Informal security chat with Beyond Identity's CTO Jasson Casey, Founding Engineer Nelson Melo, and our host Marketing Empress Reece Guida about whether or not engineers hate authentication.

Transcription

Reese

Hello, and welcome to "Hot Takes" episode five. I'm Reese, the marketing person. This is Nelson, our founding engineer, and global sales engineering guru. And that is Jasson, our CTO. And today's hot take is thus, Nelson, Jasson, I heard a rumor that engineers do not like writing authentication. Is that true? Do engineers hate authentication?

Jasson

Engineers hate a lot of things.

Nelson

That is actually true.

Jasson

What do you think, Nelson?

Nelson

Well, I actually liked writing authentication code. I was bad at it when I started, so that's probably a reason why I shouldn't have done it, but then I got a little better. I think the cryptography aspect of it was always interesting to me, that's why I kind of I wanted to get into it and learned that better.

Jasson

And that's why you and Mike probably started this all. But for the rest of the world, yeah. No. I think, you know, what do engineers hate? Meetings, gatherings without agenda, forced fun time, and working on like kind of back officey/infrastructure of their products, right?

Think about it, the identity and access and authentication layer is necessary in any product, right? Like, what product can you build, what service can you build that doesn't require some sort of user authentication and tracking? Almost nothing, right? So if you do a really good job, what good happens? Nothing. Everyone's gonna basically say, "Great. Great. Great job doing what we expect you to be able to do." If you get it wrong, what bad can happen? Well, you can kill the company. You can shut off the revenue, right? Like, there's all sorts of downside risk. There's not really any sort of upside risk, right? And that kind of defines like supporting and background or back-office sort of activities.

I do think that permeates the mindset of a lot of engineers, as well as product managers when it comes to identity and off... They view it as a kind of an all downside risk, relatively upside risk. No one's terribly excited by it, and ideally so, right?

Most people wake up outta bed, get excited to go to work to build the thing that's going to push revenue for the business, open new markets for the business, expand to new customer and user types for the business, right? And, you know, the product folks tend to talk about that as like top line, pushing revenue or just pushing, you know, the overall effectiveness of the product.

The downside risk of getting authentication wrong, not only could it be catastrophic for the product, but it's hard. It's really, really hard to implement authentication correctly that is not exploitable. And if you needed any other sort of case and example, just start reading the news about how incidents start and how incidents work. And like, according to Verizon's DBIR, 80% of cyber incidents start with valid credentials use, right? That's a really polite way of saying you're not really getting a security result out of your identity stack. An identity stack that can't give me security results isn't really a good identity stack.

So it's not easy to get right, and there's not necessarily a benefit from getting it right, but there's definitely a cost from getting it wrong, at least from the engineer's perspective. So yeah. No. It's kind of like shoveling your dog poop, you've gotta, right? It's kinda expected of you. No one's gonna congratulate you when you do it, but they are gonna look at you in a pretty bad way if you don't.

Reese

Yeah. And as a user, you also dread authentication. creating passwords, password resets, recovery flows, 2FA. I think mutually for the people who build applications and the people who use them, there's some kind of dread with authentication, and I think that pervades this problem.

So Nelson, like when you were building Beyond Identity, did you think about how crappy user experience was and how crappy it was to build it? And you were like, let's make this more fun.

Nelson

Well, it became interesting. So the thing we were doing before had a lot to do with physical access to things, and we started with a point of you can use shared secrets. You can use passwords. So I think it immediately, well, if you leave the password out, what do you have? You need something that you can put on the device that's asymmetric in nature.

So it became very naturally this thing where that's the kind of authentication you have to do now, let's work with it. But I think Mike and I and the folks that joined later at that point had very little experience using that kind of stuff, so we had to learn fast. And then it became a very self-enforcing mechanism because you're forced to do public/private keys. What else can you do on top of that? And then Jasson joined us and showed us the light on in terms of security.

Jasson

The one thing I would like to tack onto there too is like up until now, I think a lot of people share the view that the authentication stack is a dreaded experience for everyone involved, users and customers, but it doesn't necessarily have to be right.

Like, if we play off one of the things Nelson just said, or maybe a little backup and tell a story. So the other day we all were here in the office. We needed to go get lunch quick. We felt all guilty for having eaten such slobbishly the night before. I think we did like a big cookout in the kitchen and whatnot, so we all said, "Hey, let's go do salad." And so there's a popular salad joint across the street. What is it, like, Sweetgreen?

Reese

Yeah.

Jasson

And so we go down to Sweetgreen and the COVID rules are still enforced. So they're not doing any sort of in-store orders, only in store pickups. I was like, "Oh crap." So I gotta download the app. So I download the app, I go to sign up for an account, and then it tells me, "Oh, you already have an account. What's your password?" So I then try and figure out what's my password. Then I go through the password reset problem. And then I got an error, so it asked me to go back and start again from another perspective...from another point in the process. And at that point, it's like, "Screw this. I'm gonna go across the street and get a sandwich from the deli."

And I know that's trivial and like, you know, Sweetgreen losing us not buying $20 worth of salad or $30 worth of salad that day is a drop in bucket, but for retail and eCommerce companies, shopping cart abandonment is a real thing. And especially when you're looking at like really, really high transaction flows or high revenue flows, a 1% to 2% shopping cart abandonment because someone doesn't wanna go through a password reset process, which does happen often, is material to the top line.

And maybe just boiling it down even simpler, if you do take user experience into consideration of your identity stack, you can potentially actually drive top line results for the business.

Reese

In a way where the user doesn't know it's there, doesn't get annoyed by it, and a way that's easy for the engineers to build and maintain.

Nelson

Don't piss off the user.

Reese

Yeah. Also, you know, at the end of the day, a salad is a salad, so maybe it was a good thing that you couldn't log in.

Jasson

Unfortunately, my COVID-19 would disagree with you.

Reese

And you guys are engineers, how do you get people like you to care about authentication aside from the revenue aspect of it, right? What about just the sheer joy of building something, how do you tap into that with an engineer in terms of building authentication?

Jasson

You wanna shoot first?

Nelson

Oh, man. I think when I look at a product that has great APIs and is well documented and showing me something new, and I have an opportunity to learn from it, I think that's always the kind of things that I gravitate to. And hopefully, with authentication, there's a lot that folks don't know, just how to implement great MFA. That's not a great subject for anybody, and I think the market says "Hey, Okta just acquired Altera for a ton of money and still MFA is something that's not widely deployed or widely adopted by users. If you can show developers how to create a better user experience and in the meantime have them play with some fun technology, that's always fun. So, it's great.

Jasson

I would say I try to appeal to their intellectual vanity, which is a fancy way of saying like, most engineers like puzzles. They like puzzles so much you could almost think of them like cats that you could toss a ball of yarn into and they would get caught up in the ball of yarn and totally be okay with it.

Authentication, specifically authentication protocols, are really interesting puzzles for engineers. And, you know, not every engineer truly is interested in this sort of thing, but a lot of them are. And posing authentication protocols as a challenge to break as well as to reinforce against certain types of breakage or attacks can actually be exciting for a lot of folks.

And when an engineer first approaches this sort of thing, like, they tend to kind of approach it as a try and see, a cut and shoot, a very empirical approach to how does authentication protocol work? How can I break it? How can I repair it? But for the ones that do get involved and interested, there are principles and there are techniques that underlie the theory of authentication, and privacy-preserving operations, and encryption and whatnot that, you know, once you learn those principles and understand those composition rules, you can actually go faster. And rather than work against like instances of the problem, you can start working on classes of a problem which is more powerful and whatnot.

And so like, it's, yeah, an appeal to their intellectual vanity. Like, ultimately, that still has to translate into code, but someone who is motivated by the core problem itself is usually going to go the extra mile versus someone who isn't.

Reese

Yeah. So you mentioned, you know, getting them into authentication protocols. What are you guys' favorite protocols and why?

Jasson

Favorite protocols. I don't know about favorite protocols, but some of the protocols that definitely were eye-opening for me very early on in grad school, just going through things like Baxter's algorithm and Spanning Tree. And it's not really crypto-related, it's much more related to kind of networking and topology discovery and whatnot, but those almost felt like the secrets of magic and understanding how networking worked.

And so, I went from there into authentication protocols specifically. Like, different types of authentication protocols, and how do you actually exchange some private information without revealing the private information, but proving to the third party that you can actually retain the private information.

So I think like the core protocol that underlies a lot of that is either HMAC and then also like Needham-Schroeder or a resolved Needham-Schroeder protocol kinda is in the guts of how Kerberos works. And when you look at that kind of core model, that core model also plays out. Not in the authentication, but in the delegation that you can now see in protocols like OLAF and OIDC.

So there is a pretty interesting like, intellectual genealogy between a lot of these things, but, yeah. No. The fascination for me, honestly, it started with the simplest things like Spanning Tree, Dijkstra's algorithm, shortest paths, all paths, you know, kind of classic computer science type stuff.

Reese

So it's cool to know your favorite protocols, Jasson, but it sounds like I need to get you and Nelson some yarn and just let you guys go wild.

Jasson

Well, I mean, wouldn't you agree, Nelson, like, engineers like puzzles?

Nelson

Absolutely.

Jasson

Like knitting. It's cocaine for the brain. Technically, cocaine is for the brain, but you know what I mean?

Reese

Or it's just yarn. You know, but I'll see you guys next week. Thanks for this Hot Take time. See you later. If you like what you're watching, subscribe.