Listen to Richard Stiennon, chief research analyst at IT-Harvest, and Jing Gu, senior product marketing manager at Beyond Identity, discuss ustomer identity and access management, plus hitting a balance between security and customer friction.

Transcript

Richard

Hello, and welcome to this EM360 podcast. My name is Richard Stiennon, I'm chief research analyst from IT-Harvest. In today's podcast, I'll be speaking with Jing Gu, who is senior product marketing manager at Beyond Identity. We'll be talking about customer identity and access management, CIAM, plus hitting a balance between security and customer friction. Welcome, Jing.

Jing

Hi, thanks for having me here.

Richard

Yeah. Jing, give us, you know, a quick background on yourself and Beyond Identity because you're a fairly new company and launched with a fairly big splash.

Jing

We did. We did. I think we launched in the middle of the pandemic, which was definitely an interesting thing. So yeah, I lead product marketing for the passwordless customer authentication product at Beyond Identity, which coincidentally is called Secure Customers. My job ultimately at its core is to keep the pulse on the market, make sure we're building products and launching them in a way that aligns with what companies can extract value out of.

A little bit on myself. I fell into marketing absolutely by accident. But ever since then, I've been working on API SDK-based products, essentially abstracting the core of a platform's product and services into consumable software development kits or APIs that other companies can embed into their products. I think it's a pretty exciting space and Beyond Identity for our Secure Customers product is the same logic, right?

We take our core magic of passwordless authentication, abstract the complexity out of it so that implementation is easy, seamless, and embedded in other people's native mobile and web applications. That is the overview. In terms of, you know, Beyond Identity, we have a singular platform. We offer three products on top of that platform. One, you know, as I mentioned is for the customer, securing customers' use case, one is for the workforce, which was the sort of our initial product, and we also have one for securing developers and dev tech ops.

Also an interesting product, but I think we're here to talk about securing customers today, so as a long-time sufferer of passwords and not by choice, excited to just kind of chat about how we're thinking about the problem and solving it.

Richard

Cool. And let's start by differentiating between the problem of our employees' access, which is always about network access and just authenticating with the right credentials no matter where you are, but customer identity is a much bigger problem, right? You could have millions of customers and only couple of hundred employees. So what role does customer identity and access management play when it comes to actually managing all these end-user customers' activities?

Jing

Yeah, the scale is very different. A company with 1,000 employees is typically an enterprise company. A company with 1,000 end users, oh, like you might just be a startup. So the scale's very different, which means the customer authentication and access management needs to be scalable and it needs to be reliable because it turns out customer authentication is the front door to your product and touches every milestone of the customer journey.

And what I mean by that is it impacts registration, login, and recovery, all of which are connected to revenue. You know, your marketing and sales team might do a lot of work to bring a customer to your front door. And what I hear a lot from just speaking with different companies is they measure how many visitors end up on their website, end up in their product, and then they can also measure the steep drop off when they hit a registration, login, or recovery page.

In terms of business metrics, that really hits the acquisition, engagement, and retention metrics. So this is not something to be taken lightly. And I do see the market kind of shifting from, oh, authentication, that's just something, you know, Bob from engineering can build in half a day. We need to take authentication pretty seriously because it turns out customers are interacting with this every day.

And I think another key difference is unlike employees, your consumers are completely unknown identities, completely unknown devices. There's no such thing as, you know, managed devices in the CIAM space. CIAM is C-I-A-M, which is the acronym for customer identity and access management. And customers, unlike employees, are very sensitive to friction and less loyal. You know, you can force your employees to kind of do MFA hoops, which is still not best practice, but when you force customers to do that, they drop off like flies.

Richard

Yeah. I've been thinking about this a lot recently because I'm contemplating my own SaaS offering with customers. And I think back to when Twitter launched, and back then a new social media platform has to grow to a million users quickly. They had practically no login requirement at all, other than choose your handle and your password. And they didn't have any controls on what the password was, so it could be anything. Until they got to a million users and hackers started playing around with that, right?

So how do you balance between the friction from asking people to authenticate and quite often, you know, I'll just be at a site where I'm ordering some bacon, whatever and I'll put in a long password or I'll use a password generator and makes this 40-character long random thing. And they'll come back and say, sorry, you need special characters and it's just talk about friction, I could just, oh, I'm just going back to Amazon, right? So how do you balance that and still have that strong authentication?

Jing

Yeah, that's a great question. Also, I love that you have a specialized bacon ordering place.

Richard

And I'm not gonna tell you who it is because I'm worried they'll run out of their, you know...

Jing

Holding out on us. So yeah, when it comes to security and friction, I think historically, every organization has struggled with thinking about it as, you know, when we increase security, there's a necessary increase in friction. And I think at the core of that is it's not the fault of companies and it's not the fault of users, right? It's just kind of the technology that's been available to us to work with.

The technology of passwords and shared secrets kind of mandates either you have a very complex password, which is high entropy and is very difficult for the human brain to wrap around, and then you have maybe slightly better security or, you know, a weak password and weak security. And we can get into how, you know, even the strongest passwords are weak because of the nature of shared secrets, but it does put people in kind of an impossible spot.

I think the right balance starts with a shift in mindset that the authentication, the burden in authentication should not be on users. It turns out now there's technology that can be deployed that eases the user effort while increasing security. And this comes about because of developments around, you know, local user biometrics on modern devices, proven security protocols, including TLS X.509 without certificate management. And also the fact that modern devices come with secure enclaves.

These secure enclaves, TPMs, HSMs are unbreachable and is sort of very... What am I trying to say here? I'm trying to say that it is widely available in modern devices. So when these things come together, it allows organizations to move away from authentication with phishable factors and symmetric secrets. And instead towards a passwordless world where asymmetric cryptography biometrics are working in the background to identify the user, make sure the device risk profile is under the threshold of what an organization would consider high risk and make that authorization decision in a pretty dynamic risk-based way.

So, a long-winded answer, but I think it comes down to the technology that was available, you know, in the last decade really puts us in a bad position because it's always a friction security trade-off. And instead, the technology today that combines all of the functionality of modern devices and security protocols can move us closer to a future where authentication doesn't have to be the burden of users and instead can be removed onto or offloaded to devices and proven protocols.

Richard

Yeah. Let's unpack that. And to make it easy, I'll ask the question as if I'm the operator of, you know, a retail site or something, and I want people to sign up because I'm gonna get their credit card from them and make it easy for them to buy from me, what's going on behind the scenes when they click on the register now button with Beyond Identity?

Jing

Ooh, that is a good question because on the surface, it can seem very similar to established user behavior. So you're on a website, you click register now, Beyond Identity is running in the background. What we do is we have a device to identity binding process. For the end-user, it's you're gonna go check your email, you're gonna click on a link, which feels very much like a magic link deployment, but what's actually happening in the background is Beyond Identity is constructing a private key in the device's local TPM.

And that private key can never leave that device. And then sending a public key up to our cloud. So that is the asymmetric cryptography part, where you have a private and public key working together. The public key, you know, even if there's a database breach, it's only leaking information that helps...you know, that's kind of like an identifier instead of something that actually authenticates that person.

So you have the private key, you have the public key, and then even on registration, we're sending up risk signals gathered from that device. And those risk signals can include geolocation, jailbroken status, biometric enablement status, all of the things that an organization can use to make risk-based enrollment decisions. And then the user, again, coming back to the user, that's what's happening in the background, public-private key construction, then the device security posture assessment. The user clicks on the link and they're both registered and they're logged in.

For every subsequent login after that initial registration, the user just has to indicate they wanna login, whether that's opening a mobile app or clicking login on a website. Then in the background, there is the private-public key matching, the risk assessment. The user at this point remember doesn't have to pick up a second device for one-time code or push notification. They just kind of sit there, you know? The device is doing its thing. It takes less than two seconds.

I haven't measured it specifically, but it's very quick. And then they're authenticated. But again, in the background, it's very strong cryptography unphishable factors. And the company has visibility and control into...well, not control into device, but the company has visibility into device risks so they can make risk-based decisions.

Richard

Got it. What if the same user wants to access the app from their phone and their laptop, or even a public terminal later?

Jing

Okay. Yes. So that credential, the passwordless credential can be extended across any device. So one thing we see here is that credential extension where you essentially extend it to another trusted device is a higher-risk action. So, typically, you know, during deployment, companies will prompt for a biometric step up because again, this is a higher security interaction that the user is trying to do. So the user is prompted for a biometric, face ID, finger ID. Then they can essentially scan a QR code, which is also time-based and extend their credential to any device they would like.

Richard

Got it. Once you have your credentials, it seems like the login is, you know, super transparent. Do you find that your customers have to do welcome back, you know, give them some notice that they're securely logged in to reinforce that yes, we are really secure?

Jing

Yeah. Yeah. It's funny because when I first started at Beyond Identity, there was a conversation within the company about, oh, like maybe we need to put some loading screens and make the copy say something very secure, or, you know, just make the user experience look and feel secure. Because one piece of feedback we got was, "Are you doing anything?" Like, it's so seamless that people are kind of like, is anything happening?

So, yes, there's considerations around the user experience with just communicating that, hey, like, something is happening in the background and this is secure. And if you wanna learn more, here are some resources where you can go to learn more. But the login experience is very seamless. And part of the magic of, you know, SDK API-based products is that the companies that we're working with, they have control over that experience.

They can integrate our product into their product experience, maintain look and feel of authentication. And if there's any specific communications they wanna push out to their customers, if there's any in-app education they want, that can all be sort of customized to their needs.

Richard

Awesome. Now, when I was first introduced to Beyond Identity, I was rather astounded at the scope of the vision, which was literally to do away with passwords across the world. And the way I was told you were gonna do it was, you know, make it easy to sign up to use Beyond Identity, and low cost or free for small organizations. And not surprising because of one of your chairman's history with Netscape back in the day, you know, which is this take over the world and we'll figure out how to make money later. So, what should, you know, potential customers expect when they come to a pricing model?

Jing

Sure. First of all, our founders, and I think the company, in general, are not cowards. We have a vision, we wanna get rid of the password, and we're gonna do it. And pricing is part of it, right? Because if it's cost-prohibitive, then you're also putting up barriers to adoption. And passwordless, I think already it's a growing...it's rapidly growing in adoption, but I do hear some hesitancy around passwordless. We can get into that in a minute, but pricing is part of it.

So we do offer a free plan. And the intent is, you know, if you wanna build passwordless authentication, you wanna test it out, you should be able to. And then in terms of Secure Customers, we price based on active monthly usage. Sorry, I said that in the wrong order, monthly active users. So that is defined as any user that has an authentication event within a given calendar month. That could be one registration, user registers once, and then they sort of, you know, forgot about your product and that's it, that counts as one active user.

Or you can have a user that authenticates or logs in three times a day, five times a day, that still counts as one active user. It's just a user that has an authentication event in a given calendar month. And that's our pricing model.

Richard

I love that. I love that it's balanced to the eCommerce world that is willing to pay more for more active customers. No question.

Jing

Right. It's designed to, you know, remove the hurdle to adoption and also not be prohibitively expensive for scaling, right? Like, if a company scales from a million users to 10 million users, that's amazing. Like, that's really amazing. And we want to make sure that our pricing is able to scale with them and support their business growth instead of being a hamper.

Richard

Right. Right. So let's get back to the friction reduction part of it because what happens with an eCommerce site when the friction goes away, but the security stays, what kind of results have you seen with an end-user customer?

Jing

Yeah, absolutely. So when organizations can get customer authentication right, it impacts revenue. Conversely, authentication can also negatively impact revenue. And there's kind of three key domains that it happens in. It's the user experience, it's security and platform scalability. So in terms of impact, it turns out that at registration, 67% of users will drop off at account creation due to password requirements, specifically in eCommerce contexts.

And also in eCommerce, 12% of shoppers will abandon cart when they're asked to create an account before purchase. So all of those numbers represent like lost revenue. It represents users that weren't successful in extracting value out of your platform and services. So when you can implement passwordless authentication, you can reduce the drop-off. You don't have to push users through password requirements, like special characters, letters, numbers.

There's also been a company that said, you know, we're going through an audit and the auditor said to us that we need to implement breached password protection or detection. So if a password has been previously breached, prevent the user from using that password. And, you know, the CISO just kind of sat there and looked at us and was like, you know, "When the auditor said that, in my head, I was thinking that with all the breaches in the world and password reuse, we are gonna get to a place where there's no password that the user can use."

So, you know, in the long-term, removing the password also helps with a lot of these sort of breach password protection and all of the bandaids that people have to put over shared secrets. At login, you know, over half of consumers are likely to leave a site if they're required to sign in with a password, again, huge drop-off. And across all industries, 33% of customers reset their passwords at least once a month, 76% claim that they abandon their carts due to issues related to resets.

Also, if you can hear my cat being a terror in the background, I can repeat all of that. I cannot control what this king of the jungle does in my apartment and he is activated today. Okay.

Richard

Oh, give him some catnip.

Jing

Okay. He's gone. Okay. So let me just rewind a little bit. Thirty-three percent of users reset their password at least once a month, 76% claim that they have abandoned cart related to reset issues. Again, all of this lost revenue, all of these lost customers can be mitigated by passwordless authentication. And when it comes to the security aspect, trust is very much earned. It's earned over time and it's easily broken. And consumers are less trusting than ever before.

So it's critically important that fraud and breaches don't happen to your platform basically, and turns out passwords account for 80% of breaches. And then the third sort of key area where deploying passwordless authentication can help is around platform scalability. A lot of organizations build authentication on an app-to-app basis, which ends up creating data silos and the maintenance efforts for their engineering team grows exponentially with each application.

So when you can implement passwordless authentication with a platform that's able to support that, essentially abstracting authentication from individual applications, you can also make sure that your services can reliably serve all of the users that you may have and take the development effort off of engineers, right? There was another company that said to us...what did he say? He said, one of the things that scares me the most as an engineering leader is when day-to-day software engineers are owning and enrolling security protocols instead of relying on what experts have put together.

So that is kind of the third area of offloading the security, offloading reliability and scalability of authentication specifically, and pushing that onto a platform that has uptime guarantees, that is reliable, and has all of this sort of infrastructure in place already to support enterprise workloads or seasonal spikes.

Richard

Awesome. But Jing, I've got so many more questions that we will just have to do in another episode. I wanna thank you so much for your great insights on the topic of customer identity and access management. And thank you to everyone who listened to our conversation. If you would like more information on what we've discussed today, make sure you head on over to beyondidentity.com, navigate your way down through products to Secure Customers. Thanks again, Jing.