The SolarWinds and Colonial Pipeline hacks had one thing in common – they both started with a single compromised password. For Thomas “TJ” Jermoluk, co-founder and CEO of Beyond Identity, these high-profile breaches that compromised tens of thousands of customers highlight just how outdated passwords have become.
“People have known passwords are a problem for 10 years but in the last two years it’s become heightened by all the bad actors that are out there,” Jermoluk tells Verdict.
In Jermoluk’s view, the days of passwords are numbered and Beyond Identity, a startup aiming to rid the world of passwords with its “passwordless” authentication method, is hoping to make that happen sooner rather than later.
He founded the company in 2020 with Jim Clark, co-founder of Netscape whose web browser was dominant during the 1990s. The pair have collaborated through their careers, including at Silicon Graphics.
The launch of Beyond Identity has coincided with a flurry of other new startups that have made the identity and access management market a crowded place. ForgeRock, Identity Automation, Okta and OneLogin are just some of many companies providing technologies to ensure the right person is accessing an IT resource at the right moment.
Tech giants such as Oracle, Salesforce and IBM also provide their own solutions. All these companies are chasing a slice of a market that will be worth $24.76bn by 2026, according to Fortune Business Insights.
But Jermoluk believes a consolidation of the market is on the horizon because investors who “don’t necessarily understand the technology” are pouring money into identity and access management startups. And once they’ve pumped up these companies, then the carnage will occur.
“Naturally, a ton of money is flowing into startups to solve the problem,” says Jermoluk. “Do I think they’ll all survive? No, absolutely not. There’s going to be the quick and the dead, so to speak.”
He adds: “It’s a typical cycle of Silicon Valley that we’re in now and there will be a big fallout in the next two years.”
How would Beyond Identity fare in Jermoluk’s predicted market consolidation?
“We’re not interested in getting bought,” he says. “We definitely want to be a standalone company. That’s why I’m here.”
The company is open to making some “small acquisitions along the way”, but it is very much early days.
He adds: “This isn’t a technology flip. This is definitely building a company built to last.”
“Passwords are a pain in the ass”
Beyond Identity’s founders believe their passwordless solution can replace the decades-old text password with biometrics, such as facial recognition or a fingerprint scanner.
But it is Beyond Identity’s underlying architecture that, according to Jermoluk, sets it apart. It works on the principle of public and private cryptographic keys in which the private key is stored on the user’s device and cannot be accessed by anyone else, while the corresponding public key is stored on Beyond Identity’s cloud infrastructure.
“Instead of taking a password to get into a company’s internal perimeter, you’re now using your own identity, your own device to be able to say that the perimeter of your company includes you,” says Jermoluk.
Underpinning this are X.509 certificates – the same technology used in TLS, which encrypts data sent over the internet and is most recognisable as the padlock symbol in web browsers.
In other words, the biometric authentication remains on the device, while a traditional password leaves a machine and travels over a network for validation against a database. This “shared secret” makes passwords riskier, says Jermoluk – and that’s before considering the human factor.
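The device-bound key model described above, as an added illustration that is not Beyond Identity's code and makes no claim about its actual protocol: a generic Ed25519 challenge-response in which the private key is generated on the device and only the public key is registered with the server, so the server's store holds nothing that can be replayed as a credential, and the local biometric/PIN check is modelled as a simple boolean gate (all names and the single-nonce design are assumptions).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device models the user's hardware: the private key is generated here and never leaves.
type Device struct{ priv ed25519.PrivateKey }
// Server models the cloud side: it stores only public keys plus one outstanding challenge
// per user, so nothing held here can be replayed as a credential if the store is stolen.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	nonces  map[string][]byte
}
func NewServer() *Server { return &Server{pubKeys: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}} }

// Enroll generates the key pair on the device and registers only the public half.
func Enroll(s *Server, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv}, nil
}

// Challenge issues a fresh random nonce; a captured response is useless for a later login.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[user] = nonce
	return nonce, nil
}

// Respond signs the nonce once the local biometric/PIN check (modelled as a bool) passes.
// Only the signature crosses the network, never the private key or the biometric.
func (d *Device) Respond(unlocked bool, nonce []byte) ([]byte, error) {
	if !unlocked {
		return nil, errors.New("local unlock failed")
	}
	return ed25519.Sign(d.priv, nonce), nil
}

// Verify checks the signature against the stored public key and consumes the nonce.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, okKey := s.pubKeys[user]
	nonce, okNonce := s.nonces[user]
	delete(s.nonces, user) // single use: replaying the same signature fails
	return okKey && okNonce && ed25519.Verify(pub, nonce, sig)
}
```

Compare this with a password flow: here a breach of the server yields public keys only, and a captured login response cannot be reused because the nonce is consumed.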
People are prone to reusing passwords, making them vulnerable to credential stuffing attacks where attackers try using one compromised password to hack into multiple accounts.
“It’s not just that [passwords] are a pain in the ass, because they are,” says Jermoluk. “You can’t remember them, websites are constantly asking you to change them, so you write them down or reuse them for other accounts – a real pain.”
Security professionals advise against using the same password and recommend using multifactor authentication and a password manager.
But Jermoluk believes these are just “band-aids” because the password is “still there”.
Beyond Identity offers three ways to use its solution: downloading an authenticator, embedding the software into another app, or using it directly through a browser extension.
Its platform is geared towards two audiences – enterprises and customer solutions. It is focusing on business customers first and since it launched commercial operations this year it is “well on our way to our first 50” paying customers.
Snowflake is among them, having switched all 4,000 of its employees to Beyond Identity’s solution in the same week it went public in September 2020.
“If we had gone down during that and nobody could log in, it would have been a bit of an issue,” says Jermoluk. “So we’ve implemented quite a robust engineering environment to guarantee that our service will stay up and be available.”
Other customers include Vertex, Koch, Taulia, Battelle, CloudPlus and Albert Einstein College of Medicine.
Beyond Identity’s service is hosted on cloud giant Amazon Web Services and uses regional and in-cloud redundancies. It also has a dedicated DevOps team of 30 in Dallas working on security and operations. In total, Beyond Identity has 150 employees globally.
“If our service goes down, you can’t log in. We are a critical part of the infrastructure, we’re keenly aware of that.”
If the camera or fingerprint scanner malfunctions, Jermoluk says it would revert to a locally stored PIN, which is “not a shared secret”. He compares this to the FBI being unable to break into someone’s iPhone because the PIN isn’t a “shared secret like a password”.
“We’re not WeWork – we’re not buying aeroplanes to fly to Tahiti”
Jermoluk says Beyond Identity is aiming to become profitable in “the next couple of years”. For now, it is depending on venture capital and has raised a total of $105m across two funding rounds. Its backers include New Enterprise Associates and Koch Disruptive Technologies.
“We still have most of that in the bank,” says Jermoluk. “We’re not a company that has a lot of extravagant marketing expenses and we’re not like WeWork – we’re not buying aeroplanes and flying to Tahiti.”
Most of the company’s costs are currently diverted to hiring people. “We’re pretty cost-efficient that way so we’ve got plenty of money to last,” says Jermoluk.
While the password remains a fundamental part of IT security, Jermoluk is confident that its days are numbered. And he sees Beyond Identity as an opportunity to help make that a reality.
“At my age, I’ve been very lucky, I’ve had a lot of success,” says Jermoluk. “I chose to step back into this because it’s a really big problem. If I can help solve that, it would be quite a nice legacy of a company that’s really doing something good for the industry.”