verify the identity, you actually bind it to the device that it's trying to access, and then that can be transmitted and carried with you throughout the journey of the transactions. If you look at most attacks today, they're really hitting on those two factors, right? They're either trying to compromise the identity and pretend they are somebody they are not, really through stolen passwords or even other attacks on MFA, or

they're going after the device itself, whether that could be malware or, you know, laying ransomware down through that. So most zero trust initiatives that we've seen started today are kind of looking at the various components as single-threaded indicators of risk. You know, is this Kurt? But what if Kurt's trying to access from a computer in the library that's covered in malware and you don't know who's been using it before, or it's my kid's laptop with TikTok and everything else on it, and you don't

know if that thing's been compromised. So you've also often seen a lot of organizations, especially as they went to the whole work from home through this pandemic, really focus on mobile device management, MDM, or endpoint detection and response, EDR, tools, because they needed more visibility into those devices and what was coming in or pushing them through the VPN. But many of those are very intrusive technologies that go beyond and enable you to really see a lot of the information and

data on those devices. And frankly, putting cameras in dressing rooms can cut down on shoplifting, right? But do we really want to have that as a mechanism for security? Some people feel the same way about these: I don't want this on my personal device. So, you know, from our perspective, it was like, let's bring these factors together and really completely change the notion of just looking at the security posture. Is disk encryption on? Is the

firewall enabled? Is it a personal device or a corporate device? Has it been jailbroken? Is there malware running on it? But bringing that to the point of authentication. So that's why I was saying it's like the airport analogy. I know it's me. I also know it's my bag, and I'm going to screen that bag. But unlike airport security, I want it to be done without friction.

So from an end user's perspective, I've launched an app; this runs in the background, making sure it passes all that. But we can actually, at the point of authenticating, verify that only a laptop with disk encryption enabled can access patient data.

And if it's a personal device, maybe it just should get the office suite or email, but I want it to be a corporate device, a corporate-managed device that has more of this secured, locked-down capability, before accessing AWS or, you know, GitHub or any other more sensitive applications. That's really kind of where we need to evolve this to, and

that's what we feel. So when we can really kind of make those one and bind those together, it's a lot different than just looking at them as individual statistics. And then you can look at things like the location and the network. You know, if I know it's Kurt's device and it's trustworthy at the point of authentication, do I really care if it's coming from a Starbucks that I haven't seen before? Because I have good high assurance. And let's look at the rest of the indicators from, like, a

behavioral analytics standpoint. So what somebody's doing: is it a risky action? Is it atypical from what they normally do? Then, yeah, let's have them re-verify or let them step

up the authentication. So I do believe there's all the aspects of kind of really looking through the broad zero trust, but this notion of really kind of bringing that identity and the device together as one, we just feel brings such a higher level of assurance, and then doing that and authenticating with the asymmetric cryptography and certificates and not a password. The end user doesn't even know what's happening behind there;

you bring it. It's one of the rare times we can bring higher-level security and a better user experience at the same time. I feel like this is an area that couldn't exist, you know, a decade ago. I feel like this is an area where the modern advances in technology and, you know, the sheer power of computing, right, that you have at your fingertips these days, right? Your phone might be the most powerful device you have, you know, in your entire

life, right? It might be stronger than even your computer. And when we start talking about cryptography and being able to act as, you know, a certificate authority, like, this is the type of stuff you weren't going to see on your old, you know, BlackBerry or Windows phone or things like that. And, you know, I think this is where the zero trust part comes in as well, right?

We're talking a lot, a lot of things you just described are, you know, typically what I see, like, under conditional or adaptive authentication rules, right? Taking a bunch of different signals and then figuring out what you want to do with that information, right? Is it safe? Do you, you know, do you meet the level of assurance that you want, and maybe there's different levels of assurance? Yeah, I'm fine. I'm trying to get to the cafeteria menu, who cares?

Right. That would be wide open. But if I'm trying to get to the secret sauce or the, you know, the recipe for KFC chicken, right? Maybe there's a few more hoops they need to jump through before they get to that. So I think it's interesting that, I feel like the advances in the technology space have definitely enabled this, because I go back to the original statement.

I said, well, Bill Gates said the password is dead, like, ten years ago, but I don't think it really could have been. I think what he meant really is, you know, the password is really hidden behind something else, right? Biometrics, you know, whatever it may be. So I think that's kind of where I've seen the industry go, but I'm also a little bit of a skeptic. So, you know, I hear all this cool stuff.

I want to go passwordless, but I also hear from a lot of different vendors, and I think this is where the distinction comes in. So, you know, Microsoft, you know, touts passwordless through Windows Hello. You know, Apple has it through their various mechanisms of Touch ID and Face ID. And if I'm a skeptical CISO, you know, I guess the question I'm going to ask is, okay, so what is the value proposition here? Why do I need an add-on authentication product

like a passwordless one, when Microsoft or Okta or Ping or whoever, right, is telling me they already have this as part of their solution? Is that something that you can kind of help me understand, that context? Yeah, absolutely. I think obviously with the risk and vulnerability of passwords, this is an industry-wide movement to reduce that risk as much as we can. And everybody kind of trying to

get in to help support that is a good thing. But that's where I was saying it goes beyond that, you know, just the elimination of passwords. It's a critical component to it, but this notion of zero trust and device evidence and security posture are critical aspects that take that beyond just kind of an authentication experience.

And I think that's kind of been our different approach from a lot of the philosophy that you shouldn't have to pick up a second device in order to log in. And even that, if it does avoid a password, yeah, that's great. But we can bring that even one step further in our goals and initiatives out there as an industry. Being on that device gives the additional benefit of a better user experience. Then you're right,

before we had TPMs and enclaves on these devices, that really wasn't possible, or as secure. But take, we saw this, you know, with Apple back in the tragedy of the San Bernardino shootings. They wanted to get access to the PIN code to get into that iPhone, and Apple was like, we can't do that. So the device security built in, taking that, but then kind of extending that through broader means, was really kind of what we

felt was where the industry needed to move to. So yeah, there are, you know, free features you can get with a lot of these vendors, and in my belief, a free feature can be a lot like a free puppy. Really understand: a lot of them require MDM or EDR to be in that equation to give the device security, or you have to stand up your own certificate management system, or they'll do it for you, which comes at a cost, and that's not easy.

So really kind of where our thinking and the goal was, was that, yeah, you can leverage the enclaves and TPMs to really enable the private key. But the notion of a personal certificate authority, how can an end user do this without knowing they're doing it, is a critical ingredient. So I think as customers of these vendors, it's great to see what kind of features they have.

But the reason we felt that we could create a company and create a premium offering is it's 100% focused on the delivery of the most secure authentication experience possible. Stop credential-based attacks right in their tracks, but make it a better experience for the end user, and don't do this just for the specific systems of that vendor,

but in a hybrid environment. And our philosophy was that the approach we're taking, binding identity and the security posture of that device, bringing that to the point of authentication. Our first foray was doing this for the workforce, and we didn't want to replace the identity providers. We made it so we could integrate directly into Okta, Ping, ForgeRock, Microsoft, working just as a delegated identity provider to interact with that system, which means it doesn't disrupt.

You don't have to change what you've done in those systems. You don't have to configure APIs to make this work with that environment. Then we took it through to customers as well, and customer logins through interaction with CIAM or even an SDK that can be embedded into the app. So we can provide this secure, easy form of authentication, frictionless authentication, for customers and end users.

So you're bringing up some really good, meaty topics, which I think are the things that, you know, our listeners, IAM practitioners, are the people who are evaluating and procuring and then having to deploy technologies like passwordless in their environment. And so we had Martin Kuppinger on the podcast last week, and we talked about the POC process, what's the right way to conduct a POC.

Not just see something like the Leadership Compass or the Magic Quadrant and just take the solution that's, you know, ranked the highest in that analysis. It's really, you know, that can be a guide, right? That can be a data point, but you need to conduct some kind of proof of concept. And so what I wanted to ask you is, I mean, I'm sure in your role you've been involved with a lot of proofs of concept where companies are evaluating passwordless. And what's your takeaway

and, you know, some of the best ways to do that? What have you, where have you seen where a customer's just doing it right? They're really evaluating passwordless the right way. They're asking the right questions, whatever, versus what's the wrong way to do it?

Yeah. And I think part of it is really going in to understand what your goals and initiatives are. We were talking about this before: passwordless means so many different things, that you're not going to find a laundry list of, like, RFP responses or checkbox items, because the systems are meant for very different things, one just to do multi-factor authentication, one to provide a full secure authentication experience.

It really is going into it with your eyes open to what are you really trying to accomplish here. And my belief that our goal is to really truly eliminate that password is really going to provide the better long-term experience. Really understanding where does that occur and can that occur. So going into it, there's two sides to this. You know, we want to improve the security.

We also want to reduce the user friction and make that a good experience, and those have to be critical components of the proof of concept, and you need to test this. What does it take to deploy the solution? Do you have to make configuration changes to your systems or API changes to the applications that you're authenticating to? How easy can it get stood up? We challenge them to time us

from the point we start to the point we finish and see how quickly we can actually integrate into that system and not cause any disruption to your current environment. But also with the policy itself, as I mentioned, bringing that device security into it is something very unique that most solutions aren't doing. Is that something important to you? And how do you want that to occur? What policy makes sense? Really thinking through your organization:

where do we want to be more restrictive versus where do we want to be more open with that access as well? And the most important piece is testing this with end users. And I say probably the most uncomfortable or awkward POCs are where only the IT people are testing it, or it's the security people testing it. It's like, put it in front of your end users, the people who are challenging, who call the help desk a bunch, and

see how easy it is for them. Because when you change the user experience, especially at the point of authentication, you're going to have, that's changed behavior, that's impact. And so even when it's easier, it

can also be somewhat disruptive. We actually saw this through kind of some of the user experience testing we were doing early on, because the whole notion and idea is that you launch the application, and the redirect and the authentication and the private key, the public key gets issued, signing with the private key, none of that is visible to the end user. They don't have to pick up our

app or pick up a second device. So they were opening the app, and all they were knowing is they were in, and they never entered a password. So they were calling saying, hey, something's wrong here. Somebody's in my account. So we actually had to create some graphic showing that something's happening behind the scenes here, it's doing something, so, you know, oh, okay, I feel comfortable that was authenticated. We almost brought it too far.

So really understanding that user experience is just a critical piece, and testing this with the right users. We love the POCs because we feel once we take the password away from an end user, it's going to be real hard to give it back if they don't want to move forward. Yeah, no, absolutely. And that's, I think, a step that organizations need to do more of, is organizational change management, really thinking about the impact, the customer experience that they're creating,

whether even for internal users. I remember when I first got into IAM, the mindset was, okay, what is the difference between CIAM and IAM? Well, CIAM, you have to have a really good user experience. But for employees, who gives a hoot? I think that mindset is shifting a lot because, I think,

tools are better now, right? And that becomes a differentiator. But, you know, you've been great with your time, but I did want to ask one more question, which is, you know, selfishly from a consultant perspective, right, I'm still getting asked about self-service password reset. Hey, should we be looking for a solution, or how do we approach self-service password reset? To me it seems like the answer ought to be, why, even if you haven't gotten there yet, why go there?

Why not just go right to passwordless? So can passwordless be a substitute for self-service password reset, and if so, what are the trade-offs? I mean, is it a good substitute for self-service password reset? Yeah, I think it's, you know, we often say, hey, you can't steal a bike if the bike doesn't exist. So if the password doesn't exist, you can't steal it. But you also don't need to reset it anymore.

And so it's actually kind of a true benefit that often prompts a lot of these organizations, is that as much as they've built many of these tools to do self-service reset, it still is a major problem for these help desks. So yeah, if you rip that out altogether, you've got nothing left that needs to be reset. So absolutely it can change the game. And I think part of it is, as we've looked, and, you know, you were asking before how we're different, you know, certainly logging on to

corporate resources, logging on to consumer resources are important. You nailed it, Jim. There's been this mindset with, well, with our employees we can get away with a lot more. We can make it more painful. But even that hits a level at some point. But we're seeing it with other things. Like, you know, we're seeing us being asked to integrate with, like, the CyberArks and Thycotics and BeyondTrusts of the world for privileged access. So why should we be pulling these things

out of a vault with MFA as well, if we can truly authenticate that experience? And the new area we've been getting into is even with DevOps, where you have developers who are signing code and interacting with these Git repositories all the time, and they do them from an account. So you have Daffy Duck 123,

and you don't know who that is. And obviously with things like supply chain security, and we saw it with the SolarWinds attack, you want to make sure you know who is signing code and what device they're doing it from. So we have applicability there. But believe me, you want to talk about an environment where you don't want to make friction? It's your developers who are writing code and signing

code in. So kind of looking at all these different use case scenarios, the level of user friction is a critical component to it. But yeah, let's finally stop the calls to the help desk and customer service for forgotten passwords. Or how many times have you gotten something from some service that said, hey, our password database looks like it may have been stolen. We don't know if your stuff has been, but we strongly

recommend you change your password. So we create that spiral all over again to something new I have to remember that I'm bound to forget as well. So yeah, the best way of eliminating the problem is truly eliminating the problem, right? That's a great answer. So Kurt, you've been super generous with your time. We always like to wrap up each episode on a lighter note, right?

Talk about something fun. And so when we were pre-gaming for this episode, you mentioned you're from Boston. Obviously, that's my favorite, or maybe not so obviously, but that's my favorite donut shop, which is Dunkin' Donuts, right? That's where it started, in Boston. And I recommended to Jeff that we could have an entire episode on doughnuts, and so maybe we will do that at some point in the future. Let me know, I'll be there. Donut

at the Center. Don't consider donut holes. But I'm also, I'm from Augusta, Georgia, right? That's the epicenter of golf, I think, of the golf world, at least once a year it is. And you, Kurt, you're an avid golfer. So I wanted to ask you, what is the best part of your golf game, and what's the worst part of your golfing? What gives you hope, what keeps you coming back to the course? And then what is it that tells you you're never going to be a scratch golfer?

The greatest thing about golf is even when you're doing terrible all day long, you have that one great drive and it just gives you confidence. You can come back and think, ooh, working on my game, I really, my driving has gotten much better, and off the tee I'm feeling far more comfortable than ever before. And it's the old, you know, drive for show, putt for dough.

I can't putt for anything to save my life, and I watch these pros analyze these greens and squatting down, and yeah, I'm out there squatting down, staring at them, and don't have a freaking clue what they're actually going to do. And I'm like, why did my putt go that way?

And I really started looking into it, and just, you know, the worst thing you can do for your golf game is go to a start-up, because there's nothing you need to do more than play more, and a start-up doesn't really help you on doing more of that. But I just realize how many strokes I'm spending on the green and three-putting, and that's why I don't. But I'll go back to the range and just start hitting long balls again and feeling

really good about myself. So it gives me the confidence that, hey, I can do this. But then when you really get down to it, yeah, that's where it, when you look at the pros and just that big, huge book they're carrying in their back pocket, I could never imagine having one of those. But you realize, and that's what I love about the game, right?

It's out there, the environment. I've been to Augusta, which is, like, probably one of the greatest places I've ever been to, Augusta National, to see it, how beautiful it is. You're outdoors, you're interacting, having good communication and a good time with friends, and even the frustration part, so you can kind of get past that again. But yeah, if I could learn how to putt and just save so many of those strokes, I think I could probably do a lot

better than just going back to the range and trying to hit bombs. How about you, Jeff? Yeah, I was listening to Kurt here and, you know, I was listening on, it's like, yeah, hitting good drives and can't putt, and I immediately thought of Happy Gilmore. Yes. So that, you know, he was the king of the massive drive, you know. I don't golf anywhere near as much as I used to.

And I actually took lessons when I was much younger, in my, I guess, mid to late teens. But I would say the strength of my game is the 7 iron. That is the club that I can nail just about almost every time. I cannot hit a wood or a driver to save my life.

And it shows, because that's where my lessons ended. I learned how to hit irons, and we were working our way up to the woods, and I stopped taking lessons and I never actually got to, you know, the driver, you know, the 3-wood, 5-wood, et cetera, those sorts of things. So I struggle mightily with any of those clubs. Yeah, I'm okay at putting, I guess, you know, not perfect at it, but I'm also not looking to be. But give me a 7-iron and a calm afternoon and I'm all over it.

What I love is that combination of physical and thinking. There's a lot of thinking in it. But you talk about the lessons, it's incredible how much different advice you can get, that you could just drive yourself crazy, that these little tiny nuances can completely mess up something that worked really well in the past. So, yeah, I'm always debating, do I go take another lesson?

But I do my best to try to stay away from YouTube, because I just learn too many different things that never seem to work. A lot of competing ideas. Jim, what about you? What about your golf game? Well, a lot of what Kurt was saying was resonating with me. But I think I have two thoughts with everything. One was Topgolf. I've really enjoyed, I think that's a fantastic time. And you're drinking beer while you're golfing, to me, that's just the way to do it.

The second thing, just talking about Augusta National and professional golf in general, made me think back to the mass of humanity following Tiger Woods as he went from hole to hole. And whatever you think of Tiger Woods, right, the guy was the best golfer that I ever saw play. I mean, you know, the way he could perform in the clutch was just unbelievable, and I think that takes a special, rare individual who can have all the pressure in the world

to, you have to perform right now, and to be able to do it. Almost like podcasting. Almost, almost, yeah. Well, I feel I'm working with the Tiger Woods of podcasting here with the two of you. Flattery will get you everywhere. So thank you very much, and I think that's actually an excellent spot where we can leave it for this week. Before we go, any final thoughts, Kurt, for folks who are listening out there and, you know, they're interested in

passwordless? You know, what are some key takeaways that they should take away from this conversation? Yeah, I think really looking at it from the notion, as we were talking about before, passwordless versus password-less. Let's get the herd immunity. Let's truly look to eliminate these and frustrate the phishing threat, frustrate the credential stuffing attackers, by really eliminating that threat.

But, yeah, I'm a big believer in the notion of zero trust. We need to know the identity, the device, the network, the location, the behavior. But let's pull two of those, identity and device, together, bring those signals at the point of authentication, and then the rest of the risk signals we can look at from a true behavioral analytics standpoint to kind of assess risk. I think we're moving in the right direction, and the bottom line, authentication

no longer can be the bouncer letting you in or keeping you out. It needs to be continuous, and taking a look at these signals on an ongoing basis is the only way of really truly reducing the risk. It's okay to get smarter, and passwordless is a way to get smarter. Good thoughts there. Jim, how about yourself for this week? I mean, it's what I talked about earlier with companies' compromised credentials

being sold for $1,000. It just shows you the massive scale at which this is being done. The password has to die. The only way that these credentials are being sold for $1,000 is that it's simply people who've been reusing passwords or using common passwords. It's just an insufficient control for your organization. So multi-factor authentication is step one, getting rid of the password is step two, and if you can go right to step two, all the

better for you. Multi-factor, one of those doesn't have to be a password. So let's, like, get away from thinking that it has to be password plus something better. Let's get the password out of the equation. You can still have multi-factor, but you don't need a password to be one of them. That's a great point, right? Password is not part of the MFA definition. It's just something. So that's a good one to go. That's a good way to end on. So why don't we go ahead and

leave it there. If you'd like to learn more about Beyond Identity, you can find them on the web at beyondidentity.com. If you want to learn more about us and the podcast itself, visit our spanky new website that's been redesigned and updated with all of our fancy new logos, identityatthecenter.com, and you can also hit us up on

Twitter at @IDACPodcast. I'll have some links to all of our LinkedIn in the show notes, as well as a link to that article on Dark Reading that Jim had mentioned about how cheap, relatively, $1,000 for a compromised company, to get their passwords. Please do not use that for bad things. A thousand dollars in Bitcoin is, like, you know, .0003, point, now, and it just changed again, and it just changed again, and stop trying to follow it. All right, we're going to go ahead and leave it.

Appreciate everyone's time this week. Thanks so much for joining us, Kurt. Jim, thanks, as always. And for folks listening, thanks for listening. Please like, subscribe, rate, share, whatever it is. Share it with a friend, share it with an enemy, don't care, as long as it gets shared. Get out there with our folks, and we'll talk with everyone in the next one. Thanks for listening to the Identity at the Center podcast.

If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
