¶ Welcome to the Identity at the Center Podcast & Sponsored Episode Introduction
This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast.
I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? Doing great, man. I'm glad to be back in the home office and excited for this episode. Yeah, this is a good one. We got a sponsored episode today brought to us by our friends over at Duo, and you can find more about them at duo.com. We're going to welcome back a guest here in a second. But just to make it very crystal clear, right, they've sponsored this entire episode. So we do these from time to time in collaboration with our sponsors to help apprise the industry of some of the things that they should be thinking about from a, I guess you should say, people in the industry about what they should be thinking about from an identity standpoint, security standpoint, and some of the capabilities that are out there that people might want to take a look at, before I trip over my own tongue right now.

¶ Introducing Matt Caulfield and His Journey at Duo/Cisco
So let me go ahead and get right into it. Let's introduce Matt Caulfield. He's the VP of Duo and identity at Cisco, all things identity. Welcome back to the show, Matt.

All right. Thank you, Jeff and Jim. Good to see you guys again. Happy to be back.

Yeah, it's been a little while. So I think the last time you were on was episode #247. I called the episode Big Areas of Identity to Solve, right?
It was very thought provoking. I would encourage people to go back and listen to that, because I'm not going to make you say, how did you get into identity? You've already answered that. You're a pro's pro for us. But it's been about a year and a half since then. So what have you been up to over that last year and a half? Yeah, what's new?

A lot. I came back to Cisco about two years ago with the Oort acquisition. And then recently, about a year ago, I started as the head of product for Duo, which I think a lot of people, a lot of the listeners here in identity, understand that Duo has a storied past in identity and authentication, and they know the Duo brand really well. And so I've been really happy to work with that team in particular. The Duo team is known in Cisco for its culture, for its ability to ship product, for its ability to be kind of market leading, focused on users. And so like, it's just been a real blessing to take over the leadership of the product team for Duo and help craft what we've been doing over the past year, which I'm also very excited to talk about.

¶ Defining the Digital Identity Crisis
Yeah, I'm real excited to talk about it, Matt. And I was going to quote something that I've heard you say, which is that we have an identity crisis in this space. And you know, when you hear identity crisis, obviously it has, you know, there's other meanings outside of digital identity. So I'm assuming you mean a digital identity crisis. And I'm wondering what is it that's contributing to this crisis? Why is that a major theme?

Yeah. No, your assumption is right that it is a digital identity crisis and not so much like a personal, like existential identity crisis, although some of us have those digital identity crises. You know, it's really a couple of things.
One piece is the rise in identity-based attacks. And I feel like we've been talking about this for years, but it's still happening. So we're still talking about it. Fortunately, now at Cisco, I get access to all this really cool data. So we have this whole team called Cisco Talos, and they go out and they study these things. They deal with things like incident response and looking at threats out in the wild. And one thing that they've picked up on is that now it's not 60% of attacks involve identity, 60% of attacks have identity as a key component, meaning that without the identity piece, the attack would have never happened. And probably 80 to 90% involve identity in some way or another. And so this identity crisis has been going on for several years and it's just getting worse and worse and worse. And unfortunately, for whatever reason, our customers and identity practitioners out there haven't found an easy button to fix it. And that's where we stand today in this identity crisis that we live in.

I think you just summarized perfectly this whole identity security space and why it exists and why it's so important.

¶ Understanding Security-First IAM
You've talked about security-first IAM, and I want to know from your perspective, what does that mean?

Yeah. So security-first IAM. And if you missed it, last week we announced Duo Identity and Access Management, and so security-first IAM is really the reason why we did it.
We felt that most of the IAM or identity players out there in the market were more focused on helping people get to work and get access to the things they need, and single sign-on or reducing friction, which is all really good, useful stuff. But security has always been sort of an afterthought, an add-on, on the back burner. To be honest, Duo security-first IAM is really about making security the default, secure by default, making it so that you can start from day zero with no passwords, make it really easy to go passwordless, and doing that all within kind of the cost envelope of the base tier. So that's what we mean by security-first IAM: we're making that security set of capabilities part of the basic functionality.

¶ Differentiating Duo's Identity Solution
OK, and so what do you say to the pessimist who says, oh, another identity solution? We have a bunch of identity solutions. What's going to be different here?

Yeah, it's a good question. We get that a lot. For a long time, Duo has been known as MFA, and it's kind of built into the name, like 2FA, MFA. And for the longest time Duo has been really good at that. We have over 100,000 customers that use us for MFA. There are lots of other identity solutions. So you might ask, and other people have asked the question, why would Duo get into the identity space?
And a big part of it is because we saw that gap, in that there are still attacks going on, they're still being successful. Traditional players are more focused on making single sign-on and access management work and less focused on the security aspects to it. So we saw the need to come in with kind of a security-first approach. And the way that Duo is special is some of the end-to-end phishing resistance capabilities that we brought in, in addition to the security-first capabilities, really sets it apart from a lot of the other options that are out there. Plus the reasons why people pick Duo today, which is it's a solution that our customers love because it focuses on the intersection of usability and security for admins and for end users.

¶ Cisco's Acquisition Strategy and Continued Innovation
You know, I'm playing the role that Jeff normally plays, which is like the pessimist. But you know, I've seen over time, I've been in this space for 20 years and I was a big customer of both Oracle and CA. And I usually don't name drop in any kind of negative light. But the big tech industry has kind of a history of going deep into acquiring different pieces of the identity stack, putting them together, and then R&D dies on the vine.
And so, you know, given that history, none of that implicates you, but given that history, what would you say that's not going to happen again?

Yeah, that's a good question. So Cisco makes a lot of acquisitions. You mentioned the number 247 episodes. Cisco's done about 250 acquisitions over its history. So it's a lot. You know, it averages around 10 per year over the past few years, give or take a few. Over time, those acquisitions get brought in and made part of the bigger portfolio, with Duo and with Oort in particular. So we acquired Duo six years ago, still going today. We're still investing, we're still making big launches, and we're still just as relevant as ever in the industry, especially in the authentication market. And then with Oort, which I was part of, I was the founder and CEO there. And we were an identity threat detection and response company that was acquired two years ago. We've now made that part of Duo and Identity Intelligence, and we're continuing to invest in those capabilities. And we just announced a new capability as part of Identity Intelligence as well, which is this trust scoring mechanism that lets you pinpoint individual users and figure out which ones are actually compromised inside your organization. So you could have like 10,000 users, and this will narrow it down to like, hey, these three accounts, you need to go scrub those. It's almost like a laptop. You need to go wipe that laptop, with that account, and start over again, because those are definitely taken over at this point.
So anyway, just some examples of how Cisco does bring in companies and make them part of the bigger story, but at the same time continues to invest where it's needed, especially in areas of identity, because there's this realization that identity is a core pillar of security. It's the foundation of zero trust. And the whole industry has woken up to that.

¶ The Impact of Cisco Talos Intelligence
Yeah, I, you know, I think one of the things that I recognize anyway is, you know, when you talk about Oort, you guys were kind of an innovator and a leading company. And now look, you, as an individual, are running the show there in terms of Duo identity. That's pretty telling. I mean, are you bringing with you that culture of innovation that you had? Or let's talk about that for a minute. It was kind of that transition you made from, you know, founder and CEO at Oort, and now you're a part of a bigger tech company. Did you bring the innovation, or was it like you came over and you're like, wow, this is a really innovative company?

Yeah, it's a really good question. I think you're picking up on a pattern that does exist. And it's not just me. Like plenty of other founders get acquired into Cisco and then get put into bigger roles, bigger responsibility, expressly for the value that they bring in terms of driving urgency and bringing in new ideas and innovation. And it's not because Cisco lacks that at all. It's just really helpful to have new, fresh ideas constantly coming in. And that's one of the ways that bigger Cisco, and now Duo, has done it, is kind of bringing in talent through acquisition. So myself, we've had other leaders, you know, just in the year that I was acquired, like Armorblox was acquired on the e-mail side. And DJ Sampath is running a lot of the AI strategy now for Cisco overall. So Jeetu Patel, who's our chief product officer and, you know, president at Cisco now, is really creating this culture of we need to think like a startup, even though we're a gigantic 100,000-person company. Like we need to think like a startup, act like a startup, and bring startup people in in order to drive and continue to drive urgency.
Yeah, I mean, that's kind of the answer I was expecting, because, you know, when you talked about something like Talos, I started to think, wow, like, imagine having the insights that they have, and you can just sit down and have coffee with the people that are making it happen there. Tell us a little bit about Talos and some of that intelligence that they're bringing to the table that's influencing. You know, look, you guys are taking on some big, bold stuff, and it sounds like having that intelligence was kind of at the center of making some of these decisions.

It is. So understanding what's really going on for customers on their worst days, when they're suffering from security breaches, is the type of insight that the Talos team brings to the table. And then that team, for a while, also came in through acquisition, I believe through the Sourcefire acquisition, which was one of our, you know, firewalls that we acquired. So that continues to this day, and they've expanded from just a focus on networking and network intelligence and network-focused response into also things like understanding what's going on in the identity world, just because that's such a big aspect of the breaches that are occurring. It's a key component. And that's really the research that we're highlighting here. It's not just this year or just Talos saying it. We've seen kind of corroborating evidence coming from like the Verizon DBIR and some of the research that CrowdStrike puts out. So it's definitely not just us who are into it. But yes, I kind of get an inside track on getting the real details on what's happening in these attacks and what are the vectors through which these attackers are coming in, so that we can build controls and detections into our products, into Duo, into Identity Intelligence, to put a stop to that.

¶ Customer Insights and Challenges in Identity
Yeah. And I'm wondering, you know, so to me, the two interesting angles would be that piece, which is all the other companies within Cisco, or products, however you want to, you know, call the structure, but then also the customer insights that you must be getting, being able to come into customer conversations. And I'm wondering, like, what are some of the challenges you're seeing? Are you coming into clients and finding a lot of laggards? Are you seeing some clients that are just like, you know, innovating in ways that you're learning from? Kind of what are you seeing in that landscape?

Yeah, customer insights are at a totally different scale at Cisco. So Duo alone has over 100,000 customers. So much as I'd like to, I can't talk to all of them in a single lifetime even. So we rely a lot on data and then select, you know, customer interviews. We just held one of our first Duo customer advisory boards, strategic advisory boards, in New York a few weeks ago. And that was really insightful, because we got to sit down with 20 customers and really dig in a bit more into the problems that they're having in identity, and the common themes are things like phishing resistance.
How do I get to passwordless? How do I deal with non-employee populations, like contractors? A little bit of non-human identity, a little bit of agentic popping up, and we can talk, maybe save that for the end. But these are the things that are kind of top of mind for our customers. And going from, you know, what they have today, which might be like a mishmash of different identity technologies, to an architecture that they feel confident in from a security perspective. That's really what they look to Cisco Duo for, is like, OK, help me with these specific projects, like phishing resistance and passwordless. And then also help me think bigger picture of, like, how do I tie this whole identity thing into my zero trust initiative, my zero trust architecture? And so this was really well positioned to help with both those things, those kind of tactical things as well as the strategic bigger picture, because we have this much broader portfolio.

¶ Is Authentication Solved? Innovation in Phishing Resistance
Yeah, whenever we get a thought leader like yourself on, I wanted to ask some questions that are like, maybe sound basic, but are we solved? You brought up passwordless. Is authentication more or less solved, and now it's just tactical getting it rolled out? Or is there still innovation to be had?

I think there's still innovation to be had. So if you look at it, how do you get to like NIST AAL3 phishing resistance today? Usually you have to go buy a bunch of hardware tokens. And I have no issue with the folks who manufacture hardware tokens. They're a good product and I use them myself. But for organizations, when they're staring down, you know, a $50 per token price tag, and then having to provide two of them for everybody in case they lose one, like it's a really hard pill to swallow for most organizations that aren't, you know, maybe financial services, let's say. So that in particular is an area of innovation where Duo, with recent announcements around end-to-end phishing resistance, we've stepped into. We've announced this thing called proximity verification, where you can get AAL3 phishing-resistant authentication where your phone is your key. You've got Duo Mobile on the phone. It's using Bluetooth Low Energy between the phone and the device. And by virtue of them being near each other and the fact that I've registered both devices, my laptop and my phone, and by virtue of me doing a Face ID or Touch ID on my device, I now have enough factors to say, OK, this is phishing resistant. And an attacker would need to be in the room with me, kind of pulling up a chair to my desk, in order to insert themselves into the flow. So there is innovation in authentication still.
That's good to hear, because, you know, it's not like the threats stop innovating either, right? So you kind of have to stay ahead of it as well.

Yeah. And we do see that the attackers continue to innovate. But you know, we thought MFA was the silver bullet for the longest period of time, where, as long as you have MFA on your account, they're like, you're good, you're golden. But then we have things like SIM swapping, or even more basic, like push bombing, push fatigue. And so then we move to like number matching and, you know, OTP and, you know, other one-time codes. And then you have attacker-in-the-middle, where they create a proxy and put it in the middle so it looks like your sign-in page, and you put in your four-digit or six-digit code, and then they steal that. And so we're constantly being pushed further and further towards eventually getting to where we are now with phishing resistant, and the hope is that this new Duo proximity verification capability is sort of the easy, cheaper way to get to phishing resistant versus shipping everybody their own little hardware key.

¶ AI's Impact on Identity Security and Future Threats
I want to talk about the product here in a second, but I'm curious what your thoughts are from an AI perspective and some of the threats that we're seeing, you know, using AI to leverage against some of the identity security that maybe we've built out over the decades. You know, gone is the poorly written e-mail from the poor Nigerian prince. And now it is a very well crafted, very believable, you know, text or message or whatever it may be, that AI is really empowering the other side, right, to be better at that. How do you see AI impacting identity security, you know, as it stands today? And then what scares you the most when you start to think about these types of things and how you're going to defend against it or help others defend against it?

Yeah, of course. I think it's twofold, right? There's one piece of it, which is like, how do we think about identity for AI? And like agentic identity, or agentic AI, is almost like a human identity, in that it's somebody that your organization hires and you need to give an identity to them.
Let's set that aside for a second, because that's probably its own kind of can of worms, which we can get to. The more pressing thing right now is AI has enabled attackers to do social engineering at scale. So they can find, and literally use tools like ChatGPT and say, hey, go find me all the profiles on LinkedIn who have like a Microsoft certification for Entra ID and they look like they've been in the industry for a few years, so they're probably a global admin, and help me figure out their home phone number, so I can try to call them up and convince them to turn over their, you know, their OTP, or convince maybe their help desk to allow me to add my phone to their account so I can sign in as the attacker. And then once I do that, maybe I'll set up federation with my own IdP so I can persist in their environment and continue to log into their apps. Like those types of social engineering at scale, and kind of doing the research part, the intelligence part, just got a lot easier, because every individual attacker now has an army of bots, chatbots, that they can go out and say, hey, do the research for me to figure out who I should go after and where the soft targets are, and then even help me get in the front door. So you're kind of screening those targets. It's almost like hiring, right? You're using an army of people to go find good candidates and then screening them, except it's an attacker going and trying to find candidates, or victims really.

¶ How Duo is Leveraging AI Internally and for Customers
You know, maybe I'm one of those people who's just taking in all the hype. But I heard a recent one, I think it was OpenAI was hiring 1,000 developers, and those thousand developers will each manage 1,000 AI developers. So essentially, they're going to have a million developers if you do the math and you believe the hype. I mean, are you guys leveraging AI in a way that you kind of like are now able to build the product faster, ship enhancements quicker, things like that? Does that resonate with you?
It does. So I think the most immediate thing that comes to mind is that we just shipped the Duo AI assistant. So if you're logging into the Duo admin console, there's an AI assistant there that you can ask questions to. So like, hey, why, you know, Jeff's having trouble logging into his account. Why can't Jeff log in? And the AI assistant will go and kind of virtually click around the admin console. It's really talking to the API, but it's figuring out, like, OK, what was Jeff's last error message? Why did that happen? Was it a policy? Was it some issue with the device he was coming from? Figure out what the issue is and then kind of spit out an answer that's like, OK, Jeff couldn't log in because he was coming from an unregistered device. You know, something like that. Getting to those answers really quickly is a benefit that we see AI providing to Duo admins, so that it can answer questions about how to set up the product or how to troubleshoot really easily, and kind of have it there right at their fingertips. And then internally, we're also using AI for a whole slew of things. I think everybody is. Content's a good example. It makes it easier to write documentation for the product. It makes it easier to do a little bit of like market research. And then of course, on the actual software engineering side, Cisco's software engineering practice has kind of fully embraced AI and is trying to leverage it as much as possible to maximize its efficacy for speeding up the software development process.

That's such a super cool use of AI. I love being able to, like, say, OK, let me log in as an admin and say, OK, well, why doesn't Jeff work, right? Rather than hunting around and pecking through. Now that might be a more existential question, but let's just focus on me not being able to authenticate, you know, for that scenario.

¶ Duo's Repositioning: From MFA to Identity and Access Management
So talk to me a little bit about, I guess, Duo from a product perspective. And you know, is Duo shifting kind of the mindset here? It sounds like it may be, to a more broader identity and access management, or is it, you know, you still focus on the authentication space? Like where do you see Duo kind of fitting today? Because everybody likes to be put into a box, right? Are you authentication? Are you IGA? Are you PAM? You know, what is Duo today and where do you think it'll be, you know, in the next few years?

Yeah, I think I can answer that with: it is a repositioning of Duo, really. You know, historically, whether we like it or not, the perception of Duo has been MFA, and that's been a blessing and a curse, because Duo is MFA and MFA is Duo. It's almost in the name. Like I said earlier, this is really a repositioning and reinvention of what Duo is to our customers. It's not just multi-factor authentication, it's not just how you add MFA to your account. It's still that, and we do that really well, exceptionally well. But this is the expansion of what Duo is into Duo Identity and Access Management. We're really entering that broader IAM market and tying that to the broader Cisco portfolio in a big way, which is our, you know, our broader strength as a company. So it is more of a revolution than an evolution of how you think about Duo.

¶ Shifting Metrics of Success for Duo Customers
So I've always noticed that Duo is very sticky with organizations, which is a real testament, I think, to the use case that it's solved traditionally, right? The MFA side. You see a lot of organizations that have an IdP that has MFA capability, but they like Duo and they just stay with it. I'm curious, from a product standpoint, given how your customers maybe have measured success in the past around this, might have been, you know, enrollments or things like that, number of MFA prompts, you know, whatever that might be, how do you see that shifting in the future as part of this, you know, evolution of the Duo sort of identity security stack?

Yeah, I think that how we measure success is an important question. It's one that we hold our product management team to. We have lots of individual contributor product managers, and the question for them is, OK, you want to build this feature, what is the metric of success? And so the metric of success for, you know, this launch that we've done, and for our customers who are starting to adopt these features, especially on the passwordless front, it's almost the inverse, which is how many authentications have we saved because we've now gone passwordless. How can we make it so that each individual on average has one or fewer interactive authentications per day?
And so the ideal kind of dream-state scenario is you walk into your office, you put your phone down on your desk next to your laptop or your desktop, whatever you're using, you log into the operating system through this kind of proximity verification that I described earlier, and then you're on with your day. You don't need to, when you log into your browser or that browser or this client, go through another interactive auth. You've already established, like, Matt's in his office in front of his computer, like let's just go. And I think that is now our metric of success. So Cisco itself, Cisco IT, rolled this out with Duo over the past couple of years. They get early access to all the things that we build. And we're now at a point where the number of authentications for employees is less than five per week per employee on average. And like that is a major win for me personally as an employee here at Cisco. It's great. Like that user experience is really good. It's a big win for Duo and for the Cisco customer base more broadly.

I love that. The prox card, and really the description you made there, kind of reminds me just like continuous authentication that can happen in the background, and it's more than just, you know, logging in and you walk away, someone pops into your cube and does this, that, or the other. You can really use the technology that you're talking about to prevent a scenario like that.

¶ Workforce, Extended Workforce, and B2B Use Cases for Duo IAM
And the reason I chimed in was I wanted to ask, is your IAM solution going to be focused on that workforce, internal population, or is it going to be the customer side, or both?

Yeah, it's a good question. There are plenty of good solutions out there for the, you know, the customer side, you know, and plenty of awesome start-ups in that space as well that we talk to frequently. What was launched here is for two major use cases. One is workforce, but then there's also extended workforce and B2B. We have a ton of customers using Duo for partners, contractors, vendors, third parties, and how they log in to solutions inside the environment. We do have some customer IAM use cases that are more on the B2B side than the traditional CIAM stuff that you would expect. So for example, you can imagine that if I'm building a SaaS product which is more infrastructure focused, and so I have like admins who need to log into it, we've seen Duo embedded for those use cases as well, where you want to provide a really easy-to-adopt MFA for privileged access for certain types of infrastructure. Oftentimes we'll see Duo used for access to network devices, because, you know, Cisco is like, hey, I need to SSH into that router or that switch over there to change the configuration on it and, you know, update the routing table, whatever. I will often put Duo in line for those types of use cases as well. So yeah, really workforce, extended workforce, and a sprinkle of kind of B2B CIAM as well.

¶ Deep Dive into Proximity-Based Authentication
I love this idea of proximity-based authentication. I think this is something that's not new. It's been around for a little bit. I can think of like Windows has had it built in for a little while, but frankly, it hasn't really worked very well for me, for when I've tried to use it. Talk to me about this idea of proximity-based authentication.
Is it I enroll my phone and I sit down and there is a Bluetooth beacon and you know, whether it's in the laptop or maybe some sort of add on or something that is picking that up. Can I use something other than a phone to authenticate that same way? Like maybe a ring? I mean, I wear a smart ring or maybe an Apple Watch or something else like that. Yeah, it's a great question. So the the way that this proximity verification works is yes, exactly right.
It is Bluetooth low Energy. So you do have the laptop in a beaconing out a or broadcasting out a cryptographically signed nonce that is specific to the user and their their phone. And so your phone will pick up on that when it's, it senses, hey, I'm, I'm getting this Bluetooth low energy signal. It's this nonce. It's for me in particular.
And then it will allow you to then use the phone to prove that it's you and, and dance between the phone and the laptop allows you to then log into the operating system or into the application that you're trying to access. This is great because it, unlike other solutions that rely on like GPS, for example, like that's not very reliable or it relies on IP address, also not reliable.
Easily spoof both of those. You can't really spoof being in the same kind of radio frequency distance, you know, within like 20 ish feet of of the laptop. So like that is fairly unique compared to these other approaches for proximity that have been tried in the past. We're relying on the physical medium between between the two of them. And yeah, we're not stopping here. Like this is one of many kind of frictionless experiences that we're providing for authentication.
But there's a whole set of other problems to solve, especially in spaces like retail and healthcare, where you want to provide frictionless access to systems without having to take your phone out of your pocket, for example, where we're going to continue to innovate, and then everybody else will get the benefits of all that. You mentioned the Apple Watch in particular; Duo has an Apple Watch app today, as well as an Android watch app.
And you can use those today if you want to unlock, you know, or go through push-based authentication. I think we'll continue to see more innovation around that. Other areas that are interesting are like NFC, and trying to figure out if we want to do something in that space, or other types of like badge-based access. So more to come.
¶ The Importance of Phishing Resistance in Duo's Strategy
And this all strikes me as a really good way to get to that sort of passwordless Nirvana that I think everybody's been trying to get to. And, you know, you've got your phone or some sort of, you know, possession-based authentication. It strikes me as very phishing resistant, where, you know, if it's based on especially proximity to something, it's going to be kind of hard to, like, phish if you have someone sitting there in front of you and try to block your, you know, Bluetooth signals.
Talk to me about phishing resistance, and where does that play in sort of the strategy of rolling out things like proximity-based authentication, or maybe other methods that Duo is looking at too? Yeah, so phishing resistance is really what's important here.
And we've seen, you know, phishing at every part of the user's journey, whether it's enrollment, or operating system login, application login, mid-session security like session hijacking, or recovery use cases. Attackers have phished every step of the way. So when we came out with phishing resistance, it wasn't enough to say, hey, we've got proximity verification now, like, we're good. There's more to it. Like, for enrollment, we had to go with identity verification.
And so we're partnering on the kind of government-ID-based enrollment flow. So you can use your government ID and a selfie in order to enroll into an account. The same thing is true for help desk use cases and for recovery use cases: you use a government ID because you're now missing the phone that you were using before. So you need a new kind of root of trust. And we just went through a whole hackathon with the California DMV to use verifiable credentials that the state
issues in order to verify, oh, that's really you. You have a verifiable credential from the state of California and you can prove it to me. That's a really cool way to bootstrap into the process as well. But once you're in it, then we can rely on these cool things like, OK, I'm in it. I've registered my laptop, I've registered my phone on my account. Both of those are trusted devices with, you know, some sort of certificate built into the TPM.
So I know cryptographically it's really that device. I know they're near each other, and I know that, you know, it's me logging into the device because I have my fingerprint or my Face ID. Those kind of four factors really combine to make it phishing resistant, because at no point along the way are you entering something in, whether a username, a password or a code. And at no point along the way is it easy to man-in-the-middle, or attacker-in-the-middle, between any step of that flow.
And so that's really what gets us to that phishing resistance for application and OS login. And then the last piece I want to mention is the mid-session security. So session hijacking. So great. You did all this work to go and build a kind of foolproof phishing-resistant enrollment process and application login process. But what if the attacker is on your device and in your browser and they just steal your session cookie out of there, like
it was all for nothing? Because the session cookie is basically the credential at that point, and it's easily phishable. It can be replayed no matter what device it's coming from. We've gotten rid of cookies with this latest Duo announcement. We've gone to a cookieless architecture for our session management. So if you're logging in for Duo, you're not
getting a cookie. You are setting up the kind of cryptographic trust between your device and our back end, and then we're relying on that for subsequent authentication. So never is there a point in time where we're storing something that can be replayed in your browser such that an attacker could pull it out and put it into their own browser.
¶ Continuous Authentication and Shared Signals Framework
So you kind of stole my question that I was going to follow up with, which was, you know, how do you prevent session hijacking and man-in-the-middle attacks and kind of things like that. So you got that. So I'm going to pivot to something else that, Jim, I think touched on earlier, which was around this idea of continuous identity
or continuous authentication. It seems to me like this is another area where something like this could be very handy, and not just the point-in-time login, but as long as, you know, I think I've heard it referred to as butts in seats or, you know, something along those lines, it's like as long as you are still in that same area, you're constantly emitting signals of some sort to say, yes, this is Jeff, versus maybe, you know, someone else who maybe has come over to that same device or
something like that. How do you feel about that sort of idea of continuous authentication and leveraging those signals? Yeah, it's really interesting. There's a few things that we do on that front, especially with posture. So for a long time Duo has had a health agent, which is now part of Duo Desktop, that provides continuous posture signals from the device to the
back end, such that if the posture changes, or any aspect of what the user's trying to do changes, we can kill that session and force a reauthentication. The same thing is true with risk-based authentication. At the time of authentication, we're able to see, OK, here's the IP address, the geo information, the device information. And so we can say for each authentication for any application, like, all right,
something's different here. Let's step up authentication or block entirely if it looks a little bit weird. So that's a piece. Risk-based authentication is part of this. Posture-based authentication is part of this. Identity Intelligence is where we don't just get signals from Duo.
Duo signals are great, we see a lot of information, but Identity Intelligence is able to pull information from your other identity providers, from Okta, from Entra. You can pull data from your HR system, you can pull data from specific applications, to really form a user 360 profile.
And so we might get a much stronger signal on, like, a user trust score, so that if that score changes over time, we know that the reputation of that user's account isn't as trustworthy as it used to be. So that's important. And then to kind of pull all this together, we've invested a ton into shared signals. So SSF, the Shared Signals Framework, and the CAEP standard.
We've been working with quite a few other companies in these Gartner IAM interops that they've been holding in order to understand, hey, does our solution work with your solution? So we work with, like, SGNL, with AppOmni. And we've shown, like, yeah, there's real interoperability here when we all implement
shared signals. And so even if Duo can't detect something today on its own, through shared signals we can get signals from other providers that say, hey, it looks like, you know, something's fishy here. Something's a little bit unusual. Maybe you should log the user out of their session or have them re-authenticate. We don't have to just solve, you know, the whole problem on our own.
We can work with industry partners to build up a pretty robust solution that can find these kind of behavioral differences in terms of what users are doing. That really pulls it all together from an identity security perspective.
¶ Identity as a Core Pillar of SASE
It's interesting. As you were talking and I was off camera, I was thinking, man, this sounds a lot like the SASE framework, especially with the continuous authentication piece. So I went out, I googled to try to, you know, see if I can find a good concise summary. The first result that came back was from Cisco. So there you go. I guess their marketing team is doing a good job. Yeah. So SASE, Secure Access Service Edge, a big part of that is identity.
But what most companies don't provide is the identity piece. A lot of the SASE vendors out there, they're just doing networking for you. It's like, hey, get my packets from point A to point B, not realizing, like, the foundation of zero trust is identity. So Cisco is literally the only solution in the industry that has an integrated identity stack now with our SASE solution. So you can take all that from Cisco and integrate super tightly and you get end-to-end SASE with identity.
So you establish trust using identity and then parlay that into the network, so you can then get access to just the resources that that user, or that IoT device, or, you know, agents running in the cloud need access to. That can all go through SASE backed by identity. Well, you heard it here first.
¶ Why Shared Signals Framework is a Key Investment for Duo
You know, the thing I was talking about earlier, Matt, was kind of, you know, this whole innovation piece, R&D, and you brought up something about Shared Signals Framework. And I was like, man, to me, that's like where things are heading. And you must kind of see it the same way, because it's, I wouldn't say it's like in the here and now, it kind of feels like for the most innovative companies, it's in the here and
now for them. But when you look at like most organizations, I don't think they're that far in terms of adopting CAEP and the Shared Signals Framework. For you to be investing in that, that's really innovative. Talk to us a little bit about that and why you made it, why you felt like that was important to invest in. Yeah. So that, I mean, among other things, we're always trying to solve this kind of complex equation for where we should spend our kind of limited
engineering bandwidth. And that's the problem that product management is tasked with solving, right? It's like, where should we spend, you know, limited resources? That one in particular I think is super important for two reasons. One is we need that internally. So Cisco has dozens of products that need to share signals about
identities all the time. For a long time, Identity Services Engine, which is a product that I'm familiar with here at Cisco, is how we tied identity into the network. And they had a publish-subscribe mechanism called pxGrid, which does pretty much exactly that. And shared signals we see as a kind of natural successor or complementary technology to how that technology operated.
So for a long time we've known, like, you need this kind of shared bus to share identity signals. So like that, that's nothing new. But yeah, back to your question of like how do we continue to innovate in the face of all these different technologies, it's really the ones that drive our connectivity into what a customer might have. So things that really work with other things in the industry, and that's very much because that's how Duo has
always operated. We are sort of an ecosystem player. We understand we are not just a, you know, an island in a much bigger industry. We integrate with other solutions in identity, other solutions in networking. And so it's really important that we do invest our limited engineering bandwidth into building stronger bridges so that we can do more with them.
Not just, you know, SAML, but also OIDC and SCIM and SSF and so on and so on. Like, we need to make sure that these bridges are really strong and we invest in the protocols that make them possible. Maybe Model Context Protocol is the next one, who knows? So you can kind of tell I dropped the pessimistic angle about half an hour ago, right?
¶ Future Outlook for Identity Practitioners: Passwordless and AI
I'm literally sitting here thinking we should be paying Matt for being on here with us and, like, sharing this knowledge. So I'm going to pick your brain a little bit more. What should we be thinking about, as the identity practitioners are listening to you? What should we be thinking about for the future? Yeah, I think the future's hard to predict. This phishing resistance thing,
even though we're talking about it here and now, is like, it's going to be a long road, but we've got to start implementing that. That's really important if we want to see that 60% number drop down to, you know, below 50 and hopefully closer to like 10 or zero. The investment in passwordless phishing resistance, you know, biometric-based, cryptographically secure passwordless, like, I can't
emphasize that enough. Like, there's the here and now, and we've got the tools now to go and do it, and that's really important. But if we look out and put on, you know, our goggles for what's happening 5 to 10 years in the future, there's a lot of interesting innovation happening both in terms of human identity, but in terms of machine and agentic identity. And they're all super interesting. Machine identity is kind of, it's been up and down in the hype curve like a few different
times. I think it's like ping-ponging back and forth about whether there's a real market there and enough to go after. I think there is. There's such a need for strongly identifying and authenticating devices, not just when they connect to the network, but also when they go and access resources, and whether that's devices or workloads. There's a ton of innovation that's required around machine identity. The same thing's going to be true for agentic identity.
If I'm hiring a team of 10 agents to do various things for me, I need to give them identities. I need to figure out what permissions I can delegate to them and when to delegate them to them, and then let them have the connectivity to go and access resources, but really closely watch what they're doing with the access that I gave them
so I can quickly take it away. Then the thing that's really interesting is, you know, you can corrupt a person, maybe by bribing them or figuring out what their intentions are and manipulating them. Agents, it's just like so much
easier. Their value system is written in plain English, and they're easy to corrupt in such a way that we need to worry about the insider threat thing all over again, because each agent has the potential to easily become an insider threat just because it read, like, a weird PDF at some point in the past day. It's like, oh, it accidentally read this PDF and now it's malicious. Like, that doesn't happen to people, it happens to agents, and it's just bananas.
And I think that's a really interesting problem to solve from an identity perspective, because it gets to, like, yeah, that agent is who it says it is. It still is. We can still authenticate it, it still has that certificate, but, like, it's gone off the walls. It's crazy. We need to shut down what it can do. Those problems around agentic identity and agentic AI are fun to think about.
I think we'll see how much of it really comes to fruition, but I'm pretty excited about that in particular. I mean, there was a whole movie about this called The Matrix.
¶ Agentic AI and the Future of Authorization
So we've got Neo and, you know, Agent Smith. And if you think about it, both are agentic AI, kind of battling each other, right, through all the different levels of the Matrix. I want to project us from the here and now into the future. I'm going to wrap up the episode here, and, you know, we're at Identiverse as this goes live. So, but we're not there physically yet, right?
So we're going to use the power of time travel for the three of us. What is something that you are hoping to see at Identiverse this year? Is there a specific topic, any sort of trends that you want to see? I have to imagine, like, AI is going to be kind of everywhere, and this idea of non-human identity. But like, what are you most looking forward to hearing more about at the Identiverse conference that we are all at right now?
Yes, here we are. So there's a ton of things, and yeah, you can't ignore AI. I think I'm interested to see what start-ups emerge around the agentic identity space. I'm already seeing a few really interesting ones. And you know, from my vantage point at Cisco, I get a sneak peek into, like, what's going on in the startup industry, and that's pretty cool. The machine identity stuff. We've been talking about non-human identity for a couple years now. There's been a crop of start-ups
that came about. I'm really interested to see where that goes. It's like, do we get beyond just visibility and observability there? It feels like we're there, like, when are we going to get an IdP for machines, and when are we going to get an IdP for agents? And what are the sort of things that would make this happen? So those things in particular. Interesting. I think the identity governance problem is still very real.
It's like we still don't have least privilege authorization. One hypothesis that I find super interesting, that I'm going to be looking out for at Identiverse, or am looking out for since we're there, is whether this agentic AI problem forces us to finally solve the hard problem of authorization that everybody's been kicking the can down the road on for so long. Because it's hard.
It's hard to figure out, beyond the application level, what permissions people should have and how to grant them and take them away in, you know, in an instant.
But with agents, like we were talking about, things can go wrong in an instant, and they can go wrong at scale, and you can cause really, really big problems if you don't have control over it. I think we might finally see solutions to authorization that not just work for agents, but we actually get the benefit from them for humans as well, and it's going to make our lives easier and more secure. Jim, what are you looking forward to at the Identiverse that we are currently at right now?
¶ Jim's Swag Tips for Identiverse
Yeah, well, look, I'm going to force the lighter note. I'm looking forward to improvements in the swag. I think it's very important that each booth give away something good. I don't need any more squeeze balls. I don't need one of those little window things that covers your camera when you don't want to be on camera. What I would like, I'm a fan of socks. Like, I think giving away socks is a good thing. I know that's not your thing. I don't understand it.
Everybody likes socks. Like, I have zero interest, less than zero interest. I would give them away if someone gave them to me. So socks I think are good because, you know, you wear them a few times and then, like, you got them for free, so you can just throw them away. I think somebody should have scarves. Like, how much would it cost to have a custom scarf, or do something a little bit different? You want to say you think different? Then give away different swag at your
booth. That's my pro tip. Matt, any response to that as a vendor? Yeah. No, I think the scarves in Vegas in June is like, really? That's going to be really good. It's going to be like 100°, or when you're listening to this, it's probably 100° outside, but you get to stay inside in the... it's chilly. No, I'm with Jim though, on socks. I love the socks. Sorry, Jeff. No, hey, that's fine. Look, I know what's super popular.
We have a lot of folks that have, you know, expressed interest in that. You know, I just, I don't get it. I think the most important thing for any type of swag is that you don't want to be the piece of swag that gets left behind in the hotel room because, like, I'm not going to use this thing. That's just a waste for everybody. So it also means that your swag was not memorable enough to throw in the suitcase or into the bag or whatever you're doing.
So pro tip for all the vendors out there, right? Come up with something good. Who I appreciate most are vendors who give me stuff that I can give to my kids as souvenirs. It just, like, saves me a trip. I was at RSA a few years back and somebody was giving out, like, lightsabers. And so of course that was a very popular, you know, giveaway for people.
And I'll never forget getting onto the flight back home from San Francisco, and at that time we were going back to Chicago. So a United flight, and I get on the flight and I just see a whole bunch of lightsabers on the seats with all the people who had attended RSA, and they were carrying back this thing. I don't know what company it was, but it was very memorable swag.
So, you know, a unique memory as part of business travel of, you know, getting on board with what I assume are a whole bunch of Jedi and Sith Lords, you know, going back to Chicago. So you never know. Hey, I should mention though, Identity at the Center is recording. We're at a booth in the expo hall and we will have stickers. So even if we're recording and can't stop and talk, grab a sticker, and if we are there and we're not recording, we'd love to say hi.
Yep, always. All right, let's go to wrap it up.
¶ Final Thoughts from Matt Caulfield
Matt, any final words of wisdom that you'd like to impart upon the global identity community that you're talking to? No pressure. OK, check out the new Duo. You know, go to duo.com. There's Duo Identity Access Management, it's pretty cool. We've got a directory now, that's the big news. Let's go check that out. If it's not Thursday yet of Identiverse, check out my keynote on Thursday.
I'll be talking in the morning, and if it's past that date, you know, feel free to check out the recording of it afterwards. But no, that's, I appreciate you guys having me on. Well, Matt, it's always a pleasure having you here. We're going to give you a virtual fist bump for now and hopefully make that a real fist bump in a couple days there.
Yeah. So we'll have links in our show notes, duo.com, and connect with us on LinkedIn and, what else, like and subscribe, all that fun stuff, and show appreciation for the guests that we get on like Matt. So with that, we'll go ahead and wrap it up for this week. Thanks everyone for watching and/or listening, and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show.
Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
