30. Dominik Schürmann, Co-Founder and CEO of heylogin

Hello and welcome everyone to another episode of the Security Podcast in Silicon Valley. I'm here today with a very special guest, Dominik Schürmann. Welcome to the show, Dominik. Thanks for being here, John.

No, thank you. So Dominik is the founder and CEO of HeyLogin. Before that, going all the way back, he was actually, he was a visiting researcher at Aalto University, a research assistant at TU Braunschweig. You're also a visiting researcher at Aalto University.

You did some freelance cryptography engineering work for a couple of years there, it looks like. That's awesome. You came back to TU Braunschweig as scientific staff, where you focused in on difficult and open security problems, it sounds like, things like end-to-end encrypted communications, and you ended up starting a company, Cotech. Right.

You were the CEO and co-founder of Cotech. Yep. And now you are, heads down, focused on HeyLogin as co-founder and CEO of HeyLogin. Right, that's correct.

So actually, we started as Cotech in 2018. And I always say 2018 and 2019 were kind of the years of finding an actual problem that we should solve. So at one point, we found the problem of password management, and then we focused 100% on HeyLogin, and then we renamed the company. So actually, it's the same entity, but it's now called HeyLogin.

Awesome. So it's such a good pivot that they look like two distinct companies. Good job. I think usually sometimes when people do a pivot, it's much softer around the edges.

But it looks like, you know, from your experience in laser focus and security, maybe you wouldn't mind sharing with our audience just maybe a pinch about your childhood or maybe what parts of that shape who you are today. Yeah. Yeah. So I mean, I wasn't a popular kid, right?

But I started, actually, I started with Visual Basic for kids. It was a great book. I think I started at 14 years doing some programming using Visual Basic. And then I was deep down into modding of a computer game and stuff like that.

But when I really got started with cryptography was during my university time. So I was quite interested in political movements in Germany, like the Pirate Party, and got some involvement there. And political involvement sometimes leads to cryptography, I would say. Yeah.

Yeah. Something that does, doesn't it? Yes. So that got me involved into cryptography.

I did a lot of studies in cryptography during my university and bachelor and master. And then I focused even more doing my PhD and work as the scientific staff. My research was always like finding trade-offs between usability and security. So it's not that easy, but it's an interesting way to think about.

What we did, for example, studies with over 1,000 people to find which kind of key fingerprints compare best. So stuff like that. Very nice. I imagine that you've come up with some interesting results there.

So different representations of key fingerprints. Yeah. It's really interesting. It was one of the best papers I did during my time.

This was one of the USENIX Security papers I did, for sure, with a colleague of mine. And the way you can think about key fingerprints is you can just do it hexadecimal.

Like in PGP, you can do it numeric, like in Signal. Or you can even have phrases, like in these backup phrases for the backup seeds for Bitcoin. So a lot of different ways, but they all have some upsides and downsides. Like, for example, the phrases, they are only in English.

So they are not universally applicable. That's why Signal switched to numeric. And we also did some studies on how long people need to compare these fingerprints and stuff like that. So that was pretty amazing.

So as you were in your studies and you were focused on all of these difficult and open security problems, and really it sounds like the intersection between security and usability, was there something that started to emerge that was a truth that you really saw in the world that wasn't noticed by most people? Yeah, I thought about that question. So especially in the IT security space, there are a lot of people, especially at an older age, who think like an attacker. Security people are trained to think like an attacker.

And that means they are always trying to find corner cases. Like this is a very specific attack. And this means the system is not secure. So all these sorts of processes lead to extreme choices in security protocols.

Especially if you design security protocols by a committee. Oh no, by a committee? Oh no. That's why some people call it design by committee.

In Germany, there's a lot of examples, like the ID cards in Germany. There's some very interesting cryptography involved, but it's so difficult to implement that these ID cards don't work with most Android phones, and they don't work with most card readers. So I think this is a bad way to go at security protocols. And I had some very, very interesting experiences over several years where I maintained the most widely used PGP implementation for Android.

It's called OpenKeychain, which still has 300,000 users. And I came from the same point of view. You need to take care of all the attack scenarios. But that just leads to no adoption.

So I think the big insight here is to find a trade-off. And if your security measures prevent adoption, then they don't help. Right. You have the most secure piece of software or hardware in the world.

And if nobody uses it, are we really making a difference in the world? Exactly. Yeah. Right.

That's a... That's a...

And like PGP is one of the worst examples, and it's not getting better. It's...

I'm a little bit following the current standardization process of the next PGP version, and it's a disaster. So from my point of view now, looking at it from a distance.

I'm sure there's a strong sense of appreciation for some of the dedication that's behind it. It's just...

Sure. Maybe if there was more of a balance between the usability and the grappling with those difficult security problems. I know it's very easy to get sucked into rabbit holes. Right.

I mean, I know some of these... Most of these people, personally, we had a lot of meetings of all the PGP implementation people, like the Thunderbird guys, then the ProtonMail people.

But it's... Yeah.

It's a difficult subject. Just my point of view now is they're prioritizing the wrong stuff. And was this some of the creative juices that nudged you towards building HeyLogin? I mean, we...

During my time as a PGP tool maintainer, we had a lot of insights. My co-founder then also got involved in this project.

That's why I know him. And we always try to innovate on this very broken standard. And at one point, we just thought, okay, it's not fixable. Let's do something else where we can design everything from the ground up.

And I think password managers are a very similar concept that is pretty... Let's say it hasn't changed a lot since its inception.

Like 1Password is 16 years old now. So in the IT world, that's a long time. Yep. So it's a similar space where there needs to be new thoughts and new ways to fix the problem.

Because if you look from the business point of view, more and more passwords are being used every day. I just saw a statistic that many B2B companies, on average, B2B companies have 110 software-as-a-service platforms in use. So if you cannot connect them to a single sign-on, you need a password manager. So obviously, the market is growing.

But the tools are still targeted to an IT audience. And that's what we are trying to change. HeyLogin focuses on usability. And that's why we think differently in a lot of aspects of password management.

So HeyLogin is a password manager that is obsessed with the usability of the experience. Yeah. And trying to aim for security through usability. Because once you get the usability, you get the adoption, you get the ease of use.

You are actually taking the burden off the shoulders of the user. Right. Exactly. So one of our experiences during our time as consultants in the early years, like 2018, 2019, was that even if companies deploy a password manager, their employees, who are forced to use it, just write down the master password on a piece of paper and put it on their desk.

Like, it's like a very similar problem as without a password manager. It's just moved to a different tool. It's the same problem. It's just transitively shipped to one password.

And now in security terms, you have a single point of failure for all your passwords. And it's still a one-factor solution. If you just use the master password, it's just one factor. Or something you know, so knowledge.

1Password and co., they have an option for two-factor security, but most people don't enable it. So it's not like there is a huge adoption of these options. So again, for, I don't know, 90% of our users, it's just the master password. And that's where we are trying to think differently.

In HeyLogin, there is no master password, no password at all. Everything is end-to-end encrypted using the smartphone of the user. So it's two-factor secure by default and even easier, because you have just the factor of possession, the security chip in your smartphone. And the second factor is the PIN or face unlock or fingerprint.

And these two factors are easier to remember and use in comparison to a master password. Yeah. Yeah, they are. I got the whiff that there's nothing really that I have to, well, maybe a PIN, but like my Face ID or a biometric is quite convenient.

A PIN is easy to remember, though, I think. Yeah. And the PIN is more secure than a master password because the PIN is bound to your security chip in your phone and there is a limited number of tries. So it's more secure.

So help me with the user experience. If I'm on HeyLogin and I'm on my desktop and I'm in, let's say, just Safari, then that password that I need to enter that's 100 characters long needs to go, does it go from my phone into my local machine somehow? Yeah. Yeah.

That would already be a deep dive, but I can try to explain in short term. If you just tease us a little bit. There are several cryptographic keys involved here, but let me just say the most important key is the one that is generated at first time use inside the security chip of your phone. And this key cannot be extracted from your phone.

And from this key, we derive several other cryptographic keys for different purposes. And so if you go to a website in Safari on your laptop and you need to log in and you click a button and then you get a notification on your phone. You can just swipe to log in. That's how we call it.

Swipe to log in. Swipe to log in. And then you're logged in on the desktop. So this is the user experience.

And when you're doing this, you just need to do it once per day. Then a temporary cryptographic key is generated for this browser instance for this day. And then the browser has access to the password vault for the specific time until this cryptographic key is revoked by your phone. So we don't need to transmit all passwords from the phone to the browser.

It's a little bit more complicated, but that allows us better responsiveness. Very nice. Okay, I like it. So it sounds like we've got a very high security bar here and things are expiring on a 24-hour basis, which is amazing, but still obsessed about the user experience and just log in on your phone.

I like that. I do like that. Because then now my computer is much more secure in the sense that any sensitive data is going to have a TTL, essentially. So I don't have to worry about future exposures to risk.

You can always also open the app on your phone and revoke it anytime you like if you don't like to follow the 24-hour protocol. What's your go-to-market strategy with HeyLogin? Are you a B2C player? Are you B2B?

Are you top-down or bottom-up? Bottom-up. So I mean, 1Password, LastPass, Dashlane, they all have a private user plan. We currently don't have a private user plan because our private user plan is free.

You can just use it. It's for free. I don't think there is a lot of market left for B2C in this space. It's pretty saturated, huh?

Yeah. And people are...

I mean, the IT people who happily pay, they all already have a password manager. They don't easily switch to another paid password manager. But they may switch to a free plan and a better password manager. So it's kind of like the typical product-led growth strategy where you have a freemium plan and then do an upsell.

So that's what we do. Our B2B plan is the business model. So yeah, yeah, exactly. It sounds like you've got that and you've got your go-to market strategy locked in and everything.

And so, hey, maybe a softer question. What's been the best day that you've had so far at HeyLogin, in your journey? Yeah. So when we got the first reviews of our B2B features, it was quite a great week.

We made some smaller marketing campaign to get the word out. And we gave some pretty good deals for early adopters. And they wrote really, really good reviews. So that kind of proved our strategy and our usability.

There were some funny moments. Like I remember one review, we printed it out and hung it on the wall. It was like, he was quite happy with HeyLogin. He said it's like the best user experience ever.

But then at the end, he wrote like, it's so easy to use that it doesn't feel so secure. It's quite funny. It's a compliment at the same time that it's...

Yeah. He's been so trained. Or maybe he or she has been so trained to expect that security means, you know, it's going to be difficult in some way.

It's going to be an impediment to the flow of your day, a roadblock, an obstacle or something. Yeah, that was pretty funny. It...

This is always what gives me hope that not just that we have smart people working on these difficult problems and we have a good handle in the direction that we want to take them, take these problems, but that we're focused on the human side of things, not just the technical side of things. Right. And when you get a review like that, I'm sure he replied, it's something that maybe in 20 years we can look back on and be like, oh, do you remember when password management was so bad?

Yeah. And he had reviews like this to try to break the mold and the stereotypes and negatives, like image around them. You know, I imagine this is why Tesla, the very first car that they built was basically a race car. You know, they're trying to break the stereotype electric cars slow, somehow like less of a car or whatever.

So break that stereotype arc with a very fast race car. Then go out and build the sedan. It's almost kind of like what you're doing with security in the password management space. You're breaking the stereotype of password management has to be an interruption to the flow of the day.

So, you know, Adam and Ben. So regarding that topic, there is, so in my opinion, there is even a second side to that. Not just the product side, product development side, where we try to be more usable and different than the existing solutions. There is even the side of marketing.

So IT security products are often sold with what I call fear marketing. People should fear data leaks. They should fear what if people leave the company and take passwords with them. Like there is all these kind of scenarios.

Like the most costly ad Dashlane ever ran was a Super Bowl ad. So there is a guy in this ad. He dies and then he gets to the heaven, I think, or something. And then he is asked, what is the password?

It's again, it's kind of fear marketing. So it's, I don't think that's the right way to find traction in this market. I think you need a different angle on that. So that's why we try to go the way of showing how HeyLogin provides more productivity for your employees.

And I'm with you there. Fear mongering or even ambulance chasing, I've never really seen a payoff in any long-term success. Okay. The worst day that you've ever had in your journey with HeyLogin.

So, you know, when we started developing HeyLogin in March 2020, we were able to start with a grant. We got a big grant from the German government that was pretty great to do the development. And nearing the end, we thought, okay, now it's time for chasing the first venture capital round. And we were pretty confident that it shouldn't be a problem.

That was quite naive. In retrospect, we had a pitch at a very, very local VC. It's like the VC for this specific German state we're in, Lower Saxony. It's partly governmental.

So we were confident, just do it and we get the money and it didn't really work out. So that was a really bad experience and it kind of grounded us. So yeah, I was down for a week at least. Yeah, expecting a round to be able to pull through and then having to fall apart can be detrimental to the business, but also to those that are shepherding the company through process and everything.

So I understand that completely. No, and thank you for sharing. Sure. Those are vulnerable moments for, not just for companies, but for the leaders in those companies too.

It also took a long time to, let's say, to take all the feedback and start a new round. Yeah. There was a lot of stuff that we needed to learn before. So we took an external consultant for this specific round and then it took some months until we started talking to VCs again.

And then we were better prepared. But yeah, it still took more time. Let's say. It sounds like you had a crash course in an MBA.

Yeah, some kind of, yes. Yeah. We had like three meetings per week with this consultant. So yeah, it was kind of a crash course.

But good, really. The growth mindset at work and at play, it's been able to pull you forward. Yeah, that's true. So if you fast forward into the future, and I'll let you decide how far into the future we want to look.

But what does success look like in your mind for HeyLogin? Yeah. Yeah. Yeah.

So currently, we have a very conservative finance plan. We plan for cash flow positive next year. Without a lot of growth. I mean, the VC space currently... Let's say I'm a little bit hesitant to raise another round right now. So...

I mean, given the current economic state of the world, of Germany in particular, of the region, energy prices, Ukraine, Belarus. Yeah, it's a difficult situation right now.

I mean, we started during COVID in March 2020. We're kind of used to it. But yeah, it got even worse, let's say. The state of the world.

Yeah. And you have to balance all of those responsibilities. I mean, being a leader of a company, there's people that depend on you for their livelihood. And you yourself, perhaps, have people that depend on you.

Yeah, definitely. Yeah, that's why we currently just plan for a very... Yeah, we plan for cash flow positive. The development team stays the same after the current round. We don't hire more developers. Because as you may know, just having one more developer doesn't mean you're faster in product development.

Right. Right. So what we do is put our money into sales and marketing and keep the current headcount in development. Yeah, I understand that entirely.

It's almost where that phrase came from. Nine pregnant women don't make a baby in a month. Yeah. I wish there was a phrase like that that was more applicable in a gender neutral sense.

But it's kind of a similar thing of what goes on in software development. Do you have pressure underneath you from the VCs to hire more, to spend more, and to not be cash flow positive? Or are they pretty supportive? Do you find that your VCs and the folks that are invested are back?

Or are they pushy? I think we have a pretty interesting combination of business angels and one bigger brand. So it's very, very local business angels, which live in this area here. Plus Mozilla, who invested in our company.

So the local business angels, let's say they have a pretty German perspective. So they are happy about being cash flow positive. They don't necessarily plan for growth. So on the other hand, Mozilla is not like the, it's not like Sequoia or some other VC.

There is not a lot of pressure right now. So that's good, let's say, for the current situation. No, that's very good. I think that might actually be more of the exception that I hear, but that's great that you've got true partners with your investors, not just folks trying to look at the profit on a very strict timeline.

And are working with you and are flexible. So this is a good thing. And I'm happy for you. And for HeyLogin, too.

Yeah, I hope so too. I'm sure. Well, especially with strong leadership at the helm. Dominik, thank you so much for your time today.

Thank you for sharing a few vulnerable moments and the inside look at HeyLogin and what drives it and distinguishes you from the other players in the space. I'm curious, would you like to leave any of our listeners with words of wisdom or maybe advice that you wish that you received at a younger age but never heard? You know that there is this idea of fail fast and try a lot of things and go to market early. I think it's only partly right.

I mean, for example, if you look at Figma right now, they also took a lot of years in the beginning to try different stuff before developing Figma. And then they took some time to get a basic version. So after trying a lot of stuff, you should at one point stick to something. And then it takes some time until you get the first user base.

So yeah, it's a marathon. And maybe a pivot or two. Yeah, maybe a pivot or two. Yeah.

I mean, if you look closely, you would probably find more than one pivot in our company. But it's like the big pivot in March 2020. So that's nice. Well, personally, I'm in the market for a new password manager because 1Password is so old.

And they recently, in their latest version, they stripped their peer-to-peer service where, you know, you can push passwords from your local network, from your local device onto your other local devices. And I just don't want my stuff in their cloud with only a password protecting it. So long story short, I'm in the market. And I'm definitely going to give HeyLogin a try.

And if anyone out there is listening and is curious to see what all of this is about and curious to see what a good user experience might actually feel like, I would highly encourage them to give it a spin to be a small part of that journey, to be a small part of history. It'd be very special, you know? Thanks. That's why a lot of us go into security.

You know, we notice something that's wrong with the world and we want to be a part of fixing it. Yep, definitely. Awesome. Okay, Dominik.

Well, thank you again. Thank you so much. And thank you to all of our listeners for tuning in to another episode of the Security Podcast in Silicon Valley.