AI for Founders Podcast: Agentic AI, Deepfakes and the End of Passwords
Full Transcript
Welcome back to AI for Founders. I'm Ryan Estes. There's a war raging online, not between hackers and corporations, but between humans and machines pretending to be human. Passwords are failing, deepfakes are rising, and identity itself is up for grabs.
Today on AI for Founders, I'm talking with two experts on the frontlines. Jasson, CEO of Beyond Identity, a cybersecurity company backed by over two hundred million dollars to make passwords obsolete. And Josh from Brandt Hospitality Group, who's deploying this kind of tech in real world, high turnover environments where security meets simplicity. We're diving into how AI impersonation is forcing a total rethink of authentication, not just proving who you are, but proving who's really acting when code agents and AI systems start making decisions for all of us.
If you're a founder building an AI, SaaS, or cybersecurity, or just tired of MFA nightmares, this one's for you. You'll learn how to future proof your identity systems, give your AI agents their own digital passport, and maybe even glimpse what happens when your credentials live under your skin. Now don't just listen, upgrade your intelligence feed. Subscribe to the AI for Founders newsletter at AI for founders dot co.
This is weekly drops of founder frameworks, big AI insights, and behind the scenes tools we don't share anywhere else. It's where the smartest founders come to sharpen their edge. Sign up, forward it to your smartest friend, and pretend it was your idea all along. And if this episode makes you think differently about identity, leave us a review.
Give us five stars if you'd let your AI clone manage your inbox.
Alright. Welcome back, everybody. We're about to have a great conversation about personal identity, AI, and a lot of other different topics. I'm really excited.
We've got Jasson today and Josh. Jasson is with Beyond Identity. Josh is with Brandt Hospitality Group, and what we're gonna be talking about is Beyond Identity to get going. Now this is a cybersecurity company founded in twenty nineteen with a mission to eliminate passwords, thank god, and make authentication truly phishing proof.
Now their technology binds user identity directly to a device using cryptographic keys, removing the weakest link in modern security, the password. Plus, I mean, we've all gotta be just absolutely beat to death with two factor authentication and all the passwords we've gotta remember. It's a mess. So they're backed by over two hundred million in funding and trusted by global enterprises. Beyond Identity is redefining what Zero Trust really means in a world where identity is the new perimeter.
Welcome to the show, guys.
Thanks for having us.
You bet. Now let's get into the AI conversation first. And the one thing I was particularly interested in talking to you guys about is kind of we were talking about agentic support and everybody kinda feels like they need to have some kind of agentic plan. But now you're starting to see agentic tools basically increasingly impersonate humans intentionally. So either that's clone voices and synthetic identities, and there's deepfake opportunities, but also just the ability to, like, do captchas and perform tasks on our behalf. So just really interested in Beyond Identity's approach to basically extend to proving who is acting and how that will become more relevant as these agentic solutions that we're all building become more and more sophisticated.
So that's very simple short question with a very long and deep response.
I'll try and give you the menu version and we can choose our own adventure. You bet.
So the first thing is I would say there's the AI enabled adversary. And what is the AI enabled adversary to do?
And so we think about the AI enabled adversary, we're thinking of the ability to really kind of mimic victims, mimic targets, right, in voice, in speech, in writing, in appearance.
And so we have a line of use cases that we call reality check. And so the idea of that is how do you defend against the AI enabled adversary? And if we pull that thread just a little bit on mimicry, you'll start to think, well, wait a minute. I have seen a lot of products recently about detecting AI. Like, hey. This is a fake photo or this is a fake video.
And our response is that's the exact wrong solution for two reasons. Number one is when you dig into the technology, there is a bit of an arms race between detection and detection avoidance or synthesis. Right? So one person's detector is the great training agent for the next person who's building the next generator, right, the next synthesizer.
So and you can see this, right, when detections come out, then their detection rate will be high, then it'll fall pretty quickly. The second argument is a little bit more about, like, use. If we really believe AI is around the corner, and we should because it is. By the way, did you know I don't speak English?
This is real time AI. I don't actually look like this. I actually have red hair and a tail, but I'm using AI. Right?
I didn't wanna tell you guys, but I'm actually a porcupine. So Right? Look at how great it looks.
I mean So what does it even mean to detect the presence of AI when there are all these valid use cases that we know are coming that are gonna be helpful in things like customer service, customer support, human interaction?
So a better question is where is this content coming from? Who authorized the production of the content? What's the strength of trust of the identity behind that? And we believe that's answerable by device bound hardware backed identity.
We can get into a lot more of what that means in a little bit. The other thread is I'm not necessarily defending myself against an AI adversary. I'm using AI. And what kind of vulnerabilities does this now expose me to that I may not be used to?
And what we're actually finding is AI is not necessarily introducing new vulnerabilities. It's taking existing vulnerabilities and expanding their surface area by an order of multiple magnitudes.
And so we think there's similar solutions to, like, solving that problem around device bound hardware backed identity. What you need to do is you need to give your agents identity. You need to actually string that back to your users. Like, your user authorizes an agent for a period of time with permissions.
Those both should actually be certified. Those both should be cryptographically related. Those both should be tracked even if an agent lives like a firefly kinda comes and it goes away. So we I'd say we break it into those two buckets, tools the adversary is gonna use and then tools the developer is gonna use.
And, you know, our mission is how do we enable the business? How do we make it possible to go fast and build with AI without, you know, expanding the universe of vulnerabilities that we know good and well of, like credential expansion, like data leakage, like injection?
Yeah. You know, and this is maybe it's good to review kind of the core of your technology, you know, being cryptographic hardware connected to identity. So talk a little bit about how this is better and different than the passwords we're so used to.
Sure.
What matters the most in terms of security to the typical person listening to this audience is probably their money. It's their bank.
It's how they make payments.
When you pay with a modern credit card, when you pay with Apple Pay, when you pay with a mobile phone, you're not using a password action. What you're using is you're using single device, multifactor authentication that's based on a hardware backed device bound credential. The merchant over Bluetooth sends a receipt or a bill to your phone or your credit card if you're using tap and pay. Your credit card or your phone then looks at that bill and prompts you, hey, Brian, do you wanna sign this?
And if you say yes, it's gonna say smile or it's gonna ask for a PIN. That's your second factor. It's gonna ascribe a hash of that factor to the bill. And then it's going to use a key in that enclave on that phone or in that credit card to essentially sign over the bill and that second factor.
And because that key is hardware bound, that becomes your first factor, your possession. That is then transmitted wirelessly back to the merchant, and the merchant can use that to clear a monetary transaction later on in that day.
That key cannot be stolen digitally. It's physically locked in that enclave. It's never in the general purpose memory of your phone.
This is what it means to be device bound and hardware backed.
The finance industry and the mobile payments industry worked all of this out over the last ten years. And because the CPU manufacturers don't want to build specialized chips, we all now get this capability for free. Every laptop you buy has this. Every drone you buy has this. Every mobile device you buy has this capability.
They're generally only being used, at least until we showed up, for mobile payments or things like Secure Boot, Microsoft Secure Boot. We take advantage of that hardware to create a unique key that represents you on that device, and we can use a signature from that key to prove possession. Just like the mobile payments example, we can use a biometric or a local PIN as a second factor.
And, you know, just like when you get on an airplane, you have to prove you're the right person and you're safe enough to be on the airplane. Right? No guns, no knives, no bombs.
We will also ascribe or append to that bill the security posture of your device in that moment. Are you safe enough for the data that you're actually asking for? So in that moment, what I've just described, it's a little bit technical, but their credential never moves, right? And eighty percent of all security incidents today are based on credential movement or the exploitation on credentials that can move, whether they're password, whether they're your TOTP tokens, QR codes, etcetera. We eliminate that movement. We drastically reduce that surface area. And that's kinda how, at least at a high level, we break that initial attack chain.
Well, when you say, are you safe enough? Do you do you have a knife in your pocket? Like, is that like a score? Is that a range? How do you kind of determine that?
So we have a policy engine that really lets customers kind of draw their own risk profile. Right? So for instance, we have a customer who they're a retail organization.
They use this in their purchasing app. They're mostly concerned with ATO. And so they've written policy rules that basically say, give me some proof this device isn't jailbroken, and that's all I want you to do.
We have some other customers that let's call them national security customers. And they wanna understand that their specific EDR of choice, CrowdStrike or SentinelOne, is running. They wanna know that it's running with the right rules. They wanna know every process that ever asked for authentication. They wanna know what loader loaded the process into memory, from what executable, was the executable signed, was it signed by an OEM that's actually on their secure SBOM.
So, you know, you can really dial the knob up or down. It's very customer dependent. And, like, it's kind of one of our philosophies is we wanna put the controls in front of the customer, and it's kind of on them to decide what risk is acceptable in what facet of their business.
Sure. Is the risk profile, the more or the less risk tolerant you are, the more obnoxious it is to actually get the passwords to go through?
Is that kind of like to simplify Yes. Dramatically?
Yes. No. So there's definitely a way to probe the user. Right? So for instance, you can ask for continuous user verification in the policy engine, and that would pop back to the user every time it happened.
We do see customers use that for like highly sensitive operations. So imagine an SRE or DevOps engineer who works in a critical data center. You don't really want them to have long lived session timers. You really do want them.
It's okay for them to pay for friction. And in that scenario, we also have them do what's called double device authentication. So they'll pop a YubiKey in as well. And so they're proving off a signature of the laptop and a signature of the YubiKey and doing the posture.
But all of the posture checks that I've mentioned don't actually have to interact with the end user. They can actually occur silently. So that's kind of one of the keys is most businesses don't feel the need to actually stick their fingers in their workers' eyes for a security reason if they can verify the controls they expect are running on the device and the device is behaving in the way they expect.
Yep.
Cool. Josh, how about you guys? How are you utilizing? It sounds like there's kind of some like variability in here with the tools to kind of serve a lot of different customers' needs.
How are kind of you using Beyond Identity with
So got our start with it actually because of a requirement for our cybersecurity insurance.
You know, every year, I felt that crazy long questionnaire.
And when we got it back one year, they said, hey, you got to make sure you're doing MFA on all these access points. And the big, of course, hassle factor with MFA is that, you know, pulling out your phone every fifteen minutes to press something or enter a code or click Okay or whatever that might be. And we, as a hotel operator, we work with several major brands. And so like Marriott Hilton, IHG, and Hyatt, they all have their own MFA that they use to access their system. So, we're already exposed. So, our typical users, at least in our corporate office, might have three or four authenticators that they're using just with their brands based on whatever they need for that identity.
And then if they're on the finance side, every single bank has their own little aspect of it. Think one user I counted up, had fifteen different MFAs that they had to keep track of, which is just crazy. And so I'm just like, well, anytime we add something to like our operation, especially for like a line level folks, we need to try and make it as easy as possible. Otherwise, it's going to create more of a challenge for them than we want. And so we were really looking for a solution that could be as frictionless as possible. And we'd actually gone down the path with another vendor was we're ready to sign and then that kind of fell apart at the end due to some changes that they had on their end. And we came across Beyond Identity, I'm not sure how we missed them in the first RFP go around, but we're glad we did and they spun something up really quick.
And we'd said, hey, this would be a great fit for our users because we have nontechnical frontline workers that need to log into things and we're coming from an industry that's historically behind. We actually well, I can tell you this now because I think everybody's over it, but until like two years ago, there was generic credentials out on pretty much any brand. You could probably go to if you had worked in that hotel, you'd probably go behind the front desk and log in. But they've gotten rid of that because they realized like, hey, it's important to, you know, everyone should have their own login.
But it's just still a password based login type of aspect. So, we were looking for that solution to do that. So, how we've used it is it is a little bit of a lift, but we use it across for all of our users.
Once we get them enrolled, once we get over that hump, then it's a seamless experience for them. They pop up, they're logged in on their workstation, they put it in, they're logged in, they have what they need from the brand side. Now on the Brandt side, whoever that franchise partner is, you know, they still have to use their username and password and go through the MFA with that. But on the Brandt side, once we've gotten them enrolled with that passkey on that device, they're golden, like, literally until we replace the device or they replace their device, their phone sometimes people forget to. You know, it's bound to the actual device itself, so you can't just rely on a backup to restore it. You got to actually put that passkey on a new phone.
And that's why, like, what we've really found the most useful of it is these line level folks who are not technical can have this incredible level of security that usually is reserved for much more structured positions.
It sounds like the app kind of changed management then just kind of lands on Apple because everybody's used to like double clicking the side and they can like scan things.
So they're using their phone, you know, in a way that's native and
Yeah. For us, you know, a lot of it, we use shared workstations. So, you know, at a reception desk of a hotel, you know, once they've got that if they go through the effort of putting that passkey on that device, they don't even have to use their phone, you know, as long as they've logged in that pin code that they create is their second factor with the device that we know that they should be using. And so they're just in. But yes, they can use their we do allow the I think it's called roaming authentication where they can scan a QR code on their mobile phone where they've got the passkey embedded there and log in as well.
Well, okay. I'm totally getting it. Thanks for that. Now, what's interesting is that like when Sam Altman launched agent mode for ChatGPT, like the first use case he had was like, book my hotel for my trip to Las Vegas.
And it just went in there and filled out everything and did all the passwords and boom, boom, boom. And it booked him a room. Now maybe you guys did like I did as I went to do that, and he couldn't pass captchas. He couldn't get past security.
Is there a world in particularly if we're talking about, like, kind of device bound agentic solutions that Beyond Identity fits into this modality where I built my agent, my personal secretary agent to book my accommodations and my flight, and it can actually use my device bound authenticator to get it to go all the way through?
So I would say, so there's a couple of things you wanna break that down in.
Number one is we are actually working on what we call agentic identity.
And we actually have some POVs of it occurring right now. And the idea is the agent is gonna have its own identity. And when a user, like in your example, goes to authorize an agent, what's actually happening under the hood, imagine a blockchain for a minute. You have a user who authenticates and proves that they're the right person on the right device. And in a business scenario, maybe also you're concerned with their posture. Maybe in a consumer scenario, you're not.
The agent, you wanna know what agent it is running on what device with what posture. And those two vectors become linked, cryptographically linked, because you're really wanting to say this user on this device with this posture authorizes this agent on this device with this posture with these permissions for a period of time to go off and to go do something of interest.
And so we're actually, we have a couple POVs of this happening right now. And the problem that this is trying to solve is how do I actually have evidence? How do I have audit of exactly what happened after the fact? Because agents are like fireflies. They come and they go. They disappear like that. And there's a lot of valid reasons for that.
You always wanna be able to reconstruct who authorized it on what behalf to actually do what.
The other part of the conversation is reaching out to a site and doing something on their behalf. That either requires something called password vaulting if the site doesn't really participate, right? You don't really wanna be putting your passwords into agents.
And I get it all sorts of reasons why this, but like at a high level analogy, if you think back to like computer architecture, you know, there's this classic lesson that you learned that you don't mix control and data. If you think back to compilers, there's this classic lesson of no language can analyze itself. That's why you have a type language or a kind language. If you look at networking, there's always a control layer versus a data layer. It's a separation of responsibilities.
When we build agents, those separation of control and data kind of get muddled. When you think about a template that a lot of agents are working from, that template kind of mixes, hey, here's some data and here's what I want you to do with it.
Or it ends up getting mixed in the context window of the model itself.
And so like, this is kind of fundamentally where the problem arises, where it just becomes really, really hard to know, am I bringing in data that can actually inject control?
Do I have data that can leak out of the context through some other query? If the context is long lived and I can't actually track user authorizations into the agent, then short of guardrails, it's very, very hard to control that sort of leakage. So I need to be careful. I could go forever on this topic. Number one, it's a fascinating set of technical problems. But if I were to back up a little bit, you need to give your agents identity.
If you can, you need to actually latch that into your identity and you need to employ policy to try and separate those two things out and really understand data flow for the purposes of data leakage and injection.
We're very close to that. In fact, I would say there's, at least in the enterprise world, there's working examples of that already, at least with us. On the consumer side, I think it gets a little bit more certainly possible, but mysterious when you consider the security aspects.
Very important time to kind of go over that right now, especially where we're at right now because I think a lot of organizations, even big organizations have said, oh my gosh. We've got n8n subscriptions for everybody and Zapier subscriptions for everybody. Figure out how we can make agents to make everything better. We don't wanna get left behind when truly kind of the security measures and, like, the data policies are just kinda out the window.
And so now they're kinda backing up. It'd be like, wait. Wait. Wait. What are people doing now?
So Yeah. So they're maybe now they're like, well, we spent a hundred and fifty two hours building these agents. Are we getting anything out of them? So people are like reexamining.
Like, this is kind of the backside of that agentic, you know, pendulum that swung eight weeks ago, which is fascinating. And largely, something that you said, actually, I wanted to dive into a little bit more, which is they're like fireflies. They pop in and they pop out, and you have to give them identity. Now I think some of this, just the word that was adapted for them, agents.
And then they're like, oh, see, you have an employee agent. See, it has a face and it has a voice, and so you kinda personify this computer software that like, oh, it's like a robot in the computer. But truly, is it anything? Is it a thing?
Or is it just a firefly that pops in? It's there for a minute, and then it's gone, and then it's like, okay. Well, whose responsibility or responsible for the actions of that agent?
Ultimately, it's the company that built it. I think that answer is very clear.
But but yeah. So what is an agent?
I would say A, this is a topic that a bunch of people will debate. I'll tell you what I think it is.
I think of an agent almost as like think of it as an executable, right? It's clearly running on a different type of operating system, right?
And it's running on different type of hardware. So when you think about agents, agents are using LLMs to manage a context window, to try and manage the manipulation of data with the ejection of control.
If an LLM wasn't trained on your data, you've got to bring data to it to do anything of interest, right?
And so the way you bring data to the LLM is obviously you can tell it in the prompt. You can inject it through legacy services. You can inject it through RAG searches. You can inject it through MCP services.
You quickly get to limitations when you're building these sorts of things. But like everything I just described, you could see metaphors or parallels in computing, right? So like think of computer architecture. I have registers.
I have reservation stations. I have ALUs and comparators and these sorts of things. And when you think about how you build agents and the substrate that executes these agents, it's similar but different. And so I do wonder if there are parallels to be drawn from it.
But when we say you want to give an agent identity, what we really mean is an instance of a class of an agent has to be uniquely identifiable even when that instance is dead and long removed. You need to be able to attribute what models was it using, what legacy services was it using, what MCP services was it using? What RAG services was it using? On what device was it running?
And what was the security posture of the device? Those all come together in what we call the agent's identity vector. And of course, we want that to be sealed under this thing called an attestation. So it's tamper evident, as in if someone were to try and change the record in the future, it would be obvious that they tried to change the record.
And the other thing is an agent is always acting on behalf of someone. In your consumer example, it was acting on behalf of Altman.
But in a lot of the scenarios that I think are probably more near, at least for my customers, it's acting on behalf of really that customer, not necessarily any individual person. It may be acting on behalf of that customer's customer for a moment in time.
And so you have to be able to track that relationship so that you can understand permissions and potential permissions violations. And really, the permissions of the data as it flows through that kind of messy ecosystem, which is the agent ecosystem.
Weird times.
You didn't see any of this coming when you started this company? Like, okay. We gotta create identity for agents. We have to define what an agent is, and we gotta make sure there's some accountability and record of what it did before it pops out of existence. Pretty crazy.
Some of it, yes. Some of it, no. When we started this company, we knew we wanted to really solve some hardcore security problems in a way that was highly usable, which is kind of the hallmark of what security products are not. Right? Security products usually slow organizations down. And so we anticipated automated workloads. We anticipated running on unattended machines.
We anticipated kind of cross domain signings, like kinda like that dual vector I described of the user and the agent.
We absolutely did not anticipate an agent in the current, you know, sense of agentic AI.
No, that's just been the fun of the last few years, right?
Totally. You guys have seen absolute explosive growth.
Was that something you foresaw in the beginning? Twenty twenty, you're like, oh, triple, triple, double, double? Or what do you attribute the kind of massive growth you guys have experienced?
Well, no one ever starts a startup thinking they're going to fail.
Right?
Especially when you start a startup with somebody like TJ or Jim Clark or whatnot. These guys are famous for, what was it? I think the first company talk, Jim showed up and gave his idea of helping us up was to tell Netscape stories. And he's like, my first year, we did fifty million dollars in revenue. In my second year, we did two fifty million dollars in revenue. In my third year, we did half a billion in revenue. And we IPO'd at month eighteen.
So there's your targets.
So I mean, clearly Jim captured a moment in time that was special. But like, I do think we are at an interesting moment in time right now with what's happening with, you know, the big world of capital A and capital I and then of course the small world of just helping organizations move into that space with their eyes open around security problems, right? Not expanding that surface area, but also not slowing down development.
Yeah.
Yeah. Cool. And congrats for all that success. But we're looking at the future, you know?
What's gonna be more important? A passkey or my Social Security number?
A passkey, clearly. Look.
The government's always gonna want to track you, and so you're always gonna have identifying numbers, whether it's that employee ID or whatnot.
But in terms of the importance of kind of like device bound, so passkey is an interesting proxy. A lot of people, that name will stick in people's brains. The technical jargon, if you stick your face under the water, is device bound attestation. And that's a way to kind of prove that it's a person's kind of logical asset on a very specific targeted device.
Most of us I'd say most of the world right now just thinks of passkeys as helping a person log into Google or log into Amazon. But as we move into this world of agentics, as we move into this world of mimicry, as we see the AI slop, understanding the provenance of data is going to be incredibly important. When I say provenance, I mean things, the equivalent of like watermark. Now, watermarks are really easy to remove, right?
So we're not talking about solving the problems of pulling a provenance off. We're talking about the provenance of putting things on. So how do I know this data came from this person on this device? Well, let's drill in more.
How do I know this data came from the actual camera sensor on this device? How do I know it wasn't actually molested in some way by an insider at the certificate authority before they issued my certificate?
So this concept of data provenance, I think, is gonna become much more important given everything that's happening in the world of AI. And device bound attestation or what a passkey does, I think is gonna move from just being about humans and automated accounts to almost be about anything that produces data. So you can almost always track things back to their point of origin. And I think some of this is validated when you actually look at the big silicon manufacturers and what capabilities they're starting to bake into their devices.
It's almost impossible to buy consumer grade electronics today without a hardware enclave, which is how you do this device bound attestation.
And, you know, we're already seeing people call out this concept of molested data in terms of, so ACME. ACME is a protocol for certificate enrollment. And very clearly in the opening lines of ACME, it's like, look, we can't trust TLS for our security properties because the way tools are built today, TLS is not end to end. It's from your computer to your company's proxy.
It's from that proxy to Cloudflare CDN. It's from Cloudflare CDN to Amazon's application layer load balancer. It's from that load balancer to maybe you have a service mesh controller in your Kubernetes cluster. Then it gets unraveled again across some sort of message broker, and maybe it ends up at some microservice or some monolithic service that's actually gonna reply to it.
All those hot points I just mentioned have your secrets in data, right? Most of those hot points are probably not managed by your engineers. They're probably managed by Cloudflare, Akamai, Amazon, F5 Networks, right?
We've all read the news. We all know all of those companies have had security incidents of one shape or another, F5 being the most recent.
So yeah, provenance of data and not relying on, or realizing that you kind of have to build your security at a layer above transport or TLS. I think that's coming. I think that's coming fast.
Passkeys will enable it, but essentially you're, you know, the camera on your phone's gonna have a passkey. The microphone on your phone's gonna have a passkey. Anything that generates data is gonna have some way of attesting to the provenance of that data.
Just a matter of time if we're thinking about data creation, you know, as the technology gets closer to us, AirPods, you know, wearable glasses, AR, Neuralink, it's like getting inside of us. Right? So, like, the cameras will be our eyes. The microphone will be our mouth, you know, speakers. So I guess the speakers would be your mouth, the microphone would be your ear, I don't know.
But I guess the point is, like, twenty years from now, is Beyond Identity a hardware company that does implants on infants? Just, like, sets them up for authentication?
So one of our founders has already taken that step, and he actually has enclaves in his body.
No kidding. No, true statement. He can open doors and do other things with a wave of his hand.
He's going full Jedi.
Look, security space is full of interesting people, the startup space is full of interesting people.
When you combine those two, you get boundary pushers. And yeah, look, I have no idea what the world's gonna look like in twenty years. It's hard to think about what the world's gonna look like in five years, but we can certainly see patterns, right? We can see human brain interfaces already, right?
We can see, so let's think about Neuralink for a minute. I'm just spitballing. I don't know these people. I've never talked to the company.
But I could absolutely believe that data provenance from some sort of human implant is very, very important from a security perspective, whether it's a neural interface or think about any other sort of diagnostic capability.
How do I know this came from this person? How do I know it wasn't manipulated or doctored in some way?
We know a huge part of the criminal element, right, as it was demonstrated over the last three years, doesn't care about the general health and safety of the world, right, especially if it's not their locale, right? We've seen those emergency rooms get shut down. We saw these things get shut down. If ransomware could start encrypting medical data, could start essentially testing the veracity of where did this thing come from pay up, or I'm not actually going to reveal the origin. Like, there's a lot more crazy scenarios in front of us than behind us, which is again why I think provenance of data is probably going to become a first class thought in any data producing platform.
That's encouraging.
Yeah. If you're fans of, what is it?
The Expanse, Snow Crash, all of these dystopian science fiction novels, it turns out they're probably pretty accurate at least on the problems of the future that we will end up facing.
But the good news is there are solutions to these problems, right? Like you can't actually attribute the provenance of information.
I mean, actually, I guess the biggest good news that at least Beyond Identity has to say is if a credential doesn't move, it can't be stolen. And if you use a hardware backed device bound credential, it literally cannot move. It's never in memory.
Totally. Now that we're sufficiently terrified of our robot overlords coming for us. Yeah. Who would be in the best position? Who are the best customers right now for Beyond Identity? Is it like an early stage startup or is it dependent on kind of the provenance of the data and the security of the data? Who are the best customers and who should definitely be considering this right now?
Well, from a technical perspective, the best customers for us are people who already have an identity system.
If you don't have an identity system of record, you probably shouldn't start with us.
The typical deployment of our product, we plug into your identity stack and we help defend your organization. We don't displace your identity stack.
We have put a lot of tooling in place to make that as easy as possible.
Some new things that Josh, unfortunately, you didn't get to experience as a longtime customer. But, yeah, auto enrollment through an MDM is actually being demoed now.
But from a business perspective, it's really anyone who wants to eliminate eighty percent of their SOC incidents. Right? If you follow the average by whether it's CrowdStrike's threat report, Mandiant's threat report, or Verizon DBIR's threat report, eighty percent of the incidents that are hitting your organization are identity related, and we stop them.
Amazing.
Cool. And Josh, I mean, you guys seem pretty forward acting. At least you could identify some of these problems early on and take steps to remediate against them. Like, what are the next twelve, twenty four months? What's big in security in IT for hospitality?
Well, I think for us, we're just trying, like, I mean, I'm speaking first just for Brandt, like what our goals are is just really to get that adoption level up because it is a little bit of a lift, you know, to get it's a mind shift of like, hey, you know, you get a new employee, we have a lot of line level employees that kind of there's turnover that happens in our industry.
And, you know, so people come in and they're not used to using it, like a device bound passkey like this. It's a little bit of a mind shift for them. Same thing with, like, leaders to get them, like, on board, like, we're opening a new hotel, like, Hey, we don't use a password. This is how it works.
You know, it's kind of like, we just recently opened a hotel in Denver area. And I remember the GM or the agent, one of them was like, Wow, this is really great. Like, it's like auto magic. Like, once they're enrolled, you know, it just worked.
But then when they got over to the Brandt side and stuff, like, Hey, how do I get this to work, you know, on this utility? I'm like, Oh, I'm sorry, that can't work because it's not a Brandt application. That's like our partner's application from the brand.
And so unfortunately, like, there's no way that you can use our passkey to authenticate into their system. So I would if I had a wish list of what I could control outside of Brandt, I would love for some of these organizations, especially like in the franchise model where we're working with a brand that's providing, you know, a lot of resources on internet, their applications and all of that that they're developing and working on and they're making secure.
But the thing is, they're using their own identity structure. It'd be really great if there was, in the future, a way that we could create some kind of trust model where, like, hey, Brandt Hospitality Group uses Beyond Identity, this is our IDP, so we can trust automatically, you know, those things that are happening on the Brandt level so that we could integrate that in. Like, that would be a phenomenal win for us because things are changing so fast and it is hard to keep up when you've got one way of doing something in one way and we're trying to be a little bit more forward thinking with the device bound passkey, but then we have a Brandt partner that's still using, you know, Duo push or I mean, not to pick on Duo, but, you know, a push or, you know, you got to get, you know, put this app on and pick this character or whatever it is.
It would be great if there was some kind of convergence that could happen so that we could use trust, you know, in between our different identity structures to allow that to happen.
So, I think I diverged a little bit from your main question as far as, like, what our security things are in the next twelve, twenty four months, but really to sum it up is just we're trying to really hone in on that Beyond Identity passkey and making sure that all of our applications that we use do support like single sign on through SAML or OIDC or something like that so that we know that when they are logging in, they're authenticating against that passkey and not with a legacy password. And I think that's the biggest challenge that we face is as we're working with vendors from a large, you know, vendors that have been around for twenty years and are legacy platforms that they're trying to modernize.
And then there's new vendors that are coming up and like, hey, we've got this great solution to solve this new problem, you know, that you're dealing with in hospitality. And then we ask like, do you support, like, you know, how does your identity structure work? And they don't support single sign on or have any mechanisms for us to integrate that into our passkey. Well, that's kind of it's getting to a point where now we're like, get that fixed first before you come talk to us because we're not interested in adding another password to our folks after we've finally done the work of eradicating them across all of these applications that we use.
Totally. You're like, dude, we're injecting your credentials subcutaneously.
We're Yeah.
Well, hopefully in the future now. If we don't start out doing that during open enrollment, that would be a little bit deterrent probably in our world.
You never know. People catch on. The you just gotta get a couple influencers doing it, then everybody's doing it. I tell you I mean, just if we're talking about, like, I got a Nissan Ariya, you know, which is an electric car and they're so cool.
They're like spaceships. Just if I have my keys on me and I walk by it, it like blinks at me and says hi. So a lot of this like device location stuff, it's like if I could put that into my hand, it would be great. And then I can just wave my hand and remember Kit from Knight Rider?
Now I could just talk to my car and it could come find me. We're getting closer and closer.
Jasson?
A paradigm shift that has to happen with people. Everyone's so used to the idea of like, Hey, I started a company, this is my username, and this is my password. And the idea that now you get a passkey and it's bound to something, it's a mental shift. I was just going through North Dakota; that's where my driver's license was issued.
They just got the mobile driver's license deployed, like, I think October first. So I was super excited about that, signed up right away. And I was excited to try it at the TSA because I know that they, you know, have those fancy readers now. So I'm at the Fargo airport and they've got it and I go online and I see they've got their signed digital ID and I'm all excited to give it a try.
And I'm like the guy's like, Driver's license? And I'm like, Oh, I've got it on my phone. He's like, No, driver's license. I'm like, But your sign.
I'm like, But I didn't want to argue with TSA because that's, like, worse than carrying a bomb. And so I just gave him my driver's license. And it was early in the morning, and there was a flight crew in front of me. So they went in, and one of them got random.
And of course, that defaults to you if you're the next in the TSA pre check line. So I'm the guy who's like swabbing my shoes, just said, Hey, can I ask you a question? And I just asked him, I said, Hey, saw you guys have that sign. I have the, you know, we just got the mobile driver's license, but it sounds like your system doesn't actually support it yet?
Was a little bit, you know, like, What's the story there?
And then the supervisor overheard and she's like, oh, she said, actually, we do have it. I just don't think anyone's ever come through with it yet. And so, like, they'd been trained on it, but they didn't really know how it worked.
They'd maybe, like, seen it, but nobody's actually ever tried it yet.
And she said, Do you mind going back and testing it? I'm like, Well, I just finally got through. I don't really want to do this all over again. And she No, no, I'll escort you.
So she took me back there and the guy has a super long line, I'm sure they were annoyed too. Like, why is this guy back again? But like we did it and it literally took like two seconds and the guy's like, Oh, that's amazing. You know, the on like the TSA agent who was doing the ID checks, he liked it because it made his life so much faster and more efficient.
But like his mind, he was still so trained to be like, Hey, no phones. I need the ID because that's just what it is. And I think that's just a small glimpse of the change that's going to happen. I think people just have to get used to the idea of like, your phone is no longer I mean, I don't know how to say this properly, but that secure enclave that now exists in these electronic devices where you can store these cryptographic information solves so many problems.
But there's such a mindset with people because of before, we issued unsecured things and bad stuff happened if you went on your bank on your phone or you put in your, like, Social Security number on your phone, you know, like in an unsecured way. And so there has to be this mental shift of like, hey, this is the way the world's trending and this is how we do it. So how do we use the proper syntax and, like, training to kind of help people through that transition?
Because, like, it is a total shift of how they've done things.
So you guys, this has been great. I really appreciate the time. I know we're slim for time right now. I wanna give a couple of shout outs to some charitable organizations that you guys support to make sure that we're giving them some love.
I wanna give a shout out to stone wood n y dot org, which is a first harvest food pantry. So it looks like it's making sure that food pantries are stocked with local harvests, which looks really cool. Also shout out to vetdogs dot org, which are service dogs for veterans. I come from a Marine family and veterans are near and dear to my heart.
So definitely, you know, service. Who doesn't want a golden retriever or any kind of a Labrador at that point? You know what I mean? So like definitely shout out to them for taking care of our vets and then Safe House Project, which is sex trafficking detection training, a survivor led training designed to empower you to spot, report, and prevent sex trafficking where you live or work.
So shout out to those organizations. Gentlemen, I really appreciate the time. Thank you so much.
Hey, founders. Let me ask you this. Are you building with AI or getting left behind by it? If you're serious about scaling smarter, faster, and bolder, you need to check out AI for Founders dot co.
It's your go to resource for cutting through the noise and actually using AI to grow your startup. Each week, AI for Founders drops a sharp, no fluff newsletter, dives deep with expert guests on the podcast, and hosts monthly workshops where you can get your hands dirty with the real tools and strategies. Whether you're Preseed or Series B and beyond, launching something new or just staying sharp, AI for Founders gives you the edge you need to win in twenty twenty five and beyond. Hit AI for Founders dot co to subscribe to the newsletter, tune into the podcast, and grab your spot in the next workshop.
And it's all free. Build smarter, move faster, think bolder with AI for founders. Now back to the show.
TL;DR
Full Transcript
Welcome back to AI for Founders. I'm Ryan Estes. There's a war raging online, not between hackers and corporations, but between humans and machines pretending to be human. Passwords are failing, deepfakes are rising, and identity itself is up for grabs.
Today on AI for Founders, I'm talking with two experts on the frontlines. Jasson, CEO of Beyond Identity, a cybersecurity company backed by over two hundred million dollars to make passwords obsolete. And Josh from Brandt Hospitality Group, who's deploying this kind of tech in real world, high turnover environments where security meets simplicity. We're diving into how AI impersonation is forcing a total rethink of authentication, not just proving who you are, but proving who's really acting when code agents and AI systems start making decisions for all of us.
If you're a founder building an AI, SaaS, or cybersecurity, or just tired of MFA nightmares, this one's for you. You'll learn how to future proof your identity systems, give your AI agents their own digital passport, and maybe even glimpse what happens when your credentials live under your skin. Now don't just listen, upgrade your intelligence feed. Subscribe to the AI for Founders newsletter at AI for founders dot co.
This is weekly drops of founder frameworks, big AI insights, and behind the scenes tools we don't share anywhere else. It's where the smartest founders come to sharpen their edge. Sign up, forward it to your smartest friend, and pretend it was your idea all along. And if this episode makes you think differently about identity, leave us a review.
Give us five stars if you'd let your AI clone manage your inbox. This episode is brought to you by Kitcaster, the podcast booking agency trusted by over eight hundred founders and counting. Kitcaster helps you get booked on the top podcasts that reach your ideal audience Without the cold emails, the back and forth scheduling, or the guesswork, you show up, share your story, and build real influence in your industry. Whether you're fundraising, hiring, or scaling your brand, podcast interviews are one of the fastest ways to drive awareness, build trust, and close deals.
I've seen it firsthand. Founders we work with have landed partnership, raised millions, and created massive growth just by showing up on the right shows. Ready to get booked? Head over to Kitcaster dot com and apply today.
That's Kitcaster by Moberst.
Hey, everybody. You know what's crazy? I've been sitting on a gold mine this entire time and I didn't even know it. My Gmail inbox, literally thousands of warm contacts who already know and trust me.
But here's the problem every founder faces. How do you turn those relationships into revenue without feeling like a sleazy salesperson? That's exactly why I've been using Warmstar dot ai. And honestly, it's been a game changer for my business.
This AI platform connects your email, analyzes all your existing contacts, and helps you identify who in your network might actually be interested in what you're doing. Then it writes personalized outreach messages that don't sound robotic or pushy. The best part? You review every single message before it goes out.
No spray and pray nonsense. This is relationship based selling done right. My listeners know I only recommend tools I actually use, and Warm Start has literally helped me reconnect with people I'd lost touch with and turn those conversations into real business opportunities. If you're a founder struggling with outreach, check out warmstar dot ai and use code AIFF to get fifty dollars off your first month.
Trust me, your existing network is worth way more than you think.
Alright. Welcome back, everybody. We're about to have a great conversation about personal identity, AI, and a lot of other different topics. I'm really excited.
We've got Jasson today and Josh. Jasson is with Beyond Identity. Josh is with Brandt Hospitality Group, and what we're gonna be talking about is Beyond Identity to get going. Now this is a cybersecurity company founded in twenty nineteen with a mission to eliminate passwords, thank god, and make authentication truly phishing proof.
Now their technology binds user identity directly to a device using cryptographic keys, removing the weakest link in modern security, the password. Plus, I mean, we've all gotta be just absolutely beat to death with two factor authentication and all the passwords we've gotta remember. It's a mess. So they're backed by over two hundred million in funding and trusted by global enterprises beyond identity as redefining what Zero Trust really means in a world where identity is the new perimeter.
Welcome to the show, guys.
Thanks for having us.
You bet. Now let's get into the AI conversation first. And the one thing I was particularly interested in talking to you guys about is kind of we were talking about agentic support and everybody kinda feels like they need to have some kind of agentic plan. But now you're starting to see agentic tools basically increasingly impersonate humans intentionally. So either that's clone voices and synthetic identities, and we there's deep fake opportunities, but also just the ability to, like, do captchas and and perform tasks on our behalf. So just really interested in Beyond Identity's approach to basically extend to proving who is acting and how that will become more relevant as these agentic solutions that we're all building become more and more sophisticated.
So that's very simple short question with a very long and deep response.
I'll try and give you the menu version and we can choose our own adventure. You bet.
So the first thing is I would say there's the AI enabled adversary. And what is the AI enabled adversary to do?
And so we think about the AI enabled adversary, we're thinking of the ability to really kind of mimic victims, mimic targets, right, in voice, in speech, in writing, in appearance.
And so we have a line of use cases that we call reality check. And so the idea of that is how do you defend against the AI enabled adversary? And if we pull that thread just a little bit on mimicry, you'll start to think, well, wait a minute. I have seen a lot of products recently about detecting AI. Like, hey. This is a fake photo or this is a fake video.
And our response is that's the exact wrong solution for two reasons. Number one is when you dig into the technology, there is a bit of an arms race between detection and detection avoidance or synthesis. Right? So one person's detector is a great is the great training agent for the next person who's building the next generator, right, the next synthesizer.
So and you can see this, right, when detections come out, then their rate will be their detection rate will be high, then it'll fall pretty quickly. The second argument is a little bit more about, like, use. If we really believe AI is around the corner, and we should because it is. By the way, did you know I don't speak English?
I I this is real time AI. I don't actually look like this. I'm actually I actually have red hair and a tail, but I'm using AI. Right?
I I didn't wanna tell you guys, but I'm actually a porcupine. So Right? Look at how great it looks.
I mean So what does it even mean to detect the presence of AI when there are all these valid use cases that we know are coming that are gonna be helpful in things like customer service, customer support, human interaction?
So a better question is where is this content coming from? Who authorized the production of the content? What's the strength of trust of the identity behind that? And we believe that's answerable by device bound hardware backed identity.
We can get into a lot more of what that means in a little bit. The other thread is I'm not necessarily defending myself against an AI adversary. I'm using AI. And what kind of vulnerabilities does this now expose me to that I may not be used to?
And what we're actually finding is AI is not necessarily introducing new vulnerabilities. It's taking existing vulnerabilities and expanding their surface area by an order of multiple magnitudes.
And and so we think there's similar solutions to, like, solving that problem around device bound hardware backed identity. What you need to do is you need to give your agent's identity. You need to actually string that back to your users. Like, your user authorizes an agent for a period of time with permissions.
Those both should actually be certified. Those both should be cryptographically related. Those both should be tracked even if an agent lives like a firefly kinda comes and it goes away. So we I'd say we break it into those two buckets, tools the adversary is gonna use and then tools the developer is gonna use.
And, you know, our mission is how do we enable the business? How do we make it possible to go fast and build with AI without, you know, expanding the universe of vulnerabilities that we know good and well of, like credential expansion, like data leakage, like injection?
Yeah. You you know, and this is maybe it's good to review kind of the the core of your technology, you know, being cryptographic hardware connected to identity. So talk a little bit about how this is better and different than the passwords we're so used to.
Sure.
What matters the most in terms of security to the typical person listening to this audience is probably their money. It's their bank.
It's how they make payments.
When you pay with a modern credit card, when you pay with Apple Pay, when you pay with a mobile phone, you're not using a password action. What you're using is you're using single device, multifactor authentication that's based on a hardware backed device bound credential. The merchant over Bluetooth sends a receipt or a bill to your phone or your credit card if you're using tap and pay. Your credit card or your phone then looks at that bill and prompts you, hey, Brian, do you wanna sign this?
And if you say yes, gonna say smile or it's gonna ask for a PIN. That's your second factor. It's gonna ascribe a hash of that factor to the bill. And then it's going to use a key in that enclave on that phone or in that credit card to essentially sign over the bill and that second factor.
And because that key is hardware bound, that becomes your first factor, your possession. That is then transmitted wirelessly back to the merchant, and the merchant can use that to clear a monetary transaction later on in that day.
That key cannot be stolen digitally. It's physically locked in that enclave. It's never in the general purpose memory of your phone.
This is what it means to be device bound and hardware backed.
The finance industry and the mobile payments industry worked all of this out over the last ten years. And because the CPU manufacturers don't want to build specialized chips, we all now get this capability for free. Every laptop you buy has this. Every drone you buy has this. Every mobile device you buy has this capability.
They're generally only being used, at least until we showed up, for mobile payments or things like Secure Boot, Microsoft Secure Boot. We take advantage of that hardware to create a unique key that represents you on that device, and we can use a signature from that key to prove possession. Just like the mobile payments example, we can use a biometric or a local PIN as a second factor.
And, you know, just like when you get on an airplane, you have to prove you're the right person and you're safe enough to be on the airplane. Right? No guns, no knives, no bombs.
We will also ascribe or append to that bill the security posture of your device in that moment. Are you safe enough for the data that you're actually asking for? So in that moment, what I've just described, it's a little bit technical, but their credential never moves, right? And eighty percent of all security incidents today are based on credential movement or the exploitation on credentials that can move, whether they're password, whether they're your TOTP tokens, QR codes, etcetera. We eliminate that movement. We drastically reduce that surface area. And and that's kinda how, at least at a high level, we break that initial attack chain.
Well, when you say, are you safe enough? Do you do you have a knife in your pocket? Like, is that like a score? Is that a range? How do you kind of determine that?
So we have a policy engine that really lets customers kind of draw their own risk profile. Right? So for instance, we have a customer who they're a retail organization.
They use this in their purchasing app. They're mostly concerned with ATO. And so they've written policy rules that basically say, give me some proof this device isn't jailbroken, and that's all I want you to do.
We have some other customers that let's call them national security customers. And they wanna understand that their specific EDR of choice, CrowdStrike or SentinelOne, is running. They wanna know that it's running with the right rules. They wanna know every process that ever asked for authentication. They wanna know what loader loaded the process into memory, from what executable, was the executable signed, was it signed by an OEM that's actually on their secure SBOM.
So, you know, you can really dial the knob up or down. It's very customer dependent. And, like, it's kind of one of our philosophies is we wanna put the controls in front of the customer, and it's kind of on them to decide what risk is acceptable in what facet of their business.
Sure. Is the risk profile, the more, or the less risk tolerant you are, the more obnoxious it is to actually get the passwords to go through?
Is that kind of like to simplify Yes. Dramatically?
Yes. No. So there's definitely a way to probe the user. Right? So for instance, you can ask for continuous user verification in the policy engine, and that would pop back to the user every time it happened.
We do see customers use that for like highly sensitive operations. So imagine an SRE or DevOps engineer who works in a critical data center. You don't really want them to have long lived session timers. You really do want them.
It's okay for them to pay for friction. And in that scenario, we also have them do what's called double device authentication. So they'll pop a YubiKey in as well. And so they're proving off a signature of the laptop and a signature of the YubiKey and doing the posture.
But all of the posture checks that I've mentioned don't actually have to interact with the end user. They can actually occur silently. So that's kind of one of the keys is most businesses don't feel the need to actually stick their fingers in their workers' eyes for a security reason if they can verify the controls they expect are running on the device and the device is behaving in the way they expect.
Yep.
Cool. Josh, how about you guys? How are you utilizing? It sounds like there's kind of some like variability in here with the tools to kind of serve a lot of different customers' needs.
How are you kind of using Beyond Identity with
So got our start with it actually because of a requirement for our cybersecurity insurance.
You know, every year, I fill out that crazy long questionnaire.
And when we got it back one year, they said, hey, you got to make sure you're doing MFA on all these access points. And the big, of course, hassle factor with MFA is that, you know, pulling out your phone every fifteen minutes to press something or enter a code or click Okay or whatever that might be. And we, as a hotel operator, we work with several major brands. And so like Marriott, Hilton, IHG, and Hyatt, they all have their own MFA that they use to access their system. So, we're already exposed. So, our typical users, at least in our corporate office, might have three or four authenticators that they're using just with their brands based on whatever they need for that identity.
And then if they're on the finance side, every single bank has their own little aspect of it. I think one user I counted up had fifteen different MFAs that they had to keep track of, which is just crazy. And so I'm just like, well, anytime we add something to like our operation, especially for like line level folks, we need to try and make it as easy as possible. Otherwise, it's going to create more of a challenge for them than we want. And so we were really looking for a solution that could be as frictionless as possible. And we'd actually gone down the path with another vendor, we were ready to sign, and then that kind of fell apart at the end due to some changes that they had on their end. And we came across Beyond Identity, I'm not sure how we missed them in the first RFP go around, but we're glad we did and they spun something up really quick.
And we'd said, hey, this would be a great fit for our users because we have nontechnical frontline workers that need to log into things and we're coming from an industry that's historically behind. We actually well, I can tell you this now because I think everybody's over it, but until like two years ago, there was generic credentials out on pretty much any brand. You could probably go to if you had worked in that hotel, you'd probably go behind the front desk and log in. But they've gotten rid of that because they realized like, hey, it's important to, you know, everyone should have their own login.
But it's just still a password based login type of aspect. So, we were looking for that solution to do that. So, how we've used it is it is a little bit of a lift, but we use it across for all of our users.
Once we get them enrolled, once we get over that hump, then it's a seamless experience for them. They pop up, they're logged in on their workstation, they put it in, they're logged in, they have what they need from the brand side. Now on the brand side, whoever that franchise partner is, you know, they still have to use their username and password and go through the MFA with that. But on the Brandt side, once we've gotten them enrolled with that passkey on that device, they're golden, like, literally until we replace the device or they replace their device, their phone sometimes people forget to. You know, it's bound to the actual device itself, so you can't just rely on a backup to restore it. You got to actually put that passkey on a new phone.
And that's why, like, what we've really found the most useful of it is these line level folks who are not technical can have this incredible level of security that usually is reserved for much more structured positions.
It sounds like the app kind of changed management then just kind of lands on Apple because everybody's used to like double clicking the side and they can like scan things.
So they're using their phone, you know, in a way that's native and
Yeah. For us, you know, a lot of it, we use shared workstations. So, you know, at a reception desk of a hotel, you know, once they've got that, if they go through the effort of putting that passkey on that device, they don't even have to use their phone, you know, as long as they've logged in, that pin code that they create is their second factor with the device that we know that they should be using. And so they're just in. But yes, they can use their, we do allow the, I think it's called roaming authentication, where they can scan a QR code on their mobile phone where they've got the passkey embedded there and log in as well.
Well, okay. I'm totally getting it. Thanks for that. Now, what's interesting is that like when Sam Altman launched agent mode for ChatGPT, like the first use case he had was like, book my hotel for my trip to Las Vegas.
And it just went in there and filled out everything and did all the passwords and boom, boom, boom. And it booked him a room. Now maybe you guys did like I did as I went to do that, and he couldn't pass captchas. He couldn't get past security.
Is there a world, particularly if we're talking about, like, kind of device bound agentic solutions, that Beyond Identity fits into this modality where I built my agent, my personal secretary agent to book my accommodations and my flight, and it can actually use my device bound authenticator to get it to go all the way through?
So I would say, so there's a couple of things you wanna break that down in.
Number one is we are actually working on what we call agentic identity.
And we actually have some POVs of it occurring right now. And the idea is the agent is gonna have its own identity. And when a user, like in your example, goes to authorize an agent, what's actually happening under the hood, imagine a blockchain for a minute. You have a user who authenticates and proves that they're the right person on the right device. And in a business scenario, maybe also you're concerned with their posture. Maybe in a consumer scenario, you're not.
The agent, you wanna know what agent it is running on what device with what posture. And those two vectors become linked, cryptographically linked, because you're really wanting to say this user on this device with this posture authorizes this agent on this device with this posture with these permissions for a period of time to go off and to go do something of interest.
And so we're actually, we have a couple POVs of this happening right now. And the problem that this is trying to solve is how do I actually have evidence? How do I have audit of exactly what happened after the fact? Because agents are like fireflies. They come and they go. They disappear like that. And there's a lot of valid reasons for that.
You always wanna be able to reconstruct who authorized it on what behalf to actually do what.
The other part of the conversation is reaching out to a site and doing something on their behalf. That either requires something called password vaulting if the site doesn't really participate, right? You don't really wanna be putting your passwords into agents.
And I get it all sorts of reasons why this, but like at a high level analogy, if you think back to like computer architecture, you know, there's this classic lesson that you learned that you don't mix control and data. If you think back to compilers, there's this classic lesson of no language can analyze itself. That's why you have a type language or a kind language. If you look at networking, there's always a control layer versus a data layer. It's a separation of responsibilities.
When we build agents, those separation of control and data kind of get muddled. When you think about a template that a lot of agents are working from, that template kind of mixes, hey, here's some data and here's what I want you to do with it.
Or it ends up getting mixed in the context window of the model itself.
And so like, this is kind of fundamentally where the problem arises, where it just becomes really, really hard to know, am I bringing in data that can actually inject control?
Do I have data that can leak out of the context through some other query? If the context is long lived and I can't actually track user authorizations into the agent, then short of guardrails, it's very, very hard to control that sort of leakage. So I need to be careful. I could go forever on this topic. Number one, it's a fascinating set of technical problems. But if I were to back up a little bit, you need to give your agents identity.
If you can, you need to actually latch that into your identity and you need to employ policy to try and separate those two things out and really understand data flow for the purposes of data leakage and injection.
We're very close to that. In fact, I would say there's, at least in the enterprise world, there's working examples of that already, at least with us. On the consumer side, I think it gets a little bit more certainly possible, but mysterious when you consider the security aspects.
Very important time to kind of go over that right now, especially where we're at right now because I think a lot of organizations, even big organizations have said, oh my gosh. We've got n8n subscriptions for everybody and Zapier subscriptions for everybody. Figure out how we can make agents to make everything better. We don't wanna get left behind when truly kind of the security measures and, like, the data policies are just kinda out the window.
And so now they're kinda backing up. It'd be like, wait. Wait. Wait. What are people doing now?
So Yeah. So maybe now they're like, well, we spent a hundred and fifty two hours building these agents. Are we getting anything out of them? So people are like reexamining.
Like, this is kind of the backside of that agentic, you know, pendulum that swung eight weeks ago, which is fascinating. And largely, something that you said, actually, I wanted to dive into a little bit more, which is they're like fireflies. They pop in and they pop out, and you have to give them identity. Now I think some of this, just the word that was adapted for them, agents.
And then they're like, oh, see, you have an employee agent. See, it has a face and it has a voice, and so you kinda personify this computer software that like, oh, it's like a robot in the computer. But truly, is it anything? Is it a thing?
Or is it just a firefly that pops in? It's there for a minute, and then it's gone, and then it's like, okay. Well, whose responsibility or responsible for the actions of that agent?
Ultimately, it's the company that built it. I think that answer is very clear.
But but yeah. So what is an agent?
I would say A, this is a topic that a bunch of people will debate. I'll tell you what I think it is.
I think of an agent almost as like think of it as an executable, right? It's clearly running on a different type of operating system, right?
And it's running on a different type of hardware. So when you think about agents, agents are using LLMs to manage a context window, to try and manage the manipulation of data with the injection of control.
If an LLM wasn't trained on your data, you've got to bring data to it to do anything of interest, right?
And so the way you bring data to the LLM is obviously you can tell it in the prompt. You can inject it through legacy services. You can inject it through rag searches. You can inject it through MCP services.
You quickly get to limitations when you're building these sorts of things. But like everything I just described, you could see metaphors or parallels in computing, right? So like think of computer architecture. I have registers.
I have reservation stations. I have ALUs and comparators and these sorts of things. And when you think about how you build agents and the substrate that executes these agents, it's similar but different. And so I do wonder if there are parallels to be drawn from it.
But when we say you want to give an agent identity, what we really mean is an instance of a class of an agent has to be uniquely identifiable even when that instance is dead and long removed. You need to be able to attribute what models was it using, what legacy services was it using, what MCP services was it using? What RAG services was it using? On what device was it running?
And what was the security posture of the device? Those all come together in what we call the agent's identity vector. And of course, we want that to be sealed under this thing called an attestation. So it's tamper evident, as in if someone were to try and change the record in the future, it would be obvious that they tried to change the record.
And the other thing is an agent is always acting on behalf of someone. In your consumer example, it was acting on behalf of Altman.
But in a lot of the scenarios that I think are probably more near, at least for my customers, it's acting on behalf of really that customer, not necessarily any individual person. It may be acting on behalf of that customer's customer for a moment in time.
And so you have to be able to track that relationship so that you can understand permissions and potential permissions violations. And really, the permissions of the data as it flows through that kind of messy ecosystem, which is the agent ecosystem.
Weird times.
You didn't see any of this coming when you started this company? Like, okay. We gotta create identity for agents. We have to define what an agent is, and we gotta make sure there's some accountability and record of what it did before it pops out of existence. Pretty crazy.
Some of it, yes. Some of it, no. When we started this company, we knew we wanted to really solve some hardcore security problems in a way that was highly usable, which is kind of the hallmark of what security products are not. Right? Security products usually slow organizations down. And so we anticipated automated workloads. We anticipated running on unattended machines.
We anticipated kind of cross domain signings, like kinda like that dual vector I described of the user and the agent.
We absolutely did not anticipate an agent in the current, you know, sense of agentic AI.
No, that's just been the fun of the last few years, right?
Totally. You guys have seen absolute explosive growth.
Was that something you foresaw in the beginning? Twenty twenty, you're like, oh, triple, triple, double, double? Or what do you attribute the kind of massive growth you guys have experienced?
Well, no one ever starts a startup thinking they're going to fail.
Right?
Especially when you start a startup with somebody like TJ or Jim Clark or whatnot. These guys are famous for, what was it? I think the first company talk, Jim showed up and gave his idea of helping us up was to tell Netscape stories. And he's like, my first year, we did fifty million dollars in revenue. In my second year, we did two fifty million dollars in revenue. In my third year, we did half a billion in revenue. And we IPO'd at month eighteen.
So there's your targets.
So I mean, clearly Jim captured a moment in time that was special. But like, I do think we are at an interesting moment in time right now with what's happening with, you know, the big world of capital A and capital I and then of course the small world of just helping organizations move into that space with their eyes open around security problems, right? Not expanding that surface area, but also not slowing down development.
Yeah.
Yeah. Cool. And congrats for all that success. But we're looking at the future, you know?
What's gonna be more important? A passkey or my Social Security number?
A passkey, clearly. Look.
The government's always gonna want to track you, and so you're always gonna have identifying numbers, whether it's that employee ID or whatnot.
But in terms of the importance of kind of like device bound, so passkey is an interesting proxy. A lot of people will, that name will stick in people's brains. The technical jargon, if you stick your face under the water, is device bound attestation. And that's a way to kind of prove that it's a person's kind of logical asset on a very specific targeted device.
Most of us, I'd say most of the world right now just thinks of passkeys as helping a person log into Google or log into Amazon. But as we move into this world of agentics, as we move into this world of mimicry, as we see the AI slop, understanding the provenance of data is going to be incredibly important. When I say provenance, I mean things, the equivalent of like watermark. Now, watermarks are really easy to remove, right?
So we're not talking about solving the problems of pulling a provenance off. We're talking about the provenance of putting things on. So how do I know this data came from this person on this device? Well, let's drill in more.
How do I know this data came from the actual camera sensor on this device? How do I know it wasn't actually molested in some way by an insider at the certificate authority before they issued my certificate?
So this concept of data provenance, I think is gonna become much more important given everything that's happening in the world of AI. And device bound attestation or what a passkey does, I think is gonna move from just being about humans and automated accounts to almost be about anything that produces data. So you can almost always track things back to their point of origin. And I think some of this is validated when you actually look at the big silicon manufacturers and what capabilities they're starting to bake into their devices.
It's almost impossible to buy consumer grade electronics today without a hardware enclave, which is how you do this device bound attestation.
And, you know, we're already seeing people call out this concept of molested data in terms of, so ACME. ACME is a protocol for certificate enrollment. And very clearly in the opening lines of ACME, it's like, look, we can't trust TLS for our security properties because the way tools are built today, TLS is not end to end. It's from your computer to your company's proxy.
It's from that proxy to Cloudflare CDN. It's from Cloudflare CDN to Amazon's application layer load balancer. It's from that load balancer to maybe you have a service mesh controller in your Kubernetes cluster. Then it gets unraveled again across some sort of message broker, and maybe it ends up at some microservice or some monolithic service that's actually gonna reply to it.
All those hot points I just mentioned have your secrets in data, right? Most of those hot points are probably not managed by your engineers. They're probably managed by Cloudflare, Akamai, Amazon, F5 Networks, right?
We've all read the news. We all know all of those companies have had security incidents of one shape or another, F5 being the most recent.
So yeah, provenance of data and not relying on, or realizing that you kind of have to build your security at a layer above transport or TLS. I think that's coming. I think that's coming fast.
Passkeys will enable it, but essentially you're, you know, the camera on your phone's gonna have a passkey. The microphone on your phone's gonna have a passkey. Anything that generates data is gonna have some way of attesting to the provenance of that data.
Just a matter of time if we're thinking about data creation, you know, as the technology gets closer to us, AirPods, you know, wearable glasses, AR, Neuralink, it's like getting inside of us. Right? So, like, the cameras will be our eyes. The microphone will be our mouth, you know, speakers. So I guess the speakers would be your mouth, the microphone would be your ear, I don't know.
But I guess the point is, like, twenty years from now, is Beyond Identity a hardware company that does implants on infants? Just like sets them up for authentication?
So one of our founders has already taken that step and he actually has enclaves in his body.
No kidding. No, true statement. He can open doors and do other things with a wave of his hand.
He's going full Jedi.
Look, security space is full of interesting people, the startup space is full of interesting people.
When you combine those two, you get boundary pushers. And yeah, look, I have no idea what the world's gonna look like in twenty years. It's hard to think about what the world's gonna look like in five years, but we can certainly see patterns, right? We can see human brain interfaces already, right?
We can see, so let's think about Neuralink for a minute. I'm just spitballing. I don't know these people. I've never talked to the company.
But I could absolutely believe that data provenance from some sort of human implant is very, very important from a security perspective, whether it's a neural interface or think about any other sort of diagnostic capability.
How do I know this came from this person? How do I know it wasn't manipulated or doctored in some way?
We know a huge part of the criminal element, right, as it was demonstrated over the last three years, doesn't care about the general health and safety of the world, right, especially if it's not their locale, right? We've seen those emergency rooms get shut down. We saw these things get shut down. If ransomware could start encrypting medical data, could start essentially testing the veracity of where did this thing come from pay up, or I'm not actually going to reveal the origin. Like, more there's a lot more crazy scenarios in front of us than in behind us, which is again why I think provenance of data is probably going to become a first class thought in any data producing platform.
That's encouraging.
Yeah. If you're fans of, what is it?
The Expanse, Snow Crash, all of these dystopian science fiction novels, it turns out they're probably pretty accurate at least on the problems of the future that we will end up facing.
But the good news is there are solutions to these problems, right? Like you can't actually attribute the provenance of information.
I mean, actually, I guess the biggest good news that at least Beyond Identity has to say is if a credential doesn't move, it can't be stolen. And if you use a hardware backed device bound credential, it literally cannot move. It's never in memory.
Totally. Now that we're sufficiently terrified of our robot overlords coming for us
Yeah.
Who would be in the best position? Who are the best customers right now for Beyond Identity? Is it like an early stage startup or is it dependent on kind of the provenance of the data and the security of the data? Who are the best customers and who should definitely be considering this right now?
Well, from a technical perspective, the best customers for us are people who already have an identity system.
If you don't have an identity system of record, you probably shouldn't start with us.
The typical deployment of our product, we plug into your identity stack and we help defend your organization. We don't displace your identity stack.
We have put a lot of tooling in place to make that as easy as possible.
Some new things that Josh, unfortunately, you didn't get to experience as a longtime customer. But, yeah, auto enrollment through an MDM is actually being demoed now.
But from a business perspective, it's really anyone who wants to eliminate eighty percent of their SOC incidents. Right? If you follow the average, whether it's CrowdStrike's threat report, Mandiant's threat report, or Verizon DBIR's threat report, eighty percent of the incidents that are hitting your organization are identity related, and we stop them.
Amazing.
Cool. And Josh, I mean, you guys seem pretty forward acting. At least you could identify some of these problems early on and take steps to remediate against them. Like, what are the next twelve, twenty four months? What's big in security in IT for hospitality?
Well, I think for us, we're just trying, like, I mean, I'm speaking first just for Brandt, like what our goals are is just really to get that adoption level up because it is a little bit of a lift, you know, to get, it's a mind shift of like, hey, you know, you get a new employee, we have a lot of line level employees that kind of, there's turnover that happens in our industry.
And, you know, so people come in and they're not used to using it, like a device bound passkey like this. It's a little bit of a mind shift for them. Same thing with, like, leaders to get them, like, on board, like, we're opening a new hotel, like, Hey, we don't use a password. This is how it works.
You know, it's kind of like, we just recently opened a hotel in Denver area. And I remember the GM or the agent, one of them was like, Wow, this is really great. Like, it's like auto magic. Like, once they're enrolled, you know, it just worked.
But then when they got over to the brand side and stuff, like, Hey, how do I get this to work, you know, on this utility? I'm like, Oh, I'm sorry, that can't work because it's not a Brandt application. That's like our partner's application from the brand.
And so unfortunately, like, there's no way that you can use our passkey to authenticate into their system. So I would if I had a wish list of what I could control outside of Brandt, I would love for some of these organizations, especially like in the franchise model where we're working with a brand that's providing, you know, a lot of resources on internet, their applications and all of that that they're developing and working on and they're making secure.
But the thing is, they're using their own identity structure. It'd be really great if there was, in the future, a way that we could create some kind of trust model where, like, hey, Brandt Hospitality Group uses Beyond Identity, this is our IDP, so we can trust automatically, you know, those things that are happening on the Brandt level so that we could integrate that in. Like, that would be a phenomenal win for us because things are changing so fast and it is hard to keep up when you've got one way of doing something in one way and we're trying to be a little bit more forward thinking with the device bound passkey, but then we have a brand partner that's still using, you know, Duo push or I mean, not to pick on Duo, but, you know, a push or, you know, you got to get, you know, put this app on and pick this character or whatever it is.
It would be great if there was some kind of convergence that could happen so that we could use trust, you know, in between our different identity structures to allow that to happen.
So, I think I diverged a little bit from your main question as far as, like, what our security things are in the next twelve, twenty four months, but really to sum it up is just we're trying to really hone in on that Beyond Identity passkey and making sure that all of our applications that we use do support like single sign on through SAML or OIDC or something like that so that we know that they're, when they are logging in, they're authenticating against that passkey and not with a legacy password. And I think that's the biggest challenge that we face is as we're working with vendors from a large, you know, vendors that have been around for twenty years and our legacy platforms that they're trying to modernize.
And then there's new vendors that are coming up and like, hey, we've got this great solution to solve this new problem, you know, that you're dealing with in hospitality. And then we ask like, do you support, like, you know, how does your identity structure work? And they don't support single sign on or have any mechanisms for us to integrate that into our passkey. Well, that's kind of it's getting to a point where now we're like, get that fixed first before you come talk to us because we're not interested in adding another password to our folks after we've finally done the work of eradicating them across all of these applications that we use.
Totally. You're like, dude, we're injecting your credentials subcutaneously.
We're Yeah.
Well, hopefully in the future now. If we don't start out doing that during open enrollment, that would be a little bit deterrent probably in our world.
You never know. People catch on. You just gotta get a couple influencers doing it, then everybody's doing it. I tell you, I mean, just if we're talking about, like, I got a Nissan Ariya, you know, which is an electric car and they're so cool.
They're like spaceships. Just if I have my keys on me and I walk by it, it like blinks at me and says hi. So a lot of this like device location stuff, it's like if I could put that into my hand, it would be great. And then I can just wave my hand and remember KITT from Knight Rider?
Now I could just talk to my car and it could come find me. We're getting closer and closer.
Jasson?
A paradigm shift that has to happen with people. Everyone's so used to the idea of like, Hey, I started a company, this is my username, and this is my password. And the idea that now you get a passkey and it's bound to something, it's a mental shift. I was just going through North Dakota that's where my driver's license was issued.
They just got the mobile driver's license deployed, like, I think October first. So I was super excited about that, signed up right away. And I was excited to try it at the TSA because I know that they, you know, have those fancy readers now. So I'm at the Fargo airport and they've got it and I go online and I see they've got their signed digital ID and I'm all excited to give it a try.
And the guy's like, Driver's license? And I'm like, Oh, I've got it on my phone. He's like, No, driver's license. I'm like, But your sign.
I'm like, But I didn't want to argue with TSA because that's, like, worse than carrying a bomb. And so I just gave him my driver's license. And it was early in the morning, and there was a flight crew in front of me. So they went in, and one of them got random.
And of course, that defaults to you if you're the next in the TSA pre check line. So I'm the guy who's like swabbing my shoes, just said, Hey, can I ask you a question? And I just asked him, I said, Hey, saw you guys have that sign. I have the, you know, we just got the mobile driver's license, but it sounds like your system doesn't actually support it yet?
Was a little bit, you know, like, What's the story there?
And then the supervisor overheard and she's like, oh, she said, actually, we do have it. I just don't think anyone's ever come through with it yet. And so, like, they'd been trained on it, but they didn't really know how it worked.
They'd maybe, like, seen it, but nobody's actually ever tried it yet.
And she said, Do you mind going back and testing it? I'm like, Well, I just finally got through. I don't really want to do this all over again. And she No, no, I'll escort you.
So she took me back there and the guy has a super long line, I'm sure they were annoyed too. Like, why is this guy back again? But like we did it and it literally took like two seconds and the guy's like, Oh, that's amazing. You know, the TSA agent who was doing the ID checks, he liked it because it made his life so much faster and more efficient.
But like his mind, he was still so trained to be like, Hey, no phones. I need the ID because that's just what it is. And I think that's just a small glimpse of the change that's going to happen. I think people just have to get used to the idea of like, your phone is no longer I mean, I don't know how to say this properly, but that secure enclave that now exists in these electronic devices where you can store these cryptographic information solves so many problems.
But there's such a mindset with people because of before, we issued unsecured things and bad stuff happened if you went on your bank on your phone or you put in your, like, Social Security number on your phone, you know, like in an unsecured way. And so there has to be this mental shift of like, hey, this is the way the world's trending and this is how we do it. So how do we use the proper syntax and, like, training to kind of help people through that transition?
Because, like, it is a total shift of how they've done things.
So you guys, this has been great. I really appreciate the time. I know we're slim for time right now. I wanna give a couple of shout outs to some charitable organizations that you guys support to make sure that we're giving them some love.
I wanna give a shout out to stone wood n y dot org, which is a first harvest food pantry. So it looks like it's making sure that food pantries are stocked with local harvests, which looks really cool. Also shout out to vetdogs dot org, which are service dogs for veterans. I come from a Marine family and veterans are near and dear to my heart.
So definitely, you know, service. Who doesn't want a golden retriever or any kind of a Labrador at that point? You know what I mean? So like definitely shout out to them for taking care of our vets and then Safe House Project, which is sex trafficking detection training, a survivor led training designed to empower you to spot, report, and prevent sex trafficking where you live or work.
So shout out to those organizations. Gentlemen, I really appreciate the time. Thank you so much.
Hey, founders. Let me ask you this. Are you building with AI or getting left behind by it? If you're serious about scaling smarter, faster, and bolder, you need to check out AI for Founders dot co.
It's your go to resource for cutting through the noise and actually using AI to grow your startup. Each week, AI for Founders drops a sharp, no fluff newsletter, dives deep with expert guests on the podcast, and hosts monthly workshops where you can get your hands dirty with the real tools and strategies. Whether you're Preseed or Series B and beyond, launching something new or just staying sharp, AI for Founders gives you the edge you need to win in twenty twenty five and beyond. Hit AI for Founders dot co to subscribe to the newsletter, tune into the podcast, and grab your spot in the next workshop.
And it's all free. Build smarter, move faster, think bolder with AI for founders. Now back to the show.
Hey, everybody. You know what's crazy? I've been sitting on a gold mine this entire time and I didn't even know it. My Gmail inbox, literally thousands of warm contacts who already know and trust me.
But here's the problem every founder faces. How do you turn those relationships into revenue without feeling like a sleazy salesperson? That's exactly why I've been using Warmstar dot ai. And honestly, it's been a game changer for my business.
This AI platform connects your email, analyzes all your existing contacts, and helps you identify who in your network might actually be interested in what you're doing. Then it writes personalized outreach messages that don't sound robotic or pushy. The best part? You review every single message before it goes out.
No spray and pray nonsense. This is relationship based selling done right. My listeners know I only recommend tools I actually use, and Warm Start has literally helped me reconnect with people I'd lost touch with and turn those conversations into real business opportunities. If you're a founder struggling with outreach, check out warmstar dot ai and use code AIFF to get fifty dollars off your first month.
Trust me, your existing network is worth way more than you think.
Alright. Welcome back, everybody. We're about to have a great conversation about personal identity, AI, and a lot of other different topics. I'm really excited.
We've got Jasson today and Josh. Jasson is with Beyond Identity. Josh is with Brandt Hospitality Group, and what we're gonna be talking about is Beyond Identity to get going. Now this is a cybersecurity company founded in twenty nineteen with a mission to eliminate passwords, thank god, and make authentication truly phishing proof.
Now their technology binds user identity directly to a device using cryptographic keys, removing the weakest link in modern security, the password. Plus, I mean, we've all gotta be just absolutely beat to death with two factor authentication and all the passwords we've gotta remember. It's a mess. So they're backed by over two hundred million in funding and trusted by global enterprises. Beyond Identity is redefining what Zero Trust really means in a world where identity is the new perimeter.
Welcome to the show, guys.
Thanks for having us.
You bet. Now let's get into the AI conversation first. And the one thing I was particularly interested in talking to you guys about is kind of we were talking about agentic support and everybody kinda feels like they need to have some kind of agentic plan. But now you're starting to see agentic tools basically increasingly impersonate humans intentionally. So either that's clone voices and synthetic identities, and there's deepfake opportunities, but also just the ability to, like, do captchas and perform tasks on our behalf. So just really interested in Beyond Identity's approach to basically extend to proving who is acting and how that will become more relevant as these agentic solutions that we're all building become more and more sophisticated.
So that's very simple short question with a very long and deep response.
I'll try and give you the menu version and we can choose our own adventure. You bet.
So the first thing is I would say there's the AI enabled adversary. And what is the AI enabled adversary to do?
And so we think about the AI enabled adversary, we're thinking of the ability to really kind of mimic victims, mimic targets, right, in voice, in speech, in writing, in appearance.
And so we have a line of use cases that we call reality check. And so the idea of that is how do you defend against the AI enabled adversary? And if we pull that thread just a little bit on mimicry, you'll start to think, well, wait a minute. I have seen a lot of products recently about detecting AI. Like, hey. This is a fake photo or this is a fake video.
And our response is that's the exact wrong solution for two reasons. Number one is when you dig into the technology, there is a bit of an arms race between detection and detection avoidance or synthesis. Right? So one person's detector is the great training agent for the next person who's building the next generator, right, the next synthesizer.
So and you can see this, right, when detections come out, then their detection rate will be high, then it'll fall pretty quickly. The second argument is a little bit more about, like, use. If we really believe AI is around the corner, and we should because it is. By the way, did you know I don't speak English?
This is real time AI. I don't actually look like this. I actually have red hair and a tail, but I'm using AI. Right?
I didn't wanna tell you guys, but I'm actually a porcupine. So Right? Look at how great it looks.
I mean So what does it even mean to detect the presence of AI when there are all these valid use cases that we know are coming that are gonna be helpful in things like customer service, customer support, human interaction?
So a better question is where is this content coming from? Who authorized the production of the content? What's the strength of trust of the identity behind that? And we believe that's answerable by device bound hardware backed identity.
We can get into a lot more of what that means in a little bit. The other thread is I'm not necessarily defending myself against an AI adversary. I'm using AI. And what kind of vulnerabilities does this now expose me to that I may not be used to?
And what we're actually finding is AI is not necessarily introducing new vulnerabilities. It's taking existing vulnerabilities and expanding their surface area by an order of multiple magnitudes.
And so we think there's similar solutions to, like, solving that problem around device bound hardware backed identity. What you need to do is you need to give your agents identity. You need to actually string that back to your users. Like, your user authorizes an agent for a period of time with permissions.
Those both should actually be certified. Those both should be cryptographically related. Those both should be tracked even if an agent lives like a firefly kinda comes and it goes away. So we I'd say we break it into those two buckets, tools the adversary is gonna use and then tools the developer is gonna use.
And, you know, our mission is how do we enable the business? How do we make it possible to go fast and build with AI without, you know, expanding the universe of vulnerabilities that we know good and well of, like credential expansion, like data leakage, like injection?
Yeah. You you know, and this is maybe it's good to review kind of the the core of your technology, you know, being cryptographic hardware connected to identity. So talk a little bit about how this is better and different than the passwords we're so used to.
Sure.
What matters the most in terms of security to the typical person listening to this audience is probably their money. It's their bank.
It's how they make payments.
When you pay with a modern credit card, when you pay with Apple Pay, when you pay with a mobile phone, you're not using a password action. What you're using is you're using single device, multifactor authentication that's based on a hardware backed device bound credential. The merchant over Bluetooth sends a receipt or a bill to your phone or your credit card if you're using tap and pay. Your credit card or your phone then looks at that bill and prompts you, hey, Brian, do you wanna sign this?
And if you say yes, it's gonna say smile or it's gonna ask for a PIN. That's your second factor. It's gonna ascribe a hash of that factor to the bill. And then it's going to use a key in that enclave on that phone or in that credit card to essentially sign over the bill and that second factor.
And because that key is hardware bound, that becomes your first factor, your possession. That is then transmitted wirelessly back to the merchant, and the merchant can use that to clear a monetary transaction later on in that day.
That key cannot be stolen digitally. It's physically locked in that enclave. It's never in the general purpose memory of your phone.
This is what it means to be device bound and hardware backed.
The finance industry and the mobile payments industry worked all of this out over the last ten years. And because the CPU manufacturers don't want to build specialized chips, we all now get this capability for free. Every laptop you buy has this. Every drone you buy has this. Every mobile device you buy has this capability.
They're generally only being used, at least until we showed up, for mobile payments or things like Secure Boot, Microsoft Secure Boot. We take advantage of that hardware to create a unique key that represents you on that device, and we can use a signature from that key to prove possession. Just like the mobile payments example, we can use a biometric or a local PIN as a second factor.
And, you know, just like when you get on an airplane, you have to prove you're the right person and you're safe enough to be on the airplane. Right? No guns, no knives, no bombs.
We will also ascribe or append to that bill the security posture of your device in that moment. Are you safe enough for the data that you're actually asking for? So in that moment, what I've just described, it's a little bit technical, but their credential never moves, right? And eighty percent of all security incidents today are based on credential movement or the exploitation on credentials that can move, whether they're passwords, whether they're your TOTP tokens, QR codes, etcetera. We eliminate that movement. We drastically reduce that surface area. And that's kinda how, at least at a high level, we break that initial attack chain.
Well, when you say, are you safe enough? Do you do you have a knife in your pocket? Like, is that like a score? Is that a range? How do you kind of determine that?
So we have a policy engine that really lets customers kind of draw their own risk profile. Right? So for instance, we have a customer who they're a retail organization.
They use this in their purchasing app. They're mostly concerned with ATO. And so they've written policy rules that basically say, give me some proof this device isn't jailbroken, and that's all I want you to do.
We have some other customers that let's call them national security customers. And they wanna understand that their specific EDR of choice, CrowdStrike or SentinelOne, is running. They wanna know that it's running with the right rules. They wanna know every process that ever asked for authentication. They wanna know what loader loaded the process into memory, from what executable, was the executable signed, was it signed by an OEM that's actually on their secure SBOM.
So, you know, you can really dial the knob up or down. It's very customer dependent. And, like, it's kind of one of our philosophies is we wanna put the controls in front of the customer, and it's kind of on them to to decide what risk is acceptable in what facet of their business.
This episode is brought to you by Moburst, the AI first growth engine trusted by iconic startups like Calm, Robinhood, Reddit, Uber, and Google. Moburst is a digital full service mobile first marketing agency that helps companies to scale and become category leaders. Whether you're finding product market fit or ready to accelerate growth, Moburst delivers creative, data driven solutions that help with scale and efficiency and impact. At Moburst, we're not just guessing what works, we're predicting it.
As an AI first agency, Moburst uses cutting edge tools to analyze user behavior, adapt creative in real time and uncover hidden growth opportunities. The result, marketing that's faster, smarter, and built to convert. From early stage startups to global brands, we've helped hundreds of companies overcome complex challenges, unlock new audiences, and optimize every metric that matters. At Moburst, we believe that creative thinking, advanced technology and data are the core drivers of success at scale.
If you're serious about scaling your business with precision and purpose, it's time to talk to Moburst. Visit Moburst dot com and let's build something category defining together.
Now you and I know startups aren't built in boardrooms. They're built in the wild. During three AM bug fixes, botched launches, and that one meeting where everything almost fell apart. That's what Code Story is all about. It's a podcast where tech founders break down the make or break moments behind their products. What went wrong, what went right, and what nearly wrecked everything.
Hosted by Noah Labhart, Code Story goes past the highlight reel and into the honest stuff. Late pivots, brutal bugs, and somehow coming out alive with a product people actually love. If you're in the build stage or the scale stage or the please let this feature work stage, I can relate, this show will speak to your soul. Listen to Code Story at codestory dot co or wherever you get your podcasts, just search Code Story, it'll be right at the top.
Because great startups aren't born, they're forged one hard moment at a time. CodeStory dot co.
Sure. Is the risk profile, the more, or the less risk tolerant you are, the more obnoxious it is to actually get the passwords to go through?
Is that kind of like to simplify Yes. Dramatically?
Yes. No. So there's definitely a way to probe the user. Right? So for instance, you can ask for continuous user verification in the policy engine, and that would pop back to the user every time it happened.
We do see customers use that for like highly sensitive operations. So imagine an SRE or DevOps engineer who works in a critical data center. You don't really want them to have long lived session timers. You really do want them.
It's okay for them to pay for friction. And in that scenario, we also have them do what's called double device authentication. So they'll pop a YubiKey in as well. And so they're proving off a signature of the laptop and a signature of the YubiKey and doing the posture.
But all of the posture checks that I've mentioned don't actually have to interact with the end user. They can actually occur silently. So that's kind of one of the keys is most businesses don't feel the need to actually stick their fingers in their workers' eyes for a security reason if they can verify the controls they expect are running on the device and the device is behaving in the way they expect.
Yep.
Cool. Josh, how about you guys? How are you utilizing? It sounds like there's kind of some like variability in here with the tools to kind of serve a lot of different customers' needs.
How are you kind of using Beyond Identity with
So we got our start with it actually because of a requirement for our cybersecurity insurance.
You know, every year, I fill out that crazy long questionnaire.
And when we got it back one year, they said, hey, you got to make sure you're doing MFA on all these access points. And the big, of course, hassle factor with MFA is that, you know, pulling out your phone every fifteen minutes to press something or enter a code or click Okay or whatever that might be. And we, as a hotel operator, we work with several major brands. And so like Marriott, Hilton, IHG, and Hyatt, they all have their own MFA that they use to access their system. So, we're already exposed. So, our typical users, at least in our corporate office, might have three or four authenticators that they're using just with their brands based on whatever they need for that identity.
And then if they're on the finance side, every single bank has their own little aspect of it. I think one user, I counted up, had fifteen different MFAs that they had to keep track of, which is just crazy. And so I'm just like, well, anytime we add something to like our operation, especially for like line level folks, we need to try and make it as easy as possible. Otherwise, it's going to create more of a challenge for them than we want. And so we were really looking for a solution that could be as frictionless as possible. And we'd actually gone down the path with another vendor, we were ready to sign and then that kind of fell apart at the end due to some changes that they had on their end. And we came across Beyond Identity, I'm not sure how we missed them in the first RFP go around, but we're glad we did and they spun something up really quick.
And we'd said, hey, this would be a great fit for our users because we have nontechnical frontline workers that need to log into things and we're coming from an industry that's historically behind. We actually well, I can tell you this now because I think everybody's over it, but until like two years ago, there was generic credentials out on pretty much any brand. You could probably go to if you had worked in that hotel, you'd probably go behind the front desk and log in. But they've gotten rid of that because they realized like, hey, it's important to, you know, everyone should have their own login.
But it's just still a password based login type of aspect. So, we were looking for that solution to do that. So, how we've used it is it is a little bit of a lift, but we use it across for all of our users.
Once we get them enrolled, once we get over that hump, then it's a seamless experience for them. They pop up, they're logged in on their workstation, they put it in, they're logged in, they have what they need from the brand side. Now on the Brandt side, whoever that franchise partner is, you know, they still have to use their username and password and go through the MFA with that. But on the Brandt side, once we've gotten them enrolled with that passkey on that device, they're golden, like, literally until we replace the device or they replace their device, their phone, sometimes people forget to. You know, it's bound to the actual device itself, so you can't just rely on a backup to restore it. You got to actually put that passkey on a new phone.
And that's why, like, what we've really found the most useful of it is these line level folks who are not technical can have this incredible level of security that usually is reserved for much more structured positions.
It sounds like the app kind of change management then just kind of lands on Apple because everybody's used to like double clicking the side and they can like scan things.
So they're using their phone, you know, in a way that's native and Yeah.
For us, you know, a lot of it, we use shared workstations. So, you know, at a reception desk of a hotel, you know, once they've got that, if they go through the effort of putting that passkey on that device, they don't even have to use their phone, you know, as long as they've logged in, that pin code that they create is their second factor with the device that we know that they should be using. And so they're just in. But yes, they can use their, we do allow the, I think it's called roaming authentication where they can scan a QR code on their mobile phone where they've got the passkey embedded there and log in as well.
Well, okay. I'm totally getting it. Thanks for that. Now, what's interesting is that like when Sam Altman launched agent mode for ChatGPT, like the first use case he had was like, book my hotel for my trip to Las Vegas.
And it just went in there and filled out everything and did all the passwords and boom, boom, boom. And it booked him a room. Now maybe you guys did like I did as I went to do that, and he couldn't pass captchas. He couldn't get past security.
Is there a world in particularly if we're talking about, like, kind of device bound agentic solutions that Beyond Identity fits into this modality where I built my agent, my personal secretary agent to book my accommodations and my flight, and it can actually use my device bound authenticator to get it to go all the way through?
So I would say, so there's a couple of things you wanna break that down in.
Number one is we are actually working on what we call agentic identity.
And we actually have some POVs of it occurring right now. And the idea is the agent is gonna have its own identity. And when a user, like in your example, goes to authorize an agent, what's actually happening under the hood, imagine a blockchain for a minute. You have a user who authenticates and proves that they're the right person on the right device. And in a business scenario, maybe also you're concerned with their posture. Maybe in a consumer scenario, you're not.
The agent, you wanna know what agent it is running on what device with what posture. And those two vectors become linked, cryptographically linked, because you're really wanting to say this user on this device with this posture authorizes this agent on this device with this posture with these permissions for a period of time to go off and to go do something of interest.
And so we're actually, we have a couple POVs of this happening right now. And the problem that this is trying to solve is how do I actually have evidence? How do I have audit of exactly what happened after the fact? Because agents are like fireflies. They come and they go. They disappear like that. And there's a lot of valid reasons for that.
You always wanna be able to reconstruct who authorized it on what behalf to actually do what.
The other part of the conversation is reaching out to a site and doing something on their behalf. That either requires something called password vaulting if the site doesn't really participate, right? You don't really wanna be putting your passwords into agents.
And I get it all sorts of reasons why this, but like at a high level analogy, if you think back to like computer architecture, you know, there's this classic lesson that you learned that you don't mix control and data. If you think back to compilers, there's this classic lesson of no language can analyze itself. That's why you have a type language or a kind language. If you look at networking, there's always a control layer versus a data layer. It's a separation of responsibilities.
When we build agents, those separation of control and data kind of get muddled. When you think about a template that a lot of agents are working from, that template kind of mixes, hey, here's some data and here's what I want you to do with it.
Or it ends up getting mixed in the context window of the model itself.
And so like, this is kind of fundamentally where the problem arises, where it just becomes really, really hard to know, am I bringing in data that can actually inject control?
Do I have data that can leak out of the context through some other query? If the context is long lived and I can't actually track user authorizations into the agent, then short of guardrails, it's very, very hard to control that sort of leakage. So I need to be careful. I could go forever on this topic. Number one, it's a fascinating set of technical problems. But if I were to back up a little bit, you need to give your agents identity.
If you can, you need to actually latch that into your identity and you need to employ policy to try and separate those two things out and really understand data flow for the purposes of data leakage and injection.
We're very close to that. In fact, I would say there's, at least in the enterprise world, there's working examples of that already, at least with us. On the consumer side, I think it gets a little bit more certainly possible, but mysterious when you consider the security aspects.
Very important time to kind of go over that right now, especially where we're at right now because I think a lot of organizations, even big organizations have said, oh my gosh. We've got n8n subscriptions for everybody and Zapier subscriptions for everybody. Figure out how we can make agents to make everything better. We don't wanna get left behind when truly kind of the security measures and, like, the data policies are just kinda out the window.
And so now they're kinda backing up. It'd be like, wait. Wait. Wait. What are people doing now?
So yeah. So maybe now they're like, well, we spent a hundred and fifty two hours building these agents. Are we getting anything out of them? So people are like reexamining.
Like, this is kind of the backside of that agentic, you know, pendulum that swung eight weeks ago, which is fascinating. And largely, something that you said, actually, I wanted to dive into a little bit more, which is they're like fireflies. They pop in and they pop out, and you have to give them identity. Now I think some of this, just the word that was adapted for them, agents.
And then they're like, oh, see, you have an employee agent. See, it has a face and it has a voice, and so you kinda personify this computer software that like, oh, it's like a robot in the computer. But truly, is it anything? Is it a thing?
Or is it just a firefly that pops in? It's there for a minute, and then it's gone, and then it's like, okay. Well, whose responsibility, or who's responsible, for the actions of that agent?
Ultimately, it's the company that built it. I think that answer is very clear.
But yeah. So what is an agent?
I would say A, this is a topic that a bunch of people will debate. I'll tell you what I think it is.
I think of an agent almost as like think of it as an executable, right? It's clearly running on a different type of operating system, right?
And it's running on a different type of hardware. So when you think about agents, agents are using LLMs to manage a context window, to try and manage the manipulation of data with the injection of control.
If an LLM wasn't trained on your data, you've got to bring data to it to do anything of interest, right?
And so the way you bring data to the LLM is obviously you can tell it in the prompt. You can inject it through legacy services. You can inject it through rag searches. You can inject it through MCP services.
You quickly get to limitations when you're building these sorts of things. But like everything I just described, you could see metaphors or parallels in computing, right? So like think of computer architecture. I have registers.
I have reservation stations. I have ALUs and comparators and these sorts of things. And when you think about how you build agents and the substrate that executes these agents, it's similar but different. And so I do wonder if there are parallels to be drawn from it.
But when we say you want to give an agent identity, what we really mean is an instance of a class of an agent has to be uniquely identifiable even when that instance is dead and long removed. You need to be able to attribute what models was it using, what legacy services was it using, what MCP services was it using? What RAG services was it using? On what device was it running?
And what was the security posture of the device? Those all come together in what we call the agent's identity vector. And of course, we want that to be sealed under this thing called an attestation. So it's tamper evident, as in if someone were to try and change the record in the future, it would be obvious that they tried to change the record.
And the other thing is an agent is always acting on behalf of someone. In your consumer example, it was acting on behalf of Altman.
But in a lot of the scenarios that I think are probably more near, at least for my customers, it's acting on behalf of really that customer, not necessarily any individual person. It may be acting on behalf of that customer's customer for a moment in time.
And so you have to be able to track that relationship so that you can understand permissions and potential permissions violations. And really, the permissions of the data as it flows through that kind of messy ecosystem, which is the agent ecosystem.
Weird times.
You didn't see any of this coming when you started this company? Like, okay. We gotta create identity for agents. We have to define what an agent is, and we gotta make sure there's some accountability and record of what it did before it pops out of existence. Pretty crazy.
Some of it, yes. Some of it, no. When we started this company, we knew we wanted to really solve some hardcore security problems in a way that was highly usable, which is kind of the hallmark of what security products are not. Right? Security products usually slow organizations down. And so we anticipated automated workloads. We anticipated running on unattended machines.
We anticipated kind of cross domain signings, like kinda like that dual vector I described of the user and the agent.
We absolutely did not anticipate an agent in the current, you know, sense of agentic AI.
No, that's just been the fun of the last few years, right?
Totally. You guys have seen absolute explosive growth.
Was that something you foresaw in the beginning? Twenty twenty, you're like, oh, triple, triple, double, double? Or what do you attribute the kind of massive growth you guys have experienced?
Well, no one ever starts a startup thinking they're going to fail.
Right?
Especially when you start a startup with somebody like TJ or Jim Clark or whatnot. These guys are famous for, what was it? I think the first company talk, Jim showed up and gave his idea of helping us up was to tell Netscape stories. And he's like, my first year, we did fifty million dollars in revenue. In my second year, we did two fifty million dollars in revenue. In my third year, we did half a billion in revenue. And we IPO'd at month eighteen.
So there's your targets.
So I mean, clearly Jim captured a moment in time that was special. But like, I do think we are at an interesting moment in time right now with what's happening with, you know, the big world of capital A and capital I and then of course the small world of just helping organizations move into that space with their eyes open around security problems, right? Not expanding that surface area, but also not slowing down development.
Yeah.
Yeah. Cool. And congrats for all that success. But we're looking at the future, You know?
What's gonna be more important? A passkey or my Social Security number?
A passkey, clearly. Look.
The government's always gonna want to track you, and so you're always gonna have identifying numbers, whether it's that employee ID or whatnot.
But in terms of the importance of kind of like device bound, so passkey is an interesting proxy. A lot of people will, that name will stick in people's brains. The technical jargon, if you stick your face under the water, is device bound attestation. And that's a way to kind of prove that it's a person's kind of logical asset on a very specific targeted device.
Most of us, I'd say most of the world right now just thinks of passkeys as helping a person log into Google or log into Amazon. But as we move into this world of agentics, as we move into this world of mimicry, as we see the AI slop, understanding the provenance of data is going to be incredibly important. When I say provenance, I mean things, the equivalent of like watermark. Now, watermarks are really easy to remove, right?
So we're not talking about solving the problems of pulling a provenance off. We're talking about the provenance of putting things on. So how do I know this data came from this person on this device? Well, let's drill in more.
How do I know this data came from the actual camera sensor on this device? How do I know it wasn't actually molested in some way by an insider at the certificate authority before they issued my certificate?
So this concept of data provenance, I think is gonna become much more important given everything that's happening in the world of AI. And device bound attestation or what a passkey does, I think is gonna move from just being about humans and automated accounts to almost be about anything that produces data. So you can almost always track things back to their point of origin. And I think some of this is validated when you actually look at the big silicon manufacturers and what capabilities they're starting to bake into their devices.
It's almost impossible to buy consumer grade electronics today without a hardware enclave, which is how you do this device bound attestation.
And, you know, we're already seeing people call out this concept of molested data in terms of, so ACME. ACME is a protocol for certificate enrollment. And very clearly in the opening lines of ACME, it's like, look, we can't trust TLS for our security properties because the way tools are built today, TLS is not end to end. It's from your computer to your company's proxy.
It's from that proxy to Cloudflare CDN. It's from Cloudflare CDN to Amazon's application layer load balancer. It's from that load balancer to maybe you have a service mesh controller in your Kubernetes cluster. Then it gets unraveled again across some sort of message broker, and maybe it ends up at some microservice or some monolithic service that's actually gonna reply to it.
All those hot points I just mentioned have your secrets in data, right? Most of those hot points are probably not managed by your engineers. They're probably managed by Cloudflare, Akamai, Amazon, F5 Networks, right?
We've all read the news. We all know all of those companies have had security incidents of one shape or another, F5 being the most recent.
So yeah, provenance of data and not relying on, or realizing that you kind of have to build your security at a layer above transport or TLS. I think that's coming. I think that's coming fast.
Passkeys will enable it, but essentially you're, you know, the camera on your phone's gonna have a passkey. The microphone on your phone's gonna have a passkey. Anything that generates data is gonna have some way of attesting to the provenance of that data.
Just a matter of time if we're thinking about data creation, you know, as the technology gets closer to us, AirPods, you know, wearable glasses, AR, Neuralink, it's like getting inside of us. Right? So, like, the cameras will be our eyes. The microphone will be our mouth, you know, speakers. So I guess the speakers would be your mouth, the microphone would be your ear, I don't know.
But I guess the point is, like, twenty years from now, is Beyond Identity a hardware company that does implants on infants? Just, like, sets them up for authentication?
So one of our founders has already taken that step and he actually has enclaves in his body.
No kidding. No, true statement. He can open doors and do other things with a wave of his hand.
He's going full Jedi.
Look, security space is full of interesting people, the startup space is full of interesting people.
When you combine those two, you get boundary pushers. And yeah, look, I have no idea what the world's gonna look like in twenty years. It's hard to think about what the world's gonna look like in five years, but we can certainly see patterns, right? We can see human brain interfaces already, right?
We can see, so let's think about Neuralink for a minute. I'm just spitballing. I don't know these people. I've never talked to the company.
But I could absolutely believe that data provenance from some sort of human implant is very, very important from a security perspective, whether it's a neural interface or think about any other sort of diagnostic capability.
How do I know this came from this person? How do I know it wasn't manipulated or doctored in some way?
We know a huge part of the criminal element, right, as it was demonstrated over the last three years, doesn't care about the general health and safety of the world, right, especially if it's not their locale, right? We've seen those emergency rooms get shut down. We saw these things get shut down. If ransomware could start encrypting medical data, could start essentially testing the veracity of where did this thing come from, pay up, or I'm not actually going to reveal the origin. Like, there's a lot more crazy scenarios in front of us than behind us, which is again why I think provenance of data is probably going to become a first class thought in any data producing platform.
That's encouraging.
Yeah. If you're fans of, what is it?
The Expanse, Snow Crash, all of these dystopian science fiction novels, it turns out they're probably pretty accurate at least on the problems of the future that we will end up facing.
But the good news is there are solutions to these problems, right? Like you can't actually attribute the provenance of information.
I mean, actually, I guess the biggest good news that at least Beyond Identity has to say is if a credential doesn't move, it can't be stolen. And if you use a hardware backed device bound credential, it literally cannot move. It's never in memory.
Totally. Now that we're sufficiently terrified of our robot overlords coming for us. Yeah. Who would be in the best position? Who are the best customers right now for Beyond Identity? Is it like an early stage startup or is it dependent on kind of the provenance of the data and the security of the data? Who are the best customers and who should definitely be considering this right now?
Well, from a technical perspective, the best customers for us are people who already have an identity system.
If you don't have an identity system of record, you probably shouldn't start with us.
The typical deployment of our product, we plug into your identity stack and we help defend your organization. We don't displace your identity stack.
We have put a lot of tooling in place to make that as easy as possible.
Some new things that Josh, unfortunately, you didn't get to experience as a longtime customer. But, yeah, auto enrollment through an MDM is actually being demoed now.
But from a business perspective, it's really anyone who wants to eliminate eighty percent of their SOC incidents. Right? If you follow the average, whether it's CrowdStrike's threat report, Mandiant's threat report, or Verizon DBIR's threat report, eighty percent of the incidents that are hitting your organization are identity related, and we stop them.
Amazing.
Cool. And Josh, I mean, you guys seem pretty forward acting. At least you could identify some of these problems early on and take steps to remediate against them. Like, what are the next twelve, twenty four months? What's big in security in IT for hospitality?
Well, I think for us, we're just trying, like, I mean, I'm speaking first just for Brandt, like what our goals are is just really to get that adoption level up because it is a little bit of a lift, you know, to get, it's a mind shift of like, hey, you know, you get a new employee, we have a lot of line level employees that kind of, there's turnover that happens in our industry.
And, you know, so people come in and they're not used to using it, like a device bound passkey like this. It's a little bit of a mind shift for them. Same thing with, like, leaders to get them, like, on board, like, we're opening a new hotel, like, Hey, we don't use a password. This is how it works.
You know, it's kind of like, we just recently opened a hotel in Denver area. And I remember the GM or the agent, one of them was like, Wow, this is really great. Like, it's like auto magic. Like, once they're enrolled, you know, it just worked.
But then when they got over to the brand side and stuff, like, Hey, how do I get this to work, you know, on this utility? I'm like, Oh, I'm sorry, that can't work because it's not a Brandt application. That's like our partner's application from the brand.
And so unfortunately, like, there's no way that you can use our passkey to authenticate into their system. So I would if I had a wish list of what I could control outside of Brandt, I would love for some of these organizations, especially like in the franchise model where we're working with a brand that's providing, you know, a lot of resources on internet, their applications and all of that that they're developing and working on and they're making secure.
But the thing is, they're using their own identity structure. It'd be really great if there was, in the future, a way that we could create some kind of trust model where, like, hey, Brandt Hospitality Group uses Beyond Identity, this is our IDP, so we can trust automatically, you know, those things that are happening on the Brandt level so that we could integrate that in. Like, that would be a phenomenal win for us because things are changing so fast and it is hard to keep up when you've got one way of doing something in one way and we're trying to be a little bit more forward thinking with the device bound passkey, but then we have a brand partner that's still using, you know, Duo push or I mean, not to pick on Duo, but, you know, a push or, you know, you got to get, you know, put this app on and pick this character or whatever it is.
It would be great if there was some kind of convergence that could happen so that we could use trust, you know, in between our different identity structures to allow that to happen.
So, I think I diverged a little bit from your main question as far as, like, what our security things are in the next twelve, twenty four months, but really to sum it up is just we're trying to really hone in on that Beyond Identity passkey and making sure that all of our applications that we use do support like single sign on through SAML or OIDC or something like that so that we know that when they are logging in, they're authenticating against that passkey and not with a legacy password. And I think that's the biggest challenge that we face is as we're working with vendors from a large, you know, vendors that have been around for twenty years and are legacy platforms that they're trying to modernize.
And then there's new vendors that are coming up and like, hey, we've got this great solution to solve this new problem, you know, that you're dealing with in hospitality. And then we ask like, do you support, like, you know, how does your identity structure work? And they don't support single sign on or have any mechanisms for us to integrate that into our passkey. Well, that's kind of it's getting to a point where now we're like, get that fixed first before you come talk to us because we're not interested in adding another password to our folks after we've finally done the work of eradicating them across all of these applications that we use.
Totally. You're like, dude, we're we're injecting your credentials subcutaneously.
We're Yeah.
Well, hopefully in the future now. If we don't start out doing that during open enrollment, that would be a little bit deterrent probably in our world.
You never know. People catch on. You just gotta get a couple influencers doing it, then everybody's doing it. I tell you, I mean, just if we're talking about, like, I got a Nissan Ariya, you know, which is an electric car and they're so cool.
They're like spaceships. Just if I have my keys on me and I walk by it, it like blinks at me and says hi. So a lot of this like device location stuff, it's like if I could put that into my hand, it would be great. And then I can just wave my hand and remember KITT from Knight Rider?
Now I could just talk to my car and it could come find me. We're getting closer and closer.
Jasson?
A paradigm shift that has to happen with people. Everyone's so used to the idea of like, Hey, I started a company, this is my username, and this is my password. And the idea that now you get a passkey and it's bound to something, it's a mental shift. I was just going through North Dakota, that's where my driver's license was issued.
They just got the mobile driver's license deployed, like, I think October first. So I was super excited about that, signed up right away. And I was excited to try it at the TSA because I know that they, you know, have those fancy readers now. So I'm at the Fargo airport and they've got it and I go online and I see they've got their sign, digital ID, and I'm all excited to give it a try.
And I'm like, the guy's like, Driver's license? And I'm like, Oh, I've got it on my phone. He's like, No, driver's license. I'm like, But your sign.
I'm like, But I didn't want to argue with TSA because that's, like, worse than carrying a bomb. And so I just gave him my driver's license. And it was early in the morning, and there was a flight crew in front of me. So they went in, and one of them got random.
And of course, that defaults to you if you're the next in the TSA pre check line. So I'm the guy who's like swabbing my shoes, just said, Hey, can I ask you a question? And I just asked him, I said, Hey, saw you guys have that sign. I have the, you know, we just got the mobile driver's license, but it sounds like your system doesn't actually support it yet?
Was a little bit, you know, like, What's the story there?
And then the supervisor overheard and she's like, oh, she said, actually, we do have it. I just don't think anyone's ever come through with it yet. And so, like, they'd been trained on it, but they didn't really know how it worked.
They'd maybe, like, seen it, but nobody's actually ever tried it yet.
And she said, Do you mind going back and testing it? I'm like, Well, I just finally got through. I don't really want to do this all over again. And she said, No, no, I'll escort you.
So she took me back there and the guy has a super long line, I'm sure they were annoyed too. Like, why is this guy back again? But like we did it and it literally took like two seconds and the guy's like, Oh, that's amazing. You know, like the TSA agent who was doing the ID checks, he liked it because it made his life so much faster and more efficient.
But like his mind, he was still so trained to be like, Hey, no phones. I need the ID because that's just what it is. And I think that's just a small glimpse of the change that's going to happen. I think people just have to get used to the idea of like, your phone is no longer I mean, I don't know how to say this properly, but that secure enclave that now exists in these electronic devices where you can store these cryptographic information solves so many problems.
But there's such a mindset with people because of before, we issued unsecured things and bad stuff happened if you went on your bank on your phone or you put in your, like, Social Security number on your phone, you know, like in an unsecured way. And so there has to be this mental shift of like, hey, this is the way the world's trending and this is how we do it. So how do we use the proper syntax and, like, training to kind of help people through that transition?
Because, like, it is a total shift of how they've done things.
So you guys, this has been great. I really appreciate the time. I know we're slim for time right now. I wanna give a couple of shout outs to some charitable organizations that you guys support to make sure that we're giving them some love.
I wanna give a shout out to stone wood n y dot org, which is a first harvest food pantry. So it looks like it's making sure that food pantries are stocked with local harvests, which looks really cool. Also shout out to vetdogs dot org, which are service dogs for veterans. I come from a Marine family and veterans are near and dear to my heart.
So definitely, you know, service. Who doesn't want a golden retriever or any kind of a Labrador at that point? You know what I mean? So like definitely shout out to them for taking care of our vets and then Safe House Project, which is sex trafficking detection training, a survivor led training designed to empower you to spot, report, and prevent sex trafficking where you live or work.
So shout out to those organizations. Gentlemen, I really appreciate the time. Thank you so much.
Hey, founders. Let me ask you this. Are you building with AI or getting left behind by it? If you're serious about scaling smarter, faster, and bolder, you need to check out AI for Founders dot co.
It's your go to resource for cutting through the noise and actually using AI to grow your startup. Each week, AI for Founders drops a sharp, no fluff newsletter, dives deep with expert guests on the podcast, and hosts monthly workshops where you can get your hands dirty with the real tools and strategies. Whether you're Preseed or Series B and beyond, launching something new or just staying sharp, AI for Founders gives you the edge you need to win in twenty twenty five and beyond. Hit AI for Founders dot co to subscribe to the newsletter, tune into the podcast, and grab your spot in the next workshop.
And it's all free. Build smarter, move faster, think bolder with AI for founders. Now back to the show.