On this week’s State of Identity podcast, host Cameron D’Ambrosi sits down with Aaron Goldsmid, VP of Product for Twilio Communications Platform. They discuss verified identity as a primitive of the internet and the digital “anti-fragile identity” becoming better than in real life.
Cameron D'Ambrosi, Senior Principal at Liminal
Aaron Goldsmid, Vice President of Product at Twilio
Cameron D’Ambrosi [00:00:03] Welcome, everyone, to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Aaron Goldsmid, vice president of product for Twilio communications platform. Aaron, welcome to State of Identity.
Aaron Goldsmid [00:00:14] Thanks for having me. Excited to be here.
Cameron D’Ambrosi [00:00:17] So much to talk about. And, you know, I think Twilio sits at the intersectionality of so many trends that we ourselves at Liminal have been calling out in the digital identity space. But before we get into that, you have, let’s call it multiple decades of leadership experience, you know, kind of sitting between those layers of the consumer Internet, fintech, cybersecurity. You worked at some pretty cool orgs previously. Would you mind giving us just a quick stroll down memory lane in terms of, as I like to call it, you know, those on-ramps to digital identity? Like, where did digital identity kind of first start bubbling up for you in terms of interest at a career level?
Aaron Goldsmid [00:01:04] Sure. So I kind of describe my career in sort of three acts. The first was some pretty hard security stuff. I was doing cryptography out of college, was doing some, you know, government-level encryption stuff, anti-piracy, helping to make it hard to cheat on Xbox games. But really some hardcore security stuff in sort of the depth of the operating systems at Microsoft. I would say act two was really more in sort of the consumer space. Big consumer growth companies. So product leadership at Audible, which is Amazon’s second large subsidiary. I looked after the Facebook Messenger team for a while at Facebook, all of their games business and then the growth team at Twitter. And then the third act really in sort of the fintech space. So a marketplace lender, two marketplaces, one called Prosper, which is online lending, and then the other Kiva, where I would say the fruition of the identity bug really took hold, where while I was there, we launched something called Kiva Protocol, which was a blockchain-based self-sovereign identity system, which was the national digital identity for Sierra Leone.
Cameron D’Ambrosi [00:02:22] That’s amazing. And, you know, I think in many ways it’s pretty easy to draw that plot of those points on your career trajectory and see that it’s kind of making an arrow in many ways that is pointing squarely at digital identity. And, you know, I think speaks to the growth and adoption of kind of digital identity focus by platforms. You know, in many ways when I talk about digital identity, I talk about, you know, in my career trajectory, having worked in digital identity for the bulk of my career, just nobody called it digital identity. We were doing things that now we would consider to be squarely in the purview of identity. And at the time, I think it was broken out a bit more granularly, maybe with a bit more myopia. So that brings us to the present day. You know, you’re leading this team at Twilio, which I think for many of our listeners might, you know, they might be gravitating in their mental picture towards some of those pure play, you know, communications platform as a service capabilities which I think positions Twilio quite interestingly in the digital identity space because of, you know, the touchpoints that you have with the consumer and what that means when it comes to being able to provide, you know, really best in class digital identity data. So maybe before we get truly into the weeds, I would love to hear, you know, what’s in your purview when it comes to, you know, the Twilio platform and your approach to digital identity.
Aaron Goldsmid [00:03:56] Sure. Absolutely. So I look after product for our communications platform, which includes the sort of flagship program messaging product, as well as sort of all of our advanced communications and OTA channels. And specifically, I think most relevant here, what we call trusted activation, which is the OTP, the one-time password, two-factor auth verification. I think that’s why we describe it as if you ask my son what I do for a living, it’s that I send people six-digit codes. I text people six-digit codes all day, which is, you know, a significant portion of the traffic that goes through Twilio system, which is we are doing a lion’s share of the world’s phone verification, which gives us, I think, an inherent insight and right to play in this space. And then most recently, we did an acquisition earlier this year, which we’re very excited about. That kind of helps to marry the identity data that lives within carrier networks that is sort of authoritative, entrusted with being able to sort of enrich the data that we see in terms of our OTP business.
Cameron D’Ambrosi [00:05:16] Yeah. And I think again, talking about, you know, this market landscape and the intersectionality of trends with this moment in time where we’re thinking so much about how we transition away from the password moving towards, you know, FIDO2, device-bound passkeys. You know, I talk often these days when we’re giving color to participants, asking, you know, what does all this mean and where are we headed? I think a couple of things. The first is the move to device-based authentication really puts a lot of pressure on getting it right the first time. You know, you are giving this device the proverbial keys to the castle and making sure that, you know, I think this is Aaron and I think this is his device becomes even more important when that device is now serving as his authenticator. And then I think the second piece is, you know, when we start thinking about account recovery and those mechanisms that, you know, might be edge cases, you know, most people, when you move to passwordless, I think you’re going to have a pretty great out-of-the-box experience and are not going to go around, you know, losing their phone, smashing their phone, having their phone stolen every day. But I think a big piece of why FIDO2 is so exciting is it allowed for recovery mechanisms, aside from write down this 16-digit, you know, recovery passphrase or seed or have a second backup device configured at all times to use as a failsafe. These types of mobile identity and mobile intelligence signals I think are going to be mission critical for both making sure that initial binding happens as well as that account recovery process is as robust as possible. You know, how are you thinking about these challenges from the Twilio perspective?
And I wanted to unpack more of, you know, I think this innate advantage that CPaaS platforms like Twilio have, which is this, you know, almost crowdsourced data from all of those other touch points, even unrelated to something like a passwordless onboarding session, the way you can kind of get this flywheel spinning because of these touch points that you have with consumers, maybe even outside of the OTP context.
Aaron Goldsmid [00:07:39] 100%. So first, I think that in the context of the FIDO thing, like it is the authentication mechanism that we all wanted, right, is inherently building on the sort of biometrics in the device. It’s seamless. And we think of this as sort of this historical kind of zero sum game between conversion or user experience and security or assurance or risk, depending on which language you like to use. And the great thing about the FIDO experience is it does both. I like it just easier. However, it presupposes, it doesn’t prove. It just is. This the person that originally signed up for this service or originally authenticated The token is all a test tube. It doesn’t say if that person is who they said they were. And so if you take that one step back, you’re trying to figure out what is the root of identity. Right. You go one step back. It’s the two. It’s the two. Right. But that even that is incomplete. And we’re looking at sort of saying, how can we attach this back? So you’re no longer verifying the device, you’re verifying the human attached to the device. Right. Which is I mean, to be fair, my phone and I are pretty much inseparable at this point. Like, I know there are very few places I don’t have it. And if I don’t have it, I know pretty quickly. And so it is a good proxy in that way. But things like using carrier billing records as that, using in the eurozone where they’re looking for national digital identities, being able to sort of triangulate those gold standard rates of trust to the phone, the phone to the human, right, and then over time. You know, this is where we start talking about the sort of antifragile patterns, as in every time a human is seen across our network, that identity becomes more robust. Unlike the case where I get my password renewed every ten years, or I hand someone a driver’s license in a bar. You know, it could be a sibling.
It can be someone who looks like me, you know. And these are sort of where we are seeing this human behave as a normal human. Who said that? Who we did prove against that gold standard multiple times across their lifespan frequently. And so, you know, in terms of the root of trust, it is just fundamentally stronger. And then in terms of that experience, it is done in such a way, and by using authoritative data, it doesn’t break the wonderful sort of consumer experience that comes with a, you know, biometric auth. Right? It isn’t the take a selfie of your driver’s license and then yourself. Now, in terms of, you know, sort of the like, how do we handle the edge cases? This is, I think, absolutely critical, right? There are ways to sort of essentially walk back that root of trust to something where we can re-verify it. Right. Can we re-verify the device? Can we re-verify a second device? Can we re-verify the phone number? We prove that the phone number hasn’t been swapped. Can we make sure you know all of these things are true? And we have the technology to do that in a way that is almost zero touch to the consumer. So you’re not generating the support cost. You’re not losing that transaction. They’re not, you know, life isn’t getting in the way. And you know, that’s pretty critical because, you know, I mean, I can’t tell you how many businesses when I was running growth teams that I would sort of say like, oh, you want to you can find 15 to 20% conversion increase by just fixing your forgotten password flow, because there, you know, people life gets in the way. And so, you know, we see this really coming together where, I mean, ideally it’s like your digital identity becomes a primitive of the Internet and frankly, even better than your in real life identity.
Cameron D’Ambrosi [00:11:44] Yeah. And, you know, I think that’s the paradox in some ways of this intersectionality between the Internet and identity. You know, it’s a common trope, you know, in digital identity circles, talking about the lack of an identity layer as the original sin of the Internet. But then on the other hand, we’ve had obviously maybe even a more robust identity layer than we have in real life. It was just pseudonymous, right? You, by definition, this construct of username and password was a critical piece because you have to, to use a platform. You need an account. That account was authenticated against username and password. In many ways we knew, you know, who was coming into the platform. You had this pretty robust method of authenticating folks. The challenge was maybe the user experience wasn’t great. And then where the wheels came off, so to speak, was we didn’t really have a robust mechanism of making those identities kind of portable across the different sites and silos that data lived in. And those ties between your in real life identity and your kind of digital avatars were fundamentally fragile or nonexistent and lacked, you know, good methods of tying those together. You know, I’d love to say we’ve solved all of that. I think what’s been going on with certain identity stacks at the peak of the public consciousness right now may be underscoring that we still haven’t really come up with the ideal solutions for this. Or maybe, you know, certain executives who lead certain companies may just not wish to listen to those around them who could point them in the right direction. But that’s, you know, a whole different story for a different day. Where do you see this heading in terms of how can we forge, I really like that term, an antifragile identity online and maybe mitigate some of the challenges we have with real life physical identity use cases with some of this technology.
Aaron Goldsmid [00:13:56] So I think there’s a few things. I think one is we need to fundamentally acknowledge that consumer identity and sort of enterprise identity are very different things, right? A company knows who you are, right? They have assigned you an account which you have created user and password. That root of trust is essentially during your employee onboarding. But in the consumer space, it’s when you sign up for an app, right? You sign up for a new service. You’re just putting you’re filling out a registration form. That registration form could be perfectly valid. It also could be full of garbage. Um, I think we’re learning online identity impersonation on certain things at the blue checkmark, hard problems like really fundamentally hard problems. And we can see how quickly that can devalue a social experience, a commerce experience, a marketplace, anything that’s regulated financial services, health, education, etc. And so, you know, the thing is, is that remembering there’s sort of a you know, I was an anecdote from my nonprofit days is that we were having to verify a borrower in a, um, a rural village that had no connectivity. And there was something really kind of nifty that folks would do is they bring this individual out and they’d sort of ask the sort of community around them on the count of three state this human’s name, and on the count of three that they all said the same name. It was like. Was it guaranteed? Was it? Was it sort of like a secure root of trust? No. But like, for most purposes, it was actually quite good. And so taking something like that, which is if you appear to be the same person across many, many, many consumer touchpoints. The chance of that being who you are. Because, I mean. I mean. Sure. Now, now the bot or the troll or the fake identity becomes essentially the domain of like a Jason Bourne-esque backstop. Right.
Like, you need to have a lot of, you know, effort in there, especially when you start tying it into, you know, who pays for the cell phone bill or, you know, does this tax to a you know, you know, does it match up to what a bank has about you or any of the financial institutions or credit report or stuff like that? When you put all these things together, what happens is that, you know, essentially you create a bifurcated system where known good users get the trusted traveler TSA PreCheck Global Entry experience. Just go straight through, no friction, nothing else. And for those folks where that’s not true, doesn’t mean they’re excluded from these experiences. It just means they have a little bit more friction on the thing. But what it allows for, which is really great in this moment of time, it’s not only just talking about infinitely secure or higher assurance concepts of identity, but you’re also talking about consumer experiences that convert at much higher rates that are much more delightful. And in that you’re, you know, especially in a mode where, you know, many of these companies who are trying to solve these problems, the consumer states are simultaneously working to a double bottom line, which is they want to make sure their platform is safe and secure, but at the same time, they need to grow responsibly. And, you know, the economics of growing a user base has changed dramatically over the last 6 to 12 months. And so being able to do that without, you know, oh, too many bad folks are getting in, add more friction. We’re not converting it enough. Pull out the security stuff. You know, getting that to the point where it’s just net better. And you know, I really do see, you know, folks like Twilio because of where we sit as the nexus, as a sort of of communications, and we get to see a lot of touch points and, you know.
Also the sort of, you know, natural sort of one foot in the carrier operator land and one foot in sort of the consumer Internet land. Like, we’re in a great position, not just to translate technologies. I mean, we just brought something to market. We want that our signal converts called Silent Network Auth, which is a painless SMS or painless OTP that uses the same thing that you do when you turn off airplane mode and re-authenticate to a network. You know, this is all this is new. This is amazing. It’s actually been in the standards for a while. But there was a disconnect in terms of being able to translate the technology that existed in the telephony stack to the consumer Internet. You do that. You look at the fact of where we sit as an access point. I think we’re really excited about how we can in very privacy-safe ways essentially try and build that identity layer as a primitive for the Internet, which I can only imagine if you think about what HBC did for e-commerce and the commercial Internet, what this could do for the next generation, I think it unlocks the next ten years of growth.
Cameron D’Ambrosi [00:18:57] I couldn’t agree with you more. And I think people, I mean, maybe discount is harsh and maybe it will maybe even sounds harsher if I just call it ignorance. But the degree to which people now, I think have airbrushed out of their mind, the fact that putting your credit card number into the Internet was once seen as like a controversial and, you know, risky thing, right? Like now it’s just absolute second nature that when a site says, hey, give me your credit card and billing information, you dump it in or, you know, maybe you’re using a PayPal or maybe using an Apple Pay. It’s second nature. And most folks, I don’t think, hesitate. That was absolutely not the case. And I’m hopeful that we can kind of see a similar trajectory on the identity front, both in terms of the ubiquity of identity across applications on the Internet, as well as being able to, you know, build up and, you know, grasping for the right analogy, but kind of, you know, build up that level of trust with the average consumer that doing a form of identity verification, hopefully and, you know, maybe a privacy-preserving way is something that is thought of as second nature and that we’re empowered with the tools to put identity into play across applications. Now, where I think most people innately understand that it would be of benefit. And right now, the barriers, to your point, I think are coming from the growth side of the business, which is saying, whoa, whoa, whoa. Like, we know that our platform could benefit from this, but at what cost? Like, are we going to, you know, absolutely snuff our growth rate by looking to kind of tighten the loop around, you know, imposters and fraudsters or just unverified identities coming through our platform?
Aaron Goldsmid [00:20:47] And I think there’s a third axis to the right. So there’s the consumer saying I think this is good but is it. You know, or a company saying we’re in the trust. There’s also one around the friction. It’s like, how much cognitive dissonance does it create, right? The first time you used a face ID, you’re like, okay, this is just cool. Right. You were very comfortable with it. You know, I think to your point, once you became comfortable with putting your identity, your credit card information in, it’s just like, you know, autocomplete, all of these things. Once you remove cognitive dissonance, it also impacts the sort of change curve for consumer behavior. And so one of the things and that’s sort of one of our primary principles is like, let us do all the work. So the consumer doesn’t have to bother with it. Still, they’re still very cognizant of what’s going on. Still privacy preserving. But like, it’s just easier. Right. You know, it’s one of those the first time you use an NFC payment or such payment, right. Like I was in London recently, you know, hitting my phone against the tube. You’re just like, this is just net better. Like creating lowering that friction. And I do think what really becomes great is like what becomes the Internet when privacy is a real identity on social networks, material, the safety or you know, of a rideshare app or vacation rental when you know the person is really the person they say they are. You know, we’re just scratching the surface of, you know, your ability to do online banking. Right. Like this is just what. Where and the dozens of new experiences in scenarios that we haven’t even conceived of yet that great entrepreneurs are going to come from. If something like this exists and is easy.
Cameron D’Ambrosi [00:22:48] Right. I mean, I think that ease is so, so critical. And we glossed over this a little bit. But, you know, I think the deployment of these new silent auth capabilities and the ability to deploy them at scale, I think is really going to open some doors, although I think in some ways as OTP, it’s kind of become the new punching bag as far as like comparisons of passwords, you know, when is this finally going to die? And it creates all these vulnerabilities and liabilities. I think some of that is overblown. And I think now, especially with the ability to do things like checking for SIM swaps and the power of, you know, that network effect that we talked about, it is possible to deploy SMS OTP in a responsible way that mitigates a bunch of the risks. And I think, you know, the device manufacturers with SMS OTP autofill have in some ways made the user experience quite delightful. You know, like I don’t know when I log into Razzi for example, that’s still their primary authentication mechanism. Even when I log in to the website to make a reservation, they just immediately send you an SMS OTP and log you in. And I think it works quite great. But I think that, you know, the capability for that to be done in a silent fashion really unlocks a lot of potential and speaks to the role that I think, you know, platforms like Twilio can continue to play to some degree. You know, you talked a lot about, you know, being at this nexus, I think to use what I consider the buzzword of 2022 to be orchestration. You know, you guys are sitting on top of all these tremendous signals and in many ways can serve as that orchestration layer that helps a platform decide, you know, what path do we want to take to get an identity lock on this person? What signals can we pull in?
What do we have, what do we need and help them in an intelligent way, decide, you know, what is the best path to getting us to the level of assurance that we need and not go past that? You know, you can always add on assurance, but in many cases, I think people view right now their current options as kind of do nothing or do a full identity verification. And I don’t think that necessarily has to be the calculus. I think it is much more shades of gray as opposed to black and white. And there’s going to be net benefit in terms of adoption of even a low level of identity for many of these platforms that I think have been hesitant thus far. Again, going back to these, you know, growth focused reasons, they think, well, this is really going to put a damper on my monthly active users and therefore I can’t afford to do it. And I hope that we can kind of break through there.
Aaron Goldsmid [00:25:33] By remaining in violent agreement, as we do in these chats. You know, one thing I also want to point out is there’s also the friction on the part of the merchant or the app. Right. So, you know, really implementing four or five different identity schemes and doing segmentation and sort of having those gradations that we’re just talking about. That’s a lot of work to build, right? That orchestration is a very expensive endeavor. And so I think the reason we see, so it’s like it’s easy and it’s ubiquitous and I can move on to the next thing as a developer in one of these companies. And really the FAANG companies or whatever the current acronym for them is. They are in only companies with that level of certification and that level of resourcing can really do the sort of the segmentation and do all the sort of complex things that create those better experiences and create the higher assurance. And we see that as sort of where we can provide a lot of democratization, which is, you know, our solutions are already omnichannel. They are getting much smarter. You go to one API and you get five or six different versions of this. That number is going to get better, right? So you can do it over WhatsApp or you can do it over so network also you can do it over a so you can do it over phone and so on and so forth. But at the end of the day is, you know, I think in this to, you know, Stripe or Braintree or like no one will ever write another credit card entry form ever again. Like, that problem has been solved and solved well. And so, you know, the mom and pop or the garage startup now has equal footing with an Amazon in terms of that experience. We want to do that for the identity stack and for the verification stack. And I think, you know, I think we’re well positioned and I think we can be of service to a lot of folks to do that.
Cameron D’Ambrosi [00:27:27] So, you know, what’s next? You know, you guys have just made this exciting acquisition. I think you’re rolling out a bunch of interesting new capabilities to the platform and think you have a perspective that gives you a pretty good look at, you know, what we can maybe prognosticate is coming down the pike in terms of trends from the buyer side. So maybe a bit of an open ended question, but like what are you getting the most excited about with regard to the future of the digital identity space, whether that’s technology trends, what buyers are looking for, what you guys have in store for us over at Twilio in terms of the product roadmap?
Aaron Goldsmid [00:28:05] Sure. I think the two things that I am most excited by. So like one is this sort of identity as a primitive, the Internet thing, right? Like being able to create real identity the same way you can create a connection. I think that’s incredibly powerful. I dance a little bit of a longer, longer thing there, but there are some products we have that are in pilots and betas right now that speak to that right now. So it’s like, you know, a match where it’s like you fill the registration form. We use zero-knowledge proof to compare that to the carrier billing record, first name, last name or separate. So if it’s a partner or a family member, you can solve for those things. That’s a long. We’re going to lock in a lot of value for our customers and their consumers along the way. But that’s a long con. Right. That’s a five or ten or 15 year project to really get the ubiquity of identity layer for the Internet. I think the other thing is, is a little bit to the point I just made, which is we want to make this technology accessible to every developer, to every builder, to every merchant. Make it easy. Make it so that it is as frictionless for the person who has to write the code or build the system as it is for the person who is consuming it, the end consumer. And through that democratization, we think that will materially accelerate the overall assurance of the Internet and help people grow more responsibly. Like to call trusted activation like activate users, make, you know, not just your cost of acquisition and your cost of acquisition for a real human that’s not a bot and, you know, has a real LTV. And so being able to take all of these technologies and package them up so that you still remain control of the experience and sort of, you know, have had the sort of ability to kind of be precise about what you want to use, but it’s easy to implement where it is, just as easy as building an SMS OTP, which right now is an API call.
Cameron D’Ambrosi [00:30:20] I love it. So we are unfortunately at time here. My producer is about to kick in the door and give me the old vaudeville hook, but I like to leave room for what I call the shameless plug moment. For our listeners who are getting excited about all of the possibilities that they see for the deployment of Twilio’s digital identity offerings in their product stack, what’s the best place for them to go to engage, reach out to you, reach out to your team, learn more about the platform?
Aaron Goldsmid [00:30:49] Yeah, sure. It’s lots of exciting things. It’s, I think it’s twilio.com slash trusted activation and that’s where and yeah.
Cameron D’Ambrosi [00:30:56] You heard it here, folks: twilio.com slash trusted activation. We’ll go ahead and drop that in the show notes below as well if you don’t feel like typing all of that out. Aaron, always a pleasure. Sometimes it can be fun to argue with people. I think sometimes it’s even more fun to just be on the same wavelength as someone. I think this was definitely the case for this conversation. You’re always welcome back and looking forward to catching up with you again soon.
Aaron Goldsmid [00:31:25] Thanks so much for having me. It was a real joy.