The SolarWinds and Colonial Pipeline hacks had one thing in common – they both started with a single compromised password. For Thomas “TJ” Jermoluk, co-founder and CEO of Beyond Identity, these high-profile breaches that compromised tens of thousands of customers highlight just how outdated passwords have become.
“People have known passwords are a problem for 10 years but in the last two years it’s become heightened by all the bad actors that are out there,” Jermoluk tells Verdict.
In Jermoluk’s view, the days of passwords are numbered and Beyond Identity, a startup aiming to rid the world of passwords with its “passwordless” authentication method, is hoping to make that happen sooner rather than later.
He founded the company in 2020 with Jim Clark, co-founder of Netscape, whose web browser was dominant during the 1990s. The pair have collaborated throughout their careers, including at Silicon Graphics.
The launch of Beyond Identity has coincided with a flurry of other new startups that have made the identity and access management market a crowded place. ForgeRock, Identity Automation, Okta and OneLogin are just some of many companies providing technologies to ensure the right person is accessing an IT resource at the right moment.
Tech giants such as Oracle, Salesforce and IBM also provide their own solutions. All these companies are chasing a slice of a market that will be worth $24.76bn by 2026, according to Fortune Business Insights.
But Jermoluk believes a consolidation of the market is on the horizon because investors who “don’t necessarily understand the technology” are pouring money into identity and access management startups. And once they’ve pumped up these companies, then the carnage will occur.
“Naturally, a ton of money is flowing into startups to solve the problem,” says Jermoluk. “Do I think they’ll all survive? No, absolutely not. There’s going to be the quick and the dead, so to speak.”
He adds: “It’s a typical cycle of Silicon Valley that we’re in now and there will be a big fallout in the next two years.”
How would Beyond Identity fare in Jermoluk’s predicted market consolidation?
“We’re not interested in getting bought,” he says. “We definitely want to be a standalone company. That’s why I’m here.”
The company is open to making some “small acquisitions along the way”, but it is very much early days.
He adds: “This isn’t a technology flip. This is definitely building a company built to last.”
“Passwords are a pain in the ass”
Beyond Identity’s founders believe their passwordless solution can replace the decades-old text password with biometrics, such as facial recognition or a fingerprint scanner.
But it is Beyond Identity’s underlying architecture that, according to Jermoluk, sets it apart. It works on the principle of public and private cryptographic keys in which the private key is stored on the user’s device and cannot be accessed by anyone else, while the corresponding public key is stored on Beyond Identity’s cloud infrastructure.
“Instead of taking a password to get into a company’s internal perimeter, you’re now using your own identity, your own device to be able to say that the perimeter of your company includes you,” says Jermoluk.
Underpinning this are X.509 certificates – the same technology used in TLS, which encrypts data sent over the internet and is most recognisable as the padlock symbol in web browsers.
In other words, the biometric authentication remains on the device, while a traditional password leaves a machine and travels over a network for validation against a database. This “shared secret” makes passwords riskier, says Jermoluk – and that’s before considering the human factor.
People are prone to reusing passwords, making them vulnerable to credential stuffing attacks where attackers try using one compromised password to hack into multiple accounts.
“It’s not just that [passwords] are a pain in the ass, because they are,” says Jermoluk. “You can’t remember them, websites are constantly asking you to change them, so you write them down or reuse them for other accounts – a real pain.”
Security professionals advise against using the same password and recommend using multifactor authentication and a password manager.
But Jermoluk believes these are just “band-aids” because the password is “still there”.
Beyond Identity offers three ways to use its solution: downloading an authenticator, embedding the software into another app, or using it directly in a browser extension.
Its platform is geared towards two audiences – enterprises and customer solutions. It is focusing on business customers first and since it launched commercial operations this year it is “well on our way to our first 50” paying customers.
Snowflake is among them, having switched all 4,000 of its employees to Beyond Identity’s solution in the same week it went public in September 2020.
“If we had gone down during that and nobody could log in, it would have been a bit of an issue,” says Jermoluk. “So we’ve implemented quite a robust engineering environment to guarantee that our service will stay up and be available.”
Other customers include Vertex, Koch, Taulia, Battelle, CloudPlus and Albert Einstein College of Medicine.
Beyond Identity’s service is hosted on cloud giant Amazon Web Services and uses regional and in-cloud redundancies. It also has a dedicated team of 30 DevOps in Dallas working on security and operations. In total, Beyond Identity has 150 employees globally.
“If our service goes down, you can’t log in. We are a critical part of the infrastructure, we’re keenly aware of that.”
If the camera or fingerprint scanner malfunctions, Jermoluk says it would revert to a locally stored PIN, which is “not a shared secret”. He compares this to the FBI being unable to break into someone’s iPhone because the PIN isn’t a “shared secret like a password”.
“We’re not WeWork – we’re not buying aeroplanes to fly to Tahiti”
Jermoluk says Beyond Identity is aiming to become profitable in “the next couple of years”. For now, it is depending on venture capital and has raised a total of $105m across two funding rounds. Its backers include New Enterprise Associates and Koch Disruptive Technologies.
“We still have most of that in the bank,” says Jermoluk. “We’re not a company that has a lot of extravagant marketing expenses and we’re not like WeWork – we’re not buying aeroplanes and flying to Tahiti.”
Most of the company’s costs are currently diverted to hiring people. “We’re pretty cost-efficient that way so we’ve got plenty of money to last,” says Jermoluk.
While the password remains a fundamental part of IT security, Jermoluk is confident that its days are numbered. And he sees Beyond Identity as an opportunity to help make that a reality.
“At my age, I’ve been very lucky, I’ve had a lot of success,” says Jermoluk. “I chose to step back into this because it’s a really big problem. If I can help solve that, it would be quite a nice legacy of a company that’s really doing something good for the industry.”