1
00:00:09,700 --> 00:00:12,400
You're listening to the Identity
at the Center podcast.

2
00:00:12,800 --> 00:00:15,600
This is a show that talks about 
identity and access management 

3
00:00:15,700 --> 00:00:18,600
and making sure you know who has
access to what let's get 

4
00:00:18,600 --> 00:00:29,300
started. 
Welcome to the Identity at the

5
00:00:29,300 --> 00:00:30,600
Center podcast.
I'm Jeff. 

6
00:00:30,600 --> 00:00:32,100
And that's Jim. 
Hey, Jim. 

7
00:00:32,600 --> 00:00:35,500
Hey, Jeff, how are you? 
Oh, not so bad yourself. 

8
00:00:36,200 --> 00:00:38,400
I'm good, man. 
I was, I've been giving thought

9
00:00:38,400 --> 00:00:41,600
to podcasts. 
I listen to a lot of podcasts 

10
00:00:41,700 --> 00:00:45,100
outside of recording this 
podcast with you. 

11
00:00:45,700 --> 00:00:47,900
And I'm wondering what is your 
favorite podcast? 

12
00:00:47,900 --> 00:00:50,300
Other than Identity at the
Center of course.

13
00:00:50,500 --> 00:00:54,100
It's, I'll be honest, I don't 
listen to a lot of podcasts and 

14
00:00:54,200 --> 00:00:58,500
I barely listen to this show 
because one I record it, right? 

15
00:00:58,500 --> 00:01:00,400
So I'm here, I'm present for the
conversation, I know what 

16
00:01:00,400 --> 00:01:03,000
happened, and then I edit it, 
which means I'm usually 

17
00:01:03,000 --> 00:01:05,099
listening to the show like three
to four times. 

18
00:01:05,500 --> 00:01:09,600
So when I do listen to a podcast
and it's the only couple that I 

19
00:01:09,600 --> 00:01:12,900
listen to right now, with any 
type of regularity, it would be 

20
00:01:13,300 --> 00:01:16,400
Conan O'Brien needs a friend and
it's usually something around, 

21
00:01:16,400 --> 00:01:18,900
you know, comedy and him talking
to folks and, you know, just 

22
00:01:18,900 --> 00:01:21,600
being Conan O'Brien himself and 
then the other one that I like 

23
00:01:21,600 --> 00:01:23,400
is I'm a big fan of Anthony 
Jeselnik. 

24
00:01:23,800 --> 00:01:30,100
So Anthony Jeselnik and Greg
Rosenthal have a comedy podcast,

25
00:01:30,100 --> 00:01:34,200
slash whatever is whatever you 
call it called the Jeselnik and 

26
00:01:34,200 --> 00:01:39,700
Rosenthal Vanity Project, JRVP.
So I listened to that you

27
00:01:39,700 --> 00:01:42,300
know with with some regularity 
every at least every couple of 

28
00:01:42,308 --> 00:01:44,100
weeks or so. 
What do you listen to? 

29
00:01:44,900 --> 00:01:49,300
Well, I'm a big fan of the, the 
Risky Business podcast with

30
00:01:49,300 --> 00:01:51,200
Patrick Gray.
I think, you know, if you're a 

31
00:01:51,208 --> 00:01:54,600
nerd in this space, you've got
to, you've got to tune in to that.

32
00:01:54,800 --> 00:01:59,100
That it comes out every Tuesday,
that's a fantastic one, where 

33
00:01:59,100 --> 00:02:02,900
they just pretty much talked 
about the infosec headlines, 

34
00:02:02,900 --> 00:02:06,200
mostly about companies that have
gotten ransomware recently. 

35
00:02:06,200 --> 00:02:09,199
And then, of course, I'm a huge 
baseball nut. 

36
00:02:09,199 --> 00:02:14,700
So, I listened to the baseball 
America podcast, I listened to 

37
00:02:14,708 --> 00:02:19,800
one called 30 with Murti,
Murti being a Yankees

38
00:02:19,800 --> 00:02:24,400
broadcaster. 
There's some other identity and 

39
00:02:24,400 --> 00:02:26,800
access management As your 
podcast, I like to listen to 

40
00:02:26,800 --> 00:02:33,200
like the hybrid identity 
protection podcast, shoot, 

41
00:02:33,200 --> 00:02:38,300
there's a few others, there's 
one that was put out by the CISO

42
00:02:38,300 --> 00:02:43,200
over at Microsoft called
security unlocked. 

43
00:02:43,300 --> 00:02:46,700
And then there are a bunch that 
are put out by NPR which are 

44
00:02:47,300 --> 00:02:51,100
really radio shows that have 
become podcast as well. 

45
00:02:51,100 --> 00:02:56,900
Like This American Life,
Freakonomics, Hidden Brain.

46
00:02:57,100 --> 00:02:59,200
So those are just I would 
Marketplace. 

47
00:02:59,200 --> 00:03:03,600
Of course I in those are I don't
listen to all of them every week

48
00:03:03,600 --> 00:03:06,300
but that's kind of my listening 
list. 

49
00:03:06,700 --> 00:03:08,900
That's a pretty healthy list. 
I mean for someone who doesn't 

50
00:03:08,900 --> 00:03:11,500
listen to podcasts, you just 
named off like 700 different 

51
00:03:11,500 --> 00:03:15,200
shows. 
Yeah, well I'm hoping that 

52
00:03:15,200 --> 00:03:18,800
somebody can find a nugget there
and but I definitely recommend 

53
00:03:18,800 --> 00:03:22,700
the the risky business podcast 
and anybody who's listening to 

54
00:03:22,700 --> 00:03:25,500
us on a regular basis. 
Also should should be tuning 

55
00:03:25,500 --> 00:03:27,700
into that. 
Right on. 

56
00:03:28,200 --> 00:03:31,800
So why don't we change this 
podcast over to maybe talking

57
00:03:31,800 --> 00:03:34,300
some identity? 
I think, you know, as we're kind

58
00:03:34,300 --> 00:03:36,600
of talking with our guest that 
will introduce here in a second,

59
00:03:37,300 --> 00:03:41,300
we were kind of looking at ideas
on where do we take this episode

60
00:03:41,300 --> 00:03:45,700
and we settled on the past 
present and future of strong 

61
00:03:45,700 --> 00:03:47,700
authentication, which I think is
an amazing title. 

62
00:03:47,900 --> 00:03:52,200
If we do say so ourselves and 
the person who helped us come up

63
00:03:52,208 --> 00:03:54,800
with that title, his name is 
Kurt Johnson, he's the vice 

64
00:03:54,800 --> 00:03:56,400
president of strategy and 
business

65
00:03:56,600 --> 00:03:59,900
development at Beyond Identity,
and want to welcome you to the 

66
00:03:59,900 --> 00:04:02,400
show. 
Kurt Thank you very much. 

67
00:04:02,400 --> 00:04:04,600
Nice to be here. 
Jeff, Jim, great to see you. 

68
00:04:04,900 --> 00:04:06,200
Yeah, thanks so much for 
joining. 

69
00:04:06,800 --> 00:04:09,800
So the company that you work for
Beyond identity Beyond 

70
00:04:09,800 --> 00:04:13,100
identity.com, it really plays in
the strong auth game.

71
00:04:13,100 --> 00:04:15,500
So I'm really excited that 
you're here to kind of help us 

72
00:04:15,500 --> 00:04:18,100
understand. 
You know, what is strong auth,

73
00:04:18,100 --> 00:04:20,000
what does it mean? 
And maybe putting you know, 

74
00:04:20,000 --> 00:04:21,899
helping us understand what are 
the differences. 

75
00:04:21,899 --> 00:04:24,500
Maybe even the space because I 
think there are some things to 

76
00:04:24,500 --> 00:04:27,300
kind of consider around that. 
But as this is the first time on

77
00:04:27,300 --> 00:04:30,700
our show we like to find out our
guest origin stories when it 

78
00:04:30,700 --> 00:04:34,700
comes to Identity and infosec. 
So maybe you can kind of recap 

79
00:04:34,900 --> 00:04:38,200
you know your your career from a
from a from our perspective. 

80
00:04:38,200 --> 00:04:40,400
At the identity level. 
How did you get into the 

81
00:04:40,400 --> 00:04:43,000
identity space? 
It's something that you chose or

82
00:04:43,000 --> 00:04:46,700
did it choose you? 
Oh, it definitely chose me. Was a

83
00:04:46,700 --> 00:04:49,500
bit of an accident and a bit of
an evolution at the same time 

84
00:04:49,500 --> 00:04:52,800
because I started in identity 
before we were even calling it 

85
00:04:52,900 --> 00:04:55,800
identity management. 
I actually spent years as an 

86
00:04:55,808 --> 00:04:58,600
industry analyst I was working 
with a company called META Group

87
00:04:58,600 --> 00:05:02,500
that's now part of Gartner and 
One of the areas that I was 

88
00:05:02,500 --> 00:05:05,300
covering was the whole IT
service management and help 

89
00:05:05,300 --> 00:05:07,000
desk. 
And so, I was getting calls from

90
00:05:07,000 --> 00:05:10,600
clients all the time around. 
What could we be doing to reduce

91
00:05:10,600 --> 00:05:12,100
the number one call to my help
desk? 

92
00:05:12,100 --> 00:05:15,500
Which was password resets. 
And this company Courion was on

93
00:05:15,500 --> 00:05:18,300
my radar as an early stage 
startup who was doing 

94
00:05:18,300 --> 00:05:20,900
self-service password reset. 
So I was digging into them to 

95
00:05:20,900 --> 00:05:25,700
see if this was real and really 
became focused on the whole Self

96
00:05:25,700 --> 00:05:28,500
Service initiatives. 
And how do you reduce the burden

97
00:05:28,500 --> 00:05:32,800
and pain for these poor help 
desk agents and people And as I 

98
00:05:32,808 --> 00:05:35,500
was kind of getting deeper in 
this and watching Courion kind of

99
00:05:35,500 --> 00:05:38,800
just the launch itself from its 
early Beginnings, it kind of hit

100
00:05:38,800 --> 00:05:40,800
me as well. 
That if I kept being an analyst 

101
00:05:40,800 --> 00:05:42,600
I probably would be one the rest
of my life. 

102
00:05:42,600 --> 00:05:44,800
And I was kind of tired of being
the Roger Ebert. 

103
00:05:44,800 --> 00:05:47,900
Wanted to be a Steven Spielberg,
get my hands dirty on building. 

104
00:05:48,200 --> 00:05:50,600
So actually joined Courion
right when they were about 12 

105
00:05:50,600 --> 00:05:53,900
people. 
And as we started to evolve, 

106
00:05:53,900 --> 00:05:57,800
from password resets and talking
to help desk people about this 

107
00:05:57,800 --> 00:06:00,500
great tool, that could reduce 
their calls as we were getting 

108
00:06:00,500 --> 00:06:03,600
deeper into the sales
cycle, the security people and

109
00:06:03,600 --> 00:06:06,900
CISOs in particular, going,
you're doing what with 

110
00:06:07,100 --> 00:06:09,200
passwords? 
So, tell me a little bit more 

111
00:06:09,200 --> 00:06:11,600
about this because, nobody's 
touching that is. 

112
00:06:11,600 --> 00:06:15,400
So, as we realized, we had to 
shift our sales strategy, to 

113
00:06:15,400 --> 00:06:19,100
really, appeal to the security 
side, and show this as a better 

114
00:06:19,100 --> 00:06:21,000
way of doing it than kind of 
people, right? 

115
00:06:21,000 --> 00:06:23,100
And sticky notes. 
And all of that and we were 

116
00:06:23,100 --> 00:06:26,500
looking at automating other 
tasks and doing this hitting the

117
00:06:26,500 --> 00:06:28,700
joiners, movers, leavers.
So built one of the first 

118
00:06:28,700 --> 00:06:31,600
provisioning systems. 
So we were doing all of this

119
00:06:31,800 --> 00:06:34,900
provisioning and identity 
governance and administration 

120
00:06:34,900 --> 00:06:37,700
before we were calling it and 
then finally we started to see 

121
00:06:37,700 --> 00:06:41,200
identity management emerge and 
that's where we really started 

122
00:06:41,200 --> 00:06:43,700
branding around the term 
identity management when the 

123
00:06:43,700 --> 00:06:47,600
regulations and governance came 
along around who had access to 

124
00:06:47,600 --> 00:06:50,200
what we had this great system 
that was setting them up 

125
00:06:50,200 --> 00:06:53,500
modifying them and turning them 
off that we now had a basis of a

126
00:06:53,508 --> 00:06:55,800
governance solution before we 
were calling it. 

127
00:06:55,900 --> 00:06:58,800
I never knew my identity 
governance and administration so

128
00:06:59,000 --> 00:07:01,200
I spent 15 plus years at Courion
watching.

129
00:07:01,300 --> 00:07:04,400
It from its early stages, we 
ended up selling it to a PE 

130
00:07:04,400 --> 00:07:07,000
company was involved in some 
tuck-in acquisitions and

131
00:07:07,000 --> 00:07:10,800
actually merging it with Core
Security which was time for me

132
00:07:10,800 --> 00:07:12,600
to leave after that amount of 
time. 

133
00:07:13,200 --> 00:07:16,200
And I actually went over to a 
fin tech company, early stage, 5

134
00:07:16,200 --> 00:07:19,800
person company doing, electronic
payments and we were doing great

135
00:07:19,800 --> 00:07:22,200
efficiencies and reducing cost 
and pain. 

136
00:07:22,200 --> 00:07:24,700
But I realized I really miss 
security. 

137
00:07:24,700 --> 00:07:28,800
I miss dealing with companies 
that were solving real problems 

138
00:07:28,800 --> 00:07:31,800
that you know, they were coming 
under attack and how Help their 

139
00:07:31,800 --> 00:07:35,600
businesses keep going. 
That after we sold this fin tech

140
00:07:35,600 --> 00:07:38,000
company after a couple years, I 
immediately went right back into

141
00:07:38,000 --> 00:07:41,500
security and joined an email 
security company focused on 

142
00:07:41,800 --> 00:07:44,200
cloud, email, security and 
anti-phishing. 

143
00:07:44,600 --> 00:07:47,800
But realized, I was missing the 
identity side of the house as 

144
00:07:47,800 --> 00:07:49,100
well. 
And it was great to be back to 

145
00:07:49,100 --> 00:07:51,200
security, but I always kept my 
eyes open. 

146
00:07:51,200 --> 00:07:53,900
And what was going on with the 
identity world. 

147
00:07:53,900 --> 00:07:56,600
And I think it was Ian Glazer
that said it to me one time, he

148
00:07:56,600 --> 00:07:59,300
said, you know, identity's like
the mafia you can leave but you 

149
00:07:59,300 --> 00:08:01,800
really can't. 
Do you think you We but it 

150
00:08:01,800 --> 00:08:05,500
brings you right back and I got 
this call about this company in 

151
00:08:05,500 --> 00:08:07,800
stealth mode that was looking to
do. 

152
00:08:07,800 --> 00:08:11,500
Some really interesting things 
around eliminating passwords and

153
00:08:11,700 --> 00:08:16,200
I had to listen and it was 
pre-revenue. 

154
00:08:16,400 --> 00:08:19,200
So to be part of a stealth 
company sounded incredibly

155
00:08:19,200 --> 00:08:23,300
intriguing, the co-founders are 
Jim Clark and TJ Jermoluk

156
00:08:23,300 --> 00:08:25,600
and Jim. 
And TJ just have this incredible

157
00:08:25,600 --> 00:08:29,500
history of starting companies 
and, and building them into 

158
00:08:30,000 --> 00:08:32,700
absolute name. 
Like Silicon Graphics, and

159
00:08:32,700 --> 00:08:37,100
Netscape and at home networks 
and WebMD, and to be part of 

160
00:08:37,600 --> 00:08:41,400
working with alongside them to 
start this company, and then 

161
00:08:41,400 --> 00:08:44,200
frankly to get back into 
identity, really kind of Drew me

162
00:08:44,200 --> 00:08:46,400
in. 
So came back in around, January 

163
00:08:46,400 --> 00:08:52,100
of 2020 and, you know, I'm back.
So, I feel like somewhere out 

164
00:08:52,100 --> 00:08:55,200
there. 
There's like this identity 

165
00:08:55,200 --> 00:08:58,100
Boogeyman, and they like, left 
the identity horse, head in your

166
00:08:58,100 --> 00:09:00,100
bed. 
So, when you thought you were, 

167
00:09:00,100 --> 00:09:03,200
you're out, All of a sudden you 
wake up and I up now, I'm back 

168
00:09:03,200 --> 00:09:04,900
in, I'm back into security, 
never mind. 

169
00:09:05,500 --> 00:09:06,900
And this is how we know each 
other. 

170
00:09:06,900 --> 00:09:10,200
So we actually go back, you 
know, this makes me feel old 

171
00:09:10,200 --> 00:09:12,500
like 15 years or so, because I 
was actually a customer of 

172
00:09:12,508 --> 00:09:16,500
Courion at one point and, you
know, I'm absolutely one of 

173
00:09:16,500 --> 00:09:18,300
those people was like, all 
right, we're having trouble with

174
00:09:18,300 --> 00:09:19,900
passwords, right? 
And this is pi like the early 

175
00:09:19,900 --> 00:09:22,400
2000s and Courion's
one of the companies we reach

176
00:09:22,400 --> 00:09:25,100
out to and ended up kind of, you
know, going with going with them

177
00:09:25,100 --> 00:09:26,500
and helping us with a variety 
different things. 

178
00:09:26,500 --> 00:09:28,500
So we kind of go back from that 
perspective. 

179
00:09:28,500 --> 00:09:31,200
So it's always fascinating to 
kind of think. 

180
00:09:31,300 --> 00:09:35,600
About where where you might be, 
you know, decades later and the 

181
00:09:35,600 --> 00:09:38,000
relationships that get made. 
And, you know, this is why I 

182
00:09:38,000 --> 00:09:39,900
think you never burn Bridges, 
right? 

183
00:09:40,000 --> 00:09:44,100
And you try to put yourself off
in a into a professional mode so

184
00:09:44,100 --> 00:09:46,100
that because you never know 
what's going to happen. 

185
00:09:46,500 --> 00:09:48,900
And especially I feel like in 
the identity space is such a 

186
00:09:48,900 --> 00:09:52,100
tight-knit group, where, you 
know, we see a lot of people who

187
00:09:52,100 --> 00:09:55,500
move from organization to 
organization but, you know, it's

188
00:09:55,500 --> 00:09:58,000
always ever-expanding but 
there's a lot of familiar faces 

189
00:09:58,000 --> 00:10:00,000
that you'll see over time, you 
know, the longer you stick in 

190
00:10:00,000 --> 00:10:02,400
the business. 
So Always great to see folks 

191
00:10:02,400 --> 00:10:05,500
from Courion and or I should say
the band formerly known as 

192
00:10:05,500 --> 00:10:08,000
Courion.
So we were still have it today. 

193
00:10:08,000 --> 00:10:12,500
I was at Identiverse few
weeks back and it was like old 

194
00:10:12,500 --> 00:10:14,300
home week. 
You know, just seeing all these 

195
00:10:14,300 --> 00:10:17,000
all faces different companies. 
Perhaps. 

196
00:10:17,000 --> 00:10:19,900
But yeah, it really is. 
And it's been interesting to 

197
00:10:19,900 --> 00:10:23,600
watch to is identity, and has 
really become far more prevalent

198
00:10:23,600 --> 00:10:27,400
and Security in the early days, 
it was kind of like, you felt 

199
00:10:27,400 --> 00:10:30,000
like the outsider, but now it's 
like we're sitting at the cool 

200
00:10:30,000 --> 00:10:33,800
kids table in the cafeteria. 
Yes, darn straight, I love it. 

201
00:10:34,100 --> 00:10:36,800
So, I've been hearing that the
password's been dead for four
passwords been dead for four 

202
00:10:36,800 --> 00:10:39,400
years now, I think like Bill 
Gates said, like a decade ago, 

203
00:10:39,400 --> 00:10:41,300
it was dead and we keep hearing 
every year that it's dead. 

204
00:10:41,300 --> 00:10:43,700
And I think that's really kind 
of where we're heading now, 

205
00:10:43,700 --> 00:10:44,600
right? 
Is this really? 

206
00:10:44,600 --> 00:10:45,900
It's not dead. 
It's really the strong

207
00:10:45,900 --> 00:10:49,400
authentication play.
So, when we talk about the past 

208
00:10:49,400 --> 00:10:52,700
present and future of
authentication, it probably makes sense

209
00:10:52,700 --> 00:10:55,500
to kind of start with the past 
and understanding, you know, 

210
00:10:55,500 --> 00:10:58,200
where have we been? 
And we all know passwords suck, 

211
00:10:58,700 --> 00:11:01,100
where are we now and then, 
what's next? 

212
00:11:01,200 --> 00:11:03,600
East right, maybe maybe can kind
of take us through that Journey 

213
00:11:03,600 --> 00:11:05,900
a little bit here to kind of 
level set the conversation for 

214
00:11:05,900 --> 00:11:08,800
folks who are listening. 
Yeah, it's amazing to think it 

215
00:11:08,800 --> 00:11:12,000
was kind of being the early 
1960s that passwords were first 

216
00:11:12,000 --> 00:11:16,700
introduced at MIT and working 
within kind of these data center

217
00:11:16,700 --> 00:11:20,800
environments and they served a 
purpose to enable more controls 

218
00:11:20,800 --> 00:11:24,800
and security around access. 
But then when we hit the 1980s 

219
00:11:24,800 --> 00:11:27,800
and said our co-founders, Jim 
Clark and TJ Jermoluk, you

220
00:11:27,800 --> 00:11:31,800
know, Jim was the co-founder of 
Netscape, and Jim was the, our

221
00:11:31,800 --> 00:11:37,800
Jim was the founder of Netscape
and TJ the CEO founder of at 

222
00:11:37,800 --> 00:11:40,600
home networks, which was the 
first Broadband provider to the 

223
00:11:40,600 --> 00:11:44,400
home and the two of them play a 
large part on making the 

224
00:11:44,400 --> 00:11:48,200
internet accessible to like 
everybody and passwords just 

225
00:11:48,300 --> 00:11:52,700
exponentially grew and 
proliferated to the hundreds of 

226
00:11:52,700 --> 00:11:56,100
thousands even Millions. 
So, by the time, the 90s came 

227
00:11:56,100 --> 00:11:58,000
along, that's where the focus 
was all on. 

228
00:11:58,000 --> 00:12:01,900
Well, we have to make them 
harder and longer and And higher

229
00:12:01,900 --> 00:12:04,900
entropy to make them, you know, 
rotate them more frequently in 

230
00:12:04,900 --> 00:12:10,100
expire because as more passwords
came or password theft came, so,

231
00:12:10,200 --> 00:12:12,500
yeah, you really look at 
passwords and you talk about how

232
00:12:12,508 --> 00:12:15,200
much they suck and they suck for
just about everybody except for 

233
00:12:15,200 --> 00:12:18,200
the attackers, right? 
Cuz because you don't have to 

234
00:12:18,200 --> 00:12:23,500
break in anymore, you can just 
log in and password reuse and 

235
00:12:23,500 --> 00:12:26,100
misuse and getting stolen left 
and right. 

236
00:12:26,100 --> 00:12:29,700
I mean, we've really just 
created this environment where 

237
00:12:29,700 --> 00:12:33,300
the vulnerability and risk is 
Other than ever before and so 

238
00:12:33,500 --> 00:12:36,100
then we've kind of moved into 
the Band-Aids. 

239
00:12:36,100 --> 00:12:39,100
So we created password manager. 
So you could at least have one 

240
00:12:39,100 --> 00:12:42,200
place to go and let them recycle
and move your passwords. 

241
00:12:42,200 --> 00:12:45,000
But how did you access the 
password manager? 

242
00:12:45,200 --> 00:12:47,900
Well, with the username and 
password so now the compromise 

243
00:12:47,900 --> 00:12:50,100
could open the door to even more
attack. 

244
00:12:50,100 --> 00:12:53,900
So along came our good friends,
multi-factor authentication, and

245
00:12:53,900 --> 00:12:59,200
two-factor authentication, which
the idea was that this plurality

246
00:12:59,200 --> 00:13:03,100
of security measures could 
hopefully increase the overall 

247
00:13:03,100 --> 00:13:07,200
security but really what we saw 
was a significant increase in 

248
00:13:07,200 --> 00:13:10,800
friction for the end-user 
waiting for a code or needing a 

249
00:13:10,800 --> 00:13:15,600
second device or on my phone. 
I had a have a folder prior to 

250
00:13:15,600 --> 00:13:19,100
Beyond identity with a bunch of 
multi-factor authentication 

251
00:13:19,200 --> 00:13:21,100
application. 
So where do I use Authy?

252
00:13:21,100 --> 00:13:23,500
Where do I use? 
Microsoft Authenticator a few

253
00:13:23,500 --> 00:13:25,500
Salesforce Authenticator over
here. 

254
00:13:25,800 --> 00:13:31,100
So, you know, it's no doubt 
we've seen the adoption of MFA.

255
00:13:31,200 --> 00:13:34,100
Be so low. 
I think 451 the research company

256
00:13:34,100 --> 00:13:39,800
says around 50 percent adoption.
IDC told us it was closer to 30%

257
00:13:39,800 --> 00:13:42,900
and their eyes, which is 
significantly. 

258
00:13:42,900 --> 00:13:46,800
Less than any other security 
functionality like firewalls or

259
00:13:46,800 --> 00:13:50,600
intrusion detection or even 
endpoint, which is hitting 90% 

260
00:13:50,600 --> 00:13:52,600
plus. 
And why is that? 

261
00:13:52,600 --> 00:13:56,000
I mean, the friction and 
experience for end users, as I 

262
00:13:56,000 --> 00:13:59,300
said, is painful, and they're 
also complex and expensive to 

263
00:13:59,300 --> 00:14:01,100
deploy. 
So even where you see there, 

264
00:14:01,200 --> 00:14:03,700
Deployed. 
It's often just for a subset of 

265
00:14:03,800 --> 00:14:09,300
users or capabilities, you know,
maybe just for remote access 

266
00:14:09,500 --> 00:14:13,900
maybe just for our privilege. 
So I think as we've created this

267
00:14:13,900 --> 00:14:16,900
environment where we're putting 
more and more of these multi 

268
00:14:16,900 --> 00:14:19,100
factors, it's kind of where we 
are today. 

269
00:14:19,100 --> 00:14:22,700
This this world of whack a mole 
has to stop where the 

270
00:14:22,700 --> 00:14:26,100
overwhelming majority of attacks
are still based on stolen and 

271
00:14:26,100 --> 00:14:29,100
misused credentials.
The world economic forum's that 

272
00:14:29,100 --> 00:14:33,700
over 80% and Verizon is Over 60%
but name your number. 

273
00:14:33,700 --> 00:14:36,800
It's a lot, right? 
And as I said attackers, don't 

274
00:14:36,800 --> 00:14:39,400
need to break in. 
They just log in and if this 

275
00:14:39,400 --> 00:14:42,600
critique vulnerability of this 
credential is being used. 

276
00:14:42,600 --> 00:14:45,800
As a matter of fact, valid 
credential misuse is that the 

277
00:14:45,800 --> 00:14:49,000
source of these attacks. 
So it is real passwords that are

278
00:14:49,000 --> 00:14:53,400
getting stolen and misused and 
guessed and you know it can't

279
00:14:53,400 --> 00:14:57,100
continue you know the reality is
we're as vulnerable as we've ever

280
00:14:57,100 --> 00:15:00,800
before. 
So with traditional MFA, you 

281
00:15:00,800 --> 00:15:03,600
know, the password's still there,
it still exists as part of that

282
00:15:03,600 --> 00:15:06,200
equation. 
And we created this Band-Aid to 

283
00:15:06,200 --> 00:15:10,100
deal with what's become an open 
wound in organizations. 

284
00:15:10,400 --> 00:15:13,200
And, you know, maybe you don't 
use the password, you're using a

285
00:15:13,200 --> 00:15:17,800
magic link or something else or 
an SMS, but now these are coming

286
00:15:17,800 --> 00:15:20,000
under attack. 
So are they more secure? 

287
00:15:20,100 --> 00:15:24,400
Sure, but does it really slam 
the door on credential attacks? 

288
00:15:24,400 --> 00:15:26,400
Not really? 
And as matter of fact, it's 

289
00:15:26,400 --> 00:15:29,000
opened the door to other kinds 
of attacks. 

290
00:15:29,000 --> 00:15:33,100
So you know, we have removed SMS
and then also on SIM card 

291
00:15:33,100 --> 00:15:35,500
swapping took place. 
We have email links but email 

292
00:15:35,500 --> 00:15:38,700
gets compromised we had the 
attackers doing these push 

293
00:15:38,700 --> 00:15:41,300
attacks where if you hit the 
organization which with enough 

294
00:15:41,300 --> 00:15:44,900
notifications and pushes with an
OTP somebody's going to click. 

295
00:15:44,900 --> 00:15:48,000
Yes that's me. 
So we've done all this and 

296
00:15:48,000 --> 00:15:51,200
create greater user friction 
than ever before. 

297
00:15:51,500 --> 00:15:53,900
Clearly we know we have to 
change, right? 

298
00:15:54,400 --> 00:15:56,900
And so that's why, I think where
we are today, we're seeing the 

299
00:15:56,900 --> 00:16:00,900
rise in early passwordless
initiatives, you know? 

300
00:16:01,100 --> 00:16:03,900
There's the FIDO Alliance.
There's a lot of things that are

301
00:16:03,900 --> 00:16:07,600
trying to bypass the password 
and I think we all have to agree

302
00:16:07,600 --> 00:16:11,100
the password has to go, which is
creating rise in these new 

303
00:16:11,100 --> 00:16:15,600
approaches but at the same time 
really are we eliminating 

304
00:16:15,600 --> 00:16:19,700
passwords or we just kind of 
making them you know, less part 

305
00:16:19,700 --> 00:16:22,700
of the equation. 
So today, you know, you start to

306
00:16:22,700 --> 00:16:25,000
hear more, you know, we've been 
talking about identity is the 

307
00:16:25,000 --> 00:16:28,300
new perimeter for a while. 
Now can't really call it the new

308
00:16:28,400 --> 00:16:31,700
perimeter anymore because we've 
been talking about it enough that

309
00:16:31,800 --> 00:16:34,600
that statement's even become
commonplace too.

310
00:16:34,900 --> 00:16:37,500
But if you think about it, I 
believe that even the notion of 

311
00:16:37,500 --> 00:16:41,600
a perimeter is wrong. 
It's the idea that things inside

312
00:16:41,600 --> 00:16:46,000
we trust, while those outside,
we do not and authentic, I heard

313
00:16:46,100 --> 00:16:49,800
this used, I think by 451 
research as well that 

314
00:16:49,800 --> 00:16:52,500
authentications is like a 
bouncer at a nightclub, but once

315
00:16:52,500 --> 00:16:55,700
you get past the door, you could
do whatever you want inside the 

316
00:16:55,700 --> 00:16:58,900
club. 
So it really is forming to, you 

317
00:16:58,900 --> 00:17:01,000
know, that's where we are. 
Where do we need to? 

318
00:17:01,100 --> 00:17:05,099
To get to, and that's really 
leads to what's next. 

319
00:17:05,200 --> 00:17:07,200
And what does this ideal 
solution? 

320
00:17:07,200 --> 00:17:11,300
Look like, which was really 
behind the beginnings of our 

321
00:17:11,300 --> 00:17:13,200
company? 
You know, when we started to 

322
00:17:13,200 --> 00:17:16,700
look to form Beyond identity, we
looked out in this environment 

323
00:17:16,700 --> 00:17:20,500
and all the pain and the 
friction for end users, but also

324
00:17:20,500 --> 00:17:22,500
the vulnerability for 
organizations. 

325
00:17:22,500 --> 00:17:25,900
And when we looked at what does 
Modern authentication look like,

326
00:17:25,900 --> 00:17:29,800
we know it had to eliminate 
passwords, we know you have to 

327
00:17:29,800 --> 00:17:33,000
positively validate the
users and the devices, they're

328
00:17:33,000 --> 00:17:36,900
on, you need to make it easy for
users to gain access and not 

329
00:17:36,900 --> 00:17:40,100
create friction in that process.
While at the same time, reducing

330
00:17:40,100 --> 00:17:43,700
IT and support costs.
And that kind of leads to kind 

331
00:17:43,700 --> 00:17:46,100
of the beginnings in the 
thoughts around things like 

332
00:17:46,100 --> 00:17:48,100
zero trust and really kind of
where we are. 

333
00:17:48,100 --> 00:17:51,300
You know, bottom line, 
regardless of who you are, where

334
00:17:51,300 --> 00:17:54,200
you are, what device you're on, 
what you're doing. 

335
00:17:54,200 --> 00:17:57,700
You should be going through an 
identity system to authenticate 

336
00:17:57,700 --> 00:18:01,000
and authorize what you're doing,
but I think it needs to move. 

337
00:18:01,100 --> 00:18:04,200
Move more to like a toll booth 
rather than a toll bridge, which

338
00:18:04,200 --> 00:18:07,500
is where we are today. 
Push everyone through a VPN, 

339
00:18:07,500 --> 00:18:11,000
check the traffic, check the 
devices, it's not wrong, but 

340
00:18:11,000 --> 00:18:15,700
it's very hard, very expensive. 
And you don't have to do that to

341
00:18:15,700 --> 00:18:19,300
really get a good understanding 
of who the person is and the 

342
00:18:19,308 --> 00:18:23,300
device they're on and what 
they're trying to do to create 

343
00:18:23,300 --> 00:18:26,000
stronger authentication. 
So we need to move to an 

344
00:18:26,000 --> 00:18:29,000
environment without passwords 
making it easier. 

345
00:18:29,300 --> 00:18:32,300
And the big part is that it's 
not a one and done, it needs to be

346
00:18:32,300 --> 00:18:35,500
continuous. 
You can't just look once and let

347
00:18:35,500 --> 00:18:37,700
that person in. 
But you need to be kind of 

348
00:18:37,700 --> 00:18:40,600
looking at what's going on on a 
continuous basis with the 

349
00:18:40,600 --> 00:18:43,300
ability to take action and deny 
that authentication. 

350
00:18:43,600 --> 00:18:46,000
So, you know, we talked a lot 
about, you know, where we're 

351
00:18:46,000 --> 00:18:48,800
going and, you know, the bottom 
line is, you can't have zero 

352
00:18:48,800 --> 00:18:50,400
trust. 
If you still have the password 

353
00:18:50,400 --> 00:18:52,300
and if you do, you're already 
starting with a fail. 

354
00:18:53,300 --> 00:18:55,900
Yeah. 
I think that the password's an

355
00:18:55,900 --> 00:18:59,200
obvious weakness, right? 
I mean, we used to call it a 

356
00:18:59,200 --> 00:19:03,000
cottage industry to get these
credentials and sell them on the

357
00:19:03,008 --> 00:19:06,700
dark web. Was reading an article
prior to starting

358
00:19:06,700 --> 00:19:09,600
this recording, is the headline
article in Dark Reading.

359
00:19:09,900 --> 00:19:15,100
The average cost to buy access 
to a compromised company: $1000.

360
00:19:15,200 --> 00:19:17,000
So that's not even a cottage 
industry, right? 

361
00:19:17,000 --> 00:19:21,500
That's a thrift store. 
That's, that's Walmart, you 

362
00:19:21,508 --> 00:19:25,200
know, or a blue light special 
for going out and getting access

363
00:19:25,400 --> 00:19:28,300
and included in that is thousand
dollars. 

364
00:19:28,300 --> 00:19:30,900
Gets you credential to a VPN or
to

365
00:19:31,400 --> 00:19:33,500
RDP.
So if you're not at least using 

366
00:19:33,500 --> 00:19:36,600
multi-factor, we said this a
million times on the show, you 

367
00:19:36,600 --> 00:19:40,200
need, you absolutely need to be
using multi-factor but, you

368
00:19:40,200 --> 00:19:44,100
know, to kind of play on what 
Kurt was talking about is, you 

369
00:19:44,100 --> 00:19:46,900
know, with that zero trust
methodology or mindset.

370
00:19:47,100 --> 00:19:49,400
It's, you know, everything's 
happy cover. 

371
00:19:49,400 --> 00:19:53,600
If you can, you can't just think
about it from your external 

372
00:19:53,600 --> 00:19:57,500
points of entry.
But, you know, Kurt, I think 

373
00:19:57,500 --> 00:20:00,900
you're, you know, you gave a 
really good overview about the 

374
00:20:01,000 --> 00:20:02,200
past, present,
future.

375
00:20:02,300 --> 00:20:06,300
Think the future is zero trust.
Zero trust is also right now.

376
00:20:07,300 --> 00:20:11,200
But, you know, I think and I 
think, look, if you're listening

377
00:20:11,200 --> 00:20:13,300
to this show, you probably 
already are like, okay guys? 

378
00:20:13,300 --> 00:20:17,700
Yes, you've beat this into
us, we know the password sucks,

379
00:20:17,700 --> 00:20:19,900
right?
It's not a strong enough

380
00:20:19,900 --> 00:20:25,100
control in this day and age, and
I think everybody would say, if 

381
00:20:25,100 --> 00:20:27,900
I could flip a switch and get 
rid of the password, I would do 

382
00:20:27,900 --> 00:20:32,400
it. 
But it's, it's hard, right?

383
00:20:32,400 --> 00:20:33,300
Or maybe you're going to tell 
me. 

384
00:20:33,300 --> 00:20:36,900
It's not hard, but I'm thinking.
Okay, I've got an enterprise.

385
00:20:36,900 --> 00:20:41,500
I've got hundreds of systems, 
I've got different entry points,

386
00:20:41,500 --> 00:20:44,900
I've got some new technology. 
I've got some legacy, I've got

387
00:20:44,900 --> 00:20:50,300
cloud applications.
Do I need to be passwordless or

388
00:20:50,300 --> 00:20:54,900
do I need less passwords? 
Yes, it's a great question and I

389
00:20:54,900 --> 00:20:59,900
think it's, I saw a survey that 
said that the average business

390
00:20:59,900 --> 00:21:04,200
user has 191 passwords.
And I was challenging that on a 

391
00:21:04,200 --> 00:21:08,600
road show we were doing with CISO
event and all of them started

392
00:21:08,600 --> 00:21:10,400
talking up, going,
Oh yeah, I looked at my password

393
00:21:10,400 --> 00:21:13,900
manager, and I've got 300 or, 
I've got 290, and I think some 

394
00:21:13,900 --> 00:21:16,000
estimates are so for 300 billion
passwords. 

395
00:21:16,300 --> 00:21:19,600
So passwords have truly, I mean,
this day and age, kind of 

396
00:21:19,600 --> 00:21:22,100
launching a company during a 
pandemic, which wasn't really 

397
00:21:22,100 --> 00:21:24,800
part of our original playbook.
But a lot of things in 

398
00:21:24,800 --> 00:21:29,200
perspective, but I think the 
rough analogy is that passwords 

399
00:21:29,200 --> 00:21:31,700
are a virus. 
You know, they have spread like 

400
00:21:31,700 --> 00:21:35,800
crazy and 300 billion of them 
out there, you can't just wipe 

401
00:21:35,800 --> 00:21:40,700
them out overnight, but at the 
same time we need to, you know, 

402
00:21:40,700 --> 00:21:44,300
we need the herd immunity. 
We need people to be taking the 

403
00:21:44,300 --> 00:21:47,300
steps to the approaches on what 
you can really do. 

404
00:21:47,600 --> 00:21:51,500
And I I think that's where the 
term passwordless and the

405
00:21:51,500 --> 00:21:54,600
industry has a number of 
different kind of players 

406
00:21:54,600 --> 00:21:58,000
approaching this and we really 
are trying to distinguish 

407
00:21:58,000 --> 00:22:02,300
between passwordless as one
word versus two words or

408
00:22:02,300 --> 00:22:05,300
password-dash-less.
And that passwordless isn't

409
00:22:05,300 --> 00:22:08,500
just avoiding the use of a 
password. 

410
00:22:08,500 --> 00:22:12,900
You know, it, the term is meaning
a broad set of things but we're 

411
00:22:12,900 --> 00:22:16,200
not trying to just eliminate it 
from the end user side. 

412
00:22:16,200 --> 00:22:18,500
I mean, the whole definition of 
a password is part of shared

413
00:22:18,500 --> 00:22:21,800
secrets, right? And shared
secrets, there's that one person

414
00:22:21,800 --> 00:22:24,600
and the other side know it. 
So if the individual knows it 

415
00:22:24,600 --> 00:22:28,400
and it matches what's sitting in
the database of a system or a 

416
00:22:28,408 --> 00:22:31,900
directory, then we will bless 
that but that gives you the 

417
00:22:31,900 --> 00:22:34,000
opportunity of attacking either
side. 

418
00:22:34,100 --> 00:22:36,200
So if you just kind of 
eliminate it from the end-user, it

419
00:22:36,200 --> 00:22:38,400
still exists over there.
It's still something that can be

420
00:22:38,400 --> 00:22:40,400
stolen. 
They can get at it. 

421
00:22:40,400 --> 00:22:43,900
They can use it for another 
account where it's being reused.

422
00:22:43,900 --> 00:22:48,200
And even if you make a more 
difficult password that'll be

423
00:22:48,200 --> 00:22:50,200
entered in a phishing attack as 
well. 

424
00:22:50,500 --> 00:22:53,100
So I think it's important, we're
talking about this

425
00:22:53,100 --> 00:22:56,000
that the opportunity and the 
capability of truly eliminating

426
00:22:56,000 --> 00:22:58,800
the password does exist, but you
really want to look at what are 

427
00:22:58,800 --> 00:23:01,500
you replacing it with? 
And if you can look inside the 

428
00:23:01,500 --> 00:23:05,200
architecture and see that a
password still exists anywhere

429
00:23:06,300 --> 00:23:10,000
could you real, you know, or 
that still a vulnerability or, 

430
00:23:10,000 --> 00:23:13,200
or did you replace it with 
something such as asymmetric 

431
00:23:13,200 --> 00:23:17,500
cryptography or public keys and 
binding them to the device and 

432
00:23:17,500 --> 00:23:21,000
carrying that with your
identity, I think this was our 

433
00:23:21,000 --> 00:23:23,700
thinking behind starting Beyond 
Identity in the first place.

434
00:23:23,700 --> 00:23:28,000
It's about eliminating the 
password, but binding that

435
00:23:28,000 --> 00:23:32,600
device and identity leveraging 
existing proven technology 

436
00:23:32,900 --> 00:23:36,700
around asymmetric cryptography 
and digital certificates, but do

437
00:23:36,700 --> 00:23:39,500
so, in a way that you can make, 
this government level security 

438
00:23:39,500 --> 00:23:43,600
available for the masses and 
make it easy to deploy, which 

439
00:23:43,600 --> 00:23:46,500
has not traditionally been the 
experience of many, who dealt 

440
00:23:46,500 --> 00:23:51,000
with PKI or digital certificates,
but that capability does exist. 

441
00:23:51,000 --> 00:23:53,700
We need to really look at how we
can apply that. Part of

442
00:23:53,700 --> 00:23:57,800
it was when we even launched our
solution, we give the passwordless

443
00:23:57,800 --> 00:24:00,500
authenticator away for free
because that's just piece of the

444
00:24:00,500 --> 00:24:03,000
equation. 
Let's do our best that we can 

445
00:24:03,000 --> 00:24:06,300
actually help eliminate the 
passwords out there and really 

446
00:24:06,300 --> 00:24:09,400
eliminate them from the system. 
But with 300 billion of them out

447
00:24:09,400 --> 00:24:11,700
there, we know that's going to 
be a pretty big task could take 

448
00:24:11,700 --> 00:24:14,900
some time. 
So I think there's a lot of 

449
00:24:14,900 --> 00:24:17,700
different kind of definitions 
around passwordless and

450
00:24:17,700 --> 00:24:20,800
especially when it comes to kind
of the, the different vendors 

451
00:24:20,800 --> 00:24:23,200
that are out there, right? 
So you're one of several that at

452
00:24:23,208 --> 00:24:25,100
least that I know of and I'm 
sure there are others that I 

453
00:24:25,100 --> 00:24:28,800
don't know, of when it comes to 
strong authentication and trying

454
00:24:28,800 --> 00:24:32,700
to remove the password. 
Is there a common approach that 

455
00:24:32,700 --> 00:24:36,700
vendors in this space kind of 
look at as far as okay? 

456
00:24:37,000 --> 00:24:40,800
Is it really eliminating the 
password or is it obfuscating 

457
00:24:40,800 --> 00:24:42,600
the password somewhere behind 
some sort of

458
00:24:42,700 --> 00:24:46,900
hidden layer that it still
exists but maybe you're just not

459
00:24:46,900 --> 00:24:48,600
a, you know, not aware that it's
there. 

460
00:24:49,300 --> 00:24:52,300
How do, I guess,
as an industry perspective, how

461
00:24:52,300 --> 00:24:55,300
are passwordless companies
coming at it because then I 

462
00:24:55,308 --> 00:24:57,600
think what I like to talk about 
next would be okay. 

463
00:24:57,600 --> 00:25:00,100
So, you know, why are you 
special, right? 

464
00:25:00,100 --> 00:25:02,100
What's the difference in the way
that you guys are approaching 

465
00:25:02,100 --> 00:25:06,400
it? 
Yeah, I think it's part of the 

466
00:25:06,400 --> 00:25:08,600
concern. 
I mean, obviously because 

467
00:25:08,600 --> 00:25:13,400
passwords are so horrendous, the
idea of passwordless is a

468
00:25:13,400 --> 00:25:16,400
catchy phrase. 
It's, hate to say, buzzword but

469
00:25:16,400 --> 00:25:19,700
that's truly kind of what it's 
becoming and I think it's, it 

470
00:25:19,700 --> 00:25:22,500
makes it challenging for those 
looking at potential solutions 

471
00:25:22,500 --> 00:25:27,600
to really distinguish between 
them because there is a lot that

472
00:25:27,600 --> 00:25:31,500
an organization has to do to 
really understand their goals 

473
00:25:31,500 --> 00:25:33,800
and initiatives. 
But also what the capabilities 

474
00:25:33,800 --> 00:25:37,100
because there are a bunch of 
passwordless technologies,

475
00:25:37,100 --> 00:25:40,600
which I would just say are ways 
of bypassing them and using 

476
00:25:40,600 --> 00:25:44,400
something instead of a password,
but that password absolutely

477
00:25:44,400 --> 00:25:47,600
still exists. 
And you know, magic links, SMS,

478
00:25:47,600 --> 00:25:50,300
all of those are ways of kind of
avoiding a password. 

479
00:25:50,900 --> 00:25:53,800
I look at my banking application
that I use on my iPhone. 

480
00:25:53,800 --> 00:25:56,500
I use Face ID to get into it but
there's still a password,

481
00:25:56,500 --> 00:25:58,200
they're all, it's really in the 
passwords. 

482
00:25:58,200 --> 00:26:01,200
Even taking place in the 
authentication sequence. 

483
00:26:01,200 --> 00:26:05,200
That's starting with Face ID.
So that's where I was saying 

484
00:26:05,200 --> 00:26:07,800
before. 
We really have to look at the 

485
00:26:08,300 --> 00:26:12,600
just making it less visible or 
less used by the end user. 

486
00:26:12,900 --> 00:26:17,000
Versus absolutely eliminating it
all together and make part of, 

487
00:26:17,000 --> 00:26:20,500
even the naming of our company 
Beyond Identity was like it has

488
00:26:20,500 --> 00:26:23,100
to go beyond just the
passwordless angle.

489
00:26:23,400 --> 00:26:26,500
But since a lot of it is just 
the bypass it from the user 

490
00:26:26,500 --> 00:26:28,100
experience. 
As far as saying you really have

491
00:26:28,100 --> 00:26:29,900
to look at into the 
architecture. 

492
00:26:29,900 --> 00:26:33,100
And can we truly eliminate it? 
And that's been our goal is that

493
00:26:33,100 --> 00:26:36,100
we really want to eliminate the 
passwords and all the risks and 

494
00:26:36,100 --> 00:26:37,800
vulnerabilities that go with 
that. 

495
00:26:38,000 --> 00:26:42,100
But doing so in a way that makes
it a true secure authentication 

496
00:26:42,100 --> 00:26:44,000
capabilities. 
Eddie make that government level

497
00:26:44,000 --> 00:26:48,700
security available to the masses
and that was when we were kind 

498
00:26:48,700 --> 00:26:51,800
of looking at the market, you 
know, it, when we first went out

499
00:26:51,800 --> 00:26:54,800
there, we had a lot of debate to
not even call ourselves

500
00:26:54,800 --> 00:26:57,400
passwordless, because we didn't want to
be just lumped in with a bunch 

501
00:26:57,400 --> 00:27:00,300
of kind of convenience 
technologies for end users.

502
00:27:00,300 --> 00:27:03,200
Yes, eliminating friction for 
the end user and improving. 

503
00:27:03,200 --> 00:27:06,500
The experience was absolutely 
paramount to what we were trying

504
00:27:06,500 --> 00:27:10,200
to do but the purpose and the 
goal was really to create a 

505
00:27:10,208 --> 00:27:14,200
security solution and really 
bring that to the realm of

506
00:27:14,200 --> 00:27:18,200
identity. 
Not just to kind of change it in

507
00:27:18,200 --> 00:27:21,900
the sequence for the end users. 
So I really think that's you 

508
00:27:21,900 --> 00:27:24,500
have to take a look at that from
an architectural standpoint. 

509
00:27:24,500 --> 00:27:28,200
Are we really eliminating them 
or we just kind of not making 

510
00:27:28,200 --> 00:27:31,500
the end-user use them as often. 
So I think it's really 

511
00:27:31,500 --> 00:27:34,600
interesting because you know I 
see a lot of these technologies

512
00:27:34,600 --> 00:27:37,700
kind of you don't come across 
are at least my view of it and 

513
00:27:37,700 --> 00:27:40,600
you know asking us to look at it
and provide thoughts, etc.

514
00:27:41,000 --> 00:27:42,800
And that's one of the first 
questions I usually ask is.

515
00:27:42,800 --> 00:27:44,500
Ok. 
So where's the password, right? 

516
00:27:44,700 --> 00:27:46,700
Because usually there is still a
password somewhere. 

517
00:27:46,900 --> 00:27:50,300
So if I'm listening and hearing 
what you're saying, it's you're

518
00:27:50,300 --> 00:27:53,600
actually eliminating the 
password, there is no password 

519
00:27:53,600 --> 00:27:57,800
in play which immediately piques
my interest, so I guess help me 

520
00:27:57,800 --> 00:28:00,400
understand. 
You know, we definitely, you 

521
00:28:00,400 --> 00:28:02,600
know, try not to do commercials 
for any specific product. 

522
00:28:02,600 --> 00:28:05,900
But I think this is an important
distinction here, where I'd like

523
00:28:05,900 --> 00:28:09,600
to understand the approach that 
you guys take from a product 

524
00:28:09,600 --> 00:28:11,800
perspective when it comes to 
Beyond Identity.

525
00:28:12,200 --> 00:28:16,000
And going truly passwordless,
how do you do that? 

526
00:28:16,900 --> 00:28:19,400
Yeah. 
So really what we did was we 

527
00:28:19,800 --> 00:28:24,700
took a look out there and really
looked at how could we take 

528
00:28:25,000 --> 00:28:29,100
battle tested proven technology 
and extend that down to the end 

529
00:28:29,100 --> 00:28:32,200
user and their device in the 
expend, the authentication 

530
00:28:32,200 --> 00:28:35,900
experience. 
So coming back from, you know, 

531
00:28:35,900 --> 00:28:39,400
our founders with Jim when he 
founded Netscape, that was the 

532
00:28:39,400 --> 00:28:41,800
first creation of SSL. 
You know, the little lock in the

533
00:28:41,808 --> 00:28:44,700
browser. Taher Elgamal,
who's the father of SSL,

534
00:28:44,700 --> 00:28:48,100
sits on our advisory board.
I had been working with Jim back

535
00:28:48,100 --> 00:28:52,500
in that day as is Marty Hellman 
of Diffie-Hellman fame and when

536
00:28:52,500 --> 00:28:55,100
you really looked at these core 
technologies that are in place 

537
00:28:55,100 --> 00:28:57,600
and over the last couple 
decades, really haven't changed 

538
00:28:57,600 --> 00:29:00,600
that much. 
SSL is now TLS encryption but 

539
00:29:00,600 --> 00:29:06,100
still using X.509 certificates
and that is how all I mean, 

540
00:29:06,100 --> 00:29:09,000
that's what secures trillions of
dollars of transactions. 

541
00:29:09,000 --> 00:29:12,500
Every day on the web, that kind 
of in the old way, we have the 

542
00:29:12,500 --> 00:29:15,400
user have a password to access 
these machines. 

543
00:29:15,400 --> 00:29:16,600
But the machines use 
certificates

544
00:29:16,700 --> 00:29:18,400
to interact with each
other. 

545
00:29:18,900 --> 00:29:22,400
Technically private keys
verified through certificates to

546
00:29:22,400 --> 00:29:26,300
validate that when you made a 
purchase on Amazon with PayPal,

547
00:29:26,300 --> 00:29:28,800
that it was really PayPal on the
other end that Amazon was 

548
00:29:28,800 --> 00:29:33,200
communicating with. 
And so we looked at taking that 

549
00:29:33,200 --> 00:29:37,200
technology and really just 
extending that down to pull the 

550
00:29:37,200 --> 00:29:40,700
end user and their device into 
that chain of trust. 

551
00:29:40,700 --> 00:29:45,200
And that what we recognized was 
that you know, kind of back in 

552
00:29:45,200 --> 00:29:48,200
the old days, it was kind of a 
Quest ask for anybody to want to

553
00:29:48,208 --> 00:29:51,800
be a certificate authority for
every end-user out there and 

554
00:29:51,800 --> 00:29:55,700
frankly there was no place or 
nothing to do with a private 

555
00:29:55,700 --> 00:29:58,700
key. 
But come today, where you now, 

556
00:29:58,700 --> 00:30:04,500
have these devices that have the
TPMs and secure enclaves, which

557
00:30:04,500 --> 00:30:08,800
provide a perfect and secure way
of housing that private key. 

558
00:30:09,300 --> 00:30:11,900
And we've created this notion of
a personal certificate 

559
00:30:11,900 --> 00:30:14,900
authority, where every end user
could be their own CA without 

560
00:30:14,900 --> 00:30:17,400
knowing what a CA is, or even
does. 

561
00:30:17,800 --> 00:30:20,600
And so, we're not reinventing
any cryptographic protocols or 

562
00:30:20,600 --> 00:30:25,200
algorithms, we're using these 
time-tested proven capabilities 

563
00:30:25,400 --> 00:30:31,000
to pull that end user and the 
device into the equation and the

564
00:30:31,000 --> 00:30:34,900
process is that the end user 
gets the Beyond Identity

565
00:30:35,000 --> 00:30:39,000
authenticator on their device. 
They register that initial 

566
00:30:39,000 --> 00:30:41,500
profile and basically what 
you've done is, created a 

567
00:30:41,500 --> 00:30:44,600
certificate chain, where the 
identity is the root of that 

568
00:30:44,600 --> 00:30:47,600
chain and the devices are just 
different things on that.

569
00:30:47,800 --> 00:30:52,600
So what that does is allow the 
end user to extend that chain 

570
00:30:52,800 --> 00:30:55,800
with various devices. 
And no one device is dependent 

571
00:30:55,800 --> 00:30:58,000
on the other. 
So unlike traditional PKI, where

572
00:30:58,000 --> 00:31:01,400
you remove one node and all the 
children, go along with it, this

573
00:31:01,400 --> 00:31:04,800
allows you to prune that tree 
and extend that chain, you lose 

574
00:31:04,800 --> 00:31:06,700
one phone. 
You can use any other device to 

575
00:31:06,700 --> 00:31:11,100
extend that and create a 
extension of the certificate 

576
00:31:11,100 --> 00:31:15,100
chain, on a new device without 
calling it help desks or 

577
00:31:15,100 --> 00:31:19,000
administrators. 
And so being on that device 

578
00:31:19,000 --> 00:31:22,400
offers a lot of interesting 
aspects, you know, we can 

579
00:31:22,400 --> 00:31:26,200
actually interact with that 
device to assess the trust of 

580
00:31:26,200 --> 00:31:28,900
the device. 
At the point of login, and by

581
00:31:28,900 --> 00:31:31,500
being on the device, it can 
speak to the security of the 

582
00:31:31,500 --> 00:31:35,500
device itself. 
When that end user is logging 

583
00:31:35,500 --> 00:31:39,100
on, you know, by anchoring the 
key in the hardware, you 

584
00:31:39,100 --> 00:31:41,200
eliminate the mobility of that 
key. 

585
00:31:41,900 --> 00:31:43,600
As a credential, can't leave the
device. 

586
00:31:43,600 --> 00:31:45,700
It can't be ported from that 
device. 

587
00:31:45,800 --> 00:31:51,000
We disrupt the Roll movement or 
disrupting valid credential 

588
00:31:51,000 --> 00:31:55,600
misuse by housing, it in that 
security p.m. but recognizing 

589
00:31:55,600 --> 00:31:58,700
one of the benefits of passwords
was the portability that you can

590
00:31:58,700 --> 00:32:01,900
be used from any device and 
still have that happen. 

591
00:32:02,100 --> 00:32:05,900
We brought all of that down to 
the Beyond Identity solution.

592
00:32:06,200 --> 00:32:10,500
So leveraging standards like 
X.509 and TLS creating a notion

593
00:32:10,500 --> 00:32:13,700
of a personal certificate 
authority, making it easy for

594
00:32:13,700 --> 00:32:16,300
the device itself to 
authenticate. 

595
00:32:16,700 --> 00:32:20,600
And thus, it's the analogy is, 
it's like airport security,

596
00:32:20,900 --> 00:32:23,500
you have to show an ID. 
So we know it's really Jeff or

597
00:32:23,500 --> 00:32:27,200
it's really Jim.
We then still have to go through

598
00:32:27,200 --> 00:32:30,900
the intro of the metal 
detectors. 

599
00:32:31,300 --> 00:32:32,800
Do the same thing with 
authentication. 

600
00:32:32,900 --> 00:32:35,700
Make sure it's you make sure 
it's your device, but make sure 

601
00:32:35,700 --> 00:32:39,100
that device is trustworthy at 
the point of authentication.

602
00:32:39,800 --> 00:32:43,900
So Curtis a conceptual of ones 
and some of those PK is of quite

603
00:32:43,900 --> 00:32:45,900
frankly goes a little bit over 
my head. 

604
00:32:46,300 --> 00:32:50,400
So, Is definitely very technical
conversation, right? 

605
00:32:50,400 --> 00:32:54,000
But at a conceptual level, you 
mentioned the binding of a

606
00:32:54,000 --> 00:32:55,800
device. 
So, how does the binding of a

607
00:32:55,800 --> 00:32:59,600
device to a human improve
or strengthen

608
00:32:59,700 --> 00:33:02,600
that authentication experience?
Yeah. 

609
00:33:03,000 --> 00:33:07,000
When you really look at it that 
the device itself as opposed to 

610
00:33:07,000 --> 00:33:11,100
just being familiar like oh I've
seen Kurt use this device before

611
00:33:11,100 --> 00:33:14,300
or it's part of a database, the 
strength of actually binding an

612
00:33:14,300 --> 00:33:18,100
identity and a device together.
In my opinion, kind of becomes a

613
00:33:18,108 --> 00:33:22,200
building block of zero trust.
You know you verify the 

614
00:33:22,200 --> 00:33:25,300
identity, you actually bind it 
to the device that it's trying 

615
00:33:25,300 --> 00:33:28,800
to access and then that can be 
transmitted and carried with you

616
00:33:28,800 --> 00:33:31,500
throughout the journey of the
transactions. 

617
00:33:31,800 --> 00:33:35,100
If you look at most two attacks 
today, they're really hitting on

618
00:33:35,100 --> 00:33:36,900
those two factors, right? 
They're either trying to 

619
00:33:36,900 --> 00:33:40,300
compromise the identity and 
pretend they are

620
00:33:40,300 --> 00:33:43,200
somebody
they are not, really through

621
00:33:43,200 --> 00:33:46,400
stolen passwords or other even 
attacks on MFA. 

622
00:33:46,700 --> 00:33:49,200
They're going after the device 
itself, whether that could be 

623
00:33:49,200 --> 00:33:53,300
malware or, you know, laying 
ransomware down through that. 

624
00:33:53,500 --> 00:33:57,000
So, most zero trust initiatives
that we've started today are 

625
00:33:57,000 --> 00:34:00,200
kind of looking at the various 
components, a single-threaded 

626
00:34:00,200 --> 00:34:03,600
indicators of risk, you know, is
this Kurt. 

627
00:34:03,700 --> 00:34:07,500
But what if Kurt's trying to
access from a computer in the 

628
00:34:07,500 --> 00:34:10,000
library
that's covered in malware and

629
00:34:10,500 --> 00:34:14,600
don't know who's used it
before or it's my kids laptop 

630
00:34:14,600 --> 00:34:16,500
with TikTok and everything
else on it and do. 

631
00:34:16,600 --> 00:34:18,500
Know if that thing's been 
compromised. 

632
00:34:18,800 --> 00:34:24,100
So you also have often seen a 
lot of organizations, especially

633
00:34:24,100 --> 00:34:27,600
3 went to the whole work from 
home through this pandemic, 

634
00:34:27,600 --> 00:34:30,699
really focus on mobile device 
management. 

635
00:34:30,699 --> 00:34:35,100
MDM, or endpoint detection and
response, EDR, tools because they

636
00:34:35,100 --> 00:34:37,800
needed more visibility into 
those devices and what was 

637
00:34:37,800 --> 00:34:40,100
coming in or pushing them 
through the VPN. 

638
00:34:40,500 --> 00:34:43,400
But many of those are very 
intrusive technologies that go 

639
00:34:43,400 --> 00:34:47,400
beyond and enable you to really
see a lot of the information and

640
00:34:47,400 --> 00:34:50,800
data on those devices. 
And frankly, putting cameras in

641
00:34:50,808 --> 00:34:53,100
dressing rooms can cut down on 
shoplifting, right? 

642
00:34:53,100 --> 00:34:56,699
But do we really want to have 
that as a mechanism for 

643
00:34:56,699 --> 00:34:59,200
security? 
Some people feel the same way 

644
00:34:59,200 --> 00:35:01,800
about these. 
I don't want this on my personal

645
00:35:01,800 --> 00:35:04,500
device. 
So, you know, from our 

646
00:35:04,500 --> 00:35:09,900
perspective, it was like, let's 
bring these factors together and

647
00:35:10,300 --> 00:35:15,700
really completely change the 
notion of having just looking at

648
00:35:15,700 --> 00:35:18,700
the security posture. 
Juror is disk encryption on his 

649
00:35:18,700 --> 00:35:21,300
firewall enabled. 
Is it a personal device or a 

650
00:35:21,300 --> 00:35:23,700
corporate device? 
Has that been jailbroken?

651
00:35:23,700 --> 00:35:25,300
Is there malware running on
it? 

652
00:35:25,400 --> 00:35:28,100
But bringing that at the point 
of authentication. 

653
00:35:28,300 --> 00:35:30,800
So that's why I was saying it's 
like the airport analogy. 

654
00:35:31,400 --> 00:35:34,500
I know it's me. 
I also know it's my bag and I'm 

655
00:35:34,508 --> 00:35:38,100
going to screen that bag. 
But unlike airport security, I 

656
00:35:38,100 --> 00:35:39,500
want it to be done without 
friction. 

657
00:35:39,500 --> 00:35:42,500
So from an end-user have 
launched an app, this runs in 

658
00:35:42,500 --> 00:35:45,600
the background making sure 
passes all that but we can 

659
00:35:45,600 --> 00:35:51,300
actually at the point of
authenticating verify that only 

660
00:35:51,300 --> 00:35:54,500
a laptop with disk encryption 
enabled can access patient data.

661
00:35:54,800 --> 00:35:57,200
And if it's personal device, 
maybe it just should get office 

662
00:35:57,200 --> 00:36:00,800
suite or email, but I want it to
be a corporate device or

663
00:36:00,800 --> 00:36:03,900
corporate managed device that 
has more of this secured 

664
00:36:03,900 --> 00:36:09,300
lockdown capability before 
accessing AWS or, you know, 

665
00:36:09,700 --> 00:36:12,600
GitHub or any other more 
sensitive applications. 

666
00:36:13,500 --> 00:36:15,900
That's really is kind of where 
we need to evolve this to, and

667
00:36:15,908 --> 00:36:17,700
that's what we feel. 
So when we can really kind of 

668
00:36:17,700 --> 00:36:21,000
make those one and bind those 
together, it's a lot different 

669
00:36:21,000 --> 00:36:23,900
than just looking at them as 
individual statistics and then 

670
00:36:23,900 --> 00:36:26,300
you can look at things like the 
location in the network, you 

671
00:36:26,300 --> 00:36:28,900
know, if I know it's Kurt's 
device and it's trustworthy at 

672
00:36:28,900 --> 00:36:31,400
the point of authentication. 
Do I really care if it's coming 

673
00:36:31,400 --> 00:36:33,700
from a Starbucks that I haven't 
seen before? 

674
00:36:33,700 --> 00:36:35,200
Because I have good high 
assurance. 

675
00:36:35,700 --> 00:36:38,000
And let's look at the rest of 
the indicators from like a 

676
00:36:38,000 --> 00:36:43,200
behavioral analytic standpoint. 
So what somebody's doing is it a

677
00:36:43,207 --> 00:36:46,000
risky action? 
Is it looked a typical than what

678
00:36:46,000 --> 00:36:49,300
they do then Yeah, but it's like
them re-verify or let them step 

679
00:36:49,300 --> 00:36:53,300
up the authentication. 
So I do believe there's all the 

680
00:36:53,300 --> 00:36:55,800
aspects of kind of really 
looking through the broad zero 

681
00:36:55,800 --> 00:36:58,900
trust but this notion of really 
kind of bringing that identity 

682
00:36:58,900 --> 00:37:01,600
and the device together as one, 
we just feel brings such a

683
00:37:01,607 --> 00:37:06,100
higher level of assurance that 
then doing that in 

684
00:37:06,100 --> 00:37:08,400
authenticating with the 
asymmetric cryptography and 

685
00:37:08,400 --> 00:37:10,000
certificates, and not a 
password. 

686
00:37:10,400 --> 00:37:12,500
The end user doesn't even know 
what's happening behind their, 

687
00:37:12,500 --> 00:37:13,900
you bring. 
It's one of the rare times we 

688
00:37:13,900 --> 00:37:16,400
can bring higher level security 
and better

689
00:37:16,600 --> 00:37:18,300
user experience at the same
time. 

690
00:37:19,300 --> 00:37:23,800
I feel like this is an area that
couldn't exist, you know, a 

691
00:37:23,800 --> 00:37:25,600
decade ago. 
I feel like this is an area 

692
00:37:25,600 --> 00:37:28,300
where the modern advances in 
technology. 

693
00:37:28,400 --> 00:37:31,600
And the, you know, the sheer 
power of computing, right? 

694
00:37:31,600 --> 00:37:33,500
That you have at your 
fingertips these days,

695
00:37:33,500 --> 00:37:36,000
right? 
Is your phone might be the most 

696
00:37:36,000 --> 00:37:40,200
powerful device you have, you 
know, in your, in your entire 

697
00:37:40,200 --> 00:37:41,700
life, right? 
It might be stronger than even 

698
00:37:41,700 --> 00:37:44,400
your computer. 
And when we start talking about 

699
00:37:44,400 --> 00:37:48,600
cryptography and being able to 
act as, you know, certificate

700
00:37:48,600 --> 00:37:50,900
authority, like this is, this is
the type of stuff you weren't 

701
00:37:50,900 --> 00:37:54,400
going to see on your old you 
know, BlackBerry or Windows

702
00:37:54,400 --> 00:37:57,200
phone or things like that. 
And you know, I think this is 

703
00:37:57,200 --> 00:37:59,100
where the zero trust part comes 
in as well, right? 

704
00:37:59,100 --> 00:38:01,500
We're talking a lot, a lot of 
things you just described are, 

705
00:38:01,900 --> 00:38:04,100
you know, typically what I see 
like under conditional or 

706
00:38:04,100 --> 00:38:05,800
adaptive authentication rules, 
right? 

707
00:38:05,800 --> 00:38:09,700
Taking a bunch of different 
signals and then figuring out. 

708
00:38:09,700 --> 00:38:11,700
What do you want to do with that
information, right? 

709
00:38:11,700 --> 00:38:14,600
Is it safe? 
Do you re you know, do you meet 

710
00:38:14,600 --> 00:38:17,600
the level of assurance that you 
want and maybe there's different

711
00:38:17,600 --> 00:38:18,900
levels of assurance? 
Yeah, I'm fine. 

712
00:38:19,000 --> 00:38:21,400
I'm trying to get to the 
cafeteria menu, who cares. 

713
00:38:21,400 --> 00:38:22,900
Right. 
But would it be wide open? 

714
00:38:23,200 --> 00:38:26,400
But if I'm trying to get to the 
secret sauce for or the, you 

715
00:38:26,400 --> 00:38:29,100
know, the recipe, for KFC 
chicken, right? 

716
00:38:29,100 --> 00:38:30,700
Maybe there's a few few more 
Hoops. 

717
00:38:30,700 --> 00:38:32,500
They need to jump through before
to get to that. 

718
00:38:32,500 --> 00:38:38,100
So I think it's interesting that
I feel like the, the advances in

719
00:38:38,100 --> 00:38:41,100
the technology space have 
definitely enabled this because 

720
00:38:41,100 --> 00:38:42,300
I go back to the original 
statement. 

721
00:38:42,300 --> 00:38:44,700
I says, well Bill Gates said the
password is dead like 10 years 

722
00:38:44,700 --> 00:38:47,300
ago but I don't think it really 
could have been. 

723
00:38:47,600 --> 00:38:49,700
I think what he meant real is, 
you know, the password is really

724
00:38:49,700 --> 00:38:51,400
hidden behind something else, 
right? 

725
00:38:51,400 --> 00:38:53,600
Biometrics, you know, whatever 
it may be. 

726
00:38:54,000 --> 00:38:57,400
So I think that's kind of where 
I've seen the industry go, but 

727
00:38:57,400 --> 00:38:58,700
I'm also a little bit of a 
skeptic. 

728
00:38:58,800 --> 00:39:01,400
So, you know, I hear all this 
cool stuff. 

729
00:39:01,400 --> 00:39:03,800
I want to go passwordless but I
also hear from a lot of 

730
00:39:03,808 --> 00:39:05,900
different vendors and I think 
this is where the distinction 

731
00:39:05,900 --> 00:39:08,500
comes into. 
So you know, Microsoft, you 

732
00:39:08,500 --> 00:39:10,000
know, touts passwordless 
through Windows. 

733
00:39:10,000 --> 00:39:13,500
Hello, you know, Apple has it 
through their various mechanisms

734
00:39:13,500 --> 00:39:18,500
of teach it, Touch ID and Face 
ID and if I'm a skeptical CISO, 

735
00:39:19,300 --> 00:39:21,200
You know, I guess the question 
I'm going to ask is, ok. 

736
00:39:21,200 --> 00:39:23,100
So what is the value proposition
here? 

737
00:39:24,200 --> 00:39:27,400
Why do I need an add-on 
authentication product? 

738
00:39:27,500 --> 00:39:33,200
Like a scoreless, when Microsoft
or Okta or Ping or whoever? 

739
00:39:33,200 --> 00:39:35,800
Right is telling me they already
have this as part of their 

740
00:39:35,800 --> 00:39:39,000
solution, is that something that
you can kind of help me 

741
00:39:39,000 --> 00:39:42,600
understand that context. 
Yeah, absolutely. 

742
00:39:42,600 --> 00:39:47,200
I think obviously with the risk 
and vulnerability of passwords, 

743
00:39:47,200 --> 00:39:51,100
this is an industry-wide 
movement to reduce that risk as 

744
00:39:51,100 --> 00:39:54,600
much as we can. 
And everybody kind of trying to 

745
00:39:54,600 --> 00:39:58,900
get into to help support. 
That is a good thing though, 

746
00:39:58,900 --> 00:40:01,300
that's where I was saying it's 
but it goes beyond that, you 

747
00:40:01,308 --> 00:40:04,200
know, just the elimination of 
passwords, it's a critical 

748
00:40:04,200 --> 00:40:10,600
component to it but this notion 
of zero trust and device 

749
00:40:11,100 --> 00:40:15,900
Evidence and security posture 
are critical aspects, that take 

750
00:40:15,900 --> 00:40:19,100
that Beyond just kind of an 
authentication experience. 

751
00:40:19,500 --> 00:40:22,600
And I think that's kind of been 
our different approach from a 

752
00:40:22,600 --> 00:40:25,700
lot of the philosophy that you 
shouldn't have to have to pick 

753
00:40:25,700 --> 00:40:28,800
up a second device in order to 
log in and even that of does 

754
00:40:28,800 --> 00:40:30,100
avoid a password. 
Yeah, that's great. 

755
00:40:30,100 --> 00:40:34,800
But we can bring that even one 
step further in our goals and 

756
00:40:34,800 --> 00:40:38,200
initiatives out there as an 
industry being on that device 

757
00:40:38,200 --> 00:40:41,000
gives the additional benefit of 
a better user 

758
00:40:41,200 --> 00:40:43,000
experience. Then you're 
right. 

759
00:40:43,000 --> 00:40:46,500
We, before we had TPMs and 
enclaves of these devices that 

760
00:40:46,500 --> 00:40:49,200
really wasn't possible or as 
secure. 

761
00:40:49,200 --> 00:40:53,200
But take, we saw this, you know,
with with apple back in the 

762
00:40:53,200 --> 00:40:56,800
tragedy of the San Bernardino 
shootings, they wanted to get 

763
00:40:56,800 --> 00:40:59,600
access to the PIN code to get 
into that iPhone. 

764
00:40:59,600 --> 00:41:01,500
And Apple was like, we can't do 
that. 

765
00:41:01,500 --> 00:41:05,500
So the device security built in 
taking that but then kind of 

766
00:41:05,500 --> 00:41:10,400
extending that through broader 
means was really kind of what we

767
00:41:10,400 --> 00:41:12,800
felt was. 
Was where the industry needed to

768
00:41:12,800 --> 00:41:15,300
move to. 
So yeah, you there are, you 

769
00:41:15,308 --> 00:41:17,500
know, free features. 
You can get with a lot of these 

770
00:41:17,500 --> 00:41:21,100
vendors and in my belief, a free
feature can be a lot like a free

771
00:41:21,100 --> 00:41:25,000
puppy and really understand a 
lot of them require MDM or EDR 

772
00:41:25,000 --> 00:41:28,000
to be in that equation, to give 
the device security, or you have

773
00:41:28,000 --> 00:41:31,100
to stand up your own certificate
management system, or they'll do

774
00:41:31,100 --> 00:41:33,800
it for you, which comes at a 
cost, and that's not easy. 

775
00:41:33,800 --> 00:41:37,800
So, really kind of where our 
thinking in the goal was, was 

776
00:41:37,800 --> 00:41:39,800
that? 
Yeah, you can Leverage The, 

777
00:41:41,100 --> 00:41:44,200
enclaves and TPMs to really 
enable the private key. 

778
00:41:44,200 --> 00:41:46,800
But the notion of a personal 
certificate Authority, how can 

779
00:41:46,800 --> 00:41:49,900
an end-user do this without 
knowing they're doing? 

780
00:41:49,900 --> 00:41:53,700
It is a critical ingredient. 
So I think as customers of these

781
00:41:53,700 --> 00:41:56,700
vendors it's great to see what 
kind of features they have. 

782
00:41:56,700 --> 00:42:00,100
But the reason we felt that we 
could create a company and 

783
00:42:00,100 --> 00:42:04,800
create a premium offering is it's
100% focused on the delivery of 

784
00:42:04,800 --> 00:42:07,400
the most secure authentication 
experience possible. 

785
00:42:07,400 --> 00:42:10,600
Stop credential based attacks 
right in their 

786
00:42:11,800 --> 00:42:16,100
tracks, but make it a better 
experience for the end user so 

787
00:42:16,100 --> 00:42:20,000
and don't do this just for the 
specific systems of that vendor.

788
00:42:20,000 --> 00:42:23,600
But in a hybrid environment and 
our philosophy was that the 

789
00:42:23,600 --> 00:42:28,300
approach we're taking binding 
identity and the security 

790
00:42:28,300 --> 00:42:30,800
posture of that device bringing 
that at the point of 

791
00:42:30,800 --> 00:42:33,500
authentication. 
Our first foray was doing this 

792
00:42:33,500 --> 00:42:36,200
for the workforce and we didn't 
want to replace the identity 

793
00:42:36,200 --> 00:42:37,600
providers. 
We made it. 

794
00:42:37,700 --> 00:42:42,000
So we could integrate directly 
into Okta, Ping, ForgeRock, 

795
00:42:42,000 --> 00:42:46,900
Microsoft and working just as a 
delegated identity provider, to 

796
00:42:47,200 --> 00:42:49,600
interact with that system, which
means it doesn't disrupt. 

797
00:42:49,600 --> 00:42:51,800
You don't have to change what 
you've done in those systems. 

798
00:42:51,800 --> 00:42:56,600
You don't have to configure APIs
to make this work work with that

799
00:42:56,600 --> 00:42:58,500
environment. 
Then we took it through custom 

800
00:42:58,500 --> 00:43:00,800
to customers as well and 
customer logins through 

801
00:43:00,800 --> 00:43:04,000
interaction with CIAM or even an
SDK that can be embedded into 

802
00:43:04,000 --> 00:43:06,600
the app. 
So we can provide this secure, 

803
00:43:06,900 --> 00:43:09,500
easy form of authentication. 
Freakish frictionless, 

804
00:43:09,500 --> 00:43:12,600
authentication for Customers and
end users. 

805
00:43:12,700 --> 00:43:18,000
So you're bringing up some some 
really good meaty topics which I

806
00:43:18,000 --> 00:43:22,900
think are the things that, you 
know, our listeners that are IAM 

807
00:43:22,900 --> 00:43:24,700
practitioners. 
There were people who are 

808
00:43:24,700 --> 00:43:29,100
evaluating and procuring and 
then having to deploy 

809
00:43:29,400 --> 00:43:32,300
technologies like passwordless 
in their environment. 

810
00:43:32,300 --> 00:43:36,400
And so, we had Martin Kuppinger on
the podcast last week and we 

811
00:43:36,400 --> 00:43:40,900
talked about the POC process was
the right way to conduct a POC. 

812
00:43:41,100 --> 00:43:47,200
Not just Zeke something like the
leadership cam Compass or the 

813
00:43:47,300 --> 00:43:50,000
magic quadrant just take the 
solution. 

814
00:43:50,000 --> 00:43:53,200
That's you know, ranked the 
highest in that analysis. 

815
00:43:53,200 --> 00:43:56,100
It's really you know that can be
a guide, right? 

816
00:43:56,100 --> 00:44:00,700
That can be a data point but you
need to conduct some kind of 

817
00:44:00,700 --> 00:44:04,100
proof of concept. 
And so what I wanted to ask you 

818
00:44:04,100 --> 00:44:07,900
is I mean I'm sure in your role.
You've been involved with a lot 

819
00:44:07,900 --> 00:44:12,100
of proof of Concepts where 
companies are evaluating 

820
00:44:12,100 --> 00:44:14,500
passwordless and what's your 
takeaway. 

821
00:44:14,500 --> 00:44:17,100
And you know, some of the best 
ways to do that. 

822
00:44:17,200 --> 00:44:18,400
What have you, where have you 
seen? 

823
00:44:18,400 --> 00:44:22,900
Where a customer's just doing it
right there. 

824
00:44:23,200 --> 00:44:26,500
They're, they're really evaluating 
passwordless in the right way. 

825
00:44:26,500 --> 00:44:28,000
They're asking the right 
questions. 

826
00:44:28,300 --> 00:44:32,400
Whatever versus what's the wrong
way to do it? 

827
00:44:32,800 --> 00:44:34,600
Yeah. 
And I think part of its really 

828
00:44:34,600 --> 00:44:37,700
going in to understand what your
goals and initiatives are we 

829
00:44:37,700 --> 00:44:39,900
were talking about this before 
passwordless means so many 

830
00:44:39,900 --> 00:44:42,400
different things that That 
you're not going to find a 

831
00:44:42,400 --> 00:44:46,100
laundry list of like RFP 
responses or checkbox items 

832
00:44:46,100 --> 00:44:49,900
because if the systems are meant
for very different things, one 

833
00:44:49,900 --> 00:44:53,300
just to do multi-factor, 
authentication one to provide a 

834
00:44:53,300 --> 00:44:56,000
full secure authentication 
experience. 

835
00:44:56,000 --> 00:44:59,000
It really is going into it with 
your eyes open to what are you 

836
00:44:59,000 --> 00:45:04,800
really trying to accomplish here
and Belief that our goal is to 

837
00:45:04,800 --> 00:45:07,500
really truly eliminate that 
password is really going to 

838
00:45:07,500 --> 00:45:10,800
provide the better long-term 
experience really understanding.

839
00:45:11,000 --> 00:45:13,700
Where does that occur in? 
Can that occur? 

840
00:45:14,000 --> 00:45:16,300
So going into it, there's 
there's two sides to this, you 

841
00:45:16,300 --> 00:45:17,900
know, we want to improve the 
security. 

842
00:45:17,900 --> 00:45:21,700
We also want to reduce the user 
friction and make that a good 

843
00:45:21,700 --> 00:45:24,800
experience, and those have to be
critical components of the proof

844
00:45:24,800 --> 00:45:27,500
of concept and you need to test 
this. 

845
00:45:27,500 --> 00:45:29,500
What does it take to deploy the 
solution? 

846
00:45:29,600 --> 00:45:31,800
Do you have to make 
configuration changes to your 

847
00:45:31,800 --> 00:45:33,900
system? 
Teams or API changes to the 

848
00:45:33,900 --> 00:45:36,900
applications, that you're 
authenticating to how easy can 

849
00:45:36,900 --> 00:45:39,600
it get stood up? 
We challenge them to time us 

850
00:45:39,800 --> 00:45:41,500
from the point. 
We start to the point we finish 

851
00:45:41,500 --> 00:45:44,600
and see how quickly we can 
actually integrate into that 

852
00:45:44,600 --> 00:45:48,400
system and not cause any 
disruption to your current 

853
00:45:48,400 --> 00:45:51,000
environment. 
But also with the policy itself,

854
00:45:51,000 --> 00:45:53,500
as I mentioned, bringing that 
device security into it is 

855
00:45:53,500 --> 00:45:56,700
something very unique that most 
solutions aren't doing is that 

856
00:45:56,700 --> 00:45:59,200
something important to you? 
And how do you want that to 

857
00:45:59,200 --> 00:46:01,200
occur? 
What policy makes sense really 

858
00:46:01,200 --> 00:46:03,300
thinking through your 
Organization on. 

859
00:46:03,500 --> 00:46:05,100
Where do we want to be more 
restrictive? 

860
00:46:05,100 --> 00:46:08,800
Versus where do we want to be 
more open with that access as 

861
00:46:08,800 --> 00:46:10,500
well? 
And the most important pieces 

862
00:46:10,500 --> 00:46:13,500
testing this with end users and 
I say probably the most 

863
00:46:14,500 --> 00:46:18,800
uncomfortable or awkward POCs are
where only the IT people are 

864
00:46:18,800 --> 00:46:21,400
testing it and it's the security
people testing it. 

865
00:46:21,400 --> 00:46:24,200
It's like put it in front of 
your end users who are the 

866
00:46:24,200 --> 00:46:27,200
people who are your challenging 
call the help desk a bunch and 

867
00:46:27,200 --> 00:46:30,400
see how easy it is for them. 
Because when you change the user

868
00:46:30,400 --> 00:46:33,400
experience, especially at the 
point of Of authentication, 

869
00:46:34,200 --> 00:46:37,200
you're going to have it. 
That's changed Behavior, that's 

870
00:46:37,300 --> 00:46:39,800
impact. 
And so even when it's easier, it

871
00:46:39,800 --> 00:46:43,200
can also be somewhat disruptive.
We actually saw this through 

872
00:46:43,200 --> 00:46:45,400
kind of some of the user 
experience testing we were doing

873
00:46:45,400 --> 00:46:48,000
early on because the whole 
notion and idea is that you 

874
00:46:48,008 --> 00:46:52,100
launch the application and the 
redirect and the authentication 

875
00:46:52,100 --> 00:46:54,100
and the price, the public key 
gets issue signing. 

876
00:46:54,100 --> 00:46:56,700
It's a private key. 
None of that visible to the end 

877
00:46:56,700 --> 00:46:58,100
user. 
They don't have to pick up our 

878
00:46:58,100 --> 00:47:01,200
app or pick up a second device. 
So they were opening the app and

879
00:47:01,200 --> 00:47:03,000
all they were knowing if they 
were In and they never enter in 

880
00:47:03,008 --> 00:47:05,000
a password. 
So, they're calling, saying, hey, 

881
00:47:05,000 --> 00:47:07,200
something's wrong here. 
Somebody's in my account. 

882
00:47:07,200 --> 00:47:09,800
So, we actually had to create 
some graphic showing that 

883
00:47:09,800 --> 00:47:11,400
something's happening behind the
scenes here. 

884
00:47:11,400 --> 00:47:13,100
It's doing something so, you 
know. 

885
00:47:13,300 --> 00:47:15,100
Oh, okay. 
I feel comfortable that was 

886
00:47:15,100 --> 00:47:17,000
authentically almost. 
Brought it too far. 

887
00:47:17,200 --> 00:47:20,000
So really understanding that 
user experience is just a 

888
00:47:20,008 --> 00:47:23,500
critical piece and testing this 
with the right users we love the

889
00:47:23,500 --> 00:47:26,700
POCs because we feel once we 
take the password away from an 

890
00:47:26,700 --> 00:47:28,700
end user is going to be real 
hard to give it back if they 

891
00:47:28,700 --> 00:47:32,000
don't want to move forward. 
Yeah, no it absolutely. 

892
00:47:32,100 --> 00:47:36,600
And that's I think a step that 
organizations need to do more 

893
00:47:36,600 --> 00:47:39,000
as organizational change 
management, really thinking 

894
00:47:39,000 --> 00:47:43,300
about the impact, the customer 
experience that they're creating

895
00:47:43,300 --> 00:47:45,200
whether. 
Even for internal users. 

896
00:47:45,200 --> 00:47:50,000
I remember when I first got 
into IAM, the mindset was. 

897
00:47:50,100 --> 00:47:52,300
Okay. 
What is the difference between? 

898
00:47:52,300 --> 00:47:55,200
CIAM and IAM? Oh, CIAM, 
you have to have a really 

899
00:47:55,200 --> 00:47:57,800
good user experience. 
But for employees who gives a 

900
00:47:57,808 --> 00:48:02,400
hoot, I think that mindset is 
shifting a lot because Think 

901
00:48:02,400 --> 00:48:04,800
tools are better now, right? 
And that becomes a 

902
00:48:04,800 --> 00:48:08,400
differentiator but, you know, I 
you've been great with your 

903
00:48:08,400 --> 00:48:11,900
time, but I did want to ask one 
more question, which is, you 

904
00:48:11,900 --> 00:48:15,000
know, selfishly from a 
consultant perspective, right? 

905
00:48:15,000 --> 00:48:19,600
I'm still getting asked about 
self-service password reset. 

906
00:48:19,600 --> 00:48:23,600
Hey should we be looking for a 
solution or how do we approach 

907
00:48:23,600 --> 00:48:26,700
self-service password? 
Reset to me it seems like the 

908
00:48:26,700 --> 00:48:30,000
answer ought to be. 
Why even if you haven't gotten 

909
00:48:30,000 --> 00:48:31,600
there yet? 
Why go there? 

910
00:48:31,600 --> 00:48:34,100
Why not? 
Just go right to passwordless. 

911
00:48:34,100 --> 00:48:39,300
So can passwordless be a 
substitute for self-service 

912
00:48:39,300 --> 00:48:43,900
password reset and if so, what 
are kind of are, there are 

913
00:48:43,900 --> 00:48:47,800
trade-offs, I mean, can is, it 
is a good substitute for 

914
00:48:47,800 --> 00:48:50,100
password, self-service? 
Password reset. 

915
00:48:50,400 --> 00:48:54,100
Yeah, I think it's, you know, we
often say, hey, you can't steal 

916
00:48:54,100 --> 00:48:55,600
a bike if the bike doesn't 
exist. 

917
00:48:55,600 --> 00:48:57,700
So the password doesn't exist, 
you can't steal it. 

918
00:48:57,700 --> 00:49:00,100
But you also don't need to 
reset it anymore. 

919
00:49:00,100 --> 00:49:06,100
And so it's actually kind of a 
True benefit that often prompts 

920
00:49:06,100 --> 00:49:09,100
a lot of these organizations is 
that as much as they built. 

921
00:49:09,100 --> 00:49:11,500
Many of these tools to do self 
service reset. 

922
00:49:11,500 --> 00:49:16,000
It still is a major problem for 
these help desks. 

923
00:49:16,000 --> 00:49:19,900
So yeah, if you rip that out all
together you've got nothing left

924
00:49:19,900 --> 00:49:23,800
that needs to be reset. 
So absolutely can change the 

925
00:49:23,800 --> 00:49:26,300
game. 
And I think part of it is as 

926
00:49:26,300 --> 00:49:28,700
we've looked and, you know, you 
were asking before it's how 

927
00:49:28,700 --> 00:49:30,700
we're different, you know, 
certainly logging on to 

928
00:49:30,700 --> 00:49:33,100
corporate resources. 
Logging onto consumer. 

929
00:49:33,100 --> 00:49:35,400
Resources are important. 
You nailed it Jim. 

930
00:49:35,400 --> 00:49:38,200
There's been this mindset with 
well with our employees we can 

931
00:49:38,200 --> 00:49:40,900
get away with a lot more. 
We can make it more painful but 

932
00:49:41,100 --> 00:49:44,500
even that hits a level at some 
point but we're seeing it with 

933
00:49:44,500 --> 00:49:46,300
other things. 
Like you know we're seeing us 

934
00:49:46,300 --> 00:49:49,800
being asked to integrate with 
like the CyberArks and 

935
00:49:50,100 --> 00:49:53,400
Thycotics and BeyondTrusts of 
the world for privileged access.

936
00:49:53,400 --> 00:49:55,900
So why should we be pulling 
these things? 

937
00:49:55,900 --> 00:49:58,900
Out of a vault with MFA as well?
If we can truly authenticate 

938
00:49:58,900 --> 00:50:01,800
that experience and the new area
we've been getting into is even 

939
00:50:01,800 --> 00:50:05,500
with DevOps, that you have 
developers who are signing code 

940
00:50:05,500 --> 00:50:09,500
and interacting with these git 
repositories all the time and 

941
00:50:09,500 --> 00:50:12,600
they do them from account. 
So you have Daffy Duck 123. 

942
00:50:12,600 --> 00:50:15,300
And you don't know who that is. 
And obviously with things like 

943
00:50:15,300 --> 00:50:18,600
supply chain security and we saw
it with the SolarWinds attack 

944
00:50:18,600 --> 00:50:22,300
that you want to make sure, you 
know, who is signing code and 

945
00:50:22,300 --> 00:50:23,800
what device they're doing it 
from. 

946
00:50:23,800 --> 00:50:26,600
So we have applicability there, 
but believe me, you want to talk

947
00:50:26,600 --> 00:50:28,700
about an environment? 
You don't want to make friction,

948
00:50:29,000 --> 00:50:31,900
is your developers who are 
writing code and signing 

949
00:50:32,100 --> 00:50:34,500
code in. 
So kind of looking at all these 

950
00:50:34,500 --> 00:50:38,800
different use, case scenarios 
the level of user friction is a 

951
00:50:38,800 --> 00:50:42,300
critical component to it, but 
yeah, let's let's finally 

952
00:50:42,300 --> 00:50:45,700
stop the calls to the help 
desk and customer service for 

953
00:50:45,700 --> 00:50:48,800
forgotten passwords. 
Or how many times have you 

954
00:50:48,808 --> 00:50:51,500
gotten something from some 
service that said hey our 

955
00:50:51,500 --> 00:50:53,900
password database looks like it 
may have been stolen. 

956
00:50:53,900 --> 00:50:56,100
We don't know if your stuff has 
been but we were strongly 

957
00:50:56,100 --> 00:50:58,000
recommend. 
You change your password so we 

958
00:50:58,000 --> 00:51:01,800
create that spiral all over 
again to something new I have to

959
00:51:02,100 --> 00:51:04,600
remember that I'm bound to forget 
as well. 

960
00:51:04,600 --> 00:51:07,300
So yeah, the best way of 
eliminating. 

961
00:51:07,300 --> 00:51:11,000
The problem is truly 
eliminating, the problem, right?

962
00:51:11,300 --> 00:51:14,300
That's a great answer. 
So Kurt, you've been super 

963
00:51:14,300 --> 00:51:17,300
generous with your time. 
We always like to wrap up each 

964
00:51:17,300 --> 00:51:20,800
episode on a lighter note, 
right? 

965
00:51:20,800 --> 00:51:23,100
Talk about something fun. 
And so we, when we were 

966
00:51:23,100 --> 00:51:27,900
pre-gaming for this episode, you
mentioned, you're from Boston, 

967
00:51:28,300 --> 00:51:30,600
obviously, that's my favorite or
maybe not. 

968
00:51:30,600 --> 00:51:33,700
So obviously but that's my 
favorite donut shop, which is 

969
00:51:33,700 --> 00:51:35,700
Dunkin Donuts, right? 
That's where it started in 

970
00:51:35,700 --> 00:51:39,000
Boston, and I recommend it to 
Jeff that we could have an 

971
00:51:39,000 --> 00:51:43,300
entire episode on doughnuts and 
so maybe we will do that at some

972
00:51:43,300 --> 00:51:46,400
point in the future. 
Let me know I'll be there donut 

973
00:51:46,400 --> 00:51:52,000
at the center. 
Don't consider donut holes but 

974
00:51:52,000 --> 00:51:54,200
I'm also I'm from Augusta 
Georgia, right? 

975
00:51:54,200 --> 00:51:58,300
That's the epicenter of golf. 
I think of the golf world and at

976
00:51:58,300 --> 00:52:04,200
least one once a year it is and 
you Cindy, you're an avid 

977
00:52:04,200 --> 00:52:07,900
golfer. 
So I wanted to ask you, what is 

978
00:52:07,900 --> 00:52:10,600
the best part of your golf game?
And what's the worst part of 

979
00:52:10,600 --> 00:52:14,100
your golfing? 
What, what what gives you hope 

980
00:52:14,100 --> 00:52:16,000
that? 
What keeps you coming back to 

981
00:52:16,000 --> 00:52:17,900
the course? 
And then what is it? 

982
00:52:17,900 --> 00:52:20,700
That tells you you're never 
going to be a scratch golfer. 

983
00:52:21,500 --> 00:52:26,500
The greatest thing about golf is
even when you're doing terrible 

984
00:52:26,500 --> 00:52:29,100
all day long, you have that one 
great drive and it just gives 

985
00:52:29,100 --> 00:52:31,800
you confidence. 
You can come back and think 

986
00:52:31,800 --> 00:52:35,100
through Ooh, working on my game.
I've, really, my driving has 

987
00:52:35,100 --> 00:52:37,900
gotten much better and off the 
tee. 

988
00:52:37,900 --> 00:52:40,700
I'm feeling far more comfortable
than ever before and it's the 

989
00:52:40,700 --> 00:52:43,900
old, you know, drive for show 
putt for dough. 

990
00:52:44,400 --> 00:52:47,900
I can't putt for anything to 
save my life and I watched these

991
00:52:47,900 --> 00:52:51,000
Pros analyze, these greens and 
squatting down and yeah, I'm out

992
00:52:51,000 --> 00:52:54,100
there squatting down, staring at
them and don't have a freaking 

993
00:52:54,100 --> 00:52:55,400
clue what they're actually going
to do. 

994
00:52:55,400 --> 00:52:57,300
And I'm like, why did my putt go 
that way? 

995
00:52:57,300 --> 00:53:01,100
And it really started looking 
into it and just you know the 

996
00:53:01,100 --> 00:53:03,800
worst thing you can do. 
Your golf game is go to a 

997
00:53:03,808 --> 00:53:06,900
start-up because there's nothing
you need to do than play more in

998
00:53:06,900 --> 00:53:10,000
a start-up doesn't really help 
you on on doing more of that but

999
00:53:10,000 --> 00:53:13,600
I just realize how many strokes 
I'm spending on the green and 

1000
00:53:13,600 --> 00:53:17,600
three-putting that it's why I 
don't and but I'll go back to 

1001
00:53:17,607 --> 00:53:20,100
the range and just start hitting
long balls again and feeling 

1002
00:53:20,100 --> 00:53:22,100
really good about myself. 
So it gives me the confidence 

1003
00:53:22,100 --> 00:53:26,200
that hey, I can do this but then
when you really get down to it. 

1004
00:53:26,200 --> 00:53:28,500
Yeah that's that's where it when
you look at the pros and just 

1005
00:53:28,700 --> 00:53:31,000
that big huge book, They're 
carrying in their back pocket. 

1006
00:53:31,000 --> 00:53:33,900
I could never imagine Having one
of those but you realize the and

1007
00:53:33,900 --> 00:53:35,300
that's what I love about the 
game, right? 

1008
00:53:35,300 --> 00:53:38,600
It's out there. 
What the environment been to 

1009
00:53:38,600 --> 00:53:41,800
Augusta, which is like, probably
one of the greatest places I've 

1010
00:53:41,800 --> 00:53:45,000
ever been to, Augusta 
National, to see it, how 

1011
00:53:45,000 --> 00:53:48,700
beautiful it is, you're outdoors, 
you're interacting having good 

1012
00:53:48,700 --> 00:53:52,700
communication and good time with
friends and even the frustration

1013
00:53:52,700 --> 00:53:54,600
part. 
So you can kind of get past 

1014
00:53:54,600 --> 00:53:57,800
again, but yeah, if I could 
learn how to putt and just save 

1015
00:53:57,800 --> 00:54:01,200
so many of those Strokes, I 
think I could probably do a lot 

1016
00:54:01,200 --> 00:54:03,200
better than just going. 
Back to the range and trying to 

1017
00:54:03,200 --> 00:54:05,100
hit bombs, probably you. 
Jeff. 

1018
00:54:05,200 --> 00:54:06,300
Yeah. 
I was listening to Kurt here 

1019
00:54:06,300 --> 00:54:08,700
and, you know, I was listening 
on it's like, yeah hitting good 

1020
00:54:08,700 --> 00:54:11,200
drives and can't Putt and I 
immediately thought of Happy 

1021
00:54:11,200 --> 00:54:13,100
Gilmore. 
Yes. 

1022
00:54:13,100 --> 00:54:15,700
So that you know, that he was 
the king of the master drive, 

1023
00:54:15,700 --> 00:54:18,500
you know, I don't golf anywhere 
near as much as I used to. 

1024
00:54:19,000 --> 00:54:22,600
And I actually took lessons when
I was much younger in my, I 

1025
00:54:22,600 --> 00:54:27,000
guess mid to late teens but I 
would say the strength of my 

1026
00:54:27,000 --> 00:54:31,400
game is the 7 iron. 
That is the club that I can. 

1027
00:54:31,400 --> 00:54:34,600
I can nail. 
L just about almost every time I

1028
00:54:34,600 --> 00:54:37,300
cannot hit a wood or a driver to
save my life. 

1029
00:54:37,400 --> 00:54:40,500
And it shows because that's 
where my lessons ended, I 

1030
00:54:40,500 --> 00:54:42,800
learned how to hit irons and we 
were working our way up to the 

1031
00:54:42,800 --> 00:54:45,600
woods and I stopped taking 
lessons and I never actually got

1032
00:54:45,600 --> 00:54:49,700
to, you know, the the driver, 
you know, the 3-wood 5-wood 

1033
00:54:49,700 --> 00:54:53,800
etcetera, those sort of things. 
So I struggle mightily any of 

1034
00:54:53,808 --> 00:54:55,000
those clubs. 
Yeah. 

1035
00:54:55,000 --> 00:54:58,200
I'm okay of putting, I guess, 
you know, not perfect at it, but

1036
00:54:58,500 --> 00:55:01,100
I'm also not looking to beef but
give me a 7-iron. 

1037
00:55:01,100 --> 00:55:04,600
And, and a golf afternoon and 
I'm all over it. 

1038
00:55:05,500 --> 00:55:08,300
What I love is that combination 
of physical and thinking there's

1039
00:55:08,300 --> 00:55:11,300
a lot of thinking in it, but you
talk about the lessons, it's 

1040
00:55:11,300 --> 00:55:13,800
incredible. 
How much different advice you 

1041
00:55:13,800 --> 00:55:15,500
can get that? 
You could just drive yourself 

1042
00:55:15,500 --> 00:55:19,400
crazy that these little tiny 
nuances, can completely mess up.

1043
00:55:19,400 --> 00:55:22,200
A something that worked really 
well in the past. 

1044
00:55:22,200 --> 00:55:25,300
So, yeah, I'm always debating, 
do I go take another lesson? 

1045
00:55:25,300 --> 00:55:28,000
But I do my best to try to stay 
away from YouTube because I just

1046
00:55:28,000 --> 00:55:30,300
learned too many different things
that never seemed to work. 

1047
00:55:31,300 --> 00:55:33,200
A lot of Ting ideas, Jim. 
What about you? 

1048
00:55:33,200 --> 00:55:36,100
But your golf game? 
Well, a lot of what Kurt was 

1049
00:55:36,100 --> 00:55:41,800
saying was resonating with me. 
But I think I to Thoughts with 

1050
00:55:41,800 --> 00:55:45,000
everything was one Topgolf. 
I've really enjoyed. 

1051
00:55:45,000 --> 00:55:48,500
I think that's a fantastic time.
And you're drinking beer, while 

1052
00:55:48,500 --> 00:55:51,800
you're golfing to me. 
Is just that's the way to do it.

1053
00:55:52,000 --> 00:55:55,900
The second thing, just talking 
about a Augusta National and 

1054
00:55:56,400 --> 00:55:59,500
professional golf in general, 
made me think back to the mass 

1055
00:55:59,500 --> 00:56:03,200
of humanity following Tiger 
Woods as Went from hole to hole 

1056
00:56:03,400 --> 00:56:06,200
and whatever you think of Tiger 
Woods, right? 

1057
00:56:06,700 --> 00:56:10,800
The guy was the best golfer that
I ever saw play. 

1058
00:56:10,900 --> 00:56:16,000
I mean, you know, the way he 
could perform in the clutch was 

1059
00:56:16,000 --> 00:56:22,000
just unbelievable, and I think 
that takes a special rare 

1060
00:56:22,000 --> 00:56:25,500
individual who can have all the 
pressure in the world. 

1061
00:56:25,500 --> 00:56:29,700
To you have to perform right now
and to be able to do it almost 

1062
00:56:29,700 --> 00:56:35,400
like podcasting. 
Almost almost yeah well I feel 

1063
00:56:35,400 --> 00:56:37,900
I'm working with the Tiger Woods
of podcasting here with the two 

1064
00:56:37,900 --> 00:56:40,400
of yous. Flattery will get you 
everywhere. 

1065
00:56:40,400 --> 00:56:42,700
So thank you very much and I 
think that's like actually an 

1066
00:56:42,700 --> 00:56:46,200
excellent spot where you can 
leave it for this week before we

1067
00:56:46,200 --> 00:56:48,900
go, any final thoughts, 
Kurt, for folks who are listening

1068
00:56:48,900 --> 00:56:51,600
out there and you know, they're 
they're interested in 

1069
00:56:51,600 --> 00:56:54,300
passwordless, you know, what are 
some key takeaways that they 

1070
00:56:54,308 --> 00:56:55,700
should take away from this 
conversation. 

1071
00:56:55,900 --> 00:56:59,200
Yeah, I think really looking at 
it from the notion as we were 

1072
00:56:59,200 --> 00:57:02,300
talking about before, passwordless 
versus password-dash-less. 

1073
00:57:02,300 --> 00:57:05,700
Let's get the herd immunity. 
Let's truly look to eliminate 

1074
00:57:05,700 --> 00:57:09,000
these and frustrate the phishing 
thrush. 

1075
00:57:09,000 --> 00:57:11,000
Frustrate the credential 
stuffing. 

1076
00:57:11,000 --> 00:57:13,700
Attackers by really eliminating 
that threat. 

1077
00:57:13,700 --> 00:57:16,800
But, yeah, I'm a big believer in
the, in the notion of zero 

1078
00:57:16,800 --> 00:57:19,800
trust, we need to know the 
identity, the device, the 

1079
00:57:19,800 --> 00:57:21,300
network, the location, the 
behavior. 

1080
00:57:21,300 --> 00:57:24,000
But let's pull two of those 
identity and device together 

1081
00:57:24,000 --> 00:57:26,400
bring those signals at the point
of authentication. 

1082
00:57:26,400 --> 00:57:29,600
And then the rest of the risk 
signals we can look at from a 

1083
00:57:29,600 --> 00:57:31,700
true behavioral analytics to 
kind of assess 

1084
00:57:31,900 --> 00:57:33,300
risk. 
I think we're moving in the 

1085
00:57:33,300 --> 00:57:36,200
right direction and the bottom 
line: authentication 

1086
00:57:36,200 --> 00:57:38,900
no longer can be the bouncer 
letting you in or keeping you 

1087
00:57:38,900 --> 00:57:41,000
out. 
It needs to be continuous and 

1088
00:57:41,000 --> 00:57:44,400
taking a look at these signals 
on an ongoing basis is the only 

1089
00:57:44,400 --> 00:57:47,500
way of really truly reducing 
the risk of their, it's okay to 

1090
00:57:47,500 --> 00:57:50,200
get smarter and passwordless is
a way to get smarter. 

1091
00:57:50,200 --> 00:57:52,900
So, good thoughts there. Jim, 
how about yourself for this 

1092
00:57:52,900 --> 00:57:55,800
week? 
I mean, it's it's what I talked 

1093
00:57:55,800 --> 00:58:01,000
about earlier with the companies
being compromised credentials 

1094
00:58:01,000 --> 00:58:07,800
being sold for $1000. 
It just shows you the mass of 

1095
00:58:07,900 --> 00:58:10,400
the massive scale of which is 
being done. 

1096
00:58:10,600 --> 00:58:13,700
Password has to die. 
It's the only way that these 

1097
00:58:13,700 --> 00:58:18,500
credentials are being sold for 
$1000, is that it's the simple 

1098
00:58:18,500 --> 00:58:23,700
seamless off of people who've 
reusing passwords or using. 

1099
00:58:24,000 --> 00:58:27,300
Common passwords. 
He's got a it's just an 

1100
00:58:27,300 --> 00:58:29,900
insufficient control for your 
organization. 

1101
00:58:29,900 --> 00:58:34,600
So, multi-factor authentication 
is step one, getting rid of the

1102
00:58:34,600 --> 00:58:37,800
password is step two, and if you 
can go right to step two, all the 

1103
00:58:37,808 --> 00:58:41,900
better for you. Multi-factor: 
one of those doesn't have to be 

1104
00:58:41,900 --> 00:58:45,800
a password, so let's like get 
away from thinking that it has 

1105
00:58:45,800 --> 00:58:48,400
to be password 
plus something better, let's get

1106
00:58:48,400 --> 00:58:49,400
the password out of the 
equation. 

1107
00:58:49,400 --> 00:58:51,800
You can still hit multi-factor 
but you don't need a password to

1108
00:58:51,808 --> 00:58:53,300
be one of them. 
That's a great point, right? 

1109
00:58:53,300 --> 00:58:56,100
Password is not part of the 
MFA definition. 

1110
00:58:56,600 --> 00:58:59,000
It's just something. 
So that's a good one to go. 

1111
00:58:59,600 --> 00:59:01,800
That's a good way to end on. 
So why don't we go ahead and 

1112
00:59:01,800 --> 00:59:03,900
leave it there. 
If you'd like to learn more 

1113
00:59:03,900 --> 00:59:06,600
about Beyond Identity, you can 
find them on the web at 

1114
00:59:06,600 --> 00:59:09,000
beyondidentity.com. 
If you want to learn more about 

1115
00:59:09,000 --> 00:59:12,900
us on the podcast itself, visit 
our spanky new website that's 

1116
00:59:12,900 --> 00:59:15,800
been redesigned and updated with
all of our fancy new logos 

1117
00:59:16,100 --> 00:59:18,900
identityatthecenter.com and 
you can also hit us up on 

1118
00:59:18,900 --> 00:59:22,100
Twitter @IDACPodcast. 
I'll have some links

1119
00:59:22,100 --> 00:59:25,600
to all of our LinkedIn 
in the show notes as well as a 

1120
00:59:25,607 --> 00:59:29,100
link to that article in Dark 
Reading that Jim had mentioned 

1121
00:59:29,100 --> 00:59:34,600
about how cheap relatively $1000
for compromised company to get 

1122
00:59:34,600 --> 00:59:37,100
their passwords. 
Please do not use that for a bad

1123
00:59:37,100 --> 00:59:42,600
things. A thousand dollars in 
Bitcoin is like you know .000 

1124
00:59:42,600 --> 00:59:46,900
three-point now and it just 
changed again and it just 

1125
00:59:46,900 --> 00:59:49,700
changed again and stop trying to
follow it. 

1126
00:59:50,600 --> 00:59:52,100
All right we're gonna go and 
leave it. 

1127
00:59:52,100 --> 00:59:53,500
Appreciate everyone's time this 
week. 

1128
00:59:53,500 --> 00:59:54,600
Thanks 
so much for joining us. 

1129
00:59:54,600 --> 00:59:58,100
Kurt. Jim, thanks, as always. 
And for folks are listening, 

1130
00:59:58,100 --> 01:00:01,800
thanks for listening, please 
like, subscribe, rate, share, 

1131
01:00:01,800 --> 01:00:04,200
whatever it is, share it with a 
friend share with an enemy don't

1132
01:00:04,200 --> 01:00:07,400
care as long as it gets shared, 
get out there with our folks and

1133
01:00:07,900 --> 01:00:09,600
we'll talk with everyone in the 
next one. 

1134
01:00:13,800 --> 01:00:16,700
Thanks for listening to the 
identity at the center podcast. 

1135
01:00:16,800 --> 01:00:19,100
If you like what you heard, 
don't forget to subscribe and 

1136
01:00:19,100 --> 01:00:21,900
visit us on the web at 
identityatthecenter.com.

