¶ Introduction at Authenticate 2025
Welcome to the Identity at Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad yourself. Fantastic Authenticate 2025. Here we are. We got a great guest to start things off today, so why don't we jump right into it? Yeah, we've got a sponsored
¶ Sponsored Episode Welcome: Bojan Simic, CEO of HYPR
episode today, so we're joined by Bojan Simic from HYPR. We're going to get to him in a second, but if you find out more about what they got going on, you can go to hypr.com/IDAC. That's HYPR.com/IDAC and just make it clear, right? This is a sponsored episode. We do these from time to time to have really smart people come on, tell us about sort of what they're doing in the space and learn more about it. But yeah, let's jump right into it.
So welcome to the show, Bojan. Thanks for having me guys. Yeah, so here we are. Authenticate. You got the lovely passkey background, right? We sacrificed that for our guests. Want to make sure that you look good. Tell us a little bit about your background. So I think it's the first time we've had an opportunity to actually meet and talk. I feel like we've been on phone calls probably in the past, but how did you get into the world of identity? Did they choose you or did you
choose? I, you know, I stumbled into it.
¶ How Bojan Simic Got into Identity and Cybersecurity
I started out as a software engineer. That's what I went to school for and I was a mediocre software engineer at best, I would say. But I wrote a piece of software once for a large client in Cincinnati, Ohio, I will not say who. And three months later, that product got breached. And so that was my first foray into cybersecurity. And then once I got into cybersecurity, I grew my career there and it progressed well.
And I was running a security team at a financial institution in New York City. And I was like, why is every bad thing that happens here due to an identity related thing? And so I, I figured, you know, I should jump head first into that. So when we had an opportunity to start this company, that's, that was my first official foray into identity and the vast complexity that it entails.
And so it's been an amazing journey over the last 10-11 years and I'm looking forward to sharing it more with you all.
¶ The Elevator Pitch for HYPR
So for those not familiar with HYPR, what is like the 30- to 60-second elevator pitch when someone says, hey, so HYPR, what's that about? Yeah. Look, we believe that users want fast, consistent and secure identity controls, right? Not relevant to what specific identity provider they have or whatever else. People just want fast, secure, consistent authentication, identity verification, baseline security controls that any user can understand and implement at scale and rule #1 is it's got to
work. And so we excel at that. And so we typically really focus on complementing our customers existing identity investments and solutions to get that best in breed set of controls from an identity verification and authentication perspective. So that's a good first rule.
It has to work. That's rule #1 and like, look, many people in Identity kind of really learned that lesson way too late, where identity it the reason why it's so hard or one of the many reasons identity is so hard is because it has to work all the time. And if especially the authentication system, if it's not working, your customers aren't working. And that is such a key component to any product, so. Tell me about the name of the company. It's suspiciously devoid of
vowels, so yeah. Lot of lot of consonants. And it's not because I'm Eastern European. It is because there is a there's a 80s book by Neal Stephenson called Snow Crash, may have heard about it. And in that book there is a thing called a hypercard. And it's this thing that contains a significant amount of knowledge or data information. And I'm a fan of that book. My co-founder is a fan of that book. So that's how we got here today. That's a cool little Easter egg
I love, like hiding out. Very cool Easter egg. So we're here at Authenticate 2025 and you guys have a booth out there. What's been sort of like the
¶ The Buzz at Authenticate 2025: Passkeys and Securing AI Agents
buzz? Like what's the feeling like? What is the sort of, you know, the word on the street so. It's interesting, you know everybody, everybody that comes to Authenticate is laser focused on passkeys which we have here. Everybody really wants to understand how do they deploy this stuff at scale. Every I think for the most part, most organizations now are like on the passkey train. They're just trying to figure out like, how do I go fast?
And so many of these companies, to use the train analogy, are still kind of like in the, you know, shoveling coal into the steam engine type of thing. And they want the bullet train. So people are here trying to figure out what is the best way to do that and in in a way that's as low risk as possible to their careers. And then the second thing is agentic AI is, is sweeping a lot of board level conversations
right now. And so there's a lot of smart people here trying to figure out how do we securely authenticate these agents and these things and what roles do passkey and decentralized credentials play into that? Because I think we all know that, you know, agents should not be using passwords. Yeah, there's a lot of major themes going on in this conference. One of them is continuous identity, doing things in a
continuous manner. And when we got prepared for this show, you and I were talking about like let's educate people on something that is a big trend in the industry and
¶ The Trend of Continuous "Know Your Employee" (KYE)
you talked about know your employee, that's the big trend, but also doing it in a continuous manner. So you're already on this trend. Can you talk a little bit about what that's all about? Yeah. Look, the reality is since the pandemic, pretty much every organization has a significant chunk of their workforce that is remote. And that's just a reality that's not going to change anytime soon.
There's the big banks of the world that are now saying you have to come in five days a week, but most of those people just show up in the morning, tap their badge and then go home. So they're still remoted. So, yeah. So, so it's becoming increasingly important to continuously verify individuals and, and this this is particularly important on the enterprise side where you have so many different personas working at any given
organization. So if you have a 10,000 person company, you got a couple thousand contractors, you have, you know, 3 or 4000 people who work remote, you have individuals who are frontline workers and you have to figure out like, what is the identity story across all those personas?
And that's not always easy. So being able to continuously verify people both from a credential and authentication perspective as well as an identity verification perspective is critical because we've seen recently a lot of instances where individuals are outsourcing their jobs. So if you're if you're, if you go on Reddit, there's an overemployed subreddit, right where people are like talking about how they're juggling three, four, five different jobs at a time.
There's also now nation state efforts like with North Korea, where they have entire groups organized and basically set up to do jobs on behalf of US employees. And so every, I think people have read the article of that lady. I think it was in Tennessee or Arizona somewhere where she had like 40 corporate issued laptops in her house and you know, people are remoting into those
laptops and doing the jobs. I just don't have the litz for to do something like that myself, but I'm I'm sure it's
¶ Is Your MFA Program Enough Anymore?
happening. So what are companies doing about this today? How are they solving this problem? You mentioned? It got hot at the beginning of the pandemic. I remember was like we're all patting ourselves on the back like, hey, in six, six weeks everybody got multi factor authentication up and running. Is that what they're doing? Is that was that the last chapter of that book?
Well, it was like. You know, typically before the pandemic, it was like you get a job at a company, you, you start on day one, you get verified, you get issued an MFA credential and then that's it. Like that MFA credential is you for the rest of your career there, right? And so that's no longer the, the feasible way of doing identity security at the employee level anymore.
Now you have to be able to continuously verify people to make sure the person sitting behind that laptop is the person who's supposed to be sitting behind that laptop. And the person who has access to the MFA credential is the right person who should have access to the MFA credential, right? There's so many instances now of individuals like sharing their MFA with others, right, or issuing new MFA credentials to
them. And so this concept of you, you have like a seesaw type of thing where you have, you have to have a strong MFA credential. I think that's what passkeys and the FIDO Alliance have been working really hard towards and vendors like us to make sure that that thing is not phishable and all that, all that. But then you also have to make sure that that credential is being used by the right person at all times. So that's where the identity verification piece is, is similarly important.
And so now what we're seeing companies starting to do is things like, hey, if you're a contractor or a remote employee at our company, you have to go through identity verification, you know, at certain increments every three months, six months, or maybe if the level of risk justifies it. And, and this is the exciting part for me because we're finally starting to see the convergence of identity and
security. You know, when we started HYPR 10 years ago, I would ask the identity teams, like where do you report into? And only about 10% of the time would they say they're reporting to security. Now it's like more than half the time, so it's really fascinating to see how that's evolving. Yeah, I mean, definitely want to
¶ Hackers Don't Break In, They Log In: The Scattered Spider Threat
jump into that. One of the things that comes to mind is this kind of saying that's become popular, which is hackers don't break in, they log in. But it's so true when you're talking about something like this, right? And you know, I also think of the Scattered Spider example that happened recently where it's like the same old stuff. Call the help desk and social engineer your way in. I mean, is that why this kind of this old paradigm is failing? Yeah, it's so dirt simple too.
You know, one couple of the big casinos had breaches related to Scattered Spider recently, and I had an opportunity to listen to one of those phone calls. It was nothing sophisticated, right? It's like, hey, this is Bill. I can't log in and help me out here, you know, and, and the hackers don't have to be extremely smart, right? The, the way that they do these things is pretty simple. So they call up the help desk. They say, hey, it's Jeff, I forgot my password or I'm locked out.
And they say, OK, Jeff, what's your manager's name and the date that you started? And the hacker's like, ah, damn, I don't know. So they hang up, then they call up Jeff and they'll hey, Jeff, this is your IT team. We're just doing a routine audit of your security questions. Can you confirm with me the date that you started and your manager's name? You're like, sure, here you go. Hang up, call up the help desk, answer the questions, get access to the account. That is the level of
sophistication here. It is not some zero-day Stuxnet-like crazy thing here. Like this is like a teenager can execute it. And but what's changed in the last couple of years in particular, these attacks are scalable at a level like never heard before.
¶ How AI is Scaling Social Engineering Attacks Globally
So I was talking to a chief security officer of a large Japanese bank and he said I never had to worry about social engineering and Scattered Spider at my help desk because most hackers speak Chinese, English, Russian, they don't speak Japanese. It's like, but now with with AI, they speak fluent Japanese and my help desk can't tell the
difference. So all these companies that are in Latin America, certain countries in Asia, Europe, where hackers typically don't speak those languages because it wasn't necessarily profitable. Now it's open season. It's crazy. It's like the hack is fundamentally simple. The answer, though, is you better throw some technology at it, right? It's not just, oh, we're going to change our help desk process. You do need some technology behind it.
But I think there's also, it's not just that, you know, the defenders are throwing technology at it, the offenders, the attackers are also throwing technology. So the the language one is interesting because, you know, it used to be the, you know, Nigerian Prince with the poorly worded email. Now it's a well crafted AI generated thing. There's things for voice. Now there's even things for voice that will remove an accent
from somebody. So, you know, if I have, you know, a thick accent in one language, I can in real time speak my normal cadence, you know, whatever language I'm speaking and have it be in real time translated into the appropriate language and get rid of all that. I posted videos on LinkedIn of me speaking Japanese. I don't speak Japanese, and I send it to my friends who are Japanese and they're like, yeah, you sound like you're from here.
Perfect. Yeah. Maybe that's a spoiler we can put in here and like, just make this entire thing in Japanese, right?
¶ When a Breach Happens, Who's on the Hook? IT, Security, or HR?
Yes. OK, so who's on the hook when something like this happens? I mean, in other words, it seems like it's more than just an informational security problem, right? Yeah, it's fascinating. You know, like so if we break it down into a couple of areas, if somebody bypasses MFA, it's typically the security team's problem, right? But if somebody calls up the help desk and tricks them into issuing a new credential, oh, all of a sudden that's IT's problem, right?
And then if a company interviews an individual and then the person who shows up and is on board and on the first day is not the person they interviewed for some reason, that's HR's
problem. So there is this like finger pointing, not just in terms of who has to deal with it, but who has to pay to fix it. And so this is where identity is more complicated than ever because now you have to have the ability to reach across the aisle and really work with other key stakeholders within your organization to drive this change more than ever. And that's always been the hardest part of identity. And that's that's why I like CISOs are so scared of identity.
Like everybody talks about zero trust and the like, the five pillars of zero trust. But like, conveniently, all the CISOs tend to like, ignore the identity one as much as they possibly can until the, you know, until it hits them where it hurts. Well, Identity at the Center. Hello. The, the pay thing is interesting angle because at the end of the day, the company pays. And so you don't want to be in a position where it's like, well, who's paying for the security, right? Is it HR?
Is it IT? Is it IT security? Is it a compliance thing? At the end of the day, someone's paying and guess what? It's going to be the macro company. So how do you, how do you articulate that with people that are out there saying, well, it's not my problem, that's your problem? No, no, it's our problem. We need to fix this issue. Yeah, it's really all about making sure that inside inside teams can find creative ways to get the project prioritized and paid for, right.
And so sometimes they're charging it back to security or to the business. Other times they have to have a broader leadership level discussion. But everything ultimately comes down to the business value. And like, how can us doing this make sure that we better differentiate ourselves from our competitors? Doesn't matter what your industry is, right? If you're a bank, you're in the, you're in the business of trust.
If an article comes out and, and you know, you hired somebody from North Korea, like that's a problem for you, even if it didn't have any material impact on your, on your business, it's a trust issue. So I think being able to socialize it and position it in such a way that like, hey, this is going to help our business and we need to work together
here is, is key. And, and just being very transparent here, Like when I talk to an identity team, one of the first things I ask is how long have you been here and what other change management have you been able to drive across the organization in that time? Because if they don't have good answers for that, like we know that we're going to really have to work with them to help them drive that change. So we know our primary listener is the identity practitioner.
¶ What is the Right Solution for Identity Practitioners?
Obviously, Identity at the Center is not a generalized topic, right? We want to make this as educational as possible. So what is the right solution? What should identity practitioners be doing to getting it to get ahead of this for their organization? I think you have to think about it in two ways. One is getting it prioritized and budgeted is the number one thing, right? So being able to speak the language of the business and put it in that context.
And then 2 is understanding what it's going to take to operationalize it quickly, right? So what we try to help our customers with is technology is usually the easier part. It's the people part that's more difficult. And so whenever we work with a
¶ The Critical Role of Internal Marketing for Technology Adoption
customer, for example, like we put together an entire change management program for our product so that they can use to implement it. I'll give you a really silly example. So like we were deploying passwordless with a large company that has like 50,000 employees across 40 countries and they got to like 33,000 employees in three months. It was amazing. But what they did was they spent as much money on the internal marketing campaign as they did the technology.
So in any region, the first 100 people who signed up for passwordless got a T-shirt that says I'm passwordless, right? Or they got like a little Lego kit or or something that was branded to their organization that they could use to show off. And that internal marketing is every bit as important as the technology. Yeah, it reminds me of Jeff, your story right where you were rolling out. This was back in the day, self-service password reset. Yeah, which we would never do that to.
Any right? Yeah, give away an iPad. Give away an iPad. Right, $400 that we spent on iPad drove way more like self-service enrollments and I I like the idea of making it like exclusive, right. So maybe it's like a limited-time offer, like the first 100 get something and when that thing is gone, it's gone. So you create like artificial demand, right for the thing.
Now the thing has to be cool. I don't know if a T-shirt would get for me, boy, I'm sorry, but you know, a Lego or something that's like, you know, very unique would be very cool. Yeah, what this customer did, they, they gave the country manager because they were in 40 countries. They gave the country manager an iPad or a drone if it when they got to like 90% adoption and you'd be shocked. Like what? Highly paid executives are willing to do it for an iPad or a drone.
Yeah. Well, and The thing is, it's like you're spending a lot of money when you roll out any technology to 50,000 people. So that incremental spent on a few iPads and a few Lego boxes like it's well worth the money. Yeah. What we've done is we've actually like packaged that into a solution essentially, right. So we, we provide all the, all the marketing content for you, right? So you don't have to think about it. We're just like, here you go.
Here's what it could look like. Just let us know which of these things would resonate with your workforce the most. And so therefore like just meeting the customer where they are is is critical. How many of your customers take you up on that like is that part of part of the deal? Say, hey, we were getting HYPR in and here's the plan for roll out? Like do they take that and kind of run with it? I'm sure they probably tweak it a little bit to some degree to fit their organization, but.
I mean, we're pretty involved as part of that. We're pretty adamant about it because that's the, that's the main way that we can get success. Like look, the last, the last thing we ever want to be is shelfware for any customer. And there's way too many security solutions out there that companies will buy and they just sit there and they never get implemented, right? So how do you get an identity product implemented? You get people excited about it, right?
And like when we first started this company, we're like, it's passwordless, everybody's going to want to use it. It's a no brainer. But that's not the case. The fact is, people don't like change, even if it's a positive change. And so you have to drive that change some other way. Yeah, that's a great point. So I think the other thing is like identity practitioners are kind of wired to bring people together.
I mean it's one of the few technologies I think in the enterprise where it's like you touch so much of the business even if even though you're doing like IT security. So my question is what advice would you give for the practice? Like who do they need to be reaching out to and building these alliances and kind of what is the message that they take along, I mean, leveraging that framework that you talked about? Yeah, in terms of the internal stakeholders building alignment
there, that's key. So if you look at the typical enterprise, right, do you have, you have the HR team who's who's involved in the onboarding process, you typically have a digital workplace folks, right? These are individuals who manage things like, you know, the Windows 11 upgrade and stuff like that, right? And, and they, they also tend to have a stranglehold on what goes on the endpoint, right?
And then you have obviously the, the executive level team where if somebody complains about a change management thing, they're the first ones who are going to, you know, go to the CIO or the CEO and say, like, what the hell's the identity team doing? Like my, my users hate this, right? And then and then you have the help desk, right, because if people have trouble with that technology, they're going to pick up the phone and call the help desk.
If the help desk is not fully prepared to handle that request, that's going to come your way really fast and it's not going to be pretty. So building that consensus within your organization of the individuals that you know are going to need to be a part of this and starting early, like especially, you know, some of these teams, they have, you know, three month change windows.
So if you want to get something done in the next 6 months, if you're not talking to them six months ahead, like it's not going to happen or giving them the heads up. So I think building that consensus early and, and often is, is key. And you can't just show up at the last minute say like, hey, can you do this for me? Like that's not how it works. You know, Jeff and I, during our
¶ The Problem with Identity Sprawl and the Fallacy of IDP Consolidation
day job, we worked with the clients implementing identity solutions. I think one of the things that we've seen for a long time is still around today is identity sprawl. And So what did you get from you? Like kind of. What does that mean to you and why is that a problem? This is one of my pet peeves of the identity industry is like when when I talk to identity teams, they tend to tell me like, we are working on foundational things right now.
And so we're going to take our five IDPs and we're going to consolidate it into one. And then everything is going to be great. And then what happens? They get 20% of the way there and then they acquire another company that has three more IDPs and then they're like, oh, now we got to start all over again. So then then they start planning and so on and so forth. So the reality is consolidating everything into a single
identity source is a fallacy. Like it is it, it's possible in smaller companies that don't change very much. But guess what, if you're a smaller company, don't don't change very much, you're not going to become a bigger company. All right. So you, you really have to think about how do you implement these baseline security controls that are key to stop phishing and social engineering across that identity landscape, right?
And so that also gives you flexibility because now if you acquire another IDP for whatever reason or some line of business decides to go rogue and just deploy another IDP because they feel like it. Do that. Come on. You can bring it into the fold from an authentication experience really quickly. And what that then provides you is if your authentication experience is consistent across your identities.
Then if you do want to consolidate IDPs down the road for whatever reason and you want to simplify that, it becomes more of a back office function than something that is affecting the end user on a day-to-day basis. Is that what you're touching on earlier in the podcast to talk about leveraging these existing tools, which I think is something that every practitioner wants to do, right? We spent this money, we put these tools in place.
We don't want to just have to rip them out every five years. Is that where you're getting at, or was there something deeper? That's exactly it. And then there's an additional part of it, right, which is, you know, I talked to, I talked to identity and security teams. And sometimes they'll say, if I could take the worst authentication experience in my company and just make it consistent across all my users, it will be way better than what we have now because the
consistency is so important. And then 2 is being able to leverage existing investments. So you know what, if you're an identity practitioner inside your company, you know what security people really like to hear? They like it when you go to them. You say, hey, you guys just spent millions of dollars on CrowdStrike. This identity thing I'm doing over here can talk to CrowdStrike really well.
And I can actually take the data from the tool that you just spent a lot of money and put your career on the line investing in and I can get you more value from it. That's the language that security teams speak and that's what they like to hear. Instead of coming in and saying, here's what we're going to do and here's how it's going to impose this change management and here's like what you have to do in order to make my project work. All right, So it's a give and take.
¶ When is it Time to Move On From Your Existing Identity Tools?
Some may flip that. I think a lot of people it resonates right to say, OK, let's get the most accountable tools we have, but at some point those tools are not good enough anymore. How, how do you know when that is the case? Like when is it time to move on and say, OK, we got X number of years out of this thing and it's time to move on? Like how do you have that conversation? How do you recognize that?
That's a really good question. And I think it's, it's a tough one because often times individuals have built their careers around specific tools, right? You go on LinkedIn and the first line on somebody's LinkedIn profile is I'm a SailPoint so-and-so, right? And it's like, wow, that's your career, right? And, and I think that's a mistake.
I think, you know, most sophisticated identity and security teams, they have programs that protect them from being beholden to a specific vendor, right? And, and those are the teams that I've seen be most mature. So I think anytime you onboard a vendor, you have to think about the exit plan for that vendor. And is that exit plan a month, a year or three years because depending on what you have, it
could be really, really long. Like most financial institutions still run on RACF, you're not moving off of that anytime soon. So I think for identity especially, it's the same because identity is, is the perimeter, as we like to say. And so it's something that people interact with. So I think if you have an existing vendor, you need to have an exit plan for that vendor if you don't put one
together. And two is like any vendor relationship is, is key and it's about trust at the end of the day. So do they say that? Do they do the thing that they say they're going to do if they say they're going to have a specific feature that you requested in three months or six months and they don't deliver for two years, like writing's on the wall there that like the thing that they're doing, the thing that you need is not their
priority. And you should think about that at the same time, like how resilient are your vendors? Third party risk is probably the biggest area of risk of growth in in the industry right now where, you know, most vendors don't have the security that the bank that's buying that vendor does, right? So how do you make sure that your vendors have the third party risk controls in place that they need to? Otherwise if they're not taking it seriously like it's not, it's a non starter.
¶ The Role of Document-Based Identity Verification in the Enterprise
We talked a little bit earlier about identity verification. I feel like this is one of the areas that from a technology perspective is the most different from 5-10 years ago where it's now document based verification technology tools. I want to get to how, how prevalent should they be or will they be in the enterprise? But before that, I just wanted to give a recognition that you know, we're at the Authenticate conference and obviously it's like passkeys are the number
one thing. But you wonder, OK, where's FIDO? The FIDO standards going to take things in the future of FIDO Alliance going to take things in the future. And we had Nishant, their CTO, on a few episodes ago and he talked about identity verification. It's like having a verified identity and then doing authentication in a strong way. It's like now you're talking about the Holy Grail. Yeah, look to tackle that. Like if you look at most enterprises right now, identity verification means KBA.
This is what street did you grow up on and what's your manager's name? And I think we all know that that's not acceptable anymore right now on the consumer side of things, identity verification has been much more mature recently, especially since the pandemic started, where if you're signing up for an Uber account or something now or a Lime scooter app, like you have to scan your driver's license or
a document, right? And so the issue is the documented verification piece for identity verification doesn't really translate as much to the workforce. Like you need more flexibility because you have employees all over the world. You have employees who don't have driver's licenses, you know, or, or things like that, where they can reliably use that as a source of proving themselves. Additionally, in order to prove
somebody's identity. Well, if you look at the average enterprise where the where's that person's information actually stored that you need to verify, some of it is in Workday, their human capital management system, some of it is in their IDPs, right? Some of it is in their, their, their HR and healthcare systems. So when you're proving an employee's identity, you have to be able to go into all those things, pull it down and then use that information to verify them.
So you have to have a lot more flexibility and orchestration in the way that you're verifying employees identities. And that's where we've really seen a good product market fit to the point where now our our customers are regularly verifying employees at scale. Yeah, seems like there's a certain level of friction involved with verification. I think in some of these cases, absolutely necessary.
But you know, I feel like in the enterprise the ability to insert friction into the process would be a lot higher, but it seems like there is a resistance there. What what's your philosophy in terms of like inserting friction into the process? Look on on the employee side, at least here in the United States, it's a little bit simpler, right? It's like you're a net will employee and we give you a paycheck. So you need to do it like that's, that's the mentality of
a lot of companies. But when you look at international organizations, it, it varies and you also have to have different levels of control for different personas within the organization, right. So my employee who works in a factory who logs into stuff twice a year to download their W-2, like do I need to put them through the same process as I would my system engineer who you know has access to our AWS infrastructure? No. So that flexibility is really important to have.
And then working with this is where identity is working with the legal department to really help them have an understanding of these processes is important because if you are doing something like a biometric match or a document scan as part of that verification process, your employee, your, your more privacy conscious employees will write a letter to HR or to legal and say, WTF is this? And they need to have a prepared set of answers, right? Or, or tackle those upfront.
And so this is where another reason that identity has to work with internal stakeholders more. OK, so I'm going to cross my arms here and put my jaded CISO hat on.
¶ What Makes HYPR's Approach Unique?
What is it about HYPR that makes you guys unique in this space? Right, because there's so many different identity tools, there's a lot of overlap. I'm sure you've got competitors out there. What is it that you think that makes HYPR special? So what makes HYPR a little bit different from most identity companies is we started out as a security company and we started as a security company 11 years ago when there were very, very few or none identity focused security companies,
right. So we started out in that landscape from the get go. So what, what does that mean? That means that we built resiliency trust controls into the product from the get go. We built scale into the product from the get go. We understood that if HYPR is not working, our customers aren't working, right? And then we're really focused on the areas where there were massive security gaps. So one of the first things we implemented was what we call desktop MFA, right?
As we realized most companies don't have MFA when they're logging into their endpoints. Let's build that, let's provide that to the security teams and many banks purchase that and, and use it today. The other thing that we did was, which was very differentiating was we built our identity verification capability focused for the workforce, right? So we noticed we, we were talking to, this was like 5 years ago, we were talking to some of the Swiss banks.
We're like, what do you do if somebody forgets a password? And they had the system where you could go to any two people in your company and they could request a part of your password for you. And then they can give you, you know, your password and in those multiple parts. And it's all tracked through an accountability system.
So we built a vouching system into our identity verification product where other people you work with would vouch for you over a video chat and then you could automatically be issued a new credential, right. So we took these best practices that were being implemented ad hoc or manually in the real world at some of the most sophisticated organizations and brought them to every business. And so we're not an IDP as a company, we don't try to be. We think that is a well
commoditized space. We really try to fit into our customers' existing ecosystems and bring them best in breed controls such as passwordless, identity verification for their employees, orchestration between their security tools and their identity tools that they typically don't have so they can fill those key gaps. So what's it take to set this up then? Is this let's say I've got a primary IdP already, right? Microsoft, Ping, Okta, et cetera, right?
What does it take for me as an IAM administrator to set up HYPR? You log in, you choose which identity tools you have. So you choose Okta, Entra, Ping, and you provide authentication credentials to those APIs, and then we pull it all in, and then we enable these capabilities for users. So if you're like an Okta or Entra customer, you can have users up and running with HYPR in 15 minutes. That's pretty fast. How do people measure success
¶ How Do You Measure the Success of an Identity Solution?
with this? So it's kind of one of those things like, OK, I logged in, great. Like that's the expected result. What is a way that your customers have found to measure to say, OK, yeah, we are getting what we're paying for from HYPR? Yeah, we helped them track with. So we have this identity assurance score essentially within our product where you can see the value you're getting from it in real time, right.
So we, we can show you like, here's how many of your authentications that people are doing today are phishing-resistant and here's how many are vulnerable to phishing. Here's how much money you're saving on credential resets because people are no longer calling the help desk. Here's how much money you're saving in productivity because your employees aren't locked out because they typed in a password wrong too many times that morning.
So having these hard metrics that people can like share with their broader business is key because that's how ultimately they justified the investment. And look, we, we like to start with our customers smaller, sort of like let us prove our value to you and then we'll grow together.
¶ HYPR's Philosophy: Never Leave a User Stranded
So you mentioned a few things to me that I just jotting notes down as we were preparing and one that jumped off the page to me was never leave a user stranded. I thought that was so cool. What does it mean? So picture this. You're on vacation with your family, right? And you lose your phone and your phone has your MFA on it. And you know, you're, you're, you really need to take care of an e-mail or send some report. And you're like, oh, man, I can't get in.
So you don't have your phone. You know, you have your laptop, but you need MFA to access things. What do you do? Right? And so call up the help desk and you say, hey, I know, I know, we have corporate issued phones, but you know, my wife has her phone. Can I get the MFA on her phone? No, you can't do that. And so employees have to go through so many hoops to prove that they are who they say they are. And lots of times they don't have the things available to them to prove that.
So what we built is an orchestration layer for identity verification, where in the worst case you can always get through, right. So if you don't have your phone number and you can't do OTP, that's OK. You can do something else. If you're in the wrong, if you're, if you're not in the right location, it's OK, you can do something else. If you can't scan your driver's license, that's fine. Maybe you lost your maybe like my phone has my driver's license on the back of it.
If I lose my phone, it's over. So then what can you do? Well, we can put you, we can use any browser at any hotel kiosk to put you on a video chat with your manager or somebody you work with who can vouch for you, right? And so always having a way for an employee to get through and never leaving them stranded is so key because us identity people, we love to get hung up on the edge cases. And so being able to always have a way through is so important.
But it's not going to work this 1% of the time. So we got to hold everything up. Come on. Football. And that tags along with the next one that I took note of which was talked about it being authentication being a Tier 0 capability. In other words, it how many nines do you have has to be up all the time. All the nines.
¶ Authentication as a Tier Zero, Always-On Capability
And people stranded. You can't have it work. Well, everything except Sunday night at 2:00 in the morning. It's just got to work. Yeah. And that's where the resiliency piece comes into play so much, right. It's like, does this thing work across multiple regions, multiple availability zones? How does it fall back? You know, like the word disaster recovery in most companies or most vendors is a tabletop exercise at best. And so how do you actually practice what you preach?
And that part is so key and being able to prove that at scale is important. So like many of the top banks in the country use us and, and they have hundreds of thousands of employees. And so if we're not working, they're not approving loans, they're not, you know, opening checking accounts, they're not doing anything. And that has a fundamental impact on our economy. And so step number one is making sure that you're at peace with
that, and that's the reality. And two is making sure it's part of your road map. And three is making sure that every employee truly understands the criticality of them.
¶ Is Identity Part of Your Disaster Recovery Plan?
So I've been having a lot of conversations with my day job about resiliency and DR plans and where does IAM fit into DR plans? Because I think most, most larger companies will have like a DR plan, but what happens if their IdP goes down? I don't know if a lot of companies have really thought about like their identity infrastructure as being that critical.
And so yes, it has to be up. Are you seeing more of a push to make sure that identity is part of that DR strategy, that plan, whatever may be where, if something does go down, here is how we're going to recover from it. Absolutely. And that's where a lot of companies realize that they have gaps because your ecosystem is only the chain is only as strong as its weakest link,
right? And when companies do DR plans and they execute those, they realize what the weak links in their environment are. They're like, oh, shoot, we have MFA. But for these key accounts, like you, turns out you can bypass it. And so, you know, like actually doing the exercise and finding compensation methods that are still secure to address those
is, is key. And, and it's something that's, yeah, it really started out in financial services as being a key control, but now it's starting to get into critical infrastructure and, and energy and, and a much broader set of verticals. So this is not a really fascinating conversation. Then we'll start to wrap things up. But there was a note on our notes here as we were getting set up as I, I think it's the first time we've had this on the show.
¶ From the Ring to the C-Suite: Bojan's Past as a Competitive Boxer
There's a note that says that you're a competitive boxer in the past. So I definitely have to get into this. Keyword was it was 50 pounds ago. So how long ago was this? What was it like? I think taking me into the mind of a competitive boxer because this is the first time I think we've had that on the show. Yeah, I went to a, I went to a party in high school and and I ran it, you know, I'm, I'm, I'm a tall guy.
I'm 6 foot 5. So I, I saw another guy that was taller than me and we immediately start talking and he told me he was a boxer. And so I, he invited me to join this gym. So in high school I joined this gym and I started boxing after that competitively and in
college I was decent. And, and the thing about boxing is you have to, you have to get to a point where you truly believe in yourself when you're doing something, because when you get in the ring with somebody, like you look around you and there's nobody there to help you, right? So you have to be very confident in yourself to execute on your plan. And as Mike Tyson says, you know, everybody has a plan until they get punched in the face.
And running a startup, you get punched in the face a lot. So how many fights like professionally in the competitive circuit and what was your record? I think I had like 18 fights. I think I won 12 of them and I was a super heavyweight and super heavyweight is anything over 195 lbs. And so I was like in the low 200s at that time. And it's fascinating because as a super heavyweight, anything over 195 lbs is a category.
So as a 200 lb guy, you're fighting somebody who's 300 pounds and so you have to be very, very fluid in the way that you approach things. So it's a good skill to have. So how much of a difference does that 100 lbs make in that sort of snare? Right? So you're 200, someone else's 300. Is that 100 extra pounds of pure muscle or is it, you know what? What? Butter, butter, Butterbean? What was the guy's name, right? Like I said, like that, right? Like, you know, maybe that
heavier set. Yeah, I boxed this guy that was like over 300 lbs and he was an NFL, he was a linebacker, right? So his NFL career wasn't going the way he thought it would. So he was like, I'll try boxing. And the good news is like he doesn't have the stamina, but if you get hit, like I remember blocking a punch from this guy and thinking like, I didn't block it. So because it was so powerful. And, and so for me, I think it depends. Like, you know, the bigger guys
don't have as much energy. So if you can survive the first two rounds, like you're good to go, but you got to survive. Yeah, done. I mean, it's a workout, right? Just to get out there for a couple months. I remember I used to do Taekwondo for a long time ago and I would, you know, do some light competitive stuff and man, you'd be gassed after just a couple of rounds, you know? The hardest part of boxing or any sport like that is, is I
forget. I don't know what the technical term for it, but my coach called it like being able to see punches coming. And so this whole concept of when somebody's trying to hit you in the face, like not freaking out or not holding your breath when that happens because when you hold your breath, your muscles get tired really fast. So seeing punches coming at your face and being able to breathe through that process is the trick. I mean, that's like a physiological response rising.
Oh, here it comes. You're tensing up. It's like being in a car, you know, a car accident. Yeah, they talked about how like people who are drunk and they're in a car accident, they don't break as many bones. Because they're relaxed. Yeah. So all right, last question. What is the hardest that you've ever been hit? Like, do you remember something that stood out like, oh, my God. Like you mentioned the block where you thought you didn't block it. Like is there something like that?
So one thing I was, I was an average boxer, but the one thing I was very proud of is I never been knocked out. In eight years of boxing I never got knocked out, so the closest I've got... We'll try now. Folks who are listening don't want to have to go ahead and say. OK, let's do this. The closest I've gotten is I got it was I was fighting this guy who's boxing for the Navy and I don't remember actually
being hit. So he hit me in my temple and I dropped down to one knee and I got the standing eight count and I came back. But I don't remember it actually happening. I just remember my coach being like, yeah, you got knocked down on and but you didn't like fall over so. You're just like, stunned, I guess. I mean, yeah, if I. Finish the fight. So you're also married with kids. So was the boxing career. Was there overlap? Because I know that most wives
would be like done done. This is not happening. Go be a CEO of a technology company if you want. Yeah, look, I, I realized a while ago that I was not cut out to be a professional boxer for the long term. And, you know, I, I knew it because like I, I'd already had a career in software development and a degree in computer science and a job after college and I was still trying to box. And I was just like, I'm just not in the right headspace for this. And so I had to.
Plus I got plus my boss got tired of me showing up to meetings with my face all busted up.
¶ How to Learn More About HYPR
That was great. Well, well, thanks for being here spending the time with us today. That story at the end was probably worth the price of admission. I'd encourage everybody to go out to the website hypr.com. That's hypr.com/IDC. There can be some unique stuff out there, so make sure you hit that URL specifically and anything else, Jeff? No. Man, you were here taking it away. It was great. You mentioned the website idacpodcast.com. And our YouTube channel idacpodcast.tv.
Yeah, like and subscribe and that helps us get great guests like Bojan. So thanks for being here, being part of this and we'll go and wrap it up for this week. Thanks for having me. Yeah, thanks for being part of this. Thanks for watching and or listening and we'll talk with y'all on the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at
identityatthecenter.com. See you next time on Identity at the Center.
