Beyond MFA: A Game of Cat and Mouse

Episode 258

State of Identity Podcast


What do we really mean when we say to go “beyond” multi-factor authentication (MFA)? You can switch up or even add authentication factors, and it’s still a never-ending game of cat and mouse. Find out this and more on this week’s State of Identity podcast. Host Cameron D’Ambrosi is joined by Joe Burton, Chief Executive Officer at TeleSign, to discuss why 2FA is still relevant and sometimes presented as an easier option for some companies, and why MFA remains so critical to today’s security landscape.


Cameron D'Ambrosi, Managing Director at Liminal


Joe Burton, Chief Executive Officer at TeleSign


Cameron [00:00:04] Welcome to State of Identity, I’m your host, Cameron D’Ambrosi. Joining me this week is Joe Burton, Chief Executive Officer at TeleSign. Joe, welcome to the podcast.


Joe [00:00:13] Thanks, Cameron, and it’s great to be here.


Cameron [00:00:16] I’ve known the team at TeleSign for a while now. Fantastic company and really excited to have you on. Would love to dive into what you are building at TeleSign, some of your visions for this future of digital identity and the role that you hope to play in it. But before that, I do always love to ask my guests a little bit about their personal background, how they came to be in the leadership positions that they hold, and some of that journey into the digital identity space. So if you don’t mind me asking, I would love to hear, you know, a little bit about how you came to be chief executive officer at TeleSign?


Joe [00:00:54] Well, thanks, Cameron. Happy to talk a little bit about it. I always joke that I got here mostly by accident. I came upon the engineering side as a programmer, first in C, C++ and onwards. I was with a startup in Seattle in the late 90s, building unified communications systems before it was even called that, that got acquired by Cisco Systems, the huge networking company. Spent quite a bit of time helping them build out their industry-leading unified communications products as their chief technology officer. Left, went to another company as chief product officer, CEO, and then public company CEO. During that time, I acquired about 30 patents, maybe 20 in unified communications and 10 in the identity space. So after taking a little time off, when I got to know TeleSign it just seemed like a great fit.


Cameron [00:02:09] Fantastic. And yeah, I mean, this communications layer and its intersectionality with digital identity in many ways, I think, is a great entry point, if you will, into TeleSign’s role in the digital identity space. For those listeners who might not be familiar with the company, TeleSign, would you mind sharing just a quick 15,000-foot overview of the platform? And then I think we can dive into some of the nuances that I’m excited to go deeper with you.


Joe [00:02:39] Yeah, absolutely. You know, I was saying our mission is actually to foster online trust to connect, protect and defend online platforms and experiences with their actual consumers, with people like you and me. We do this using sophisticated digital identity and programmable communication solutions to make sure that from the time you, as an end-user, want to establish a relationship with an enterprise software platform or an online software platform, we’ve got you covered. So from account onboarding to every time you sign on to the app or the website, to every time you want to securely communicate, at any time you want to exchange something of value online and you want to make sure that it is secure and there’s no fraud involved. And yet it’s simple and easy to use, and TeleSign’s there making sure that interaction is terrific. So to your point, Cameron, that’s really why TeleSign’s background in both communications and digital identity plays such a crucial role in making sure all of those experiences are simple, easy, and secure.


Cameron [00:04:04] You know, this communications layer, I think, is such a critical piece of the puzzle when it comes to digital identity, because in many ways, you know, our cell phones, our smart devices, are digital proxies of ourselves. They go where we go. If you lose your device, you know about it fairly quickly. If someone takes your device, steals it from you, you know about it very quickly, typically. So, you know, the velocity, I like to say, coming out of this channel in terms of how quickly you can recognize, you know, that a number has been compromised, that a device has been compromised or been stolen is quite high. And further, you can be passive in many ways, and the amount of friction that you can put in front of the user is lower than, for example, making them go to their wallet or scan their driver’s license, things of that nature. But obviously, there’s an entire spectrum of ways in which you can support that interface between this telco layer, these digital devices and the broader, you know, identity ecosystem. Multi-factor authentication, obviously, you know, a core offering that you are putting out into the market, and SMS OTP, you guys were one of the pioneers in that space. Can you talk a little bit about your views on multi-factor authentication, why it’s becoming so important in today’s landscape? And, you know, is it still relevant, for lack of a better word?


Joe [00:05:37] You know, it’s a great question. Security’s always evolving. So I, you know, I go back in time and think about in the beginning when we as a security industry told people that to be safe, they needed to create a password. Then we told them it was a very long password that they needed. Then we made people add security questions so we could ask them knowledge-based questions. What’s your mother’s maiden name? Then it was turn on 2FA. That’s kind of where two-factor authentication, that’s where TeleSign really entered the industry as a pioneer, as you just mentioned. Now we as an industry are telling people to turn on biometrics. And if I had to guess, it’ll probably be something blockchain-related next. So, unfortunately, this kind of reduces the industry to a game of adding a factor that makes it harder for someone to breach an account, but then they find a way around that factor. So you change factors or you add more factors, and it’s a never-ending game of cat and mouse. The reality is, and this is really, really key for TeleSign, no factor is infallible, and stacking many factors on top of each other might be safer, but it’s frustrating for users when they get challenged for several pieces of information, and it’s still not foolproof. The whole point of authentication is to create mutual trust between a user and a company, trust that goes both ways. So we strongly believe that a better way to build and maintain trust is for companies to start adopting a continuous evaluation of digital signals to assess the risk at any given moment and only challenge users for more information when enough has changed in their digital identity footprint that trust is suddenly suspect or it’s no longer there.


Cameron [00:07:49] When we think of SMS OTP, I think it’s a technology that in some ways has been unfairly maligned. In other ways, I think some of the deployments that we have seen have been rightly criticized by bodies like NIST as potentially vulnerable and should be deprecated. But in other ways, it’s, you know, it’s kind of the zombie that refuses to die. I know people have been proclaiming the death of SMS OTP for going on five, six years now, and yet volumes remain, if not flat, continuing to grow. What do you see the role of SMS OTP playing in the future? Do you think we will eventually be moving away from it, or do we think it can still play a complementary role to some of these newer technologies that are emerging in the space?


Joe [00:08:38] You know, our take on that is very much, once again, there are many, many, many factors and signals that we need to look at as we’re understanding somebody’s security posture as part of continuous trust. When we decide to challenge somebody, you know, when I talk about it, I talk about factors as things we monitor. Challenge is when we actually go to the user and we ask them for something: we ask them for a password, their mother’s maiden name, we do an SMS OTP, ask them to put their face in front of the camera. Those are actual challenges. So I’m pretty confident that there’s not going to be a global one-size-fits-all winning factor. If you’re doing continuous trust correctly with your customers, when you need to periodically challenge them for authentication, you need to do it in a way that is right for the customer and for the circumstance. So the right factor in the right challenge is going to depend on a lot of things. What technology are they using? What’s the infrastructure in the location where they’re based? What’s your relationship with them, etc. So in reality, face recognition or device biometrics might be great in a country that has fast, abundant, reliable 3G or 4G or 5G and has consolidated around a couple of mobile platforms, you know, maybe Android and Apple. But if you have a global customer base with countries that have sparse, expensive data and maybe a variety of different mobile platforms, then SMS OTP, quality SMS OTP that’s looking at a lot of factors like TeleSign does, remains a really important tool for years and years and years to come. So it’s the mix of factors that’s going to continue to change as the world changes. But there’s no one way of authenticating or challenging users that will be the right one in every interaction. And I think SMS OTP from trusted, quality vendors is going to be a key part of the puzzle for a long time into the future.


Cameron [00:11:20] Yeah, I couldn’t agree with you more. And I like that notion of layering, and look, even if you don’t necessarily want to push, you know, a user who’s logging into your platform on a recurring basis an SMS OTP challenge every time they hit the platform, there are very few tools that are as effective as SMS OTP at proving that linkage between a user and control of a mobile number, and also as a way of rate-limiting, for example, the spin-ups of new accounts to protect against bot activity. You know, can these types of hacks happen where, you know, someone spins up a bunch of fake numbers to receive text messages and get past these types of challenges? Certainly. But I always like to talk about, you know, our role in protecting organizations from a cybersecurity perspective. It’s not to make a fundamentally impenetrable system; that’s impossible. It is, you know, you need to make the wall high enough to deter the type of threat that you’re facing now. If it’s a nation-state-level threat, that’s obviously, you know, a completely different ball of wax than just your run-of-the-mill script kiddies operating out of their parents’ basement in the Eastern Bloc. So I think SMS OTP definitely has a role, but it’s going to be a piece of that puzzle and not the complete puzzle. It’s not just, you know, the world’s easiest jigsaw with a giant piece the size of a small dog.


Joe [00:12:57] Yeah. You know, I think you’re exactly right, Cameron, and that’s why, you know, at TeleSign today when we talk about a posture of continuous trust, something you said a minute ago really, really resonated with me. You know, as we monitor all of these digital signals that we’re looking at to understand somebody’s trust profile, we’re actually monitoring about 1200 global attributes across millions, pardon me, across billions of phone numbers every month. And we’re still adding to the list all the time. The whole idea here is that most of the time, if your digital I.D., your digital footprint, looks like what it’s supposed to to our risk scoring platform, then we don’t want to bother you with anything. We want to just understand, as you said, as long as the risk is proportional to the activity, as long as we’re really sure that this is Cameron and you’re trying to order food or hail a taxi, we just want to let you through. If we need to challenge you a bit more, this is a situation where we’re looking at 20 200 attributes and the vast majority of them look good. Then we’ll challenge you with an SMS OTP, get back, obviously, that you typed in the right code from the right phone, on the right network, et cetera, et cetera, et cetera. And that becomes another factor with all those other attributes, which is very, very, very safe. I think using SMS OTP naked without all those other factors, I can agree with some of the criticisms, but certainly the way we’re doing it, we feel like it is a great universal challenge that works literally anywhere in the world.


Cameron [00:15:07] Yeah, you brought a few things together that I think are top of mind for a lot of folks. The first one being this notion of networked intelligence, right? I think we’re seeing leading platforms across the space really embrace this notion of, you know, sharing signals and bringing the intelligence that they have on their platform to bear in coalition with an entire network of folks. You know, you’re seeing it, whether it’s Sift, whether it’s Socure, whether it’s TeleSign; countless other platforms are really taking this very collaborative approach, which I think is fantastic because, to your point, if you’re a good user and I’ve seen your device, you know, successfully logging into five or six different accounts in the past few days, that seventh, eighth, ninth interaction, we have a pretty good idea that, like, you’re a trustworthy person. This is not an account takeover attack because all of these signals are jiving together: the geolocation looks good, the device ID looks good, the mobile number is one that we’ve seen before. All these patterns are locking together to send, you know, a green light out into space, saying, This is Cameron. We know him. We trust him. And more critically, for the growth of your customers, we do not have to make his user experience poor. I was signing up for a new account earlier today and just got a whole bunch of friction. I was on a desktop computer, I’m using an email address I use for all of my logins and things, and I was just thinking to myself, You know, I’m really, really annoyed. And if this wasn’t a product that I really wanted to purchase right now, I would have dropped out of this flow without a second thought. And they made me go to my wallet. I just happened to have my wallet sitting on my desk, but if I didn’t, I probably would have closed that tab, abandoned that transaction. Now, would that company realize that I abandoned that transaction because I didn’t have a wallet?
You know, some more unscrupulous vendors that this platform might have been using very well might record that interaction, see me dropping out when I was challenged to provide information for my driver’s license and say, Aha, look at this fraudster who we stopped, you know, put this in their dashboard. We stopped a bad actor from getting into your platform because we asked him for his driver’s license and he couldn’t provide it. That means he was a fraudster, while in reality, it means a lot of people are just annoyed, like they’re busy, their wallet’s in the other room, their kids are hanging off them and they go, Oh, you know, I’ll do this again tomorrow. They forget that’s a lost sale. I think we’re finally seeing organizations shift that posture towards what you’re talking about, which is, you know, saying yes to people as often as possible. How many good customers can I proactively identify using these signals and wave them through my platform and into the transaction, allowing for a successful completion, as opposed to putting up a moat with all sorts of guards and alligators and, you know, spiked bamboo pits that in reality are deterring as many good customers as they are ensnaring bad actors?


Joe [00:18:18] You know, you are so right, Cameron. I experience the same thing that you do, where if it’s too frustrating, I simply won’t do it. I think that is the challenge. And what really gets me out of bed every morning for the industry is that what we need to do is make the experience much more secure than it is in the past and easier. One of my predictions for the near future is that the most digitally secure companies will be the ones where you’ll notice the security the least. And this will happen because they’ve adopted this posture of continuous trust monitoring, continuous monitoring of multi, multi, multi signals, where I really know what you just said: for goodness sakes, it’s Cameron, from the email address he’s used forever, on a computer he’s used forever, on a block of IP addresses that is trustworthy. Nothing has changed in the last three or four days. He’s logged in from this stack numerous times in the past. It’s really a miss that you had the negative, negative experience you had under that situation.


Cameron [00:19:39] So it sounds like we’re in complete and violent agreement there. No chance of fomenting some, some fun conflict. So, you know, in terms of your perspective, and I think you’re in kind of a unique catbird seat here, seeing across industry what the trends are. You know, one of the evolutions that I’ve noted in my time in the industry is this continuing shift outward from, you know, highly regulated industries that were kind of forced to care about some of these identity issues more strongly to all sorts of industries that maybe previously didn’t realize that they needed to adopt kind of a digital identity-centric posture. And now, especially because of COVID, the lack of the ability to execute against in-person channels has really, I think, sort of scared some people straight, for lack of a better word, or to be more blunt. You know, are you seeing this trend on your end, and what types of new customers are you seeing coming into the platform? And have there been any new use cases for, you know, some of these connectivity and security products that you offer that have maybe surprised you in terms of new and innovative things that your customer base is doing with them?


Joe [00:20:54] But, you know, I’ll get to a surprising, innovative thing in just a minute. But, you know, it’s been a fascinating time in the last couple of years across the industry. I mean, COVID and all of the knock-on effects of it, you know, have had such a toll on everybody in the world. One of the things that it’s done, of course, is it has accelerated digital transformation, the moving from physical transactions to digital and increasingly mobile transactions. I think we’ve leapt forward as a global society probably five years in the last 18 months. It’s crazy. I was trying to explain to somebody non-technical in my family what I do the other day, and I had them actually get out their mobile phone and I said, You know, everything you do, from education to entertainment to gaming to paying bills to social networking, etc., literally all the videos on your phone now. I asked them, you know, how the number of apps; in this particular case, they had about five pages of 20 apps each. In other words, 100 applications. So the opportunity for TeleSign, as I was explaining, is behind at least 75 percent of the apps on your phone is some sort of a customer relationship with a website or a company that TeleSign is there to make sure that that relationship is as secure as possible while being as un-annoying as possible by having this continuous trust profile posture going on in the background, every time you touch that icon, every time you log in. We can help score your current security posture and help that vendor decide whether they need to challenge you, ask you for a password, ask you for an SMS one-time password authentication from TeleSign, ask you your mother’s maiden name, et cetera, et cetera. So it’s really exciting that as the world has just massively moved online, the stakes have never been higher. The opportunities have never been higher. And we have the ability to make that both infinitely easier and more secure all at once.
So what are some of the fun, really fun new use cases we’re seeing? Well, first of all, I’m excited that every vendor, pardon me, you know, every company seems to understand the value of their relationship with a customer now. So I don’t have to explain to enterprises anymore. I used to have to explain to somebody that was, I don’t know, you know, a food ordering service where they would go, Gosh, you know, it’s only 20 bucks for the food. Why does it matter? Well, it matters because the lifetime value of your relationship with that customer is still hundreds, if not thousands, of dollars. Losing that customer and having to attract a new one is hugely expensive. And if you let that customer get hacked, they’re leaving and they’re never coming back. Conversely, to your scenario a few minutes ago, Cameron, if you make it too annoying, they’re leaving and they’re never coming back. The sweet spot is to make it simple and secure. And I think the vast majority of customers are understanding that, and they’re turning to TeleSign and others in the industry to make that happen. Fun use case: TeleSign, of course, straddles two industries. We’re talking about digital identity. We are also a leader in secure programmable communications. The way those two industries typically intersected in the past was, number one, OTP. Somebody would decide they wanted to challenge a user. We would do some of our security scoring. Then we would send an SMS or other social texting message out through our communications platform, and the user would type it in, and we’d have an answer. What we’re seeing now is really, really interesting. We have a couple of customers now that want to send out discount codes, invitations, etc. that are very high value, meaning these are worth 50 bucks, one hundred and fifty bucks. And back to your question, is it worth enough to steal? The answer is yes.
So instead of communicating, then authenticating, which is more our typical way of doing things, where we would send out a coupon, a link and offer, and then when the user clicked, we would authenticate them, we’re actually turning the model on its head. We’re doing some of our digital identity and scoring algorithms on these very high-end coupons or offer codes. And if the user scores poorly, then we don’t even send the coupon code or the discount code. So it’s been really interesting watching people stack our various services in different ways to solve different problems.


Cameron [00:27:17] Yeah, I think that’s a really fantastic way of thinking about it. And, you know, this holistic sense of identity, I think, is at the core of that, right? You know, to your point around, for example, sending a high-value coupon to a potential lead, the integration of understanding, OK, what is the value of this lead? What characteristics do they have? Is this a customer I really want? How much of a discount do I potentially want to offer them? And understanding, is this the person who I think it is? These are all different facets of the same coin, if you will, right? Are you who you claim you are, and are those attributes known to be true? And is this the person who we think it is? These should ideally all be handled in the same stack, right? The marketing piece, the cybersecurity piece, the ongoing customer identity and access management piece are all fundamentally identity challenges. And I think for the longest time, we saw those things broken out into distinct silos, both across industries as well as internally within organizations. And I think now we’re seeing, for lack of a better word, the worm begin to turn. Organizations are thinking about this more holistically. And I think you’re seeing tremendous benefits in that regard, because there is value to be had from understanding and thinking about these things in parallel, because there’s tremendous, you know, confluence, where signals picked up in the course of answering one of these questions are really helpful in answering the other questions that you might have, increasing the accuracy of these signals kind of across the full spectrum.


Joe [00:28:58] You know, you’re absolutely right. I mean, throughout my whole career in security and unified communications, you know, I think very deeply about what we all do in the real world, in the physical world, if you will, and there’s cues to be taken there for how we do things in the digital world. You know, we shouldn’t authenticate people in a very, very heavy way every single time we interact with them. Similarly, you know, we shouldn’t just interrupt people and throw coupons at them at the wrong time and whatnot. So, you know, in the physical world, when you’re doing business with people, you know, during the get-to-know-each-other stage, you might present a driver’s license or other form of ID to prove who you are. For setting up a high-risk relationship like a bank account, you might ask for multiple forms of ID, but this is MFA in the physical world. But, you know, you’re not asking for multiple forms of identity every single time you see the bank teller that you’ve known for 20 years. And it’s situational. The bank teller might still ask you after 20 years for your I.D. if you want to make a large withdrawal, but they’re not asking for your I.D. anymore if you want to make a deposit. There’s real cues to be taken there for how these systems should be built in the digital world as well. If we have a long-term relationship of understanding these people, both on the digital identity signal side and on the communication side, we can decide when to challenge, when to trust, the right time of day to communicate without annoying and the right time to leave people alone. So I love the idea of thinking about this much more as an intelligent assessment agent, making very similar decisions to what you and I make in the physical world without even realizing it.


Cameron [00:31:19] So one more question to bring us home here, and I know you had already shared some of these forward-looking thoughts, but I do always have to ask my guests to dust off their crystal ball and share some predictions for the future. Would love to ask you to do that now. You know, what can we expect as we continue looking forward to the future here in the digital identity space? What do you expect to see in 2022 and beyond?


Joe [00:31:44] You know, as you said, we’ve already talked about a couple of them. I already mentioned that I actually believe that the only way to stay ahead of the game, the only way to move faster than the bad actors, is through this posture of continuous trust, continuous monitoring of many, many, many, many factors and only challenging the user, only asking them for additional information, when you have to. So I think the systems that do that are going to be the winners going forward. People always ask me, Well, what about biometrics? What about the smart about that? But there is no one factor that’s going to win. I think the best systems are going to have these many, many, many factors that they’re monitoring simultaneously. I think while communications plays a big role, we’ve got to meet the end user where they want to be. Meaning if they want to interact over SMS, great. If they want to interact directly in applications, we need channels that enable that simply and easily. If they want to interact on social mass messaging platforms like WhatsApp or Viber, we have to be there as well. So I think the winners are the people that keep the customers safe, keep it easy for the customer and are easy to integrate and manage for the enterprise or online platform as well.


Cameron [00:33:30] Joe, thank you so much for your time, really, really appreciate it. One last question for you. For folks listening who want to get in touch with you, get in touch with the TeleSign team to learn more, you know, start consuming some of these fantastic signals that you guys can share with them, what’s the best place for them to go?


Joe [00:33:47] It’s a great question, Cameron. You can always come to TeleSign.com and get in touch with us there. You can find me directly at Joe at TeleSign.com. Happy to take emails from anyone and either answer questions or chat with you directly, or if somebody else in the company is better, I’ll do a nice, warm handoff and get you in touch with the right folks.


Cameron [00:34:16] Fantastic. Thank you again so much. Really, really appreciate it. And looking forward to continuing the conversation. Maybe next year.


Joe [00:34:23] Thanks so much, Cameron. It was a lot of fun. Can’t wait to talk again.
