Creating a unified cross-enterprise authentication layer

Episode 330

State of Identity Podcast

5/19/23


Secfense Chief Technology Officer, Marcin Szary, joins host Cameron D’Ambrosi to explore the current authentication landscape. They discuss why FIDO Alliance has been a truly transformative moment for the death of the password, how Secfense sets itself apart in a crowded and competitive landscape, and Marcin’s predictions for the future.

Host:

Cameron D'Ambrosi, Senior Principal at Liminal

Guest:

Marcin Szary, Chief Technology Officer


Cameron D’Ambrosi [00:00:16] Welcome everyone to the State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Marcin Szary, Chief Technology Officer at Secfense. Marcin, thank you so much for joining us. And I apologize in advance for butchering the pronunciation of your name now.

Marcin Szary [00:00:30] Hello, everyone. Cameron, thanks for having me on the show. Thank you. Don’t worry about the mispronunciation. I don’t mind.

Cameron D’Ambrosi [00:00:38] Fantastic. Well, thank you for humoring me and for making time this afternoon. I have been excited about this conversation. You know, identity. There’s an intersectionality of digital identity. And cybersecurity remains one of the most dynamic areas of the digital identity market landscape. And certainly in 2023, even as we’ve seen that capital markets cool off a little bit, one area, in particular, continues to draw intense investor interest, and that is cybersecurity, you know, specifically platforms that can help wrap around this notion of, you know, access identity across the full breadth of their perimeter. So this is a relevant conversation. And the markets have shown us that even as things are retrenching a little bit, the demand for better solutions in this authentication space, in the cybersecurity space, our demand is so, so high—so a relevant conversation and so excited to have you.

Marcin Szary [00:01:48] Yeah, I’m glad to have the conversation too.

Cameron D’Ambrosi [00:01:51] So in short, from a 15,000-foot level, for someone who is not familiar with the Secfense platform, what’s your elevator pitch? How do you explain what you do in a brief way?

Marcin Szary [00:02:02] Well, we help large organizations, like non-pure-tech companies from the regulated space, like banking, insurance, government agencies, with a very heterogeneous IT environment. We help them create a unified, strong authentication layer on top of their entire infrastructure, which is a pain it meets. It will save them a lot of money and manpower. And so that’s what we do with our tech.

Cameron D’Ambrosi [00:02:34] So, you know, I think this is an area that is of intense interest to both me personally and professionally, as well as I think the broader digital identity community right now, which is, you know, where are we in terms of getting rid of passwords? It’s been this almost ongoing joke, like the death of the password, the death of the password, the death of the password. It’s still alive. We’ve pumped many, many bullets into its body and it’s still getting up and walking across the room and trying to bite us in the face. You know, if you had to put a progress point, a measure of like, how far have we come and maybe how far do we have left to go when it comes to getting all organizations globally away from relying on a single authentication factor that is a shared secret. What would you say the current state is and how do you feel about our progress so far?

Marcin Szary [00:03:32] The death of passwords was prophesied so many times that it’s like a joke when anyone brings it up in the conversation that, okay, this time it will happen. And I do remember, like 20 years ago, that Bill Gates said, almost 20 years ago, Bill Gates said the passwords are dead. But yeah, obviously, we still live and breathe them all day long. I mean, all the time. But, iPhone, this time it actually may work. In the end, it’s because things this time were done differently. And here I’m talking about the FIDO Alliance and the open specification and why, I mean, the difference in the approach may help us get rid of the passwords completely. Hopefully I’m right and I won’t be, just five years from now, another guy who was claiming that, okay, this time it will work. But I mean, yeah, it may work for many reasons. And so maybe I’ll just, of course, FIDO was discussed with your prominent guests before me, but I think we can just bring up what FIDO is, right, this transformative force, maybe in a few words. What is FIDO? So eventually all the big tech and non-tech guys have decided to create this open standard for strong authentication. And so with the help of Google, Apple, Microsoft, and Visa, Mastercard, and all the other big guys, they’ve contributed to the specification, to the technology readiness, etc. So at the end of the day, we have this ready for the masses: cryptography, like real strong authentication for the masses. That’s to sum it up, and hopefully it will stay with us for long and will eradicate passwords eventually.

Cameron D’Ambrosi [00:05:36] And, when you said, this time we think we’ve got it right and that this might actually be what successfully transitions us away from the password. You alluded to the FIDO layer and open standards and getting all the big tech players on board. Do you think from a consumer perspective that consumers are in a different place when it comes to adopting these technologies? Or has it always been about ubiquity and getting a coherent mass of companies, putting passwordless options in front of consumers in order to get kind of this wave to break? Where do you think the critical piece that’s going to drive widespread adoption is stemming from?

Marcin Szary [00:06:22] You know, the critical thing has already happened. And I mean, I don’t want to sound, but using a password, but passkeys seemed to be the step that was needed for the mass consumer adoption, and learning more about passkeys. So FIDO standards were built around this crypto-based identity that you would create online, but they usually required either a physical key, a dedicated physical key, that may be problematic when you lose it, or you have at least two, etc. But you also could have used your local biometrics in your phone to create virtual identities online. But again, if your phone has died, you’d have a problem. Passkeys have introduced this intermediary layer. You could create secure identities on your phone, then they migrate to your computer, etc. So it completely removes the friction. And this is the problem that most consumers may have in mind when thinking about transitioning to passwordless. So that’s super important, and anyone in the industry is talking about passkeys, and there is a reason for that. And so yeah, there are other things before that, but passkeys, in my opinion, are like the strongest accent in that path.

Cameron D’Ambrosi [00:07:53] And, that’s a great point around this evolution of authentication in some ways. Right. A password. The fundamental challenge with a password is not, well, there are many problems with passwords, but the fundamental one is it’s not really bound very well to you as an individual. Right. It’s this notion of a shared secret that theoretically only you know. The problem is it ends up getting stored in a bunch of places, which means you’re very clearly not the only one who knows it. When you move to a passkey, we can bring in factors. You know, something you have, right? You’re going to get that FIDO2 passkey maybe stored in the secure enclave of your hardware device, which means you can prove possession of a very specific thing. And then you can layer on, you know, biometrics on that device as well. So now you’re bringing in a something-you-are factor, which is really getting us closer to that end state of actually authenticating the user and not authenticating this piece of abstract knowledge that is the password. How are you at Secfense thinking about this binding of the credential to the individual, you know, across the lifecycle, when you’re both creating the identity as well as when you’re doing account recovery? Because I think in many ways that’s the most interesting part of passkeys to me, is the fact that you kind of have to fundamentally rethink this entire user journey to be, you know, to make sure you’re giving this authenticator to the right person and then can give it back to the right person when they maybe need to come in and reset it after they drop their phone in the toilet or something like that.

Marcin Szary [00:09:31] Yeah, yeah, sure. Shared secrets were always a problem, but actually, it wasn’t the problem only for passwords. If you think about OTP-based MFA, it also is built around shared secrets. You wouldn’t think about it in the same way as you would think with passwords. Passwords are hashed, but in most cases the OTP seeds are stored, in most cases, in plaintext. So that MFA that was supposed to be helping you, in fact, doesn’t solve the true problem of this secret. And as you mentioned, the secret is shared with the application, with the application owners that you create accounts with, and malicious reverse proxies may intercept them, etc. So many, many ways you can lose that shared secret: in your browser by a malicious browser extension, etc. Sharing a secret was never a good idea in the seventies, and it’s not a good idea right now. So on the contrary, FIDO2-based credentials are based on public-key cryptography. So there’s never a secret being revealed to a third party. And that changes everything. FIDO2, beyond security, is also a very privacy-aware technology. So all the identities that you create are in complete isolation. And so if you again, if you bring passwords back, we all suffered from this pain that before, maybe before passwords, yes, we had some password that we liked. And then with the proliferation of applications, people tend to create a variant of the passwords across multiple applications. And we also had email accounts with those passwords bound to specific applications; you could create and you can manage those identities, and you could bind it back again to a single persona. With FIDO2 credentials, the FIDO2 specification was designed in a way that identities can never be bound to a physical person.
So even to give you an example, YubiKeys, or security keys in general, are not allowed to have serial numbers. So your browser, or whatever party talking to your key, is never in a position of revealing the true number of your key. Of course, it may reveal a batch number. So you can create these attestation rules. You can filter out the keys that you want to have in a system. But we will never create a situation where you can actually point to a specific key that generated the identities. So I think that’s super important. Among the... So you bring that... Hmm. You mentioned that the identities, sometimes there are situations where the digital identity should be bound to a physical persona, to a physical, real person. And there is a market for that. We have all these KYC vendors. They can make that chain of trust whenever possible. But in many cases, you don’t have to know, from the perspective of the application owner, you don’t really have to know the real person behind the account that the person is having in your application. So this privacy layer is, I think, super important. That’s, you know, the standard was built with this in mind. That was one of the three pillars: security, privacy, and convenience, three pillars that FIDO2 was built on. And it’s unprecedented. So even if you lose a key, if you lose the phone, no one will actually be able to recreate your identities without, like, unlocking, authenticating. I mean, no, identities are not stored on the device. Period.

Cameron D’Ambrosi [00:14:04] So from a buyer perspective, this is a really interesting time as well, because there are a lot of different options, a lot of choices for deploying FIDO2, right, to your earlier point. The beauty of FIDO2 is that it is based on open standards, fully, you know, interoperable, right, using WebAuthn. How is Secfense really differentiating itself from competing MFA platforms? And how are you, you know, reaching out to buyers? What do you think your edge is in winning business in a crowded authentication landscape?

Marcin Szary [00:14:40] That’s a good question. And this is before actually building the product. We didn’t want to build the product and then try to sell it, try to push it on the market. Instead, we investigated customers from various verticals, but we focused on enterprise, highly regulated markets. I mean, customers from enterprise, customers from highly regulated markets. And it turned out that if you look at such a company, such organizations, if you look at their infrastructure, it’s as if you were looking at the grains. When you cut the roots, you could see the entire history of the organization. So take a bank, for example. You could see the history of mergers and acquisitions in that infrastructure. And what I mean by that is there is enormous heterogeneity in certain markets and certain types of customers. So we are not the best fit for everyone. We solve the problems of customers of a certain size and complexity. So if you look at that infrastructure, and there is a regulation that you have to meet, either an external regulation or new regulations, to gain more credibility with your customers, or you want, you’re aware enough as a CISO that you want to introduce strong authentication across the board without leaving any application out, it’s actually becoming a challenge because of such heterogeneity: the differences in the tech stack, the multiple identity sources. So all this complexity, sometimes we look at our customers’ infrastructure and it looks like a Tetris game, and you have to maneuver with these blocks to create this good strategy of implementing MFA. So of course, there are identity providers that can fit that federated identity. There are solutions that would give you toolboxes so that you can use their SDK or API. But in many cases, we found that there is a part of the organization, in almost every customer that we target from this segment, where there are hundreds of applications left unprotected.
They were designed for a password-based schema and they cannot be touched because they cannot be tracked. Or if you want to integrate, if you want to change them, that would take a lot of money, manpower, and resources in general. So if there is this upcoming regulation that you have to meet, sometimes it may take years to fulfill those requirements. So in that case, instead of looking at the differences in the apps, we introduce this intermediary layer on top of the entire infrastructure. We come with zero knowledge, so we don’t have any pre-built modules for applications. We assume that we need to learn about your apps, your tech stack. We assume that we do not, we are not connecting to your identity providers. We decouple identity from all that, from authentication enhancements. What we can do is, once we become this man in the middle with the white hat, and we can see all your traffic that is flowing through it, through your apps, back and forth between your users, your workforce, and your apps, we can understand those applications just by observing the traffic or by injecting our JavaScript engine into the apps. Once we understand the context, we can learn those apps and we can create the custom-tailored layer that would protect that app without affecting the app itself. So that changes the game of integration. We save sometimes millions of dollars. There’s a post-mortem analysis after our deployment, and sometimes it’s a matter of millions of dollars in savings compared to a traditional deployment, when you would engage specialists from security, application, networking, etc. There’s this shortage of people everywhere, and they have a lot of stuff to do. They don’t want to add extra stuff on their shoulders. So that’s where we bring the most value.

Cameron D’Ambrosi [00:19:18] When I speak with buyers about passwordless, I think the most interesting thing to me is, more than any technology I’ve certainly ever talked about in the enterprise setting, there is true unanimity of opinion, almost to a man or woman. Everybody says, I 100% need passwordless technology. I’m definitely going to deploy it. But then when you ask them, well, so you’re deploying it right now? They say, well, you know, maybe, or, you know, maybe it’s going to be in the next 1 to 3 years. What do you think those biggest barriers are, like, what are the humps that buyers are still needing to get over when it comes to finally taking this leap? You know, is it just budget? Is it just time? Is it because we’re heading into a potential economic downturn and folks are battening down the hatches? Like what? What is going to get us over the line? We’ve talked a lot about this death of the password, how maybe we’re going to finally get it done. What do you think is going to be the straw that breaks the proverbial password camel’s back here?

Marcin Szary [00:20:17] Hmm. That’s a good observation. I might be biased. I look at those customers’ problems from the perspective of Secfense. And I try to get the broader view. So given that we have all the building blocks in place. That’s right. If you want to build an application right now, there should be no excuse for not bringing passwordless. Every mobile device is supporting it natively. Windows Hello can support it, can become this bridge to FIDO. No extra. So everything is in play. Your browser supports that. So from the consumer perspective, everything is in place. If you build the application, you can use WebAuthn to enrich your application with a passwordless authentication ceremony. But so this should be fine if you build your application from scratch and you’re responsible for a single application, let’s say, like all the tech giants, they should already have passwordless. In my opinion, they should. There should be no reason for not having passwordless. But for some reason, they still use, like, YouTube. If only so we can add an extra layer of authentication. But they don’t go fully passwordless yet. Maybe it’s still too early. For some reason, they did some risk analysis. I don’t know. But if you look at the enterprise, and again I said I might be a little biased, there is this complexity I’ve mentioned. And so you can have an identity provider from either Microsoft or Okta or other big players, and they can become your source of truth for identities. And if you have applications that can be easily federated via SAML, OIDC, whatever federation standard you would use, there should be no friction for that, for the deployments, and especially if you consume a lot of SaaS applications. Most of these SaaS-facing enterprises, they should have these federation standards built in. So you can create this single sign-on strategy where your single source of truth is the only place that you should be upgrading to passwordless.
But it turns out that’s the ideal world. Like, it’s the illusion of... we don’t live in the ideal world. Organizations are not built like lots of musicians are not like this. And so even if you have partially migrated to the passwordless world, you would have these hundreds of apps still difficult to upgrade, for those reasons I brought up previously and many others, I guess. But it’s really, I think it should be, the passwordless transition should be happening right now. I mean, I think a lot of teams in enterprise and non-enterprise customers are already doing this. And we are just in this transitioning space. And so I think if we had this conversation maybe two, three months from now, maybe we would be discussing it differently. Maybe more and more passwordless-first applications would be more present, and especially after FIDO2 is present and available for customers. And to give you an example, recently there was huge news that this division of ANZ Bank has implemented U2F as a way of authentication. So they’ve advertised that as FIDO-based authentication. So people initially thought that that’s going to be like a passwordless authentication based on FIDO. But then it turns out that it’s U2F, like an extra layer for authentication. So not fully passwordless. And the problem is that people have realized that it’s not a solution for banking systems. They still cannot authorize the transaction because they would not know the context. Right. So you can authenticate, but then it doesn’t really make sense. You want to authorize a transaction of sending, like, X amount of dollars to another account. U2F right now does not give you a context. Even if you use phones. There are some hacks, you can actually hack the UI to bring the context. But it’s not built in yet. And I think that might be a critical thing.
So if it was already available, like this authentication path, if it was available on any phones, then banks would have this incentive to transition to FIDO. And because they would save a lot of money for sending, like, SMS passwords, one-time passwords to authorize transactions. There are millions of dollars in SMS codes being sent every month. So that could be the force that could change habits at the global scale. And then people, first of all, they might think, okay, if the bank is using it, if I can use it to not only authenticate to the banking system, but then I can authorize the transaction. You know, I got used to the ceremony. Maybe that’s the way I could authenticate and then authorize critical transactions in any application, etc. So maybe, I’m just guessing.

Cameron D’Ambrosi [00:26:13] I love it. Hey, you know, these are the kind of insights that our listeners want to hear. One is prognostications from those close to the source, if you will. So, you know, let’s keep our prognostication hat on. I’m fond of asking folks to make predictions for the future of the space in general. We’ve talked a little bit about a lot of forward-looking things, but more broadly speaking, what are you excited to see over the course of the next year in the digital identity space, in the authentication space? Any other predictions that you would like to share with our audience soon?

Marcin Szary [00:26:55] I don’t know for sure, but I have a gut feeling that AI would do some stuff without integration, and then you could. So again, I might miss a bit in the authentication space. It will likely disrupt any other spaces, and the issue should not be the exception. Right now, we can see the rise of phishing, like perfectly pitched phishing email campaigns with a greater conversion rate compared to those written by people. So that’s one thing. And maybe that’s another force that would push us towards real MFA, unphishable solutions. And I mean, when I’m talking about phishing, I mean phishing aimed at stealing credentials. Not the ones that are supposed to convince you to install some malware. But the most popular kind of phishing is the one that would try to steal your credentials, either by leading, by guiding you to some malicious page, or to guide you through the even more dangerous, through a malicious reverse proxy. So all non-FIDO MFA solutions will be defeated. And so this is probably something that is already affecting the authentication world in a good way. Right now we see more victims due to the phishing campaigns. But again, it might drive this adoption of real MFA authentication. Beyond that. Hmm. Yeah. I hope FIDO2 will stay for good with us. It’s not like a wave that will fade. But this is something that will transform the way we authenticate. And wearables would play more significant roles. I don’t know. I’m not a prophet. So I’m really excited about the future, though. But I don’t know what else I could add to that.

Cameron D’Ambrosi [00:29:46] I think that’s fantastic, and I think you’re completely spot on with regard to I think we’ve opened Pandora’s box, so to speak, and we’re not really sure what’s going to leap out. So exciting developments there. And we’ll see what happens. To bring it to a close, for folks who are listening, who want to learn more about Secfense, want to reach out to you and the team to deploy Secfense or learn more about it, what is the best place for them to go?

Marcin Szary [00:30:19] You can visit us on Secfense.com, that’s fence with an ‘S’ at the end, and we will happily provide a demo. We can do a PoC deployment. They are suited for enterprise customers. They don’t engage too much. It’s like a super easy process, and that’s the best way. If you go to Secfense.com, there is a contact form, you can reach out to us from there.

Cameron D’Ambrosi [00:30:48] Amazing. Well, Marcin, thank you so much for your time. Greatly, greatly appreciated. Fantastic insights. And again, this is one of the most exciting areas of the digital identity landscape right now. So always great to have a true expert to share their thoughts with us.

Marcin Szary [00:31:05] Thank you, Cameron. This was a pleasure. Thank you very much.

Cameron D’Ambrosi [00:31:08] All right. Speak with you soon.
