Passwordless Authentication and MFA

Episode 305

11/10/2022


On this week’s State of Identity podcast, host Cameron D’Ambrosi sits down with Saif Malik, Co-Founder at Keyri. This duo discusses the biggest barriers for consumers that are a driving force for the fundamental shift away from the current authentication paradigms.

Host:

Cameron D'Ambrosi, Senior Principal at Liminal

Guest:

Saif Malik, Co-Founder at Keyri

Cameron D’Ambrosi [00:00:03] Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week we have Saif Malik, co-founder of Keyri. Saif, welcome so much.

Saif Malik [00:00:14] Cameron, it’s always great talking to you, and thanks for having me today.

Cameron D’Ambrosi [00:00:17] It is my pleasure. We had the pleasure of catching up yesterday and maybe spent a bit too much time rabbit-holing on everything but, you know, Keyri and digital identity; we were into headphones and drum kits, microphones, all sorts of fun stuff, and maybe we’ll get to dabble a little bit in that today. But before we do that, you know, would you mind giving us just a quick hit as to your background?

Saif Malik [00:00:44] Sure, Cameron. Happy to. You know, we’ve been in conversations for a while, but just a quick background. I come from a heavy academic background in electrical engineering and applied mathematics. Actually had my first startup in high school coming into college. And then at Penn, you know, I focused on software and hardware work quite a bit: you know, worked on this nanotech project which had a biotech application, worked on building a telescope for measuring background radiation, which was a NASA-funded project too. That was kind of fun, but ultimately also built a home automation device protocol using the Zigbee wireless communication, which was popular at that time, using your PalmPilot to control home automation stuff. And this is pre-Nest and pre-iPhone days, so it was kind of exciting. But I soon realized that the creativity and product development stuff was there, but not much knowledge on business and how to build strong, scalable companies. So I moved into investment banking for a bit of time, and that’s where my love for cybersecurity came about and I went deeper into it.

Cameron D’Ambrosi [00:01:56] I love it, and I guess that’s a perfect time to transition into, you know, Keyri and the platform and what you’re building there. I think it sells you a little bit short to say it’s purely about authentication to some degree. There are so many different ways to skin a cat when it comes to authentication. You know, what have you built with Keyri, and what is the unique differentiator that, you know, is setting you apart from the countless other auth platforms out there today?

Saif Malik [00:02:24] Yeah, that’s a great question, Cameron. Before I touch on that, I also want to just kind of highlight the evolution of coming into identity security. I think I was lucky to be at a place advising security companies where, when you work with high-growth businesses or early-stage companies, you really have to go very deep into product and tech and kind of figure out what is it the tech is really solving, what’s the evolution of the landscape. And, you know, as an example, I was doing API security four years ago, way before all the investment dollars were flowing into that space. And when I moved to identity security, you know, we saw a few things that were broken. A lot of stuff was heavy on data reliance, looking at offline identity data attributes in different silos, kind of trying to come together to help fight identity fraud. But at the same time, you know, account fraud was still happening. And the users simply didn’t have a good way of doing MFA. It was either too cumbersome or people would choose not to do it at all. This is a great time when I met my co-founders, Grant and Zane, and both obviously have their own journeys coming into identity security. But Zane in particular was the victim of a password breach. Back in the day, he lost his bitcoin, which would have been significant value today, and he had been separately building a communication protocol based on cryptographic keys. So all the stars aligned and the three of us came together to start Keyri. And really the idea was, look, let’s make a better MFA solution that was not just secure, but extremely easy and user-friendly and could be deployed in a consumer environment. Then we looked at the landscape. We saw a bunch of companies that were extremely easy to use, so for example username and password providers, or on the other end of the spectrum you had YubiKey, which were extremely secure but not a consumer-grade solution. And the idea was to kind of merge those two concepts, really not balance them out, but kind of merge them to provide the best and the easiest-to-use solution for MFA. And you know, you’ve talked about passwordless authentication. A lot of people claim to do passwordless auth, but it’s not necessarily the same. Neither is all MFA the same. But I think the real way to do it is really to use cryptographic keys, which kind of take you away from this concept of a shared secret, a shared secret being a password or an OTP. And as we’ve seen with the recent data breaches and security hacks that have happened, it’s always the OTP being compromised, right? Either from an SMS or an email channel, or if it’s an authenticator app; all of those other types can be easily compromised or gained access to. Same thing happens with push notifications. Lapsus$ has become really popular, hacking into video, talked to Microsoft recently, over abusing the push notification concept. So when you talk about a real phishing-resistant, proper passwordless MFA, I think the only real way of doing it is to use cryptographic keys. You have your private key on your hardware, the phone’s hardware security module, which cannot be tampered with or extracted. And on the other end is the auth server of the company that you’re logging into, which controls the public key. And so those two keys, kind of think of them as a lock and key: when they come together, you can decrypt a package and really authenticate a user. So I think that at the very core of it is the distinct principle behind Keyri.

Cameron D’Ambrosi [00:05:55] So, you know, the use of QR codes in the Keyri solution I think is inherently fascinating for a number of reasons. I think the first of which is this QR code renaissance to some degree that I think we’re seeing in the U.S. market in particular. You know, I look back to the launch of Apple Pay, and then, I don’t know if you remember this, but there was the MCX coalition, spearheaded by Walmart, that had kind of rejected support for Apple Pay because they didn’t want to pay the additional basis points. And they tried to roll out their rival solution called CurrentC that was based on using QR codes for the connectivity between the user’s device and the point-of-sale system as opposed to RFID. And at the time, I think a lot of people kind of, you know, laughed at them saying, you’re using QR codes? This isn’t, you know, new technology. People aren’t going to use it. You know, this is old hat. Of late, we’ve really seen a resurgence in QR codes, certainly, you know, in markets like China, where the QR code is kind of the most ubiquitous form of digital payment connectivity, but also in the U.S., both in terms of kind of advertising, experiential things, as well as other platforms that are really realizing, you know, everybody now has a smartphone with a camera in it. The QR code is inherently, you know, secure and, more critically, kind of cross-platform in terms of compatibility, which really makes it kind of the ideal solution for deploying, you know, a cross-channel MFA solution. How did you come about, you know, deciding to go the QR code route to kind of anchor the platform on?

Saif Malik [00:07:40] I love that question and the preamble, Cameron; you stole some of my own words, and I think you hinted on it. Quite a few key factors: in China, like you said, it’s very liquid, a lot of people use them for payments. In Singapore, for example, the government introduced Singpass, which is a government-controlled ID. If you go to the website, you’ll see this beautiful QR code that you can scan to log in. And we had folks like Binance and WhatsApp that were early adopters of QR for integration. And I think generally, just looking at your pack, because QR codes are so ubiquitous, people are quite familiar with them. You can scan them with your camera app. You don’t have to go digging around into a native scanner. Just put up your phone and scan it. It’s very user-friendly. It’s kind of like the evolution of that has been trickling back into the West from the East. We’ve seen companies in the Middle East be very excited about QR code usage, especially when it comes to auth. Same thing in Europe and in North America. We’ve seen companies like Discord, for example, implement QR codes, Citibank as well. So there are lots of positive tailwinds directing the use of QR codes. And with the pandemic, like you said, you know, people are comfortable scanning QR codes and they’re getting quite used to it, and it just made sense to use that as a centerpiece for us to communicate between two devices. The fact that you can use your camera phone, like I said, just makes it a very, very simple user experience. You just put up your phone to the QR code that you see on your desktop, and then that QR code, basically on our side, is really just establishing a connection between the desktop, which has a session ID on a QR code, and the phone that scans it. That’s the only role that the QR code plays.

So if you’re thinking about security, the real action happens on the SDK when it kicks in and is able to then utilize the private key that sits on that phone, and also the biometrics of the user, to really sign an auth payload and then send it back to the server in a secure, encrypted communication channel. So this worry people have that QR codes are insecure, I guess, is somewhat valid. I don’t want to completely discount people’s fears. QR codes in the physical realm can be a lot more dangerous. You should be aware of the context in which you’re scanning that QR code, and if you’re sitting in a restaurant and your QR code takes you to a place where you enter a credit card, that should raise alarm bells. The QR code should be showing you a menu. Similarly, in a desktop environment or a web application, if you scan a QR code for the purposes of logging in, you should know where the QR code is taking you and for what purpose. And in that scenario, normally when you scan a QR code with a native scanner, you see the URL, or if it’s doing deep linking, it will show you the name of the application. Those two things cannot be spoofed, so you do have some comfort as to where the QR code would take you. And in our unique case, because of the architecture, the way we’ve built it, our SDK only kicks in when the QR code is linked to the valid URL that has already been predetermined and established and has the right connectivity with the banking application on your phone.

Cameron D’Ambrosi [00:10:49] So what are the biggest barriers you see on the consumer side to driving, you know, familiarity and comfort with a fundamental shift away from the current authentication paradigms? You know, we at Liminal have really called out consumer education as a critical, critical piece of, you know, this passwordless journey that we’re all on together. You know, what role do you see vendors playing? What role do you see the platforms playing? And then maybe, I guess you could say, standards bodies kind of being the third leg of that stool. You know, whose responsibility is it to kind of drive adoption of these platforms and the underlying education that’s going to be necessary to get folks, you know, not just engaging with these types of solutions, but really enjoying the experience?

Saif Malik [00:11:42] Yeah, I think it’s all three of them, right? The vendors, the industry experts, the standard-creating bodies that are pushing the evolution here into this posture, this world that we’re going into. I think the good thing is that users are quite aware that username and password are extremely cumbersome. Either you forget a password, or you have to use complicated characters to create one, or you have to deal with messy OTPs, and if you’re traveling internationally, your SMS is not working. Everybody has felt the pain of using a username and password, and with all the data breaches that have happened quite aggressively in the last 5 to 6 years, or even more than that, people have seen their credentials get compromised and they’re out there. So they can’t really trust the passwords they use, and the reuse of passwords, to really protect them when it comes to account security. And more so, especially in a banking context, right, where money is involved, consumers are a lot more thoughtful about how they think about security. You know, people want MFA. Now, banks in the U.S. didn’t provide MFA before. In Europe, it was different because of PSD2; we had programs in place, but in North America it’s picking up quite a bit. And cybersecurity being such a, sort of, topic that’s in your face, with a lot of activity happening, both from all the new companies that are developing products and also with all the data breaches happening, there’s a lot of education that’s guiding people to think about better solutions. From there, when you talk about passwordless, I think it’s up to the standards and up to the vendors to really educate the users and the companies that we’re selling into, to then be able to write a message to the consumer that this is how you would interact with the system, this is the reason why you’re doing so: it’s much more secure, we’re all about your account security, and that has multiple benefits. And the user thinks that, yes, this company cares about me and is actually guiding me towards a better solution. And that hopefully increases adoption for that consumer, for that fintech or financial application, and it has a virtuous cycle to it. So the more education helps, the more trust the consumer feels along with it.

Cameron D’Ambrosi [00:13:56] What is next for, you know, our industry as a whole? I would love to hear your thoughts on where we’re going and how we’re going to continue to see, hopefully, convergence of platforms around a more unified approach to digital identity. You know, I think we’re seeing point solutions become platforms more broadly. Do you think that’s going to be the case with the authentication space as well? Or, you know, how do you see the rest of this kind of market space playing out?

Saif Malik [00:14:29] Absolutely, Cameron. And I think about four or five years ago, perhaps we were on separate roads, but were collectively focusing on identity. I remember you guys were called One World Identity at that time, and I was also doing a lot of work in the identity landscape, trying to see where the consolidation would happen. And there were so many silos, right? You had these offline data aggregators to identity verification players. There’s a whole separate set of folks doing authentication, and then a whole bunch of companies doing fraud prevention and detection, user and entity behavior analytics. There was so much going on, and none of them were really solving the problem as such, especially by implementing security by design. Everyone was all about, let’s collect a lot of data, let’s monitor it for anomalies and aberrations so we can provide better security. But I think since then, the industry itself has kind of come together quite nicely, with some elements of verification, KYC and auth coming together; on authentication itself, disparate systems and different ways of authenticating kind of coming together, and that also then connecting with IAM solutions that provide the identity database and management to offer better authentication solutions for their end consumers. So it’s almost like the whole journey, the customer journey from start to finish, from account onboarding to verifying your offline identity, to then authenticating and then managing the risk for high-value transactions and whatever subsequent events there may be where identity assertion is needed, that entire journey needs to kind of be looked at together. And in my mind, I’m a big believer that more consolidation will happen around verification, authentication and fraud prevention, and all of these to be done through better technology, better MFA that is embedded within applications rather than just a heavy focus on data collection.

Cameron D’Ambrosi [00:16:20] You know, anything else you wanted to hit on in terms of, I guess, the broader trends in the market space? I think we’re at such a fascinating inflection point in terms of so many kind of competing forces buffeting both users and platforms, whether that’s enhanced data privacy regulation, you know, the rollout of FIDO2 and the continued push towards passwordless, as well as, you know, on the user side, increased user expectations for the amount of security that platforms deliver. As well as, you know, I think user experience expectations have never been higher. Apple and other platforms, I think, are continually raising the bar in terms of just what consumers expect out of world-class workflows and onboarding experiences. And that’s dragging that floor up as well as raising the ceiling, kind of proverbially. So are these trends that you expect to continue, and where do you really see a lot of the growth in the space coming from in terms of the demand side?

Saif Malik [00:17:28] Yeah, that’s a great point, Cameron. Actually, when we talk to potential fintech customers, one of the biggest pain points is on account onboarding, because they have to deal with cumbersome password creation, secret questions, or any other friction that you add in the user’s experience to log into your platform, which will inevitably drag the consumer away. And when you look at the fintech vertical itself, there’s been so much competition that has come about in the last five, six years, everyone trying to be an all-encompassing financial services provider through their application. When you’re dealing with that, and you’re operating in that competitive environment, I think it’s important for you to think about giving your consumers the best possible solution from the very start of their customer journey, which really begins with login. And we’ve seen that be one of the driving forces for a lot of the forward-thinking fintechs to adopt better passwordless MFA solutions. I mentioned Binance earlier on; similar to that, a couple of other crypto exchanges that we’re working with are also thinking about how do we best grab customers’ attention by giving them the best user experience, and also making sure they feel comfortable with the system, that they are secure and have the best solution in place for their account security integrity. So that’s been a good driving force for us. Obviously, we know cost is an issue for companies that are trying to solve for, you know, password reset, call center costs. That’s also driving things. And from a company side, I think collectively right now, like you said, it’s a complicated space where there are quite a lot of passwordless solutions out there. But I think there’s a lot of noise in the market, too. I firmly believe that, you know, you have to think about a phishing-resistant and a safe solution, not just any passwordless solution.

And when it comes to phishing resistance, things that are being sort of put forward by FIDO, or using the cryptographic key concept, those will be the dominant factors. And, you know, consumers always use their cell phones to log into everything; that’s already core to their identity. And just leveraging your phone, leveraging your biometrics on your phone, just makes a lot of sense to provide the best experience to consumers. So I think that’s the consolidation and the combined view that I see happening around authentication. I think now that you have these cryptographic keys and hardened devices and proper device lineage, where you can have these audit trails of when folks logged into environments, that also lends itself to providing better fraud protection. Account takeovers, obviously, because of the use of these private keys and biometrics. But on account opening fraud, too, there’s a lot of stuff that happens around promotion abuse, people creating multiple fake accounts, and then they can build their credit history or abuse debit cards and whatnot and then disappear. I think if you had proper control over the devices that are logging into your systems and creating accounts, you can limit those account opening situations. You can also limit account sharing situations. You can also monitor what’s an emulator, what’s not an emulator. So there’s a lot of security benefit that comes through having a better authentication architecture in the backend, which is again tied to a trusted device such as a cell phone. So I think some of those concepts will continue to kind of come together, and so you have a platform offering all of these benefits with better technology and security by design.

Cameron D’Ambrosi [00:20:54] Couldn’t have said it better myself. So, shameless plug opportunity: for folks who are listening and are inherently intrigued, you know, by the value proposition that Keyri is offering, or just want to get in touch with you to, you know, chat or buy Keyri, what’s the best place for them to go?

Saif Malik [00:21:12] Yeah, that’s great. I mean, more than happy to do that plug. We’ve been very diligently and hard at work building our self-serve platform. We really believe that your authentication should be leveraged everywhere. We don’t want to make a cumbersome solution that takes, you know, weeks and months to onboard. So we worked really hard to develop a developer-friendly solution where you can just go access our dashboard. I would encourage folks to check out dot com, and through the dashboard you can access our API keys, you can access all the detailed documentation, and that will help you get up and running as quickly as possible. And one thing I would mention here is that, you know, part of that process to make integration easy is having robust documentation, which you’ll see on our website. But we also make sure we have documentation in place for integrating with existing IAM solutions that people might be familiar with, like Supabase, Firebase, Cognito, Auth0, Ping Identity, ForgeRock. So we want to be able to enable you to use that existing tech stack that you have for managing your identity databases, but then be able to plug in our QR auth on top of it. So hopefully we’ve made your lives easier, but if you have any questions, please reach out to me by email. My address is easily available on LinkedIn, or you can go to our website and just ping us. We’re very actively monitoring that and working closely with a lot of developers to really take in their product feedback and continue enhancing the features and the integrations that we have in place to make our solution a lot more easily adoptable across the board.

Cameron D’Ambrosi [00:22:50] I love it. Well, thank you so much for your time. I greatly, greatly appreciate it. And, you know, looking forward to following up with you on, you know, your continued success and growth.

Saif Malik [00:23:00] Yeah, absolutely. Thank you so much for taking the time. I hope people obsess about the customer journey and security as much as we do at Keyri, which is why we’ve dedicated ourselves to building this auth product driven by QR codes today. But there’s more in the works: app logins using platform biometrics, when using rip offs. And so a couple of key things we have in mind to offer the best customer journey possible. So if you ever want to talk about it or want to discuss security, we’re always available and we’d be happy to continue conversations.

Cameron D’Ambrosi [00:23:32] Amazing. Thank you again. And for folks looking to find those URLs, look for them in the show notes below.
