Identity Assurance with Co-founder & CEO of HYPR, Bojan Simic

Steve interviews Bojan Simic, CEO of HYPR

In this episode, I interview Bojan Simic, Co-founder & Chief Executive Officer of HYPR | The Identity Assurance Company.

Bojan shares the origin story of HYPR and how his company has evolved over the years to combat ever-changing cybersecurity threats. He discusses why HYPR re-branded to “The Identity Assurance Company” and how their enterprise clients leverage the HYPR platform to protect identities.

We also discuss the rapid adoption of FIDO2-compliant passkeys, the dramatic rise in genAI-based deep fake attacks, and how HYPR is positioned to shake up the status quo in enterprise authentication.

RESOURCES:

Connecting with Bojan Simic

Bojan Simic’s LinkedIn: https://www.linkedin.com/in/bojansimic/

HYPR’s Website: https://www.hypr.com/

Companies & Resources Discussed

HYPR helps organizations create trust in the identity lifecycle. The HYPR solution provides the strongest end-to-end identity security, combining modern passwordless authentication with adaptive risk mitigation, automated identity verification and a simple, intuitive user experience.

Getting Started With Passkeys - Crawl, Walk, Run is a quick guide from HYPR that provides an overview of passkeys, where to get started and how to take your deployment to the next levels. It includes recommended user flows for common scenarios in synced passkey deployments.

FIDO Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords. To accomplish this, the FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

Aspect Security was acquired by EY in 2018. Aspect Security was a provider of application security (AppSec) services and solutions, including enterprise-wide application security strategies that identify, quantify and address their organization’s application security risk.

Uber is a rideshare and food delivery service that suffered a substantial data breach in 2022.

Okta is an identity solution provider focused on workplace and customer identity. It suffered a substantial data breach in October 2023.

GitHub is a developer platform that allows developers to create, store, manage and share their code.

CrowdStrike is a global cybersecurity provider with an advanced cloud-native platform for protecting endpoints, cloud workloads, identities and data.

Zscaler is a cybersecurity and zero trust digital transformation solution provider. It delivers IT and security transformation with the CASB and SASE solutions.

Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.

Google Workspace provides collaboration and communication tools for businesses.

Ping Identity provides cloud identity security solutions to more than 800 of the world's largest companies, government organizations and cloud businesses.

ForgeRock was merged with Ping Identity in August 2023. The ForgeRock platform helps companies manage and secure identities with identity orchestration, dynamic access controls, governance, and APIs in any cloud or hybrid environment.

Azure Active Directory/Entra: Microsoft Entra ID is a unified identity and access management solution. It was formerly known as Azure Active Directory.

Big Brothers and Big Sisters of New York: Founded in 1904, Big Brothers Big Sisters of NYC (BBBS of NYC) is the nation’s first and the city's largest youth mentoring organization. Its vision is that all youth achieve their full potential. Its mission is to build and support mentoring relationships to ignite the biggest possible futures for youth.

FULL EPISODE TRANSCRIPT

Steve Craig: Welcome to the PEAK IDV EXECUTIVE SERIES video podcast, where I speak with executives, leaders, founders, and change makers in the digital identity space. I'm your host, Steve Craig, Founder and Chief Enablement Officer of PEAK IDV. For our audience, this is a video first series, so if you're enjoying the audio version, please check out the video recording on executiveseries.peakidv.com, where you can watch the full episode, read the transcript, and access any of the resources or links from today's conversation. I'm thrilled to speak with today's guest. He is Bojan Simic, Co-founder and CEO of HYPR. HYPR is known as the identity assurance company, and they are on a mission to improve the lives of security minded leaders, their employees, and customers by helping organizations create trust in the identity lifecycle.

Bojan co-founded HYPR in 2014. Prior to HYPR, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration testing. Bojan also serves as HYPR's delegate to the FIDO Alliance Board of Directors, empowering the Alliance's mission to rid the world of passwords.

He has a passion for deploying applied cryptography implementations across security critical software in both public and private sectors. Bojan, welcome to the podcast. Thank you for being on it today. 

Bojan Simic: Thank you for having me here, Steve. Really appreciate it. 

Steve: Absolutely. Well, before we get started, I do need to put my thinking cap on so I can get in the HYPR state of mind. [Bojan: There you go.] Thank you for the amazing swag. I picked this up at Authenticate and I won't wear it the whole time, but it's a very nice fitted-- fitted cap. So well-- well done on that. 

Bojan: I'm glad you enjoy it. 

Steve: Thank you. Can we kick off by maybe you sharing HYPR's elevator pitch? Tell us more about HYPR. 

Bojan: Yeah, you know, you-- you said earlier, it's all about creating trust in the identity lifecycle. And that's what we feel like is really lacking today in the cyber security space. There's lots of companies out there who focus on managing identity. There's very few companies who focus on securing it. And today we feel like it's more-- it's needed more than ever, especially in the age of AI assisted attacks and the hackers being more crafty than-- than usual. 

Steve: And your position now as the identity assurance company, what does identity assurance mean to you, Bojan?

Bojan: Yeah, when we looked at how do we position what we do as a business and the value that we bring to our customers, which is most important. We talk about the concept of identity assurance and-- and when we-- when we see the types of solutions and projects that organizations have undertaken in the last 10 years or so, many of them are focused on understanding identity, which is critical. But you know, when it comes to securing it and the things that organizations need to do in order to feel confident that a person is who they say they are every single moment of every single day, that's what identity assurance means to us.

Steve: Excellent. And can you walk me through the three pillars of your platform? I believe it's Authenticate, Adapt, and Affirm -- what each of those does. 

Bojan: Yeah, we're best known for our HYPR Authenticate product, which is our category leading passwordless authentication solution. It's what we've been deploying to large enterprises for almost a decade now. And, what we've done as part of building out that passwordless authentication capability -- and when you build out such an-- such a capability, you have to integrate with pretty much everything under the sun. If you-- if you think about where people use passwords today, it's everywhere. And so therefore, if you want to eliminate passwords, you have to integrate into all those downstream dependencies.

And so we built HYPR Authenticate as that base layer as that foundation for identity assurance. And what we've done over the last couple of years is we've added to that base layer and built on top of it, category leading identity verification capabilities that are very different than the traditional verification stack that you see that's mostly focused on document verification.

And then we built our risk engine, which is HYPR Adapt, which is able to look at all the key points of interface, such as the browser, the mobile device and the endpoint of a user's daily journey to be able to assess risk and then most importantly, take action whenever we identify risk. 

Steve: That's great background. Right before you started HYPR, I see you were working at a company called Aspect Security and you were doing pen testing, threat modeling, secure architecture. What was the ‘aha’ moment around that time where you decided, “Hey, let's-- let's start HYPR and start to focus on the authentication?”

Bojan: Yeah, when-- when I was working in the security space, mostly dealing with larger institutions, you know, we would spend a lot of time remediating different types of application level vulnerabilities. And I would see organizations spend, you know, millions of dollars and lots of resources on doing this. And then the next day they would get hacked because somebody used a poorly chosen password. And I just felt like, okay, if we're going to really make a dent in the way that the Internet is secured, the first thing we have to get rid of is the password and that's really what we went down to do. And at that same time, the FIDO Alliance was actually starting to become an actual thing and they had released the first iterations of those standards. And so it was kind of like a perfect moment in time where we saw new standards that were being brought to-- to light to address the concern around shared secrets and passwords. We were very much motivated to solve this problem because the work that we were doing. And then, three, user devices were actually coming out that enabled this. So this was also the time when the first phone with a Touch ID and Face ID was starting to come out and you could actually have an alternative to a person typing in a password, which is the biometric.

Steve: What was your initial problem set or solution set when you got started? When the first I don’t know, months or 1st year of the company.

Bojan: This was a long time ago, but, you know, the initial problem that we set out to solve -- and I think we accomplished that for many of our customers -- is let's reduce account takeover fraud. It is a major concern for just about every institution doing business on the Internet. And when we deployed passwordless and HYPR to our first customer, they saw an over 98% reduction in account takeover fraud because they deployed phishing resistant authentication. And that was a game changer for them. It was a game changer for us and anytime you're able to reduce any risk by north of 98% for a large company, it's a huge win. 

Steve: Now looking into your background with the company, when you started, you were CTO, and then for about seven years, you ran in that role. You raised a Series C in 2021, I see you took on the CEO role. What was that transition like working on the technology side into being chief executive? 

Bojan: You know, for me, it wasn't as big of a transition as I thought it would be. And even though I was the CTO, mostly running the product and-- and technology organizations here, I was also, you know, one of the people in the company who was closest to our customers. Because in order to deliver a great product with tremendous value, you have to be very close to the customer. And so I found myself in a situation, even as a CTO, where I was spending more than half of my time with customers and really understanding them and trying to solve their problems. So when that opportunity presented itself, you know, it wasn't as big of a transition as I thought it would have been. I certainly had to learn many more things around, you know, financials and P&L and all that type of stuff, which is critical to run a successful business. But, it's been a great journey so far. 

Steve: Catching up to more recent time in Authenticate, where I got that great hat, you had just announced that HYPR was expanding from passwordless authentication into identity assurance, and along came the rebrand. The press and a couple articles described as a pivot, but it seemed to me more like it was a natural evolution and you're still offering authentication. Can you-- can you share more about that expansion and what led to you deciding to-- to do more on the assurance front? 

Bojan: Yeah, I think to build a great business, you have to have a strong foundation and that our technical strong foundation was our passwordless authentication capability. And one of the products that we released last year is HYPR Affirm, our verification product. And we looked at, you know, building this product back -- I think 6 years ago now -- and we decided not to do it back then. Because we said, “Okay, you know, the great businesses that we have tremendous respect for in this industry do one thing extremely well and bring a ton of value to existing customers with it before adding on top of it.” So we decided to stick with passwordless for that time. We also saw that -- hey, it doesn't matter how good your identity verification process is if the next thing you do is set up a password. You just shot yourself in the foot because the password is fundamentally insecure. So, you're right, it's not a pivot. It's much more of an expanding the vision story, which has been part of our-- part of our overall vision and strategy for many years now. It's just being, you know, external about it to-- to the outside world is-- is fairly new to us. 

Steve: What are some of the customers or markets that you're serving with HYPR Affirm? Use cases, perhaps. 

Bojan: It's typically used within the workforce. So we identify that when it comes to verifying employees' or contractors' identities, most organizations still rely on the existing help desk model, which is, hey, if I-- if I got a new phone, I just set up my MFA on my new phone. I'll call up the IT help desk, I'll answer the date that I started and the last four of my social. And that is what's used to secure and bootstrap that credential. And we said, that's not acceptable because those are very easy things to figure out for hackers. 

And so what we decided to do was create HYPR Affirm, which integrates many different components of the identity verification process. It takes into account phone number verification, location verification, it can also do document verification if-- if necessary. But what's really cool about it is, it actually incorporates a text and video chat. So that your peers, people that you work with, or your manager, can actually approve you and attest that you are who you say you are in order to give you that new credential that is then issued to you. And we see this that as being critical in the industry today.

It's mostly used within the financial services insurance sectors. And it's more important than ever in the age of AI assisted attacks and deep fakes. And there's also been many attacks in recent months and years around hackers, specifically social engineering IT helpdesk, to get a foothold into the organization. I think Uber was a recent one. And even Okta's more recent breach was associated to social engineering of an IT helpdesk person. 

Steve: Going a little bit deeper into workforce, what do you think is influencing that uptick or increase in workforce security attacks? And how has the landscape changed in the last few years?

Bojan: Yeah, it's crazy to me how most authentication or most-- most identity security controls have not changed in five years, the ones that are provided by the larger players in the space. But the hackers' mechanisms for attack have changed substantially. So today there are fully automated phishing kits that can be pulled from GitHub for free and operationalized by teenagers.

They're not complicated tools to run, and they can target many organizations and many users within those organizations. At the same time -- and five years ago, this was largely a very manual time-- time intensive effort. What's changed, especially in the last year, is now those tools that have existed have been made available are now being operationalized by AI tools. I was talking about-- about this with a coworker of ours recently, where, you know, five years ago, we used to discriminate between phishing attacks and spear phishing attacks. We used to say, “Okay, spear phishing attacks are phishing attacks, but they-- they know a lot more about the specific individual and all that type of stuff. It's much more contextualized in nature.” Well, now an AI can look-- look up your social media, look up your, you know, information about where you work and-- and where you've worked before. And they can add all that context around every single phishing attempt that is sent. So the, the game has changed tremendously. And so it's much more critical today that we have more deterministic ways of verifying users' identities rather than the alternative. 

Steve: It's fascinating. And you make a great point about spear phishing because years ago you had to manually do that as a bad actor or fraudster. You're doing a lot of research and now these tools can be fully automated to go and, you know, whether it's a large language model or some other form of automation.

I'd like to understand better. The HYPR Affirm experience, is this for onboarding scenarios or password lockouts? Can you help me better understand what the agent and help desk experience is and what the employee experience is like?

Bojan: Yes, so it's-- it's both lockouts, it's also for onboarding. We also see companies using it now for interviews. They've had instances where a person will interview for a job, let's say a software developer. They will do a really good job on the interview and then the person who shows up to the job two weeks later is not the person who interviewed. But they're a remote worker and, you know, it usually takes organizations months to actually figure out what's happened.

So the way HYPR Affirm works is, you just go to a website, you-- you enter your username, it will verify your phone number, it will verify your location correlated with your historical data. Then it will actually put you into a chat room with your peer or your manager. And you can have a regular conversation. You can also have a video chat within that context. As you're having a video chat with your manager, it will do face recognition on both you as well as your manager to make sure that it's you, before allowing you to proceed to the next step. To then, you know, change your password or sign up for MFA, or be given access to HR systems or so on. 

Steve: Can you describe... you mentioned earlier some of the signals that you're leveraging, like the device or the location data or documents. Can you describe a little bit more how that works under the hood? Like how you're orchestrating those pieces, how they get leveraged by the enterprise? 

Bojan: Yeah, so HYPR Adapt is our risk engine product, and one of the nice things about us being focused on authentication for so long is we are essentially the front door to our customers. So we see when a user is authenticating on their mobile device, on their endpoint, their Mac, Windows machine, as well as any browser that they're using, especially if they're doing BYOD. So what we're able to do is anytime a user is authenticating or accessing a system, we pull that data. So we pull who's accessing from what and how, and then we put that into a single risk engine, and we're able to correlate that user's actions.

So we can do stuff like, hey, this person just used their phone to log into their computer two minutes ago, and now their phone all of a sudden is in a different state. That shouldn't happen. Let's lock them out of their account and ask them to go through Affirm again to verify their identity. Because that should never occur.

So we can do things like that. The other capability that we've put into HYPR Adapt is to allow our customers to get more value out of their existing cyber security investments. So as part of the risk engine, our customers are able to pull in data from their endpoint protection systems, such as CrowdStrike, their VPN systems, or even tools like Zscaler, to be able to correlate all of this data at once and then make decisions from an identity perspective.

Traditionally, when we've seen identity or risk tools raise an alert, it goes to some SIEM to be investigated and doesn't usually get to get looked at for, you know, hours or weeks. What we're able to do with a HYPR Adapt is, since we correlate data from all key points of interface, we're actually able to get significant accuracy. So when we ask a user to re-authenticate or to re-verify their identity, it is so accurate that it doesn't seem like it's counterproductive to the end user. 

Steve: Each of these pieces, the Affirm, Authenticate, Adapt, are they all inter-operating? Are-- they're all like from one singular platform? How does the data pass in between those layers and how does the customer roll those out?

Bojan: That's right, it's all-- it's all combined in one platform. So the user doesn't know that they're using three different things. It's just how we bucket it for our specific customers. So they understand where data resides and how. So Adapt is our risk engine product. It is the data lake essentially that-- that maintains all of the-- all the contextual data, and so actually what maintains all the policies.

And one of the cool things we've done with Adapt is actually we-- we wanted to create a risk engine product that-- that can-- that can be easily configured and can use open standards to create policies. So we've seen many other risk engines’ products in the past where if customers want to tweak the policies or configurations, they have to have an expert who knows how to use the product on hand to do that. Since we use open standards to create these policies and maintain them, we use Open Policy Agent (OPA), our customers can hire anybody who has experience with that standard to operate the tool, which reduces reliance on the vendor and gives them more-- more independence to do what they need to do.  

Steve: That's great. That's great. Adapt seems like a major differentiator for you. Are your customers generally using Adapt when they're using these other products or are they using them ad hoc?

Bojan: So typically customers will start with either Authenticate or Affirm. Depending on what the problem that they really want to solve the most. And then they'll layer Adapt on top of it. You know, we-- we approach everything from an identity perspective, from a crawl, walk, run approach. And we tell customers, “Like, if-- if you have to do one thing, the one thing you should do is deploy phishing resistant authentication. Like that's the most important thing that you can do. That's-- that's what-- what will give you the most bang for your buck and just go for it.”

Steve: Zooming out from the HYPR stack into the market, we're seeing more and more data breaches in the news, you referenced a couple of recent attacks. At the same time, I feel like on LinkedIn or those I speak with, there's this certain desensitization that's happening where it's-- it's so frequent that it just becomes noise. What are you hearing when you speak with a CISO or head of technology, these leaders are like… what's their temperature currently with-- with all the attacks going on?

Bojan: It started to change quite a bit, you know, and I think that-- I think the thing that's resulting in CISOs being more sensitive to noise recently is a couple of things. One is, well, the SEC now says you have to disclose breaches in a few days after they happen, right? And-- and all of a sudden that puts a lot of people on the hot seat. Because if you're a CISO and-- and you kind of tried to sweep things under the rug before a little bit, you know, or-- or make it not sound as big of a deal. Now it's a-- that's a much tougher thing to do. Because it's out there, it's public, you have to tell your CEO about it, right? Because they're going to be asked what the shareholders think.

So, you know, people are now having to pay attention to the noise a little bit more than they used to. And then two is, every CISO has to look at every attack vector out there. And now also think about how is this attack vector going to be different now that hackers have AI, right? Because all those things that were repetitive or just a pain to do or manual in nature in the past, now in AI, I can do it much easier. So now you have to think about how do your existing defenses scale. So when you see somebody else get breached in the market, you quickly start paying attention to how did it happen, right? Was it AI assisted behind the scenes or not? And if it was, what am I going to do immediately to try to prevent it from happening to me?

Steve: Well, if we can shift a little bit into passkeys because I-- I feel this is an important solution to this problem. You're on the FIDO Alliance board, you're a huge proponent of the FIDO2 standard. Can you describe for those that might be listening on this, like, how does this work? Like, what-- what's your perspective on it and maybe think if you're describing this to a high school class, like what is a passkey?

Bojan: Well, if I was describing to a high school class, I would just give an hour-long lecture on applied cryptography and then we would just go into it, but no… Passkeys are essentially like passwords that you don't have to remember and that you can't write down and they stay on your phone, right? And-- and the best thing about a passkey versus a password from a security perspective, is you can't be tricked into providing it to somebody else on accident, right?

So the example I give is, “Hey, do you currently share your Netflix password with your friends?” Everybody says “Yes.” And I tell them, well, with a passkey, you can't, and then people usually complain a little bit, but they understand the security reasons behind it. 

Steve: For-- for an organization, what benefits do they see immediately when they migrate to offering a passkey?

Bojan: Well, there's-- there's two primary benefits. One is user experience based, right? So password resets and the costs associated with them. When you think about all the downstream dependencies there, you know, maintaining a help desk and so on and so forth. The user experience benefit is just tremendous because you don't have to worry about people remembering passwords for your site or for your services.

But the primary benefit is from a security perspective, and that is passkeys are what's called phishing resistant. And-- and really what that means is, people can't be tricked into providing a passkey to someone. And-- and most attacks out there today are phishing attacks or social engineering attacks that ultimately try to get people to provide a credential to an adversary over the phone, or email, or text, or some other communication channel.

With passkeys, you can't share them in that fashion. You can't type them, so therefore, they are far more secure. 

Steve: It's-- it's interesting when we were talking about data breaches… you know, not all data breaches are equal. Some cases it may be personal information, but the worst ones are when they have been storing plain text passwords. And then if there's password reuse involved, then other accounts are then susceptible to breach. And then it just becomes this, this wave of attacks. Clearly passkeys and going passwordless are better for the world. But there hasn't been… I mean, there's been some early robust adoption, but how long until we're completely passwordless, in your mind, in your vision?

Bojan: I think a similar question is being asked right now, like how long until we don't have, you know, gas powered cars anymore, right? I think-- I think there's a long tail of these things, but I think the majority of us will be using passkeys over the next five years for the majority of services that we care about, okay? If I have a, you know, a blog site or something that requires me to have an account, I'll use my social login or create some, you know, stupid password for that. But I think for the things that truly matter to us, for our identities, like our financial services sites, services, and-- and similar things, within five years, everybody will be doing it.

Like, we-- we currently work with some of the big banks here in the United States, and they're all at different stages of deploying passkeys, today. And so I think, you know, just like in 2015, when the iPhone with the Touch ID first came out, everybody was like, well, how long is this going to take till everybody has a biometric phone in their hand?

And now pretty much everybody does. Yes, you still go to some countries, or yes, you still go to some place, a restaurant sometime, and you see somebody with a flip phone. But, you know, those-- those are exceptions rather than the norm that they were seven, eight years ago.  

Steve: It's-- it's clear from the latest progress that the large enterprises are adopting this technology, even from the Authenticate conference, just this last October, they announced some really big names that were deploying it. But what do you think about smaller businesses? You know, small businesses are the backbone of the US and many places in the world. Do you think a smaller business with, I don't know, under 50 employees should be moving to this technology for their employees as well?  

Bojan: I think most smaller businesses leverage tools that are made available by large businesses. So, you know, Google has been a huge proponent and has been pushing their users to adopt passkeys, probably more than most and most smaller businesses leverage Google Workplace, for example, to, I think they have 76,000 small business customers or something like that, you know, across the country. So I think, you know, the bigger platform players who provide the technology services to these smaller businesses will adopt passkeys and, therefore, those people will as well… and even tools like WordPress, right? And lots of businesses manage their websites through tools such as that. They're starting to incorporate passkey capability into their services. 

Now, the interesting thing will be, where is the tipping point going to be for adoption? So right now, for most services, passkeys are available, but they are purely optional. It's going to be interesting to see when the tipping point comes, where passkeys are the default required option, rather than just an option. And I think that's-- that's something really to watch out for. 

Steve: And what happens in a passkey scenario if the consumer or the employees lost their device? If that passkey is just on the device, are they going through another verification workflow? Can you describe the recovery process? 

Bojan: So the default passkeys and the way that they-- they work… and this is fairly new in the last couple of years, in particular… is passkeys are synced through your Apple ID or your Google accounts. So everybody with a smartphone, you know, has a Google or Apple account, typically, at least in North America. And so when you create a passkey on one of your devices, that passkey is synchronized across your entire account. So that means when you, if you get a new phone, first thing you do is you transfer your Apple ID account to your new phone. That means all of your passkeys will also be synchronized to your new device, so that you don't have to go through an identity verification flow.

Now, if you lost all your devices all the time, you can't get access to your account, then you do have to go through a verification process. But that-- that's no different than today if you forgot your password on all your accounts, on all your devices. 

Steve: You'd have the same reset workflow. What are some of the potential risks for a company that's deploying passkeys if they continue to maintain passwords or they don't put passkeys as the primary option?

Bojan: Yeah, I think, you know, the-- the risk of phishing is-- is going to be more prevalent than ever. And-- and-- you know, I talked about… you mentioned earlier about the password spraying attacks and-- and how breaches have databases of passwords in them. Well, now there's a publicly available database, right? With like, what, over 20 billion passwords that have been stolen in different breaches over the last couple of decades. And now what-- what hackers can do and are doing is they're using AI to create permutations of those passwords, right? Because one example that I've seen recently is this guy had his-- his password was a combination of his kid's name and the year that his kid was born, right? So not a great password by any means, but that was his password and he may add an exclamation point or something to the end of it to make it a little bit more secure. But now if-- if you're just a-- if you're blindly trying to reuse that password into that person's different services, you may have very limited success. But an AI can now go and look up that person's other kids' names, their-- their years that they were born and try those combinations as well. And that is 100% an automated process, right? You don't need a human doing that anymore. So we're going to see phishing attacks and credential stuffing attacks being just so much smarter than they ever were before. That if businesses continue to use passkeys or passwords as they are and-- and don't deploy passkeys as the default option, they're going to have a really bad time. And if they are still providing passwords as an alternative, and somebody traditionally uses a passkey, but they come in and use a password, then you can put them through additional gates to make sure that it's really them because they shouldn't be doing that.

Steve: You bring a really valid point around the ability to take all of that data, apply data science, machine learning algorithms to it and make predictions. And so it's not just what's been breached already, but it's like this predictive where might they change the password, which is-- that's really scary. 

I want to shift a little bit, though, and talk about the broader identity and access market. I was browsing some of your partnerships. And when I think about IAM, CIAM, I think Okta, Ping, ForgeRock. How does HYPR play into those ecosystems? 

Bojan: Yeah, this is… I have a bit of a, you know, a controversial approach to-- or a thought process on-- on how on the value that those businesses are bringing. So all of those businesses that you mentioned are phenomenal. They've-- they have tremendous customer bases. They bring significant value to their customers from an identity management perspective. Lots of those products are phenomenal directories with rules built around them and so on and so forth. But they traditionally do not focus on identity assurance or identity security.

So what-- what HYPR does is we go into enterprise environments, typically, where many of our customers have Okta, they have Ping, they have ForgeRock, they have Azure Active Directory or Entra, whatever it's called now. They have all these things. But they still have all these security issues and they realize that. None of those products specifically focus on identity assurance across the entire landscape. And that's really where HYPR fits in-- is we go into that enterprise environment and we say, “Okay, you've got all these identity directories, you're managing all your users in all these different places. How can we have trust that-- or assurance that it is the same person across all those different identity silos all the time?” And that's really what HYPR focuses on. 

Steve: Those that listen to this podcast typically are in digital identity, identity verification. Are there ways that those types of companies would partner with HYPR or would they be competitive to HYPR? How do you think about the broader IDV landscape? 

Bojan: Yeah, when I look at the IDV tech out there, that's today-- that's available today, we partner with some of them for sure. Where I mentioned HYPR Affirm earlier, which is our identity verification capability, we actually plug in different tools and products into that verification flow, okay? So HYPR Affirm itself is really a-- an engine with-- with some out of the box steps capabilities built into it, but it's designed to be extensible so that if our customer really likes a different document verification product, for example, from one of their vendors, they can incorporate that into the identity verification flow for Affirm, which has a lot-- a lot of additional context and data and-- and trust built into it.

Steve: Earlier, you mentioned for those that sign on with HYPR, you have a crawl, walk, run approach. You've actually got a really cool asset on your website where it explains it in a lot of detail. And I'll link to that asset as part of this transcript of the episode. For a company that wants to start out using any of your technologies, what's the crawl step that you typically recommend? 

Bojan: The crawl step that we recommend is how do you make better security optional for a user and get them to adopt that technology on their own? A lot of times when organizations think about security controls like MFA, it's painful for the end user, right? Because you're adding additional steps for them that they feel like they shouldn't have to go through.

And so what we recommend for our customers is, make stronger authentication, that's actually a better user experience, available to your users. And that's the crawl step, making an alternative to what they're doing today and let them opt in to that better alternative. Lots of companies try a carrot and stick approach. We prefer the carrot approach because we feel like that's how you get faster adoption at scale across your users. And so what we recommend as a crawl step is if you're not using passkeys right now, deploy them as an optional capability to your end users and nudge them in the right direction, and then see the adoption growth.

Steve: Beyond the crawl, what's the walk step, just as a sneak preview? 

Bojan: The walk step is, once you start getting adoption from the crawl step, and people start to really see the value in it, what you need to be able to monitor who's doing what and how. So if you see a person logging in with a passkey, for example, for two weeks straight, the walk step is you then disable the password login. It's clear that they don't use it anymore. Let's eliminate that attack vector entirely. 

Steve: That's great. And we're going to hold back the run steps so people go and check out your great asset. Thank you for sharing that. 

Well, we're coming up on time, Bojan, and I'd love to hear your perspective on the future of HYPR. Where you're focused in 2024, if it's continued investment in the core pillars of your platform, or if you're going to broaden it into other pillars, can you share anything publicly with us on the podcast? 

Bojan: Yeah. Our-- our strategy for the next couple of years is what we call our anti AI strategy. Which is not that we were against people using AI, we think they should, I do personally all the time. But we think that hackers are going to be weaponizing and utilizing AI to their advantage much faster than the people defending because hackers don't have red tape, they don't have approvals and processes and budgets and things like that, right? They just… so our anti anti AI strategy over the next couple of years is how do we incorporate technology and controls and processes for our customers that stop hackers in their tracks who are using AI to make some of these traditional identity based attacks much more potent, and that's really the big thing that we're doing today. And over the next couple of years, it's really exciting. And-- and so stay tuned for that.

Steve: Excellent, I look forward to seeing that as it rolls out. I won't ask you too many more questions on there because I don't want you to jeopardize your-- your plans out in public. 

Before we wrap up, Bojan, I'd love to go a little bit deeper into your personal background. If you've seen any of the episodes of EXECUTIVE SERIES, I like to highlight a little bit about the person behind the press releases… and I could ask you about your time as a former hacker, you could go there, but I think you've probably been asked a lot about that in different forums. I'm curious more about your work with the Big Brothers and Big Sisters of New York. Can you share more about that organization? What you've done there? 

Bojan: Yeah, I moved to New York City about 12 years ago now and I was trying to find ways to be a better citizen. You know, when you move to New York City, there's an endless list of things that you can do and see. And-- and many of those things that you can do, you know, aren't super productive or particularly healthy, right? There's-- there's a ton of-- a ton of things in the city that just you should avoid for-- for your own good health. So I said, hey, you know, I've always enjoyed volunteering in different capacities historically, and I've always done it a little bit sporadically. So I decided to join the Big Brothers Big Sisters program. And if you don't know what that is, it's basically, you know, every-- every two weeks, sometimes more frequently, you spend an entire day with your little brother or your little sister. And they're typically kids, you know, who-- who come from, you know, the lower tier of the income bracket, for sure. And-- and so it's just a tremendous rewarding experience and you just do everyday things, right? You-- you-- you show them different skills, different capabilities. Sometimes you just do homework together or play video games. It's a really rewarding experience. I've done that for 10 plus years and it's something that, you know, my little brother that-- that I was with for a long time, he started at eight and graduated at 18. So it goes all the way into adulthood. So it's… you form a real relationship and a bond with-- with a person that I think lots of other volunteering type of projects you don't get to do.

Steve: It's amazing, Bojan. And for your mentorship, do you ensure they also have great password hygiene, that they understand their threats as they're out there creating their accounts?

Bojan: Yeah, of course. Yeah, you know, I-- I taught my little brother, you know, how to code all these different types of things. So it's-- it's a ton of fun. And yeah, we definitely make sure that, you know, no passwords and you never write them down. 

Steve: That's wonderful. That's wonderful. That's a great organization to be part of, thank you for sharing your role in that, Bojan.

As we wrap up today's podcast conversation, for those that are watching or listening to this, what kind of conversations would you be open to having? 

Bojan: You know, I think for me, it's all about learning about other people and the problems that they're facing, especially problems that haven't been encountered too many times before. So, if anybody wants to reach out, you know, discuss ideas around product technology, best practices or situations on how to get users to adopt technology faster… because working in the identity space, it's so people oriented, like, those are some of the most interesting problems, which is like, “Hey, how did you get this group of users to do this or adopt this technology to be more secure?” Those conversations are absolutely fascinating to me. 

Steve: And what's the best way for listeners to engage with-- with you directly or your organization? 

Bojan: LinkedIn, our-- our website, email me, first name@HYPR.com. It's no secret and always-- always up for a chat.  

Steve: Great. Well, I'll be sure to provide your email, your LinkedIn profile.

And as we wrap up, I will close out with my HYPR hat here. And what kind of swag do you have in store for 2024 or any other things I can add to my collection?

Bojan: Definitely more hats. You know, we're-- we're looking at stuffed animals. We have a… our internal mascot is Hero the Hedgehog. So look for -- at future shows -- look for a hedgehog stuffed animal that with the HYPR branding for sure. 

Steve: I would definitely look for one of those to bring it home for my kids. Well, Bojan, and thank you so much for taking the time to speak with me. I look forward to seeing HYPR’s continued growth and I look forward to a passwordless future. 

Bojan: Thank you, Steve. Appreciate it, man.
