
#335 - Sponsor Spotlight - Beyond Identity

Mar 06, 2025 | 48 min | Ep. 335

Episode description

This episode is sponsored by Beyond Identity. Visit https://www.beyondidentity.com/idac to learn more.

In this sponsored episode of the Identity at the Center podcast, Jeff and Jim host Sarah Cecchetti, Director of Product Strategy at Beyond Identity. They discuss the transition away from password-based systems to more secure, passwordless authentication methods. Sarah explains the unique differentiators of Beyond Identity, their integration with security tools, and how they leverage cryptographic keys stored in device secure enclaves. The conversation covers user resistance to biometrics, deployment strategies, and the importance of shared security signals. Sarah also shares personal anecdotes about her backpacking trip across Spain and informs listeners about upcoming events like BeyondCon, featuring live demos and a private performance of Broadway hits.


Chapters

- 00:00 Introduction to Passwordless Authentication
- 00:34 What Makes Beyond Identity Unique?
- 01:35 Welcome to the Identity at the Center Podcast
- 02:01 Introduction of Sarah Cecchetti
- 03:04 Beyond Identity's Approach to Authentication
- 09:31 Balancing Security and Usability
- 16:00 Use Cases and Customer Success Stories
- 19:15 Technical Insights and Future Directions
- 24:32 Understanding Customer Policy Changes
- 24:48 Real-World Scenarios of Shared Signals
- 25:10 Implementing Shared Signals in Security
- 27:47 Policy Simulation and Auditing
- 28:31 Addressing Identity-Based Threats
- 29:57 The Future of Passwordless Security
- 33:56 Challenges in Identity Deployment
- 37:49 BeyondCon and Industry Events
- 41:12 Personal Adventures and Reflections
- 46:42 Final Thoughts and Farewell


Connect with Sarah: https://www.linkedin.com/in/sarahcecchetti/

Learn more about Beyond Identity: https://www.beyondidentity.com/idac

BeyondCon: https://insights.beyondidentity.com/beyondcon-west-2025/about


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at idacpodcast.com and watch at https://www.youtube.com/@idacpodcast

Transcript

So people don't have to remember a password, which eliminates a lot of identity attacks. Yeah, but everybody loves passwords. I mean, we should just have more of those, shouldn't we? Well, they were my bread and butter. Like when I was a little identity nerd, that was a lot of what I learned: how to secure password-based systems, how often do you force people to rotate, and what sorts of complexity do you require?

All this stuff that I was an expert in, like now I don't need it at all because we've gone past that. What do you see as a differentiator? Because there's a lot of players in this authentication space, I guess. What makes, you know... Let me put my jaded CSO hat on. What makes Beyond Identity special or unique in this area? Yeah. So we were founded only five years ago.

So we're fairly new to the identity space, which helped us kind of leapfrog a lot of the legacy infrastructure. So we never had passwords in our system. There are no shared secrets anywhere in the Beyond Identity architecture. So we're fundamentally built on a foundation that is more secure, and then we have that integration with security tooling. So we were actually not founded by identity nerds, we were founded by security nerds who said, hey, we can solve this

identity problem better. And so it's a really different way of approaching the identity problem than you'll see from most legacy vendors. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? I'm good. You can see my sweatshirt on.

I'm beyond cold, beyond cold here in February in the South. I see what you did there. This is in reference to our sponsored episode we're doing today, right? That's right, we're having a beyond kind of day. All right, well, why don't we get to it? We do have a sponsored episode today. We've got Beyond Identity. They have been kind enough to come on the show, and we'll have Sarah Cecchetti on here in a minute. But just to make it clear, right, this is a sponsored episode.

They have graciously donated to our nonprofit to help keep this thing running. And everything you hear today is going to be the truth as we see it from IDAC and Beyond Identity. But let me go ahead and introduce Beyond Identity. beyondidentity.com, go there for more information. Actually, beyondidentity.com/idac, there'll be a special landing page for that. And then they've also got BeyondCon coming up in a couple weeks.

By the time people hear this, on March 20th, that'll be in Palo Alto. So definitely go to the website and check that out. I'll have links in our show notes as well. But let's get to it. We've got Sarah Cecchetti, she's been with us before. She's the Director of Product Strategy at Beyond Identity. Sarah, welcome back to the show. Hey, great to see you guys again. It's been a while.

I think I saw you in passing at Gartner's IAM conference at the end of 2024. You were with us for episodes 199 and 101, I believe, and now we're in the three hundreds. So we've got to catch up a little bit. But I think the biggest change is you've moved to a new organization. Why don't you tell us a little bit about Beyond Identity? And then you've got to tell me, what does a director of product strategy mean? What does that mean to people in the real world?

It's a completely meaningless title. Yeah. So I was at AWS for five years. So that was where I was the last two times I was on the show, and being at AWS I got the chance to talk to dozens of identity startups, hundreds of identity teams all over the world. And yeah, I was really floored by the technology that Beyond Identity had and wanted to come over.

And little did I know that at the exact same time, my colleague Dean Saxe, also from AWS, was talking to Beyond Identity. So we both ended up moving over at the same time. And basically what they needed me to do was do some product discovery and innovation, as well as facilitate Dean and Monty Wiseman to do all of our standards work. So we go to, we participate in the OpenID Foundation, the Internet Engineering Task Force, the FIDO Alliance. All that work is done by my team.

And so we figure out where we want to influence standards and how we want to move forward there. So we're a team of innovators, standards nerds and developers who are helping us bring new products to market. So what does Beyond Identity do? Placing it in the authentication space, and to what degree, and other things. We do. So it's an SSO, or it can be only an MFA. So it's got kind of two different modes, and it sort of sits in the middle where it straddles both human and non-human identity.

So the way that we do SSO is not typical. So typically you would have multi-factor authentication, you'd have a password and some sort of device where you are verifying that it's actually you. The way that Beyond Identity does it is we put an endpoint directly on the device itself so that we can look at the security posture of the device. And then we also integrate signals from all of your

security tooling. So we can get signals from JF, from Zscaler, from Intune and use those as part of your authentication policy to determine whether people get in or not. And we can do it continuously as people are working, to say, hey, does this person still have the security posture that they did when they logged in? So it's a cool marriage of security and identity and data that all comes together with authorization and authentication, and it's all in one very easy to use product.

So that's the non-human part. And then the human part is just the local biometric on the machine. That's how we do it. So people do not have to remember a password, which eliminates a lot of identity attacks. But everybody loves passwords. I mean, we should just have more of those, shouldn't we? Well, they were my bread and

butter. Like when I was a little identity nerd, that was a lot of what I learned: how to secure password-based systems, how often do you force people to rotate, and what sorts of complexity do you require? All this stuff that I was an expert in, like now I don't need it at all because we've gone past that. What do you see as a differentiator? Because there's a lot of players in this authentication space, I guess. What makes, you know...

Let me put my jaded CSO hat on. What makes Beyond Identity special or unique in this area? Yeah. So we were founded only five years ago. So we're fairly new to the identity space, which helped us kind of leapfrog a lot of the legacy infrastructure. So we never had passwords in our system. There are no shared secrets anywhere in the Beyond Identity

architecture. So we're fundamentally built on a foundation that is more secure, and then we have that integration with security tooling. So we were actually not founded by identity nerds, we were founded by security nerds who said, hey, we can solve this identity problem better. And so it's a really different way of approaching the identity problem than you'll see from most legacy vendors. So let's talk about the name Beyond Identity. Is there any significance to it?

Is it just, it's a cool name? First of all, the domain name was available. Tell me about the history there. So as I understand it, I was not at the company at the time, but the Google BeyondCorp white paper had just come out. There was a company called BeyondTrust and a company called Beyond ID. And so we decided to just, we wanted to add more confusion to the identity marketplace. And so we decided to call ourselves Beyond Identity, and that's kind of how it went. I love it.

It's simple, and plus, you know, all the vowels are there in the name. So you can actually spell out beyondidentity.com/idac. Go there, visit that for more information. So it makes it easy for that. I want to turn it over to Jim here in a second because I know we want to get into more details kind of around how this works. But one of the questions that I get asked a lot to ask vendors when they come on is, tell me how your customers measure success.

In this case, authentication. I'm assuming it's things like, you know, MFA availability or risk reduction, but how do Beyond Identity customers measure success with your product? Yeah. So a lot of it has to do with risk mitigation.

So when they go to their board, their C-suite, their cybersecurity insurers, they can say with a completely straight face that they have eliminated entire categories of attack vectors, and that they can guarantee that because that infrastructure simply doesn't exist in their identity solution. So that's a huge win. And then on the usability side, we actually have the customers of our customers, so employees of people who use Beyond Identity, raving about the user experience.

They don't have to remember passwords. They don't have to get out their phone. They can just use the biometric that's right on their laptop or right on their device. And as you said, we were down in Dallas for Gartner. We presented with Inspire Brands. So Inspire is Buffalo Wild Wings and Dunkin' Donuts.

So a whole bunch of restaurants, and like, they don't have a whole lot of attackers trying to get into Dunkin' Donuts, but they do need their employees to get in quickly and easily. And so after they implemented Beyond Identity, they actually had employees coming to them, and they're a Texas-based company, and so the employees said yeehaw, hallelujah, because they love

the solution so much. They loved how easy it was to log in. Well, and I love the doughnuts, so let's not forget about that. But I think this whole line of what you're talking about there, with the balance between security and user experience, it's kind of the classic conundrum that we learned in our first days in information security. As you ramp up the security of a system or a process, the usability, there's more hurdles,

it's harder to use. How do you balance that? How do you make sure that you're not going too far in one direction, or, you know, is that just kind of core built into the platform? So it's different for every customer, right. So some customers have a really high amount of risk tolerance, and they are willing to make the system a little bit more open, a little more flexible, in order to get that usability and that quick response.

And we have other customers who are very security conscious who really want to lock down the system and say, no, we only want these types of biometrics. We only want to get signals from these security vendors. And we want to make sure that every single authentication respects all these things. We want to know these things about the machine that the person is logging in on. And so it really varies.

We have a wide variety of customers ranging from high usability to very high security use cases. I like that a lot. So there is that ability for the customer to kind of like move those levers back and forth. But from what I understand, you know, you and I rubbed elbows at the FIDO Authenticate conference last year. I think you guys are pretty heavy into the use of passkeys. Is that kind of part of what's

baked in? And, you know, what's different about your solution of passkeys? Yeah. So we use cryptography that is based on the machine. So if you want to call that a passkey, you absolutely can. Lots of people do. You could also call that a form of a certificate. You could call that a verifiable credential.

Like there's a whole bunch of ways to describe what we do, but essentially we put down a key pair on the machine, and that key pair is locked into the secure enclave of that machine. So unlike, say, a Google or an Apple passkey, it is not syncable across multiple machines. You can have multiple machines registered to one person, and you can change your settings so that that person can

add machines to their account. But there is no way to take the key, the cryptographic key pair that's on the machine itself, and move it somewhere else. So that's a key security property. That is a big difference between the way that FIDO credentials work today and the way that Beyond Identity credentials work. OK, so similar but different.

Similar but different, and we're actually, we are a FIDO Alliance member, we are part of the technical committee there, and we would love it if FIDO would adopt the way that we do things and standardize it. We are not trying to make this a proprietary protocol. We absolutely embrace standards, and we want to see this level of security within FIDO.

So we are pushing for that. That idea of the key pair sitting on the device and not being able to sync those to other devices is really what I'm hearing is kind of like the differentiator here, and where you'd like to see this go. Is that fair, that I describe that accurately? Absolutely. So the problem with synced passkeys is that the user can share them, and there's no evidence that they've been shared. There's no evidence that that wasn't the original user who had

that passkey. There's no chain of custody for where that passkey came from or where it originated or how it originated. And we would love for those things to exist within the FIDO standards. They don't exist today, but for right now we have to do it in a proprietary way. And that's also outside the browser. So that has usability aspects to

it as well. Where if Google or Apple wants to change something about the way that the interface works with users for how they store their passkeys, how they originate passkeys, obviously if you're using those passkeys for your enterprise, that'll change your whole user experience out from under you, where you don't have a chance to have a say. And so because we're using a proprietary mechanism for this, we can make that user experience

really consistent and secure. Yeah. So with Beyond Identity, does it matter if you're coming in on a corporate-controlled device or bring your own device? It does, but we have a lot of customers who use us specifically for bring your own device. So if it is a corporate-controlled device, if it has an MDM on it, we can query that MDM in real time and we can say,

sorry, not real time. We'll be able to query in real time once everyone adopts Shared Signals, which everyone should do, but we query it every 15 minutes. So we will talk to your MDM and we will say, look, what's the security posture supposed to be? Is it there? What are the policy settings for this company? And then if it's a bring your own device, obviously we can look at different things on the device, but it won't have an MDM

that we can query. Typically though, if you're doing BYOD, like a personal device into a work environment, they're probably putting some policies or something on your device. It's pretty rare that I see these days an unmanaged personal device with access to company

resources. But I don't know, is that an accurate assessment, Sarah, of kind of my view of it, or do you see kind of the Wild West still out there when it comes to managing personal devices on a corporate network? Well, when you say bring your own, like you think of someone's like, oh, I've got my personal cell phone, right? That is a use case we see where we can say, you know, we want to make sure that that phone is not jailbroken.

We want to make sure that its OS is up to date, so we can see certain security aspects of that phone that people bring themselves. But often BYOD is just contractors, right? So it is a managed device, it's just not managed by your company. And so there are different things we can query in that case, but we can make sure that there is a security bar that's met by all devices that access the systems in your

company. I want to get back to something you mentioned earlier, because you mentioned two of my favorite food groups of wings and doughnuts, the others being chocolate and nachos. So don't, you know, don't come at me. That's the real food square. Don't judge. Yeah, that's right. Do you have? You told me it was potatoes. I thought it was potatoes. Come on.

There are, I'm sure, a lot of good stories, but do you have any kind of standout stories of how your customers are using Beyond Identity today that might be either unique or, hey, that was really cool, or just like the yeehaw moment as you put it earlier? Yeah. So just as an aside, because you mentioned hot wings, both our CEO and our principal security engineer, Dean Saxe,

are big hot wings fans. And so we did like a little Hot Ones imitation episode while we were at Gartner that's going to be coming out on our social media soon, where I kind of quizzed them about different standards things and made them eat increasingly hot hot sauces as we went. So that'll be fun to watch. But your question was about use cases. So yeah, one of the primary use cases we see is people who have multiple IdPs.

So either because of acquisition or because different departments in the company were allowed to do identity in different ways, identity islands have formed. And that's true of almost every company. There's a great quote from Brian Puhl, he used to do identity at Microsoft, that says there are two kinds of identity administrators: there's the kind that administer more than one system, and the kind that do not yet know that they administer more

than one system, right. And so one of the benefits of using Beyond Identity just at an MFA level is to say, you know, I've got two different IdPs here, or I've got three or five different IdPs here. I want one consistent security bar across them so that I as the CSO know that there is a consistent level of security across my company without having to dive into the config of each IdP and make sure that things

are identical. So that's one use case we see, and then the other use case is just straight-up SSO. It's a really great user experience as a single sign-on. And obviously because we're newer, because we have that more secure code base, we are in a much better place than companies who have been building up their code base for 10 or 20 years, and it's getting a little rusty and a little creaky, and who knows what's going to happen? We didn't mean code.

That's right. Well, you mentioned too having that user experience, right? The consistency of the MFA experience is pretty important because that's one of the areas that we see users tend to struggle with the most. OK, now we've got a new MFA. If we have a similar experience across all of our different authentication services, that goes a long way, not only for just the use of it, but also support, right? Everybody's using the same thing.

Documentation can be streamlined to focus on one thing, so they have like 8 different ways to do it. I've got to imagine that plays into the calculus as well, right? Absolutely. And you can modify the SSO so that different applications have different policies. So you can say, look, if you're paying for lunch in the cafeteria, if you're registering your car in the garage, like that requires almost no policy whatsoever. Like anybody in the company can go do that.

But if you are touching the HR system, if you are touching the production database, right, then we've got a whole boatload of policies that you have to satisfy from all sorts of different places where we're getting security signals. So I have a follow-up question, Sarah, with regard to the devices. So let's say I'm using an iPhone, that's one of the devices that has the Beyond Identity secure enclave. So it's keeping my authentication, my biometric data there locally.

Is it leveraging the capability within the iPhone platform or whatever device I'm using to, you know, in other words, is it using Face ID from my iPhone? Is it kind of operating the same way, or is it a second interface for, you know, doing that face match? Yeah. So to be clear, it doesn't use your Apple account at all, but it does use the biometrics that are registered to the phone as well as the secure enclave, the

TPM in the phone. So Monty Wiseman, who's the father of the TPM, is on my team, on our staff, to help us understand how we interface securely with the TPM for each device. And then on our board is Taher Elgamal, who will be speaking at BeyondCon on March 20th coming up, and he's the father of SSL. And so we have a lot of people who are well versed in crypto, and those APIs to get into the secure enclave of the iPhone actually didn't exist before

this company was founded. So like when Okta was founded, when Ping was founded, this was not a way that people could do identity. The technology wasn't there yet. And so it's because we were founded later that we are able to utilize these technologies and say, yes, we can lock those key pairs into the secure enclave of the phone. And that's a much more secure way to do it. And it's completely localized along with the biometrics. So let me put a scenario out

there. So one of the things that always happens with my phone is that if it doesn't recognize my face, they'll say enter your PIN, and so then I'm entering a 6-digit numeric value, which, you know, is knowledge-based authentication essentially. So does the Beyond Identity platform have the ability to say, well, it has to be the biometric, or is it going to fall back to the PIN, or is that kind of a configuration that your client gets to make? Yeah, that can be configured by application actually.

So you can say, look, for the parking application, they can fall back to a PIN. We don't care. If they're trying to get into the HR database, they have to have a biometric, and they have to have a biometric that was registered since the time, like before the time that the app was installed, right? So if somebody gets their phone and registers a new biometric because it's unlocked or something, that biometric won't work for that application.

So there's a wide variety of policy that you can put into the engine to do cool authentication and authorization stuff. That's awesome. That's a neat trick of screening, no pun intended, I guess, biometrics that were created after a certain point. You can distinguish the timestamp of the biometric itself. Did I hear that right? Of the creation of the biometric. Yeah. OK, interesting. OK.

You mentioned Shared Signals earlier, and I know we did an episode recently with my friend Sean from Disney about this idea of continuous identity and kind of threat detection, etcetera. You mentioned Shared Signals. CAEP is part of that, the Continuous Access Evaluation Profile. I struggle to get that one

right sometimes. Where is Beyond Identity fitting in with SSF and CAEP and sort of this idea of, you know, being able to communicate with other technologies in the security apparatus or the organizational apparatus? Yeah, we're huge investors in SSF and CAEP. So we'll be part of the Gartner interop in London in March. And basically we were doing this before it was cool, right? So we have always exchanged events with security vendors.

So you have the ability in your Beyond Identity settings to say, hey, if something changes on the machine, go tell this vendor, the security vendor that I'm already invested in, that that's happening. And you can go the other way as well and say, hey, if something happens in Zscaler, I want to know about it. And I want to block authentications based on that, or I want to suspend users based on that. And so we haven't kind of always done this, but we have a proprietary tool, like we built

that all ourselves. That was all a build-out between us and Zscaler. It's all proprietary, and it only polls every 15 minutes. And so we love this idea of, hey, we can actually make this a standard. We don't have to make it proprietary. You can hook up any security vendor you want, just like that. And it can be in real time because you have that CAEP highway transferring stuff back and forth. So we think that that's really valuable.

We're investing in it, and we're really excited to see some relying parties get on board. So we would love to be able to, because we sit in the middle, right? Because we're an SSO and an endpoint. Like we have stuff to tell people, we are a transmitter, but we also like want to hear stuff from people.

We are also a receiver because we're the SSO, and so we would love to see like a GitHub or an AWS or something like that get on board with Shared Signals so that we can tell them, hey, something about the posture of this device changed, and we don't know what your customer's policy is, but we can tell you what changed so that your customer can write policy around that in the RP itself. I think a lot of people are still figuring out how to make this work.

What does this mean in the real world when we start talking about Shared Signals and communication between apps? You mentioned a couple of examples there, but for people who just haven't kind of gotten their heads around it, can you walk me through just a very basic scenario and kind of maybe, hopefully, make this real for people to help them understand kind of the art of the possible? Because I think we're still heading that direction, and we're not quite there yet.

Yeah, sure. So we might see a CrowdStrike score that suddenly drops. And so we know that there's something about that machine that may have been compromised. And so we get that message from CrowdStrike saying, hey, this machine just went from a 99 to a 50. And you can write policy within Beyond Identity that says, hey, if this score drops below 60, you know, they can park, they can buy things in the cafeteria, but they can't get to the HR

systems. They can't get to the databases, or like, we don't want to see them at all. We want to suspend them and have someone from our SOC actually look at what's going on with that machine before we reinstate this account, right? So those are the kinds of use cases that Shared Signals enables between security vendors and IdPs, and then between IdPs and relying parties.

We would love to see something like, so GitHub today has like sudo actions, like, hey, I want to delete this production repo, or I want to add an admin to this production repo. And they can do step-up authentication for those things. But that's a very coarse tool, right? So all you as a customer can say is, yes, I want to step up when this happens, but there's no more fine-grained policy you can write around that.

Whereas if we had Shared Signals in place, we could send all sorts of signals about what's happening with that machine, what's happening with that account, what's happening with that user. Maybe they just recovered their account in a way that's a little bit sketchy, and GitHub might want to do something with that that is more interesting than just re-authenticating.

Before Jeff asks a follow-up, I wanted to make the comment that, you know, one of the things that you brought up a few times is where you're kind of wanting these things to be open standard, you're supporting the open standard. So I just wanted to say good on you for that. Then I also, as you were just kind of describing how you could use Shared Signals to secure the Beyond

Identity product, I started thinking, OK, well, how do I know that a drop of 10 points in the CrowdStrike score is where I should, you know, drop people from being able to access the HR system? So the way I formulated the question was this: do you have some way that people run this in kind of a learning mode for a while, like that they start to pick these things up to say, OK, that is the bending

point, and then here's the breaking point where we start to block all access, for example? Absolutely. So people often think of us as an authentication company, but we're also an authorization company. And one of the things you have to do when you are an authorization vendor and you have a lot of policy and a fine-grained policy engine like we do is you have to have an audit mode, right?

So you have to let customers write policy but not enact it, and just say, OK, what's going to happen to my infrastructure if I do this? And also do policy simulation of, hey, I've got a fleet of 3000 machines. If I wrote this policy, how many of them would get locked out, right? And so doing auditing on your real data as well as simulation on things we know about your fleet will help you understand what impact those policies have and are going to have. Yeah.

So I think you're talking about these identity-based threats, and I'm kind of wondering, like, where are they originating from? Where are the majority of them originating from? Are they these things like you said, like the CrowdStrike scores are dropping, or is it that you're finding jailbroken devices, or is it even something more simple than that? Well, I mean, a majority of identity-based threats today are password-based, right?

They're phishing, they are password compromise. And so we eliminate those altogether. So most people who adopt Beyond Identity see a huge drop in their risk level, in their chance of breach, to begin with. That's because you just don't have passwords. We just don't have passwords. That's not even a setting that's allowed, right? And so that's not there, right? You're putting us all out of business, Sarah. I'm sick of those.

Cut, cut, cut. Yeah. So we're moving on to more sophisticated attacks like, hey, I've jailbroken the phone, I've stolen the laptop, I've somehow compromised the operating system, I've gotten that user to install malware, those kinds of identity-based attacks, or I've compromised the browser itself. Those kinds of attacks we have to detect now that we've gotten rid of all the password-based attacks; those are the more sophisticated ones

that we're going after. Yeah. And I've run into this question before of, you know, is passwordless more secure than MFA? Using MFA you've got, you know, possession based, probably might even be, you know, biometric, but you also have a password. So does the password add any value? Is it important to get as many factors as possible? Does that make this process more secure? Oh gosh, I could write you a novel. I mean, you've been to the Authenticate conference.

I'm sure you've seen Dean and Pam's great talk. If you haven't seen it, it's online about different factors and that really thinking about things as multi factor isn't serving us very well anymore. And we should be thinking about what kinds of threats we want to protect against and how well the different ways that we authenticate protect against them. And so even if you're using a password, there's a chance that your user is using a password

manager, right? And so then it's not a something you know that it's a something you have. And so using passwords is, we know it's bad for usability. We know it's good for attackers who can compromise those passwords. And if you're not using a password manager, you're likely to reuse passwords, which means that they're going to get breached. And then all of the places that you use that password are then

compromised, right. And so passwords are not a great solution, which is why we're moving more toward device and biometric. So where are we at as an industry? Are we at the point where, you know, the attacks happen and then we react to them? Is there a way that we can get smarter about it and kind of get ahead of the attacks?

Is that what this is all about? Is that what Beyond Identity is essentially trying to do, to be that intelligent platform so that you're not having to constantly react to what just happened? It is. That's one of the things that I loved about your show with Sean Adele, that he talks about identity and security as one thing, like it's all one thing.

And right now the way that our vendors work is that you have security vendors and you have identity vendors and they don't really talk to each other, right? And so you have the detection and the response on one side, and then you have the authentication on the other side. And that's not the way it should be, right? You should be able to detect and

prevent, right? So as soon as you get the detection, you should be able to ban that authentication and make sure that the attack never happens in the first place instead of trying to respond and mitigate afterwards. I think getting smarter as an industry is always helpful. We have smart tools, we've got smart people, we have the data.

It seems to me like this has been something that's been a long time coming to actually take advantage of the capabilities and the standards development that have enabled

this. What do you see as sort of the thing that has been really the enabler to get where you're at today from a product standpoint, to say, OK, yeah, we are actually at a spot where there isn't a password to take? Because I see a lot of passwordless and then password-dash-less where there's still a password floating around somewhere. What do you think has been the key to shift that way? I mean, I don't think we are

fully shifted yet, right? Like we had to do this all proprietary. All of our connections with security vendors are proprietary, the way that we do key pairs is proprietary, right? And we don't want it to be that way, right? We want this to be the standard for the industry. We want this to be the way that FIDO does things. We want this to be the way that Shared Signals does things. And so I think we still have a long way to go in the identity industry to figure these things

out. But in terms of what made it even possible to do the proprietary part, it was absolutely that phones now have a secure enclave that apps can access. That's a huge part of it. Security vendors now have very robust APIs that we can just go call and see if anything is going on. So a lot of that has been built out in the last five years and that's what enabled this to exist the way it does today.

But there's so much more work to do to get it industry wide. Sarah, what does the typical deployment of Beyond Identity look like in an organization? And what are some of the change management or adoption issues that, you know, you talk to the practitioners about, to get out ahead of this?

Is there resistance from a user base of, like, oh, you know, I don't want to use my biometrics for this thing because it's going to get put down on some server, which we know from this conversation is not a realistic thing. But what are some of the main challenges you see? Yeah, I mean, identity is extremely sticky, right? Doing a full IDP tear-out and reboot is like every CISO's worst nightmare.

And so the way that we see people deploying Beyond Identity is either as an MFA layer on top of their IDP, and then they'll pick certain applications that they think are their crown jewels to say, OK, we're actually going to switch to full IDP mode here for this application or for a pool of users. So we say, OK, we're actually going to switch out the IDP for our executive team, for our HR team, for our finance team, the teams where we're really worried

about breach. And so they're not doing that full rip and replace. That's really painful and expensive and time consuming, but they're kind of dipping a toe in and then they're saying, OK, this is going well. Let's expand this to another application, another team, and slowly over time kind of moving it throughout the company. And we have seen some resistance to biometrics. There are a lot of biometrics laws all around the world.

And obviously you can turn that off in the product if you feel like it's not what you want in your company. But the biometrics are local, so there is no central thing to compromise with the biometrics. It is all stored on the phone or on the laptop. Is there a scenario where you could potentially selectively turn off the biometric for certain people and not other

people? Sorry if I'm hitting you with a trick question here, but I'm wondering, like, OK, if you had kind of a workers' union, I can't even remember the right term, in France, and those folks for some reason or another you just have to exclude from using that biometric. Is that possible? Absolutely. So that's just role-based access control, right? You make a role that says, hey, this is the crazy France union

of people who hate fingerprints. And you make a policy that says, like, these people can get in without a fingerprint. Love the flexibility of the approach here because I think you're right where IDP surgery is a major surgery. And, you know, there's a lot of legacy players out there. So the ability to add this capability to an existing IDP I think is a huge win, you know, for everybody. It's the ability to be more granular with the approach for MFA, which is important.

It's the flexibility and the models and, you know, just the different ways to approach. I think it's a really smart way to approach it. So I tip my cap to you. Exactly, yeah, I fell in love with the technology, which is why I moved to the company. And obviously the people who I work with at the company are all fantastic. So it's a really great team. If you get a chance to meet us at a conference, please say hello, stop by the booth.

We're very friendly. And my team specifically will all be at the Internet Identity Workshop coming up in April. So we are excited to talk to you about anything innovative. If you have something that you say, like, God, I wish IDPs did this, or God, I wish I had an endpoint that did that, come find us and tell us that you want us to build new things, because that's what we do. I say be careful what you ask for. I want my IDP to have a cup holder.

Might not be realistic. Hey, we can make it happen. Right. So before that though, you've got BeyondCon, and I guess I'm not familiar with BeyondCon. Tell me about this, because this is coming up March 20th. It's in Palo Alto, CA. I assume you and your team will be there as well, but what is BeyondCon, for people who aren't familiar with it? Yeah. So we first started BeyondCon last

year. We did it at our offices in New York. And basically it's a combination of a Broadway show and a whole bunch of identity nerds, some security nerds. We had a fantastic time. So we're doing one on the West Coast now in the spring, in two weeks on March 20th. And I will be there, our CEO will be there.

We will have live demos, people on keyboards at stations who will be showing you things, who you can ask questions. You can touch the keyboard yourself, you can play with the console, but none of this is just for show. We want to make sure that the technology is ready for you and that you can come and play with it if you want to. So having that chance to both

see some great speakers. So we're going to have Taher Elgamal, who I mentioned, who was the CTO of security for Salesforce for a long time and then switched over to VC, and he was one of our founders who founded and funded us as a VC. He will be speaking, and Sam Curry from Zscaler will be speaking about Zero Trust and how we kind of implement that given today's technologies and capabilities.

And then a whole bunch of people from Beyond Identity obviously will be there talking about the product and doing demos. And then at the end of the day, we'll open up the bar and we've got Broadway singers coming 'cause we're a New York company and we love singing. We actually do karaoke whenever we get together at a company event.

OK, you kind of prefaced my next question here because I was scrolling for the agenda and I see a private experience of Broadway jukebox hits and I see things from like Jersey Boys, Frankie Valli, Four Seasons, etcetera. Tell me, I'm interested in this because I don't think I've seen this at a conference, you know, before. What should people expect if they see this?

Yeah, so when we were in New York, we had people from the original cast of Hamilton who came and sang songs from Hamilton and it was incredible. It was very moving and exciting and just allowed kind of the group to bond and have a great experience. And this will be the same thing. It'll be very intimate. It will be Broadway singers and you will have a great time. And you piqued my interest with the karaoke.

What's your karaoke song? So my favorite karaoke song is Let It Go from Frozen, but instead of singing Let It Go I say fuck it all. It's very cathartic. Highly recommended. All right, we earned the XLR rated on that one, but I'll we'll go. Yeah, you can bleep me if you right. Now I'm going to leave it in. Hey, we're all adults here, so.

I certainly feel like there are no children who are so interested in my identity that they're listening to this. I didn't... Under 12, if you're listening to this? Oh my gosh. Go outside, touch grass. You've shared a lot of information with us here, so I hope people go check it out at beyondidentity.com/idac, which I mentioned early on. It's been a while since you've

been with us on the show. And in that time I remember seeing a LinkedIn post, and it's probably a couple years ago at this point now, where you were heading off to Europe for a backpacking trip or something. Do I remember that correctly? Yeah, that was in April. So just about a year ago I went with my sister-in-law and we did the Camino de Santiago, which is walking across Spain. So it's a 600 mile trail. We just did the last 200 miles. But it was absolutely incredible.

I highly recommend it. You take your little backpack of all your stuff with you and you stay in a different place every night. And for this one, you are actually making a pilgrimage to a cathedral. And so you get to the end and there's this huge plaza and all of these people who have walked hundreds of miles, and they are crying and they're singing and they're screaming.

And it is an incredible energy in that town, just to be there with all of these people who have accomplished what might be the most difficult thing in their lives. It was an incredible experience. Highly recommended. So what was the impetus to do this? Was it just something you saw? Are you naturally a hiker or explorer, adventurous like that? I really like wine, and I like my fitness kind of

low impact. So there are restaurants and there are bars all along the trail and there are hotels, right. So you get the benefit of hiking, but unlike hiking in America where you bring a tent and you don't shower, you hike and then you have dinner and a bottle of wine and you sleep in a bed and you take a shower and then you go walk the next day. And so this is a vastly better experience than hiking in America. OK, you totally sold me with

everything you just said. That definitely sounds like my kind of hiking. What was the best meal and/or bottle of wine, or just wine, that you had on this trip? Oh, the Riojas all throughout Spain were incredible. I managed to get some of them back to America. Not enough. So I'll have to go back at some point and get more. But actually by the end, we were so tired of Spanish food. Like we had one Chinese

restaurant. We were like, Oh my God, thank God. I got to the point where I didn't want any more ham. And I love ham. So that was a lot. It sounds like a lot of fun. Jim, would you do a 200 mile trek to get to do that? I mean, you work out all the time. For Chinese food. For Chinese food in Spain. Yeah, so I've done a fair amount of backpacking in the US and gone through the no-shower thing.

I actually remember one time backpacking in New Hampshire and going into a river to take a bath because it had been a couple days, and the water was just a degree or so away from freezing. It was not fun, but it was good to be clean. But yeah, I've backpacked all over, but I've never backpacked in Europe.

I think it would be a great experience, but I'm kind of more into the next level of luxury, which, you know, would be a nice hotel bed and maybe even like four and five star hotels and stuff like that. So I probably won't do it. I can't say it's on my bucket list, but I've always thought it was like kind of a romantic concept to backpack through Europe right after finishing college or right after finishing

high school. So it sounds dangerous, but I think backpacking anywhere for long periods of time can be dangerous. Well, way to bring it down. Thanks, Jim. There's a lot of crazy people out there. What about you, Jeff? I'm not a backpacker. Yeah, I'm not anything like that. But Sarah, you have sold me on this because I absolutely will walk from restaurant to restaurant, winery to winery.

My wife is big into wine. She's been to Spain and Portugal and France and all those places as part of her job in the past. So this sounds... Tell me when you want to go, I'll do it again. This sounds right up my alley. For sure, let's do it. And you know, I think the hardest part about this is, at least in the US, it doesn't seem like there are areas where you can go 200 miles on foot and have all those amenities kind of there, right? You're going from village to

village or town to town. Like, give me just a normal day as you went through this. Yeah, you absolutely go from town to town. The towns are about 5 miles spaced out, so we would go through two or three towns in a day and it's great. You stop for lunch and, you know, you have whatever they have locally. So they might have a little bit of fried squid and some local beer, or they might have sandwiches with lots of ham, obviously.

So whatever happens to be in that town, that's what you have that day. And then you keep walking and you meet all sorts of people from all over the world doing this. And people have told me there are similar trails in the UK and in Japan. So I might go explore what else there is across the world in this vein. That sounds really exciting. I'm sold. This is something, yeah. I'm going to Berlin for EIC in a

couple months. My wife and I are looking for something to do while we're out there. I think we're going to end up in Amsterdam. So I don't know, I'm sure we'll be doing plenty of walking and stuff like that, but maybe we can do something similar to that or maybe just sit on a train and go to the countryside and. Whatever it may be better. You've been very generous with your time. I want to make sure that we get

you out of here on time. But any final thoughts or things that people who are listening or watching should know about Beyond Identity that you want to get out? I'm just really glad we could sponsor you guys. I really love the work that you're doing here with the podcast, the way that you're bringing the community together. I think it's awesome. I'm an avid listener, although it's weird to hear you guys at real speed because I normally listen to you at like 1.5.

So your voices are pitched. I'm like, oh, you're so masculine. Well, you know, not really. But yeah, I really think that you guys are doing great work and thank you so much for giving us the opportunity to support you. Well, we appreciate that. Flattery gets you everywhere on this show, so we'll have links in our show notes for people to check out. Again, website beyondidentity.com/idac, bunch of information there.

It'll be in our show notes as well as links to BeyondCon, which is coming up. So people will go check that out, and then for yourself, we'll have your LinkedIn connection information in our show notes so people can reach out with questions, comments, or maybe stories from backpacking across Europe or whatever it may be. So with that, we'll go ahead and leave it for this week. Thanks everyone for watching and/or listening and we'll talk with you all in the next one.

You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
