Podcast 103 | Going Passwordless with Frank Villavicencio

Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.



Protiviti Podcast Transcript
Jeff Steadman

You’re listening to the Identity at the Center podcast. This is a show that talks about identity and access management, and making sure you know who has access to what. Let’s get started. 

Welcome to the Identity at the Center podcast. I’m Jeff, and that’s Jim. I think we’ve had a lot of great conversations over the last couple of years, and we’ve brought back one of our greatest hits from the past. His name is Frank Villavicencio. He is the chief product officer with Greenshades Software. He’s also a strategic adviser for HYPR. Welcome back to the show, Frank. 

Frank Villavicencio
Thank you. Thank you, Jeff. Thank you, Jim. It’s an honor to be back.
Jeff Steadman
Thank you so much for joining us. You were back on the show in August 2020, way back in episode 59 — ancient times considering where things are at now. What’s new? What’s changed over the last several months since we last talked with you?
Frank Villavicencio

Many things, starting with I have a new job. Back then, I was at ADP, and now I’m with Greenshades. More recently, I signed up as a strategic adviser for HYPR. 

Jeff Steadman
So, you’re chief product officer with Greenshades. What does that mean? What’s that in layman’s terms, so I can understand it?
Frank Villavicencio
Greenshades focuses on HR, payroll and tax for employers. I have a very, very smart, really focused product team, and we deliver products that help HR departments process payroll and the most important things around their workforce. Our end users are accessing online, whether with mobile or web — many of them through mobile devices today. We manage all of that interaction. We obviously have to secure it — part of what we do. No matter how far you want to run from identity, you always have to solve the identity problem. 
Jeff Steadman
And then you’re also doing some work, I think, with HYPR, which is a player in the passwordless space, and we’re certainly going to talk about passwordless quite a bit. What can you tell us about the work that you’re doing with HYPR as a strategic adviser? How’d you get roped into that? 
Frank Villavicencio

We had a relationship back in the day when I was at ADP. We were exploring different options, and they came up as a promising option. So, we established a relationship back then. When I left ADP, they approached me and thought that I could play a role in helping them craft the solution, the messaging and the product capabilities around the kind of problems that I have been historically solving. So, we thought that was very synergetic, and so far, it’s been an exciting ride. 

Jim McDonald

Hey, Frank. We all knew that cows moo, right? 

Frank Villavicencio

I think, if I’m not mistaken, that was the closing remark from our last episode. I thought about how I fumbled that question, Jim, over the almost a year since. So, you remember how “Cows moo” came to be, right? This is a cliché by now, but it was — 

Jim McDonald

I do remember. You’re so known for these one-liners, but not everybody maybe heard the original episode. So, why don’t you give that story really quick? 

Frank Villavicencio

So, “Cows moo” comes from — I was at an advisory engagement with a client, and the question that we were talking about was, we failed this identity project, and we had engaged this vendor, and the vendors told us to do it this way, and then it didn’t lead to the proper outcome. To that, I said, “Well, your problem is that cows moo. A vendor is going to lead you down a path where, obviously, it will maximize the value they can provide, but that doesn’t necessarily mean that they’re going to solve the problem the way you want it solved, because you’re asking a cow to do something other than moo, and cows moo. That’s all they do.” 

Jim McDonald
I call these one-liners. I don’t even call them catchphrases, because a catchphrase is something that you say all the time. You might say these things one time and just floor everybody in the room. So, the last time we had you on, you dropped a one-liner that I’ve probably repeated more times than you, which is, “Passwords are the herpes of IAM” — this awful condition that most people, once they get it, they can’t get rid of it. Have we gotten any better? Or are we getting worse when it comes to passwords? We keep seeing all of these ransomware attacks. Ransomware attacks have been around since we got into IT. That’s been an attack vector, but it’s front page news nowadays. Is the password problem getting better, or worse? 
Frank Villavicencio

I would say worse. I think that to elevate the whole purpose of the IAM to another level, I remember, at some point, I coined this term passworditis, which I use to describe this disease that you can contract by having too much dependency and too much reliance on passwords. Common symptoms include your accounts being stolen, your password getting brute-force attacked or account stuffing, or a whole lot of password-reset calls. So, if you suffer from any of that, most likely, you have passworditis. That’s a way to think about it. 

We have a passworditis epidemic that is not getting any better. We have the technology — we have had it for a while — and what we haven’t overcome is this mind-set change that needs to happen. Even end users would prefer a passwordless option if we were to give them one, but I think we’re too attached to this password being the initial point, the default mechanism, to authenticate end users. Until we change that mind-set, I don’t think we will conquer this disease. 

The thing is, I’m very outspoken. I have been on the topic of passwordless for no less than four years. I remember Identiverse in Chicago — I think it was 2018 — my topic was “Moving to a Passwordless World.” The idea was, this is not necessarily rocket science. This is how you could get from point A to point B, and most of this is attainable. What I’m left with is this sense that people aren’t comfortable. We spend a lot of time researching end users in UX research, and the conclusion, pretty much in all cases, is that end users are OK to let go of the password if you give them another choice. That choice needs to be less frictional, for sure, and, ideally, more secure. So, you’re looking for more security and more convenience. 

There are many choices. There are many choices. You could argue in the sense of how secure they are, but I would probably say that no matter what you choose, it’s going to be more secure than the password. From a baseline perspective, you’re already assured to move up. Now, convenience, etc., you would have to research some more and offer not just one, but multiple choices that the user can pick from. The net-net is, you have to make the effort — you the deployer, you the product developer, you the technology provider, the CISO, the organization that is providing the experience to the end user. We can’t expect the end users to do this on their own. 

At some point, it was Google or Facebook that gave away two-factor authentication as an option in the app. You can voluntarily sign up — it’s not required — and it’s something between 5% and 10% of users that actively opt in despite everything that we’ve seen. So, it is too frictional for the end user. 

Jim McDonald
I was reading an article very recently. It was written by the CISO at Microsoft, and he made a good point: “The only people who like passwords are the hackers.” They love passwords. Users hate passwords, corporate security hates passwords. Does anybody, other than the hackers, like passwords? 
Frank Villavicencio

No, but we somehow still refuse to just take it upon ourselves to remove them. I don’t know if I would say it’s inertia or laziness or attachment. I’m not going to get very philosophical here, but there is something that is absolutely not technology, there is something that is absolutely not cost, that is preventing us from making that leap. You do the math — and we’ve done that in the past: The cost of a password compared to any alternative is something like ten to one in terms of cost. A password call, depending on your organization, could be anywhere between $15 and $35 a password-reset call. Imagine that. Imagine how much you could save, how much room there is to move to something that is a win for the end user, a win for security. 

You were talking earlier, Jim, about ransomware. That is very common, very frequent now. It’s humbling to see where it’s going, what’s happening. Many organizations are now setting aside money in the form of bitcoins to pay off for ransomware. It’s a foregone conclusion that you will be attacked, that it will be successful, and you would have to pay the ransom. Then, you look at the majority of the attacks. The majority of the attacks end up being a compromised credential, and the majority of those are passwords. If we applied a fraction of that energy to eliminating the password, I think we would just gain so much in avoiding all of this nonsense.

Jim McDonald

I have to follow up on that one and do a little sidetrack on ransomware. I’ve read about what you’re talking about in terms of companies getting ahead of the game — getting a bitcoin wallet, setting aside money, because they’re expecting to get ransomed at some point. I read an article the other day where it was saying something like governments are a key focus for ransomware, and I’m thinking to myself, “No, they’re not.” The reason is, they don’t pay the ransom. To me, it seems like companies are paying the ransom. It’s really easy to sit in my ivory tower and say, “Don’t pay the ransom,” but that is what keeps the bad guys going. If these attacks weren’t successful, if they weren’t getting millions of dollars, they wouldn’t do them. 

Frank Villavicencio

Then think about this — the Colonial Pipeline, just to pick one out of the pool. I switched to an electric car many years back, so I didn’t feel it, but many of my friends were telling me that they could see the price of gas increasing as this was unfolding. It’s not like you have much time to figure out what to do after the attack, so paying the ransom, sometimes, is the only logical option. It’s easy for us to judge that from the outside, but I invite everyone to consider the possibility of investing a fraction of that into removing passwords altogether. I read the article you were referencing, Jim, about the Microsoft CISO, and I thought it was commendable, the statements made. 

Having said that, I still go back to something that resonates. Maybe I’m just too biased to detect this, but you see, we talk about multifactor authentication, we talk about two-factor authentication, and that’s technology that has proven to be effective, and all of that. It does add friction, and therefore, the low adoption that you see on Google, Facebook and so forth, but when we design multifactor authentication, from the onset, everyone defaults to first factor is a password, second factor is something else — a text message, a onetime code of some kind, or maybe a biometric — but the first one is a password. 

Why? Let’s just, for a moment, challenge that. In our last episode, I was talking about “How do we get away from passwords?” One of my suggestions was, if you’re going to do two-factor authentication, just reverse the order: Start with the nonpassword factor first, then consider adding a risk evaluation, and then the next factor — if you like it so much, fine, let it be a password. Ultimately, you would see that you don’t want it, you don’t need it, no one’s going to call you back that they want their passwords. The point being, again, it’s a paradigm. All of us — I’ll just throw myself in — are defaulting to no matter what, there is a password involved. The best we can do is just add another factor to it. No, that’s not true. We could do better. 

Jeff Steadman

We’ve talked an awful lot about this disease — the condition of passwords — and passwordless is a potential treatment for this. I wonder, is it the solution, or is it a solution when it comes to managing passwords, because maybe this is an area that could certainly see some improvement — reprioritizing where the MFA authentication actually takes place? I think most people are used to typing in an ID, a password, and then getting a code and typing that in, or acknowledging a push notification, or whatever it may be. Maybe it’s time to refactor the way that that works and start with the MFA, and then challenge from there. 

So, that could be an option. It doesn’t get rid of the password, but maybe it lessens the usage of it. Then, there are some benefits of that, right? You can potentially use stronger passwords — passwords that don’t change as often or aren’t always needed. 

Frank Villavicencio
Right — passphrases.
Jeff Steadman

Yes, exactly. I’m wondering, from a passwordless solution, right now, given where we’re at, I see it as a solution and not the solution. As much as I would love to see it become the solution, I just don’t know if we’re there yet. 

Frank Villavicencio

We want people to access sensitive information online securely and conveniently — that being the statement, the ultimate goal. Then, in the process of authenticating, establishing who you are, we have a password. Eliminating the password moves us closer to that ideal end state. So, it’s a step. It’s not the destination. 

If you remember last August, when we talked, I was saying that once you eliminate passwords from the flow, you land at new problems that you have to go tackle, but I would much rather we focus on those problems than where we are today, because it still would be a win for everybody. My thinking is that we’re just holding this up in a mind-set or in a paradigm that needs to go away. If we were just to say, “Well, look, assume there is no password” — for example, you run a development team, a product development team, and you’re launching a new app. At some point in your development, you’re going to say, “Well, sure, we need to authenticate the user.” Ninety-nine percent of the time, people would automatically put username, password. Then, you have to think about, “Well, I’m going to write test cases.” So, test cases have to be written to figure out the password, the error messaging, this, that and the other. Of course, I have to put in a password-recovery flow. So, that’s a whole bunch of hours of development, testing, and so on and so forth. 

Then, you get your pen-testing team involved, because they have to make sure that this is secure. Then you’ve got to get it audited, and, depending on the sensitivity of the app, you get external auditors that will tell you if your password policy is noncompliant and you have to force every 90 days, people changing passwords, these complex rules and all of that — hours and hours of wasted money that shouldn’t have been wasted in the first place. 

The point is, no passwords. We’re going to have to figure out another way to authenticate the users, and from there on, everything gets simpler. You move into another dimension. You would have to think about, “Well, can I assume that the user has a phone number? A mobile device? Can I assume that there is a smart app or a mobile app that I can use to do that second factor? Are there other mechanisms that I can use?” Then, “If I assume this, then this should be true. If I can’t assume that for 100% of the cases, what’s the next best alternative?” On and on. 

We did some interesting studies — I think, Jim, you’ll appreciate this one — where I partnered with my UX team, and part of what we were testing was, assume we have all of these options. We wanted to test which ones would be more intuitive to the end user. So, we designed this login experience where different options, passwordless options, would come up at the top. The ones we preferred would come up, and we just wanted to see how intuitive this was to the end user. 

Of course, one of those options ultimately was a password, but I remember I presented this at a client conference, and I told them how much I love working with the UX team because we use iconography to communicate the intent. So, you have onetime code, and then you have this little cell phone icon with a code in there. You have a push notification with a fingerprint, so you have a little fingerprint thing in there, and voice, like, it will call your number and voice over the onetime code, so it’s a little speaker thing in there. Then, of course, it came to passwords, and we were iterating what would be the right icon to show the intent. So, I forced that to be the poop emoji, because I think that captures the essence of what a password really is or should feel like. So, of course, when we tested this out, no one clicked on the poop emoji. Success. 

Jeff Steadman
Success. All right, so you’ve sold me on “I want to go passwordless.” How do I get started? I know that you’re working on this at Greenshades, this journey to go passwordless, at least for some part of your organization, or maybe customers. Can you talk a little bit about how you got started, because I think this is really key where a lot of — I don’t know anybody who’s going to argue and say, “I don’t want to be passwordless.” I think people like the idea of it, but they don’t know where to start. How did you go about getting this in place for the use cases that you’re looking to solve it for? 
Frank Villavicencio

The first thing is, you have to embrace UX. You’ve got to start developing empathy for the end user and understand who they are, how they operate and what they do every day. People don’t wake up in the morning thinking, “I just want to log in.” They log in because they have to do something. What is that something they need to do? You need to deeply understand what that interaction is. 

For example, in our cases, we know that about 41% of our end users are using a mobile device, so we can assume that a big chunk of the transactions could be, instead of a password, a notification out to that device. We require emails not just for authentication, but we’re going to send you notifications around things to approve when you get paid, etc. So, we have an email. In many cases, it’s a corporate email, which happens to be protected by a stronger authentication mechanism. Why don’t we just anchor on that? We can argue here — I know that many people would be saying, “Well, you’re not going to send a onetime code to an email, are you?” I would say, “Well, for a corporate email address, it’s still more secure than a password.” We could all disagree on that, but the data that we have would say that that’s still a win even then. 

The key here, Jeff, is you don’t want to take everything away day one. You want to start thinking about what options are viable for you. We did research a few years ago that was very interesting. We were trying to prove that in the corporate world, most people end up — we could assume that people have a mobile device at work. That was the premise of the research, and the researchers asked very interesting questions. We established that for the majority of the workers, not only do they use a cell phone at work, some of them also take it to the bathroom. That came up in the research, and many of them have two because sometimes, they have a corporate-issued cell phone. So, you have two — not one, two — at work. 

Then, we asked this very interesting question: “Imagine that you left your house, you’re going to the office” — back in the day when people actually went to offices — “and you’re halfway there, and then you realize you forgot your cell phone, your mobile device. What happens next?” Like 80% would go back home, pick up the phone and come back, even if you’re going to get to the office late. Same question, but this time, what you left at home was your wallet — 80% the other way: People would still make it to the office before going back and picking up their wallet. So, that affinity with the mobile device is huge, and I think we should use that to empower the end user. 

At Greenshades, we manage a very diverse worker population, but I would describe them as predominantly deskless workers, so they don’t have a desk. They don’t have a computer at their desk. They are exclusively mobile. Now, the majority of them are actually hourly workers, so when they log in, they’re looking to punch in. So, for Christ’s sake, make that simple, because every second you add — they will remember their password, and then forget it, and then recover it — that’s time they’re not clocking in, so that’s money they’re not earning, if you think about it that way. You have to understand the psychology of that end user. You’ve got to get intimate with what’s driving them — what are they trying to do — and then of course, come up with the right options. 

My sense is that you don’t take the password on the first go. You give an option, let those options play out, learn, figure out how they’re working, correlate that with what you would expect to see. What would you expect to see? Well, reduction in fraud. OK, are we seeing that? Great, reduction in phone calls or password resets. If you see them, that means you’re moving in the right direction. Keep iterating, and then you will end up in a place where most likely, you don’t need the password. 

In the type of offering that we provide, we have an interesting mix of what you would call consumer and enterprise. Meaning, these are employees of our client — technically, enterprise, but they’re end users. So, to us, they are almost consumers. What is interesting is, you could, in many cases, use the fact that they are authenticating into their enterprise, so we can federate them into our app — again, a paradigm change. If you federate into our app, to us, you eliminated a password. We don’t have to worry about that. So, we effectively eliminate a password, and whatever the enterprise uses to authenticate on their side, well, that remains. We’re just leveraging that. I think that’s another way to think about how you eliminate passwords. That’s another option to do it. 

Jim McDonald

Frank, I want to talk about the user experience, or the customer experience, but even before that, I want to point out something to the folks that are listening — that you’re not just here as a strategic adviser from HYPR pushing product. Your prior employer, when you were at ADP — I was a longtime ADP user.

The authentication experience went from horrible — I mean horrible — to not that bad. When it was password-based, it was horrible. As a recent user, it really wasn’t that bad. So, you’ve actually implemented the things you’re talking about — making passwordless an option. You’ve done this in the real world, so you’re speaking from experience. But let me keep going here, because there’s one other point that I want to make, which is that ADP is — as far as complex, large-scale identity and access management “problems to solve” — as big as it gets. Hundreds of thousands of customers, hundreds of millions of users. 

Look, I’ve worked with organizations all the time who, when they face those corner cases, they say, “Well, something like passwordless won’t work because we’ve had these corner cases. Yes, sure, it’ll work for 98% of our user population, but this other 2% — so, we have to design a dummy solution that will work for 100%.” I think that’s the trap that a lot of folks fall into, where they’re solving for the corner cases rather than solving for the 98%, and then having a fallback solution. OK, those 2%, they can use a password, because still, if you solve 98% of the problem, you’ve reduced your attack surface quite significantly. 

Frank Villavicencio

Tremendous. Again, think about the end user for a sec here. The thing that I invite everyone to explore is to consider the other side of things for a moment: You are protecting, let’s just say for now, the paycheck of that worker. For whatever reason, that account gets hacked, and now, their paycheck gets rerouted — they direct-deposit it, and they get rerouted to the wrong account. 

Now, that person is not getting paid, and it’s a severe inconvenience for that person not to get paid because they probably have mortgage payments and things anchored on that paycheck hitting, so they have to go tackle that. While they’re busy working, now they have to go tackle this. The employer has to do whatever repairs they need to, and the provider gets involved and all of that, such that we can remedy the situation and potentially go chase the bad guys, and in many cases, return the money, but boy, is that intense. Isn’t that damaging? Isn’t that stressful for that person? 

If you think about people who live paycheck to paycheck — again, deskless workers, hourly workers — they tend to be in that segment of the population that a paycheck is significant. Missing a paycheck is catastrophic. So, we all need to think about our responsibility in preserving the wellness of that person — even the mental health of that person. Imagine the stress of someone. I hope that everyone that tackles problems like this feels that sense of accountability, that sense of “You’re impacting that person’s life.” If a person cannot clock in, they’re not getting paid, and that is on you. So, to understand it to that level would help you then be more open to exploring. 

Like you said, you can’t solve it for 100%. You have to think about this as a multilayer problem: Solve it for the majority. Give options to the rest. Yes, you do have exceptions, but don’t penalize everyone just because you’re solving for 100% and not 95%. 

Jim, we did the research on this, so let me tell you the story. This is interesting. We had a password self-service flow that gave you three options: You can send a onetime code to the cell phone, to the email, and/or security-questions challenge. If you still believe that stuff exists in the wild, there are still places where that happens. Now, the success rate of the OTP via text message was something like 70+%; email was a little less because sometimes, we would have the wrong email address or it would go into the spam folder. The challenge questions were like 20% or something, so it was a horrible thing, and they were chosen only like 5% of the time. So, people would prefer a onetime code when they were self-servicing their password. 

Then, we started doing this other analysis, and we found that some population — people who reset their passwords — were what we called sporadic users. They wouldn’t come every day. They would come maybe once a year, or every six months. Every time they come, we have them go through this process. They will forget their password — it was locked anyway, so they had to then go through the self-service, the recovery. So, here is the story: This user comes in every so often. Every time they come, they automatically, almost inevitably, end up in the forgot-password flow. Ninety-five percent of the time, they would pick an OTP through their cell phone, and they’ll succeed over 70% of the time. Then, they come right back out of there into the login page, so that we would then ask them to create a new password, and then this whole process would repeat again three to six months from now. 

That’s silly. So, we did something interesting, which was, at the moment you reset the password, we just simply say, “Do you want to create a new password, or do you just want to login right now?” Then, it was a disproportionate amount of people that wanted to log in right now. That proves a point that people are not going to be missing their passwords. No one is going to call you. I challenge end users calling the help desk saying, “Look, I love my password. I want it back. Give it to me.” 

Jeff Steadman

They’re real gluttons for punishment if they’re doing that. Yes, I think of the strategy that some people have where instead of using a password manager or something where they’re having to keep track of their hundreds, if not thousands, of accounts, they just generate something random, log in once, and they don’t remember it. Then, the next time they need to log in, they just click “Forgot password” and go into it. Probably something that isn’t good for a day-to-day account, but maybe if it’s something that you only access a couple of times a year, sure, why not? 

Frank Villavicencio

Yes. A possible thing is — and we’re talking about diseases and herpes, so yes, it’s a little thing, you’ve got a pill you can take here and there, and it would ease up the pain, and you would pretend that you don’t have that disease, but it is not a solution. It’s just a Band-aid. A few years ago, if you remember, there was one of them that got hacked, so imagine all of that problem, but then you have to make sure that it works in all of your devices, which is a very, very difficult claim to make. They don’t necessarily work very nicely on native mobile apps, and most of our users end up being in the mobile space. If you’re going to do that, you might as well just invest in passphrases. I’m not necessarily going to advocate passphrases — I think we should eliminate the whole thing — but if you’re going to stay with passwords, at least end up there: passphrases. That’s statistically much better.

Jeff Steadman

So, we’ve been talking an awful lot about going passwordless and getting this instituted, and I think that we see a lot of vendors in this place. HYPR is certainly one of them, but we also know things like 1Kosmos, and there’s Secret Double Octopus, and a whole bunch of other crazy-named ones. Then, there’s also the big players: Microsoft, Okta, Ping. They all claim to have a passwordless approach. I don’t know if it’s necessarily truly passwordless, because I think it’s more of a push-notification prompt that is probably doing the authentication, but this brings up the question “Why do I need to pay extra for a ‘passwordless technology’ if I’m already using Okta or Ping?” Is it good enough, or is there enough of that value-add on an extra product that really then takes it that extra weight to get it further along the passwordless journey? 

Frank Villavicencio

Jeff, you have to think about this on a time continuum. The reality is, many of those vendors that are established came from a world where the primary goal was to do a single sign-on, and then multifactor authentication or even passwordless authentication came as an afterthought. It was added on. If you were to start today, you have FIDO2, and that’s the best technology you can offer today in the realm of passwordless. From an end user perspective, passwordless is passwordless, but when you think about the security and convenience, if you were to just plot it in a chart, then FIDO2 is further up to the right. My prediction is, that’s where it goes. At the limit, that’s where we go. 

Today, if you do two-factor with a push, you’re already on the bleeding edge. Yesterday, it was a bleeding edge just to send a text message to your cell phone, and before that, it was a magic link into your email. So, we’re progressing, but I think at the limit, FIDO2 satisfies the most that we have to deal with. I think that’s a more sustainable, long-term, scalable solution native to the device. So, do you care about that? Well, if you’re thinking long term, you probably wouldn’t. You’d want to invest in that technology today, you want to implement it sooner so you can get most value right away before it becomes mainstream, and then you would be scrambling to adopt it down the road. 

There are specific nuances when it comes to the sensitivity of the transactions. We don’t need to get into the technical details, but FIDO 2.0 and those technologies prove to be more secure for financially sensitive transactions than other alternatives. If you’re doing this, now you think about, “I care a lot about security, and I want to do it in a way that is convenient to the end user,” filter for those too, you end up right there. So, at the moment, it would be more of those that care about that specific distinction, but at the limit, this will become mainstream. This will be like, “That’s how you do it.” 

There are some interesting developments that make this interesting. We were doing research, many applications: You develop a web front end, and then a mobile app companion. With the adoption of mobile apps, there’s application fatigue, so not everybody downloads the mobile app. With FIDO, you have something, an option called appless. It’s native in the device. You can still use two-factor on the device with biometric without having to develop a new app. That’s a huge win from a usability and security perspective. So, we’ll see. As you know, I’m very passionate about this. I think that companies like HYPR are setting a high standard for where this problem should be addressed and how it should be addressed that ultimately, I believe, will become mainstream. 

Jeff Steadman

As we start to wrap up the conversation here around passwordless, I’m curious: From your perspective, what’s the most sensible approach to getting rid of passwords? From what I’ve gathered from this whole conversation, it’s not an overnight success. It is a journey, and there are various iterations that you’re going to go through and options that you’ll provide to whoever your customer is of your current password experience. What is something that people who are listening today can take away and say, “How should I start positioning my organization to really drive toward passwordless? Let’s stop talking about it, and let’s start doing it.” 

Frank Villavicencio

I would invite everyone to consider or research the items — don’t take it at face value, but consider how many of those end users that you serve carry, or interact with you on, a mobile device. Just get a real sense of that yourself. Then, consider, for example, for the kind of business, the kind of engagement that you are driving anyway, you do need to engage with them, and you collect their cell phone and email. You may be already required to do that anyway, but you’re not using that to facilitate a stronger, passwordless login. That’s a missed opportunity. So, start there. Start analyzing the kind of demographic, the interaction points and the data requirement. You may already have more than what is necessary to get going. 

Jim McDonald

Frank, I’m wondering if you had an opportunity to listen to episode 100. We had Victor Barris on the call, and he waxed poetic about the history of Identropy, and your name came up a couple of times, but specifically, your name came up around being one of the main proponents of the corporate culture. Frank, you’re one of the most passionate people I know. I know at one time, you were very passionate about corporate culture and what it meant, and in my experience at Identropy, it was revolutionary. I’m wondering, are you still passionate about that? Are you still driving that and talking about the importance of corporate culture? 

Frank Villavicencio

Absolutely. I mean, that’s part of my responsibility here at Greenshades. I think that there is no way a company can succeed unless you pay attention to culture. And you have a choice: You can do nothing — let the culture emerge — or you actively work to create the culture and cultivate the culture that you want. Identropy was, to me, a fascinating – I listened to that episode, and it was emotional because I remember many of those episodes and many of those steps in the journey. They talk about FedEx Day. I remember we borrowed that idea from Atlassian, and the late Tony Hsieh at Zappos, we borrowed a lot of what they did there, and he helped us. 

You have to do something to cultivate it, and make it so that for the employee, for the individual, coming to work becomes a rewarding experience. It can’t be that you just come in, do the work and nothing happens. You have to have this affinity with what you’re doing. There has to be a sense of purpose, and you have to feel good about working at a place that you identify with, your coworkers, but that’s not an accident. You’ve got to work at it. So, I do that here. I have an opportunity to do that here at Greenshades. I think we have an amazing culture. I’m very happy to fit in, and to have been given the chance to shape it and help mold it.

Jeff Steadman

I think that’s probably a good spot that maybe we can leave it for this week, but before we go, any final words of wisdom, Frank? 

Frank Villavicencio

I would just say, let’s make sure you consider the end user — develop empathy for the end user — and consider how you could help eliminate passwords today. 

Jeff Steadman

Jim, what about yourself? 

Jim McDonald

I’ve got a book recommendation for everybody. I’ve been reading Hacking Multifactor Authentication by Roger A. Grimes. If you get a chance, buy a copy of the book. It’s really interesting stuff. 

Jeff Steadman

There’s always good reading material out there, and that’s definitely one conversation I’ll be looking forward to. We’ll have a bunch of links in our show notes today for some of the things we’ve talked about, so you can connect with Frank on LinkedIn, you can learn more about what Greenshades does from their perspective, but also HYPR.com, certainly a player in the passwordless space. We’ll put a link in there to that article that was referenced around the Microsoft CISO and how they’re looking to get rid of passwords, and we’ll put a link also to the book that Jim just mentioned. So, lots of stuff for people to check out there. 

As always, thank you, everybody, for listening. If you like what you heard, be sure to subscribe and give it a five-star rating, or a thumbs-up, or whatever the best thing is. If you didn’t like it, send it to an enemy — that’s cool too. As long as people are listening, we don’t care. With that, we’ll go ahead and leave it for this week. Frank, thank you so much for joining us. Jim, thank you as always, and we’ll talk with everyone in the next one. 

Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at Identityathecenter.com
