19. Aaron Painter, Founder and CEO of Nametag, On Redefining Authentication

Hello, everyone, and welcome to another episode of the Security Podcast in Silicon Valley. I'm your host, John McLaughlin. I'm joined today by a very special guest, Aaron Painter, the founder and CEO of Nametag, a new up-and-coming startup right here in the Valley. Aaron, thank you so much for joining.
Thanks, John. I'm really excited to be here. Would you like to share with our listeners just a bit about your background? I spent 14 years of my life at Microsoft.
I started in product management for Office back in the day we called it the system, and it was the incumbent of the individual Word, PowerPoint, and Excel. Probably now think of it as 365. But after a couple of years in the Seattle area, I quickly moved outside the U.S. and spent most of the rest of my career in different international markets.
Several years in France, in the U.K., and even more exciting for me in some ways, a lot of that time was spent in emerging markets, helping to build Microsoft's presence in emerging countries across Africa, Southeast Asia, Central Eastern Europe, etc.
I then spent a couple of years in Brazil running the Windows franchise, and then ultimately five and a half years in China building kind of the enterprise business almost from the ground up. So I loved that incredible experience. I'm a huge Microsoft fan, particularly on the mission and values alignment side of things. I then left.
I wrote a book focused on customer and employee experience and the connection between the two, and then went to run a cloud computing consulting firm called Cloudreach that was based in the U.K. and was at the time AWS's largest professional service partner, first and largest. And we expanded really quite quickly into Azure and GCP, built a managed service practice, some really powerful software assisting cloud migrations, things like that, all before starting Nametag in early 2020.
That's an amazing background. So international, too. Thanks. It'll be part of my life.
Now, if we go back even further, perhaps to your childhood, oftentimes there's things that happen to us, challenges that we face and we overcome. Is there anything that really helped shape who you are today? Yeah, I think one thing that was very formative for me is that as a kid, I moved quite frequently. My parents weren't in the military or something like that, but they were often, hey, let's move here.
They were adventurous and wanted to have new locales. Most of those have been in the U.S., but every few years it felt like we moved to a new city.
And often for me, that meant a new school. And I quickly had to learn how to build trust. I had to kind of build a social network and a life in a new community. But I really reflect a lot on how do I build trust or meaningful relationships with people that would help me enjoy my time there and kind of enjoy my life and my childhood.
And for me, that was really formative because then as I grew into my professional career, as we were talking about, a lot of my life actually was moving to new countries. And I was moving somewhere new, often in a new job, sometimes in the same company, later or not. But I was in that same situation of how do I build trust in a new environment? And while when I was younger and it was, oh, you moved from the South to the North or vice versa, they would think, oh, you're a Yankee or you're a southerner.
And I had those sort of cultural expectations to deal with or manage through. In the professional world, it was sometimes even more challenging because I would move to a country and they would think, oh, you're from the corporate team or, you know, you're a foreigner, which I technically was. And there was this decision of, is he a spy to tell back to the headquarters how we're doing or is he actually here to help and to make a difference and to engage locally in the market? And so I had this recurring pattern from childhood through my professional career of having to land somewhere new and to build trust in a new context.
And I think that was really formative on ultimately what we're doing now with my company, Nametag. Yeah, that sounds very challenging. I'm happy that you had the opportunity, though, to learn that early and bring that valuable experience forward with you through your career. So when you think about trust, what's the, I mean, how do you approach that?
How do you, how would you recommend our listeners think about trust? Yeah, in the in-person world, I often think of trust as forms when you know who someone is. And that often there are different ways to build trust. In my book, I talk a lot about the importance of listening.
And when someone listens with an intent to understand, it shows respect. And typically when you have mutual respect, you have the foundation to build trust. And that serves me a lot. There's a lot of interesting threads there from a management context and a work relationship context.
But I find that concept of trust even harder online or over the phone. And that's where it's incredibly difficult. And in fact, this is what I spend most of my days trying to solve is solving that problem statement that it is incredibly hard to trust the identity of someone online or on the phone. You don't necessarily know who is someone's when they're calling.
And for me, that was very formative in founding Nametag because I had a bunch of friends and family members who had their identity stolen. And I was with them and started, let's figure this out, we'll get through this. It was the start of the pandemic and things were all remote. And so let's do calls together.
And we would call customer support teams. And these very well-intentioned, hardworking customer support teams. We were just dislodged, now working remote from all these crazy locations and trying to find a way to keep their job going. They were identity detectives, and they would start a call that was meant to be helpful, but trying to quiz my friend or family member on who they were.
And frankly, the tools they had to do it and the questions they asked was all in the security realm we think of as knowledge-based authentication. It was a joke. You know, what's your favorite color? What's the name of your cat?
They don't have a cat. Okay, what's the street you lived on in whatever year? Exactly. People couldn't think of what the answer was.
They didn't remember. Then they were embarrassed. They were frustrated. It got worse.
The CSR rep, the customer support person, is getting, all right, now maybe we need to go to tier two. You failed. You couldn't remember where you lived once upon a time. It was a horrible experience.
And at the end of the day, it wasn't any more secure. And I said, gosh, we can do almost anything from our mobile phones today, except actually prove who we really are. And when you call for customer support, that is one of these scenarios where it is so real and so critical to know authentically who is on the other end of the line, because that person is about to make account changes or transfer money or do really important transactions. And those digital accounts that we live with happen on the phone and they happen online.
And oddly, they're incredibly connected because online, we end up with a username and a password often to protect us. We've surrounded that with more things, you know, two-factor, multi-factor authentication. It's hard to use. It's difficult to set up.
And then things happen. You lose your phone. You got a new phone. You got locked out.
Something went wrong. And sure enough, you're back on the phone with customer support to again have that friendly customer support rep try and figure out if you're the person they're talking to to reset or to fix that account. It turns out it's a really bad customer experience that we all know. It also turns out to be incredibly insecure and a huge threat vector point.
Yeah, I couldn't agree more. And my favorite color changes. It's about my favorite something. Like, come on now.
I mean, we're both learning and growing and changing like over time. So especially for the old accounts, just forget it. I don't know. I could take a guess at what my old favorite color was, but it's not going to help me get into your website probably or faster your customer support, you know, quizzes.
I'm glad that someone of your caliber has noticed this problem and has stepped up to the plate and really is throwing everything that they've got behind it to try to think through the subtleties here. I'd always like to say that you know you've got a really good problem when you find a little knobby thing that seems to indicate that, you know, you turn it one way, you crank it one way, you get more security and you crank it back and you seem to get easier and nicer interfaces and less intrusive. But you know, I think of that, those knobs as kind of cop-outs. I always want both.
I want security that is strong, protects what I care about, but doesn't get in the way. And everyone is so much more than just a username and a password. Yeah, that's right. I feel really grateful that I was exposed to enough of these to find the problem statement, but I'm also really grateful I've been able to assemble an incredibly talented team of cybersecurity professionals, experts in cryptography and authentication, people who have spent much of their career defending even countries from nation-state threats.
And so this technical expertise that I was able to pair with the problem statement has meant we've been able to make something that we're incredibly proud of, not only in the security side, but on the user experience side. It's not often you get to brag about a cybersecurity product being really slick. And we're really proud of what we've been able to build, that it is sort of that there's less of that trade-off. You don't necessarily have to have the knob one or the other to your point.
It doesn't need to be a compromise necessarily. Yeah, I saw the demo with Brian and I was just blown away by how simple and seamless and I didn't have to download an app. And I was like, oh, we're optimizing for the user experience. That's refreshing in a B2C security place.
So I was absolutely elated. Maybe you'd be willing to share a truth that you see in the world that most people would regard as false or maybe they would miss. Yeah, I believe, particularly in this internet world today, that the internet has been built, maybe accidentally, maybe intentionally, but around anonymity. You know, the early days of computing were friendlier or smaller communities where you roughly knew someone from this academic institution or from this government organization.
And you could kind of identify and there's a sense of trust because the people that accessed the internet in the early days were similar in some ways. They at least were geeks, you know, at that level. As the internet has become almost everyone, almost everywhere, we've entered this point where anonymity has taken over. I'm a fan of saying a password is not the same thing as a passport, yet we often treat them as such.
And the fact that I can go spin up a new Gmail address and be anyone I want or create a new account and, oh, I did something bad or I'm, I don't like the way I'm coming across. Let me just switch my identity and be a different person. I think there's value in that. I think there's value in anonymity.
But as our digital lives have become ones that were life fully on these sorts of approaches, I think you need another option. I think you need to be able to build communities and have platforms where they're not anonymous, where it is very sure who the person is who is accessing an account. And I, it's frustrating for me in some ways and also exciting, but because I live in this world of almost imagining how things can be different, and I get to talk with all these really neat companies that have either built things or are building things, and they're trying to use that element of trust and safety and knowing who the person is to differentiate their platform, their product, their business.
And they're doing it to try and stop fraud, to stop ID theft, to stop crime, all things that are just getting worse and worse in today's solutions. And so I, I believe that safe communities know their members, and I believe that platforms have a responsibility to know who's who the real identity of a person is who's using that platform. So that's something that I see and I see so clearly and I get emphatic about, but I, I think most people miss, although it feels like every day in the news, there's a headline that more and more people are starting to get it. Is this, this is great.
Is this where the name tag came from? Yeah, you know, the name tag is interesting because it's a physical embodiment of who a person is. You know, when you go to, you go to check in for a flight, they don't ask for your email address. They ask for your ID.
And that's how you get security and you theoretically go behind the TSA secure zone and it's a safer space because everyone's sort of been identified. When you go to a conference in the real world, they give you a physical name tag to wear, but someone's checked you in. Someone said, you know, you're probably from this company. Can I see your ID?
Okay, you were invited because of this. You registered. And that event organizer sort of has a responsibility to make sure the people that are inside wearing a name tag that you know who they are and so that community can start to build trust and get to know each other in a respectful way. And so how do you take that physical experience and bring that idea of wearing a name tag in the physical world into the virtual world with that same sense of confidence and assurance that you can build a safe online community like you might do in the physical world?
That's what that was sort of the origin of it. I love it. It makes perfect sense. And it flows perfectly into the product and the experience and the conceptual model of the entire company and the vision.
Thanks. What's what's the best day that you've had on your journey? Yeah, one of the best experiences we had was creating an evolution in our experience using this technology called App Clips from Apple or Instant Apps from Android. It was, we got a lot of feedback.
Our earliest incarnations had users download essentially an authenticator app, an identity authenticator app. We bound the identity of the person into that app, stored to the phone, made it super easy and reusable. And we have kind of a version of it's even radically more modern and advanced today. But Apple in 2019 created this App Clip technology that allowed users essentially to download an app or a mini app, as I like to call them, is sidestepping the app store.
It's delivered over the air in a few megabyte package that delivers a lot of the functionality of a full app without that download and without that experience. And for us, this was an incredible breakthrough in particularly in making that user experience wildly simple and seamless. And so for us being able to then have all the security properties of an app, you know, if you're a the Pandora app or the Spotify, you're hundreds of megabytes. Facebook app originally was huge when you download.
All right. So when you think about an app clip for them, they're like, what am I going to do with 5, 10, 15 megabytes? Not a big deal. For us, we were able to create that experience in this mini package that takes advantage of all the native security functionality of a phone.
And there are all these incredible things, cameras, depth mapping, app attestation, like all these great, the secure enclave, these features we can use and leverage to have something that's really secure, but that just pops up and feels almost like it's a part of the phone asking you to do something. That day that we figured out how to get that work that we took that live, our kind of our first version of the app clip and later with instant apps was so fulfilling. And just a moment of excitement for all of us because we felt like we had really innovated on the experience and it was like the one piece we felt like we had been missing.
And then I'll tell you really candidly, a bit vague on purpose, but we were really excited last week. Our lead iOS developer was recently at WWDC, Apple's developer conference, and just spent time with all the teams building this and all the subsequent teams. And it's the first time they'd met someone by the end of the event. Everyone had known about it.
They were all so excited. They ran back in and were sharing with all their friends. Oh my gosh, this was sort of the dream app clip, right? When we built this framework, we hoped people would be able to innovate on it in this way.
And we had felt on the outside, we'd felt really proud of what we built. And we, you know, the closest other app clip you find is like Toast. You know, if you're paying the restaurant checkout bill and it launched Apple Pay, which is fantastic. I love that.
But wow, we were able to pack so much security and functionality and advanced stuff into this App Clip experience. And it was just neat, again, privately, no public statement from them, but of their excitement for what we had built because we were really proud and we were getting that feedback from so many in the market. But it was neat to kind of go behind the scenes with them and to feel their excitement too.
I love it. And that passion can feed off of each other. So they can go off and build the next great thing. And you guys can build on top of what they built so far.
So was that like a, I know Apple is a very secretive company and everyone is speculating about what they're building. Did you have insight that something like that was coming or you just went for it and we built the app and you kind of were hoping that you could simplify the experience even more and then it showed up and it was a pleasant surprise? Yeah, I had another friend who had started a company and was playing with similar technologies in early 2020. And he exposed that to me and said, teach me more of this.
I want to understand it. And he was using a very different use case, but I think he saw it early and was helped pass some of that knowledge on. And it became, wow, that's foundational technology, but what do you do with it? And they were trying to do one thing, you know, a toast to something else.
Etsy actually has a flavor of an App Clip browsing items on Etsy. And we said, hey, can we run with that and unpack it in a whole other way? I think, you know, just guessing here a little bit, I think Apple might have had a few reasons for creating that technology, but one of them, the vision was more in-person use cases. And they debuted in 2019, at late 2019.
And then with the pandemic, that didn't really come to fruition because people weren't out and about doing in-person use cases, scanning QR codes in person, certainly for a while. QR codes have probably been one of the greatest resurgences of the pandemic and something that was popular in other countries. We've now certainly accelerated use of in the U.S., but I think it was something they almost had this false start of because it was meant to be used in person.
That didn't happen and the world just didn't notice it, I think, at the same pace that we probably follow other cool Apple technologies. Did they do a WWDC announcement on this technology in particular? On App Clips?
Yeah, and they did, and they've been consistent with it. And they've done some, I don't know how much they actually publicly share it on their update in this last WWDC, but they're continuing to innovate in that space. I think they're continuing to have, you know, you'd expect normal kind of feature upgrades and builds. There's some suspicions out there that it helps connect into their metaverse strategy and what that might be in kind of an augmented reality AR use case, being able to launch an App Clip from there.
I think Apple too is continuing to build more native functionality, Apple-branded properties inside Apple, and having an ecosystem where developers can use some of those same tools is probably a really wise move to kind of spur innovation. So a lot of potential rationale for them on why they built it and continue to invest in it. But we're really excited to be able to use it. And that was probably one of the greatest days when we were able to take a use case in that space live into the market.
Yeah, and a great use of the technology too. You're bridging the gap between the physical, actual, real world. That was, I think one of our big insights is that so much today in the security realm, you know, in the world of authentication, validates the wrong thing. It's not bad, but it validates devices.
And we have this philosophy that we should be validating people and not devices. And there is a difference. And even when you get into the use case then of, well, is someone holding this phone? The reasons that is a more secure experience for sure.
But again, you get into, I lost my phone. What if it's someone on a different phone? And then people jump quickly off to biometrics. Oh, biometrics is great because someone only has one voice or one fingerprint or one way they walk or gait detection or other things.
But then you even get into provisioning challenges. You know, if I happen to use Vanguard and my voice is my password, that's wonderful. But if you happen to have my credentials and you go set up your voice as my password, that's probably not so great for me. And it's incredibly difficult to, again, validate the person at that setup or provisioning phase.
And so many of those steps are separate. And then this other world is identity validation. It's not fundamentally new to be able to scan your ID and do a selfie. And there are companies out there that have been working on that technology for years, but it's not reusable and it's one time.
And so this premise that when you access a service, you know, think of a bank account, maybe you go through a KYC flow and you scan your ID and they're checking a regulatory box. That's great. But then when you log into that bank or you call to transact on the phone, they're back to the silly security questions or to low security ways, in validating a device or some other knowledge-based question instead of you as a person. And that's what we wanted to do to bring together those two worlds of identity validation and MFA into something that was reusable.
So what's the worst day that you've had so far in your journey there at Nametag? Yeah, it's interesting. We got started in market late last summer with a COVID verification solution. And this was really a tough thing for us because we were really excited about building what we now call sign in with ID.
And this, you know, it's an alternative to usernames and passwords and the core flow. But we had a bunch of companies, probably in the span of a week, come to us and say, hey, I know you're doing other stuff, but you're...
You need to be good at validating people's IDs. Can you help us with this COVID vaccine verification space? And as you know, it's all common if you go in, you know, during that period of show your vaccine everywhere you went, you would show a vaccine card, either on paper or maybe digital over time. And then you would show your ID and some hosts or hostesses at a restaurant or wherever you were going had to compare the two and they became like the customer support identity detective, quizzing you, do your names match?
Does this look the same? Oh, I don't have my ID. Ridiculous. A bad experience and unfortunate that it had to be that way.
But employers said, I can't go through that same hassle. I don't want my HR teams who are already taxed with remote work and all these other things having to be those sort of detectives. So we created technology to scan the data on a CDC vaccination card, essentially OCR it and a bunch of ML insights as to what we pick up and how we match it to and then compare it to the government issued ID. And it allowed employers then to have one report of, okay, who in my organization has been vaccinated?
I don't want the PII. Just tell me what I need to know so I don't take on unnecessary risk. Right. And we created this and we launched this.
We called it COVID proof. And it became actually this really wonderful thing for a lot of companies. And they come and they sign themselves up. Still, we have event organizers that come and do this still all the time.
People hosting events. It was a great application of our technology. We gave most of it away for free or very low cost. It helped improve all of our vision models, led to the insight on user experience and app clips.
But it was frustrating and it was a little bit scary because, so this isn't our core business. I don't want to forever be in the COVID verification business. And the first day we launched, I remember we had this incredible excitement because we had a bunch of companies already using it and it picked up really well and grew really fast. But I had this fear.
I'm like, oh my goodness, are we going to become known as like this COVID company? And by the way, some people don't like COVID or don't like vaccine verification. And, you know, are we almost convoluting our Nametag brand into that space? But at the flip side, I felt like we were helping a lot of people.
We were helping people get back to work and doing the right thing. But it was a real existential moment for me and a lot of the team on when we launched that, it was both good and a little bit scary about what it might mean for the future. That was a harder period. That sounds tough.
Those existential questions, like what is meaningful? I'm glad that you navigated them and that you nonetheless, even with the challenges, helped a lot of people get back out into the world, reconnect and scale. You know, I always say that computers should always do the dirty work. And the more that we can push into that space where the computer is doing the dirty work, then the better and easier the lives of everyone will get.
I guess like that paperwork of juggling all of your IDs and then the CDC thing is part of that. Or it became part of that through COVID. That's right. I believe firmly, as we all do probably, we're in this space.
I believe in what technology can do and the power of automation. I think another flavor, though, we really tried to inject because how do you do that in a world of privacy and also make users in control, allow them to be in control of their data and what they share and when and how they hold it. And we tried to be really progressive in this space of, and we have an opt-in model. So there's not an opt-out.
Oh, I no longer, I don't want to share. Don't use my data for this. We are truly, we only share when the user consents to share information. So we tried to build that as core and fundamental, which we're really proud of.
But it's, I believe in that same spirit. If things can be automated, and it's shocking to me still how many companies I speak to who are doing modern things in very modern companies, Web3 and others, and they are doing incredibly manual processes, which turns out around identity verification is not efficient and not necessarily fair in a lot of ways, let alone time consuming and expensive and other things. And it's not working. I think that's been our biggest learning.
Today's methods, all the approaches we've taken on security and authentication and MFA and IDV, fraud is at an all-time high. Identity theft is at an all-time high across every platform in every industry. And so what we're doing today isn't working. And I would argue it's time for a different solution.
Definitely. I love that spirit. You know, it's funny. Someone asked me once, like, what makes a really great engineer?
And I thought about it for a second. The response, I think, surprised them. I said laziness. Because if you could, if you keep doing the same thing, like over and over and over again, and you're an engineer, you're not writing a script or something, like, all right, come on, what's going on?
And the fundamental drive there behind that is really not wanting to do the same thing over and over. Solve the bigger problem. Solve it once and for all. Solve it for everybody.
You know, and to share that, I think it's really insightful. That I appreciate that, you know, your share and the huge problem that Nametag is taking on and bridging the gap between the real world and our digital. I think a lot. A lot of the interesting technology that will come out is going to be around bridging that gap.
And it's unfortunate that we have a gap, but there is a gap. I think we would be fooling ourselves if we pretended that there was no gap. Maybe the gap will always, there will always be some piece of that, but we can always strive to get rid of it. It doesn't need to be.
And just because you know someone is, doesn't mean you can't have a pseudonym. It doesn't mean you can't have an alias, right? It doesn't mean you can't protect your privacy and what you share. You know, in my classic ones, even in real life kind of thing, in person, you know, it's crazy that you go into a bar and they just need to know, are you over 21 in the U.S.?
And you as an unsuspecting person are giving over your ID. Maybe you don't want to share your home address, you know, to that not always friendly bartender, bouncer person.
Like, they just need to know you're over 21. They don't need all the other information on my ID. There has to be a better way to help protect the privacy and protect the in-person safety of people that still satisfies the requirement of is someone over 21. And those sorts of scenarios in person are just as relevant online.
You know, it might be one thing for the platform to know the name of a person. Just because you've scanned your ID doesn't mean they need all that data. Or maybe the platform doesn't even need to know. They just need to be able to say, hey, this ID has been checked and we have a guarantor of that.
And you can give a real green checkmark kind of in a verified profile context that the ID of the person has been checked and that you know who they are, such that others can trust them. Which also means that if something goes wrong, you know, or harassment occurs or inappropriate behavior occurs on a platform, can you not only correct it and make sure that person is kind of dealt with or managed the right way in line with that platform's policies, but you can also prevent that the same person doesn't come back and just under a new username. And I believe enormously in the importance of platforms knowing who their users are to create these sort of safer online communities.
Yeah, a lot of the security practices that we want to deploy as security professionals just doesn't work if you can create as many identities as you want. And I love putting both the company in a position where it has a much better, much stronger foundation of who people are that are using the platform, but still letting the end user, our customers, us, the human being, remain in control of information. That's actually a really good point about the bouncer. You know, they're just trying to check to see if you're 21 and boom, there's all of your information right there on your ID.
People don't even think about it, do they? But there's a lot of safety issues there. And if you're talking about the fraud space, that'd be a great job for a fraudster. Just get a job as a local bouncer at your local bar and there's a bunch of valid identities for you.
When we look at the future, though, you fast forward into that future, you see a better future. I love the vision that you have with Nametag. But what does success really look like? Yeah, I'm incredibly passionate about our vision of building a more trusted human internet.
And I see a world where, you know, sign in with ID is something that becomes a standard that sites are using, not just on the web, but in their app and in their phone call and customer support. And even when they show up in person and, you know, scan a QR code at a door, you know, to unlock it or register as a visitor or other. I think this idea of having a digital reusable form of identification that a user is in control of has potential to impact so many industries today. And that's one of the really fun parts.
I spend most of my day in talking with different companies that are trying to figure out either how do we disrupt ourselves because, wow, this becomes a big differentiation point in the spirit of trust and safety. Or new companies that are starting that say, gosh, I don't know why we sign documents, for example, with an IP address. Like, that doesn't really give you confidence that that person signed, you know. Maybe there's a better way.
And the same thing goes from document signatures to online dating, you know, to gig worker economies and home health care workers. And just the list goes on and on where these industries are all thinking, oh, my goodness, how can we be different and solve some of these fraud problems and offer our end users more trust and safety by knowing authentically who they are? And so I see very clearly a world where that changes and where users have a sense of comfort and trust on the platforms that they're using or else they make room for new platforms to emerge. Amazing.
So you've mentioned trust many times, and I love that we're focusing on trust. Sometimes founders and CEOs in general will have to drive change by connecting it to some monetary payout, like a demonstration ROI on the vision in the future and instigate sort of the shift because it is asking folks to do a little bit of work to adopt a new standard. And so not to say, like, what's in it for them, but what are they investing in? And you've mentioned fraud a couple of times.
Do you find that the potential customers that you speak with and the ones that you sign, do they say, do they use this technology and see a large? How in terms of their ROI in the fraud department? Yeah, this has actually been one of our complexities in a way, and in some ways it's good. When we talk to a given company, different stakeholders in that company or departments get excited about their own thing.
And so there is a value play for each of that. You know, partly if it's finance-oriented, wow, yes, this cuts down on the cost of fraud. If it's someone working on a customer support team, they say, oh, wow, maybe I need less reps. My reps can be more efficient.
And actually, my reps maybe won't be as dissatisfied and unhappy because they can actually be helping people as opposed to interrogating identity. So you hit finance metrics in one case. You hit core customer support business metrics in another. You know, we have a lot of customer experience CMO-type teams who say, wow, you mean I can reconfirm the identity quickly every time someone comes up?
So there's maybe minor friction in the first setup, not arguably more than setting up an authenticator app or something like this. But you mean the next time they come, they have a fast pass to log in? Wow, I love that from an experience perspective. You know, a CISO says, oh, wow, this cuts down a lot of my threat vectors, right?
We have HR teams now who are saying, you know, I'm not really sure who we're hiring. And they're coming with cases of fraud where an employee, you know, applies for a job online. They, in the U.S. at least, need I-9 verification a few days after they start.
But day one, they show up and they're stealing corporate resources and then disappearing, right? And they have no idea who actually they hired and came into the network. And so HR leaders are saying, hey, can I use this for one of my hiring processes?
Can I use this before someone starts as part of a job pre-qualification flow? And so what we're finding is different business teams all have their own set of metrics that we're checking the box on simply by introducing this concept that you can know the real identity of the person who's engaging with your company, your product, or service, or other things. That's amazing. Spectacular.
So there's lots of different applications of this very broad technology standard, really. So I'm curious, some of the ways that people manage this problem today is they use something like password manager. And you've mentioned how, you know, we're both, I think, passionate about, we are not passwords. I'm excited to see the day where we don't need passwords on any sites anymore.
And what do you see happening with things like password managers? I find them a huge convenience in my life today because my life revolves around passwords. And I couldn't imagine having the same password I use in different places. But that's because I'm a security professional, like many on this podcast who listen.
Yes. One of the challenges, though, with going passwordless is often that people then just trust the device. And so you move into this world of passkey, for example, or WebAuthn and some of the innovations from FIDO, I think are fantastic in helping to make those experiences sort of more express and solving the issues of continuity across devices. And it's a step forward in eliminating the password.
But they're still validating the device and they're not validating the person. And that is a fundamentally different belief that we have. Now, maybe if you're logging into, you know, pick your favorite news site, CNN, New York Times, whatever, they might like to really know who you are. Separate from that, you might not really care about who they think you are when you're logging into that.
And passwordless would be a huge convenience. Where we find that we're really unique is when trust matters. I use a password manager every day today because there isn't necessarily a better solution. And passwordless technology can be a great way to access sites and applications where we would say trust is less critical.
Things like passkey and FIDO's advances are really valuable. And I think take us all towards a more passwordless future in a healthy way. But fundamentally, they still validate devices instead of validating people. And it's fine to validate a device in passwordless again if it's a low value site or something that you're just checking in for news or information.
It's completely different when you're doing that to access a financial account or a gig worker profile that maybe is your livelihood or a gamer profile that is your livelihood in your daily life. There are things where validating the person makes an enormous difference. And we're focused on scenarios where trust matters and where validating the person matters versus the mere convenience of having a passwordless passkey or otherwise. Amazing.
I love it. I'm excited to live this future. I hope it's not too far off. Would you like to leave our listeners with any parting words of wisdom?
Yeah, I would encourage you to reach out. I love brainstorming these areas. I loved talking security, privacy, identity. I believe identity is fundamental in cybersecurity.
And I think all too often we focus on many other things and identity is handled as a separate effort when I really believe they could be connected. If there was one thing I'd suggest you go look into, go look into how your organization handles account recoveries. What do you do on customer support when someone calls and says they're locked out? Because the number of companies that I speak to who are realizing that is a threat vector they hadn't otherwise known about, it's becoming massive because it's unfortunately... easy thing to get around.
So go look into that.
I think it will bring benefits to all and hopefully you can help develop a better solution for it. We can be a part of that. Of course, that'd be a lot of fun. And more so, any use cases people have in mind, things where they think trust matters and they want to be able to identify their customers or users or employees, again, please reach out because it's a really exciting area and we love to partner and brainstorm.
Are there instructions for developers to integrate this onto their websites and into their apps right on your website that they can try from? We do. We have a really cool demo and trial site, and we've got really clear API documentation. It's all from getnametag.com, so check us out there.
We've also got a lot of content we've been producing there on our blog and on some social channels in the security and identity space. So please feel free to check that out. And again, we'd love feedback on it and other comments that we can think about and make us better as we all sort of learn and move forward here.
Amazing. Thank you so much, Aaron, for joining me on the Security Podcast of Silicon Valley. I have all of the gratitude in the world for your undertaking all of this. It's a very challenging problem.
And being the change that you want to see in the world, that's great. And putting to use your value of trust and letting that be your product and the future that we can all share together. I appreciate that, John. I'm a big fan of you and of the podcast, so it was really an honor.
Thank you. No, thank you again. And thank you to all of our listeners. And stay tuned for another episode next time.