
Passwordless Authentication with Co-founder & CEO of Authsignal, Justin Soong

Steve interviews Justin Soong, Co-founder & CEO of Authsignal

In this week's episode, I speak with Justin Soong, Co-founder & CEO of Authsignal.

Justin shares how his team is disrupting the authentication space by making a simple, drop-in solution that doesn’t require re-architecture or migration. He discusses Authsignal’s origin and how his experience processing billions of dollars of payments later equipped him and his team with the expertise to build one of the Asia-Pacific region’s most innovative digital identity companies.

We also cover the evolving threats to MFA, session hijacking, and how the world can move to zero-trust with passkeys.

RESOURCES:

Connecting with Justin Soong

Justin Soong’s LinkedIn: https://www.linkedin.com/in/justinsoong/

Authsignal’s Website: https://www.authsignal.com/

Companies & Resources Discussed

Authsignal is a fraud operations and authentication platform that delivers a suite of leading tools to enable the prevention of fraud, securing of customer journeys and the enablement of businesses to orchestrate the authentication of customer behaviors and actions at any stage in the customer journey.

Generative AI And The Risk Around Digital Trust is an article written by Authsignal founder Justin Soong, published in the Forbes Technology Council in February 2024.

Laybuy is a fintech app that offers shoppers an interest-free credit alternative to credit cards. It was founded in New Zealand and is available in the UK.

Afterpay is an Australian fintech, buy now, pay later service. It operates in Australia, the United Kingdom, Canada, the United States, and New Zealand.

Dovetail was an instant payments platform that was acquired by Fiserv.

Harmoney is an online consumer-direct personal lender operating across Australia and New Zealand. Harmoney provides customers with unsecured personal loans that are fast, easy, and competitively priced.

Paloma Ventures is a venture studio that partners with promising early-stage founders to transform pre-product, pre-revenue startup ideas into highly scalable and successful ventures.

Hewlett Packard Enterprise (HPE) is a global edge-to-cloud company built to transform business by helping organizations connect, protect, analyze, and act on data and applications from edge to cloud. Steve Craig, PEAK IDV and Justin Soong, Authsignal, both worked there at one point in their respective careers.

FIDO Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords. To accomplish this, the FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

iProov, founded by Andrew Bud, is a biometric solution, protecting the world’s most security-conscious organizations from deepfakes and other types of identity fraud. Andrew was a previous guest on the PEAK IDV EXECUTIVE SERIES podcast - “Stop Liveness Attacks with Founder & CEO at iProov, Andrew Bud”.

Conferences referenced:

Authenticate

Identiverse

IDENTITY WEEK (Singapore)

MessageBird, now known as Bird, is a customer relationship management (CRM) platform that helps businesses streamline conversations through their customers’ preferred channels, like WhatsApp, Email, SMS, Voice, WeChat, Messenger, and Instagram.

WhatsApp is an instant messaging and voice-over-IP service owned by technology conglomerate Meta.

Auth0, acquired by Okta, is a customer identity solution that enables organizations to provide secure access to any application, for any user through a customizable platform. Auth0 will continue to operate as an independent business unit of Okta.

Rails Girls states that “Our aim is to give tools and a community for women to understand technology and to build their ideas. We do this by providing a great experience on building things and by making technology more approachable.” Ruby on Rails is a server-side web application framework written in Ruby under the MIT License.

FULL EPISODE TRANSCRIPT

Steve Craig: Welcome to the PEAK IDV EXECUTIVE SERIES video podcast, where I speak with executives, leaders, founders, and change makers in the digital identity space. I'm your host, Steve Craig, Founder and Chief Enablement Officer of PEAK IDV. For our audience, this is a video first series, so if you're listening to the audio version, please check out the full video recording on executiveseries.peakidv.com where you can watch the full video episode, you could read the transcript, and you can access any of the resources or links discussed in today's conversation. In this week's episode, I'm really excited to speak with Justin Soong, Founder and CEO of Authsignal. Authsignal is a drop-in authentication platform. They focus on enabling enterprise and mid-market businesses to seamlessly authenticate customer identity, mitigate fraud, and secure customer data. Justin has a diverse background in fintech across the Asia Pacific region, from being CTO of Australian Security Exchange listed Laybuy to working on the Afterpay codebase at Dovetail, and then launching a P2P lending network at Harmoney.

Justin's team-- Justin and his teams have processed billions of dollars in payments and lending. And he's taken his experience from scaling and managing risks into Authsignal. I first met Justin at FIDO Authenticate just recently this last year in Carlsbad, and he joins us live on the episode here from Auckland, New Zealand. Welcome Justin to the podcast. 

Justin Soong: Thanks, Steve. Really great to be on the podcast. 

Steve: Excellent. Well, let's get started. Let's dive right in. Justin, can you share more about Authsignal? What's your typical elevator pitch? 

Justin: I started to realize that digital trust is going to become the biggest security issue for the next decade. What we found was especially my experience, trying to bridge that gap, especially the consumers, very difficult to build in-house, and there are very few solutions that are easy to implement. And that can navigate a beautiful customer experience and keep bad actors out. 

So Authsignal is very simple. We're upending the script and disrupting the space by making a simple drop-in solution that doesn't require you to re-architect or migrate all of your customer data. Keep it as how it is and inject our APIs into your customer journeys. This way you get to offer new next-gen passwordless technologies like passkeys that keep bad actors out, but also make your customers feel like they're the best customer on earth.

Steve: In preparing for this particular episode, I did some research and it looks like Authsignal was founded in 2022 with backing from Paloma Ventures. Is that the right date? And can you share some of the origin story of the company?

Justin: Perfect. Yeah. Yeah, that's about the right time we started. But with every origin story, it starts a few years back. And it's been a privilege to be on this journey and have great people like Paloma back us and other investors. Now, I've spent my time in consumer fintech. If you dig down into my history about a decade and I started to see re-occurring themes, problems that my teams had to solve over and over and over again. And in my last role, we had to rapidly scale consumer based processing billions of dollars worth of payments.

What you tend to find in -- when you're in the hot seat -- is that you're not only growing customers, but you're also growing the rising threat of cybersecurity issues, bad active threats that ultimately fall on your plate and your team's plate to try and solve. What we found was it's very difficult to get right, especially when you take on responsibilities of having to build every single customer journey and customer flow. It's an expensive process and requires subject matter expertise, requires dedicated teams, and it started to get very frustrating.

There were no off the shelf solutions and just building it just started to become too much of a huge burden. So I looked out to the market and I thought this is something that I could solve and build as a product that's satisfied key criteria that I wish I had in my last job, for example. So that was the birth of Authsignal.

The idea is simple. Good customers should just be let through and be able to get through automated processes so that they can get things done online and bad actors should be stopped in their tracks. That's the formula and that's the key ethos of Authsignal as a product. 

Steve: That's a great origin story. A lot of companies, I think, start that way where the leaders are trying to implement a solution. They're building it themselves and they would much rather just buy. But then nothing exists to go out and buy. So it's great, thank you for sharing. And what's, what's your origin story? I see, you know, looking back on your early career, you were a specialist in the Singapore armed forces, like how did you get your start in your career? And how did the time with armed forces prepare you for tech? 

Justin: Yeah, no, it's an honor to serve. And it really set me up to realize that the world out there is not all unicorns and puffy clouds. We live in a world full of threats and we need to be constantly equipping ourselves to understand the landscape and then responding to threats and issues. And serving in the military really gives -- yeah -- gave me that platform and that kind of hands on understanding of this reality. As-- being born in Singapore, I was made to join the military as part of a conscription process. So that was how I fell into the armed forces, but it was a great time. You know, the other thing I got out of that journey was, you know, everything is all about people. If you don't have the right team around you, if they don't know what the objectives are and cannot work together, then you're never ever going to win both in a, you know, a military sense, but also in real life.

So I had a great time being a specialist sergeant in the military. And I got to dabble in all sorts of aspects of military life, including branches that allowed me to use my skills as a software engineer. So that was the beginning of -- I guess -- me, you know, kicking off the career. And I decided to put it into the private world and found myself applying the software engineering skills that I built up in the military. And I moved on to starting work for private enterprise, like places like Hewlett Packard was the first place I felt-- found myself working.

Steve: Excellent. Yeah, I noticed you worked at HP. I worked at HP too. I think we were different offices, maybe different times. I didn't make it very long there. What business unit were you in? 

Justin: I was in the professional services and consulting field and we were actually building fintech applications for banks. You know, back in the day, interestingly enough, banks communicated to you through mail. So we did a lot of the processing of all the communications and we built a lot of the apps that process all of these banking communications through HP.

Steve: That's great. HP was such a big company. It had so many different business units and I don't recall the financial services side of it. So that's great foundational working experience for what you later do with Authsignal. 

If we can jump back now to Authsignal you're a big proponent of passkeys and you provide passkeys. This is something that I've been hearing more and more about. The Authenticate show that I mentioned earlier, had a lot of sessions on this, but can you describe for the podcast audience, how you think about passkeys versus something like a password? 

Justin: Yeah. And before I jump into what passkeys are, let's take a few steps back and understand a problem that we've been building up over the last 30 years. And this is a problem of, what we call, a symmetric authentication flow. And to dumb it down even more, we've built a whole society based and trust around things that should remain private that needs to be shared with another party to then create an exchange of trust. So typically it would be me, maybe with a pin code or a password that I know myself, and I would have to share that with a website or app. And the website would have to store some form of version of that password, whether or not it's an encrypted or hashed version of it on its side.

And we exchange these codes and passwords to gain access and gain entry. Now for the last 30 years, we know that that is very insecure. We've seen the, you know, the rise of data breaches and the value that is placed on data, like our pin, our passwords and our individual lives. There's value because I can use those to exchange and initiate a trust exchange with someone else.

My date of birth, for example, is what some-- my insurance company uses when I pick up the phone and ring them up and they asked me for my date of birth. Well, you know, it's pretty public knowledge what that is, but that's the status quo, right? The exciting thing is with the advent of passkeys and fundamental technologies that underpin it, we can start building a world that moves away from that. The sym… you know, this world of symmetry, this world of needing to exchange secret things with each other that we have to relay all the time. Passkeys are built on asymmetry, me needing to know something that I never have to share with you but exchanging something else that you can use to validate and exchange and create trust with me.

It uses very solid internet technology called, you know, public key cryptography that underpins a lot of what the internet is built on today. But the folks at FIDO Alliance and the tech companies that are big proponents of passkeys, they've turned all these complicated technologies into something anyone and everyone can use.

So our phones hold passkeys and they've… Apple and Google have built great user experiences that turn asymmetric cryptography, a big word I know, into something that just requires you to use your face ID or your biometrics on your phone to then initiate a trust exchange with the other person that you're dealing with, a website, or an app.

So long story short, we love passkeys because it builds incremental steps to a world that doesn't require passwords anymore. And we acknowledge that that's going to take a long time, but we need to start somewhere and passkeys offer that pathway for that. 

Steve: That's a really great way of explaining it, Justin. And as you were talking through, I think about passwords or just knowledge in general, like your date of birth. Like, that's something that can be replicated pretty easily. If you share with me your date of birth, or you write your password down on a piece of paper and you give it to me. Now I can use that in whatever way I choose outside of the context of you knowing. But then if you shift to a technology where you can't necessarily shift that knowledge, and now it becomes something else that is perhaps one time or something you continue to control, I think that helps get at the heart of one of the challenges with using knowledge.

I'd love to dig in a little bit deeper to what your company offers in particular within your tech stack. In particular, I saw you have a no-code rules engine and you have this concept of a single view of a customer and you have some other tools and components for the delivery of passkeys. Can you describe what Authsignal has as a product?

Justin: Authsignal is tuned for B2C companies. If you've got millions of users and transacting with millions of users, we're the perfect type of product for your company. The reason why is because most customer facing or customer based identity products are huge and clunky and require you to spend years and build teams around to adopt.

With Authsignal, you can park all of that effort and actually concentrate on your customer experience and go. I have multiple touch points with how my customer interacts with me, be it a website, a mobile app, or even a call center. How do I then build experiences that can create these new passwordless experiences that I can drop in very quickly?

So with Authsignal, we have a single API that you can give to any engineer of any type of capability or experience -- don't need 10 years in identity -- to then quickly inject these customer journeys into every part of your customer journey. When you start sending these API calls to us, we build up a picture of all of your customer behavior.

So from when they first signed up to how many times they logged in today, to maybe them changing an email address and then transacting a big, large amount. When you start putting these API calls in your system, we build up a 360-degree view of your customer into an audit trail, and we surface analytics.

From this analytics, you can now start to tune and tweak your customer journey according to your risks that you have at any one point in time. And we know that risks change. They don't stay static and they evolve over time and they evolve with businesses too. And there's no one single, one size fits all model that can be applied to any business.

So once you have an understanding of your customer base, your risk, and what you'd like a good customer journey to look like, you can rule… use our no-code rules engine to build policies without any engineering effort. So no need for long, painful conversations with product teams to prioritize what you might change.

Your team or product team or operational team can make these tweaks in real time according to how you see fit. Lastly, we have customer tuned user experiences that you can launch based on these policies that you've built good customers into to verify themselves. And one of them could be a passkey flow, where if a customer is going through a customer journey and there is perceived risk based on your policies, rules, or maybe third-party data points, like a risk scoring provider, you can throw your good customer into a passkey flow. They would go straight through using their face ID or touch ID. So very little to none -- no friction at all in the process. They can get… you can assert-- you can assure the transaction and go, “Hey, look, this person's using a passkey. We don't have to add any more manual steps or review steps in this process.” You can let that transaction through. 

So really with three pillars of key functionality that make up Authsignal. The ability to observe what's going on in your customer platform, the ability to respond very quickly with no-code rules and customer tuned user experiences that you don't have to build. All through the single API call.

Steve: When it comes to the user experiences, what are the different options that you support for multifactor, like the different types of modalities? 

Justin: Right at the top of the list, we've got passkeys, which is something that we're a big fan of. But if you step down the list of different assurance levels, we work with different partners that offer biometric authentication flows from face biometrics down to palm, palm vein. And as you step through that, through the list of assurance levels, you get to things like TOTP, which is your typical authenticator app flows that is starting to become a little bit more popular -- SMS OTP, email magic links, email OTPs. So we offer it a full gamut. And the reason why we do that is because we know that there is a transitionary period to where it's biometrics or passkey type of authentication factors. We're not going to just make this leap straight to passkeys. So by offering optionality and choice for consumers, we're able to navigate this complexity of having to juggle different types of customer experiences. It's all baked into our Authsignal platform. Customers get to choose and you get to choose when and where passkeys will be introduced into your system or your platform. So that's pretty critical.

We're excited with, you know, things like face verification and palm verification as well as just previously mentioned. It's an exciting space and we feel that the world is going to become more based on tools like that. 

Steve: It's a really good point you make around the different maturity levels of organizations in terms of what technologies they want to use. So being able to work with some that might want to make that leap right into biometrics and others may be a little bit more interested in still the email links and the SMS links. 

I did notice that you had announced a partnership with iProov and Andrew Bud has been a guest on this series from the last season. Can you share more about the biometrics partnership and the work that you have with iProov?

Justin: Yeah, great. iProov, in our opinion, are one of the top vendors and suppliers of biometric technologies globally in the world. So having aligned ourselves with them is just a match made in heaven. And we're also making huge strides in rolling out passkey technology to large enterprises. So it was a natural fit to work together. 

What we do is we wrap their APIs and their biometric flows within this whole Authsignal suite that we just talked about and offer customers the ability to uplift and upgrade at their own choice or use the rules engine to selectively migrate customers into say an iProov biometric flow.

Now, this is important because you have to build… when you start introducing these technologies, what you realize is that this customer experience is actually the superpower that increases adoption. Just throwing a technology there and hoping someone in your population or your demographic, is just going to pick it up and run with it is, you know, a little bit of a pipe dream.

So with Authsignal and iProov, we give the power back to platforms and consumers to go on this journey to opt in and present different flows so that they can be presented with the choices and options that they need. And for iProov, it's a great use case for high value transactions. For example, we see banks using iProov to authorize really large sums of, say, internet banking deposits or withdrawals without the need for any human verification. So we see a lot of banks are suffering in the customer service area. Their call centers and their email inboxes are getting overloaded. And they see this as an automation step and go, “How can we create a level of digital assurance that is as good or even better than a signature?” And we know… you know, I'm using that as an easy example, yeah, that can give me the authority to transact on behalf of my customer. And iProov ticks all the boxes there. 

Steve: When I work with practitioners or enterprises that are looking to implement biometric technology, they often think about matching, you know, the accuracy of match rates. But they don't, until they go live, think about presentation attacks and the importance of liveness and making sure the user is really there and it's not some replicated video screen or some photograph in some cases. So certainly I'll link to the iProov episode for those that are listening. You certainly should watch that and then I think connecting that to what Justin's doing will be really powerful.

Justin, are there any other notable partnerships that you can share within your ecosystem? 

Justin: Yeah. So we have a really great partnership with MessageBird. So for those who are trying to figure out how to transition out of SMS OTPs, as an example, we offer some step changes to where it's a world where maybe you can offer a more secure version of the SMS OTP using MessageBird’s communication APIs and technologies.

And one of it is using WhatsApp. So WhatsApp is one of the world's largest end-to-end secure communication channels, which is brilliant -- we love that. And, we work with MessageBird to offer a WhatsApp OTP flow where yes, it's not as good as passkeys, but it's a step up into this world of making everything secure.

So instead of SMS OTP text message that you, a customer may get, we use MessageBird to try WhatsApp first and gracefully fall back to SMS, for example. It's all these little nuances that are very difficult to tune and get right that we've baked into our product. So MessageBird are great partners of ours. And, you know, if you've got any sort of… if you just need a sounding board and how to move away from traditional SMS OTP and help you optimize for cost, you know, we can certainly help with that. 

Steve: That's great. Well, from a technical perspective, when someone signs on with Authsignal, say they've got a signed contract and they're ready to move forward, what are some of the initial stages of implementation? Like, how does a company get started using your technology generally? 

Justin: The great thing is we're a fully cloud based SaaS product so you don't have to speak to multiple people to get started. Sign up online, follow our documentation, and you can get very far. But to take a few steps back before you get coding, the most important thing is to understand how your customer interacts with you and maybe just do an audit of all the different places where the customer may interact with you and the highest points of risk. And what we encourage is don't automatically gravitate to the login box as your first interaction that you'd like to secure. Because, sometimes it's the heart, you know, it's a very high friction step for what potentially is pretty low risk when a user just first signs up for your product or service and is just sniffing around and just exploring. Where you'd really want to step up is where the risk lies. For example, if you have PII that you show on different parts of your app, or you're initiating a high value transaction, do a bit of an audit, understand how your customer interacts and where the risks are in your customer flow.

With that understanding, then it makes it very simple to know where to place Authsignal and our APIs. So, simple, take an audit… actually I have to take a step, sign up for an account, figure out how your customer interacts with you, and give the documentation to one or two developers and away you go. That is all that's required to get up and running with Authsignal. 

Steve: One of the things I noticed on your website is you had Figma templates, which I didn't fully download, but I imagine that's for user experience planning. Do you offer a consultation or professional services for companies that need more help?

Justin: Yeah, we love to engage with folks. So, you know, although you can sign up and not talk to everyone, we love to talk to our customers. Some of our customers have large design teams that care so much about customer experience. So Figma templates help our customers build these flows so that they can sell new authentication flows and verification flows internally, get a handle on how it looks like and how it feels without writing a single line of code.

So if you get in touch with us, we have all sorts of little tools that can help your team build out a great Authsignal experience.

Steve: For those that are listening, I'm sure they're familiar with authentication and authentication companies. How does a company like Authsignal compare to companies, say, like Auth0?

Justin: So the biggest fundamental difference is we're not an identity platform. We don't require you to migrate all of your customers to Authsignal, we augment what you have. You may be on an IDP, some of our customers are on some of the largest IDPs that you've just mentioned, Microsoft ones and AWS ones. Some of them have rolled their own stack for decades, we're agnostic to that. If you're interested in rapidly introducing new secure journeys for your customers without the need to migrate, drop us in. Augment your current flows through this one single API and you can move very, very quickly. So we've been able to help folks that have now understood and realized that they could move really quickly and still introduce passkeys without the need for migration. That's exciting for our customers and we're excited to support that. 

Steve: The types of implementations that you're doing, again, going through your website crypto, fintech, marketplaces, those industries I know have a lot of overlap, but they also have major differences. As you've done user experience consulting with these companies and help them deploy, where do you see overlap? Where do you see things that are just different in terms of the companies? 

Justin: The biggest overlap is any consumer app these days are starting to look more and more like a fintech. Even we work with one… an airline that's voted the world's best airline in the world last year, Air New Zealand.

And when you dig underneath the hood, they don't just put people on planes. They have a loyalty program. You can send each other miles and points. You can buy things using the points -- there is a wallet. You start seeing these recurring themes. Most crypto companies have a concept of wallets. Most fintechs start to store value. Even e-commerce merchants store credit and loyalty points within their system. And we're hearing of attacks where -- traditionally -- where account security is not prioritized like e-commerce, bad actors being able to start buying gift cards through account takeovers, through stored credit or loyalty points, and when you have a large enough customer base, it becomes super profitable.

So yeah, this is the kind of recurring theme that we're seeing as more and more companies start looking like fintech companies. 

Steve: Yeah, the theme I see is where there's value of any sort, you're going to find bad actors and fraud and someone trying to take over the account, someone trying to get those points or access those funds. So, I think that's a pretty recurring theme. 

You've got a lot of other really interesting logos on your site in terms of customer implementations. Are there any logos, companies, that really stand out that were game changers for Authsignal in terms of when you got them as a customer? 

Justin: The biggest call out is Air New Zealand. We were so impressed with their fanatical obsession over the digital experience for their airline. They weren't just concerned about the in-flight experience, but they really wanted to replicate the same award winning experiences they had, you know, providing great service in the air to their customers on the ground, on their phones, and on the apps.

So we… you know, some of the work that we've been able to help Air New Zealand with is obviously the first airline in the world to roll out passkeys globally, but also implement passkeys and flows that, you know, we never even dreamed that we would see very quickly being adopted by customers. So a good example is Air New Zealand are using passkeys to authenticate customers through a call center IVR flow. So every call that goes through Air New Zealand, you get the option of using your passkey to authenticate. This means that customer support people on the other side don't have to ask those awkward questions that we all hate. You know, what's your last name and date of birth and what was the last thing you ate yesterday for dinner? They can just get straight to helping you and getting the job done. 

And, you know, they're seeing some great improvements around the customer call time as well. So not just a pure security play or verification play, they're getting huge efficiencies in their customer experience. So really, you know, we're very fortunate to work with such a forward thinking airline and we wish more people start, you know, looking at their example and going, “Hey, look, it's possible with Authsignal with passkeys. We don't need to spend two years trying to put something like that in. It's available today.”

Steve: Yeah. So I've used companies that have this push verification from their call center, and I think it's really powerful and I feel more secure. I've also had companies where they don't ask me my date of birth, but they asked me, “Hey, what was the last transaction you did?” Which if it was fraudulent and a fraudster put it there, they could certainly answer that question and then take over the account. 

When we think about the market challenges that we see with fraud and account takeovers and phishing and social engineering, for those that are listening that might be on the practitioner side and we're talking about passkeys and passwordless, but maybe they're thinking, well, what if I just made the passwords more strict in terms of requiring special characters and numbers? Or what if I just rolled out the authenticator process? How does this specifically help thwart some of those rising attacks? 

Justin: Yeah, look, there's obviously baby steps in every journey and password complexity is one that if you still have a password box, please put it in now.

It should be a simple change I hope but if you-- if you're not, you know, ready to move to passkeys or other authentication factors, that's the first thing that you can do. So, you know, look we're pretty-- we're pragmatic, you know. So we view the world take pragmatic steps that you can quickly iterate on, break down the problem, so that you can move fast and solve problems quickly in this space, but it's evolving, right? So, you know, some of the growing threats in the marketplace -- you know, you mentioned deep fakes and Gen AI -- this is a fundamental problem that we need to very quickly tackle as an industry and globally because bad actors, nation states, they know that holes exist, and they would very quickly jump to abuse and exploit these holes.

Gen AI is not just replicating your face or video, but voice match, voice biometrics is now under threat. You know, and a lot of banks use voice biometrics for the call center verification. So start realizing that the threats are real. I say… and then very quickly start thinking of how you could iterate out and supplement the flows that you have with additional authenticator types. If it means a TOTP authenticator app flow, if that is your fastest pathway to achieving that, Authsignal can support that. But, if it means going straight to passkeys, and we can also help with that. So the advice is just understand the threat, understand that if-- if it hasn't landed on your desk, it will soon in terms of issues in your customer database or within your customers. And you do need to take proactive measures so that you protect your customers and their data and their money. 

Steve: On the-- the Gen AI topic, I read an article that you wrote for Forbes Technology Council. It's a generative AI and the risks around digital trust. Talk about this, zero trust model. Can you describe how this concept relates to what we were just talking about with passwords and how Authsignal has a role to play in that? 

Justin: So zero trust in the article unpacks something that is quite a very common concept in the world of networking and corporate security. It's something that's been rolled out over the last five years and internal teams and CISOs are pushing this paradigm onto how internal employees access things within a company. Now there's no reason not to take the same concept and apply it to consumers. And we're big believers that the whole world will be zero trust in a very, very short space of time.

And there's some key aspects of zero trust that are a big fundamental shift from the current paradigm of what we, you know, we think is verify once and trust always. Typically, customer journeys and flows fall into that prior paradigm. I log in once and I trust that you are who you say you are when you first signed up and I can trust that for a set amount of time and you can do whatever. Yes, you may have done MFA seven days ago, but we still trust you. 

The threats are evolving. The session hijacking issues now where bad actors are stealing cookies that have, that can bypass MFA. We see a world where everything is based on zero trust and you would verify explicitly all the time. It may sound tedious, but with passkeys, with a simple Touch ID or Face ID or a tap of a button, you can cryptographically verify someone without any hassle. So why wouldn't you do it?

So, to give an even more high level example, we see the world where everything has a checkmark, where you can trust someone or a tweet or an email, where you could go, “Hey look, that came from Steve or that came from Justin and I trust that.”

And we see the world moving towards APIs and technologies that can help enable that. Lastly, we don't think that you can beat AI with more AI. We need to fall back on some really well and true tested solutions using cryptography and supplement that with some of your flows, for example, using iProov with face biometrics and tying cryptographic steps at different points of your customer journey so that you can have a really high level of reassurance in your customer.

Yeah, so that is really just a bit of an insight into the evolving world that we're seeing. It's not everyone's kind of day job to think about these things, but we spend a lot of time thinking about it. And with the advent of passkeys and different forms of high trust biometrics, we feel that we can get to a world where I could trust you every single time or trust my bank every single time or them trusting me all the time without any hassle or picking up the phone.

Steve: In a world where we have all of these AI agents, you know, replications of ourselves or systems transacting on our behalf. How do you think that the technology, especially around deep fake technology, is going to evolve in the next few years? 

Justin: We think that everything can be solved through just software alone, but we see a world where hardware becomes quite important in this world of transactions and agents.

Being able to trust a chip and the keys that are being used by agents to transact on your behalf through specialized hardware or specialized chips that I trusted in the supply chain, for example, we see is-- we're really stretching out -- so I'm stretching out here a few years -- play an important role in allowing us to use bots agents to act on our behalf that we can approve using devices, a click of-- a tap of a fingerprint reader, a tap of the push notification. So we see the role of devices playing a huge part in this world where you may have a lot of people working on behalf of you, but there are fundamental hardware devices underpinning the security and assurance levels for the digital world. So chips are, you know, chips are not going to go away too quickly.

Steve: Many companies think about software immediately to solve the problem because they want to combat AI with AI and solve AI problems with machine learning technology, and then you make a case for hardware. I think there's a people role in here too especially around governments and regulations.

I'm always curious to hear perspectives from those in other countries. What is going on in New Zealand or perhaps Singapore? You spend time there as well with respect to AI, what's the national discussion like in those countries? 

Justin: Yeah, Singapore in particular, investing heavily in regulation and understanding the landscape of which AI needs to be regulated.

So we're seeing huge government intervention around building policies and laws that can protect consumers fundamentally, which is perfect. And we want all governments to start unpacking that because it is a new era. We haven't had to think about digital representations of ourselves or bad digital representations of ourselves. So Singapore is really leading the charge. 

In this part of the world, New Zealand and Australia are one of the first countries in the world to roll out digital identity bills in their governments at the federal level to bake into the law how digital identity should be one, treated for consumers, but then can be used to verify and reuse digital identities for consumer again.

So for example, governments needing to do away with plastic identification cards and moving away to digital driver's licenses. There is a lot of work in the space in this part of the world to try and get customers off these physical documents that are not as secure. So we're seeing not just legislative changes, but rollouts of digital identity solutions and the world of verifiable credentials, if-- for viewers, who may want to look that up.

Steve: From a US perspective, I often see different CEOs of tech companies get invited to speak in front of US Congress, US Senate, and the questions that the government officials and elected officials ask often make me think that they don't always understand the technology. So I wouldn't think they would know a verifiable credential versus doing a passkey versus some of the other technologies out there. If we were to invite you to come to the States and speak in front of our Congress or our Senate, and you had 10 minutes, what were some of the key points you'd want to put out? And it could be also for New Zealand or Singapore, whatever government you want to get in front of. 

Justin: Yeah, I think the biggest way to sell any bit of technology is to not talk too much about the technology. So that's sort of the learning that I've experienced over the last decade. The more you talk about technology, the more people switch off and you've got, you know, you'll have Congress people asking silly questions.

We need to focus on the benefits that consumers are going to have when we migrate away to these next-gen verification and authentication technologies. And it comes in twofold, consumer harm is going to be greatly reduced when we adopt these new technologies. So that should poke the ears of any politician because they can start talking about how they're looking after folks and the security from threats.

But second-- secondary to that customer convenience, being able to get the job done without needing to wait in line at the DMV (Department of Motor Vehicles), that one saves government's money. And in a world that we're… you know, different governments trying to optimize your costs, moving digital and moving digital identities towards the use of passkeys or digital driver's licenses will reduce your costs over time and you get all the benefits of protecting your citizens and your customers.

So when you present it this way to people who are not technologically inclined you'd hope that these two things would be able to prick your attention and try and drive changes through to-- so, you know, get people adopting it.  

Steve: Excellent. Well, I will be sure to put in a good word to get you the invite to Washington DC, and you can speak through some of these topics.

Well, we're coming pretty close to time today, Justin. I have just a few more questions to get a little bit more forward facing into the future. Where do you see AI evolving further at 10 years, 15 years, 20 years? Are you in the camp of the singularity is near, or do you feel like this technology is just going to augment? Like, what's your take on where we're headed? 

Justin: Look, I think the singularity is inevitable. I just can't predict when but we're… I mean, it's scarily fast, the advancements that we're seeing out of, you know, OpenAI and the different companies that are spearheading you know, Gen AI. I think if we adopt the posture of AI augmenting humanity, and if we can all settle on that ethical contract between each other-- between each other, and it starts from governments also setting the foundation. We feel that AI can be such a huge force for good in our world. If we make AI and allow AI to be unregulated, which it will in different countries, it will be abused and you will see threats that we haven't been able to tackle before. So I don't think we should launch straight into AI taking over all of ourselves and our humanity.

I think there are some-- and people like Elon are raising some pertinent questions around the rate of pace that we're trying to rush, get ourselves to in the forms of the singularity and it's… there are valid concerns. It is not all that good, and to move that quickly and there are some ethical conversations that need to be had first before we launch into full AI taking over our lives. So, that's where we stand, that's where I stand, and hopefully that resonates with some of the viewers. 

Steve: Yeah, it's often in extremes, you know, from one side that's doom and gloom, where we're headed is an extinction level event that's coming. To others, that we're going to enter an age of prosperity and AI is going to fundamentally change humans in a positive way. So it's fascinating to get your take. Thank you-- Thank you for that.

Zooming into a shorter timescale, where do you see Authsignal in the next few years? Like what's your plan for the company as you grow it? 

Justin: No, we're hellbent on just protecting customers as much as possible and giving the tools for platforms that have lots of digital customers. Quickly iterate into a world where they can offer passkeys -- well heck even offer MFA, let's not get too ahead of ourselves -- to move away from pin codes and passwords. So we want to enable that reality and rationalize it for folks that are in the hot seats at companies making decisions. Get on the call with us, we can rapidly solve the problems that keep you up at night.

So we want to spearhead technologies like passkeys and just a little around the corner, you're looking at digital driver's licenses and verifiable credentials. And ultimately the ethos of Authsignal will stay true over the next couple of years. By making adoption simple, both to the implementer and for the consumer, that is how we're going to create a safer digital environment.

So we are going to stick to that value system and the ethos, and we're meeting customers that are aligned on that and implementing Authsignal as we speak. So it's an exciting journey and it's really, you know, for the team and also, you know, being playing a part in saving the world one passkey at a time is something that, you know, we'll keep on that mission.

Steve: Excellent. Thank you for sharing. Before we close out. If you've seen any of these episodes of executive series, you know, I like to go just a little bit beyond the LinkedIn profile behind the company news and researching for this interview. I see that you were into sport bike-- motor biking, or do you still ride these days? Is that still a hobby of yours? 

Justin: Oh yeah, so mountain biking is big in New Zealand. So we've got some world class mountain biking trails. I've got my mountain bike, to be honest, in the last few years while being busy building the business, I've-- I haven't had the time to get it dirty. So it's a bit too clean for my liking.

But, you know, I think taking time out is important especially when we're busy executives and those who are on the call. There's a big focus on mental health and wellbeing and making sure that yeah, that, you know, we want to save the world tomorrow, but there's also-- in order to do that long term, you do need to take some time out.

So, you know, these days we live by the beach, the Pacific ocean is just next door-- if I line of sight, but as the crow flies, I'll hit San Diego. So you know, we like taking our dog out and going on short trips away and doing those sorts of things. So my mountain biking days are hopefully, you know, just a little bit of a hobby for now. But yeah, just a simple life by the beach. 

Steve: Did you ride a sportbike as well? Like a motorized…  

Justin: No, no, I didn't. Just an MTB. Yeah, not yeah, I don't have enough cojones to jump on that-- those sorts of bikes.

Steve: I also noticed you do volunteer work and mentorship with Rails Girls, this Ruby on Rails organization. 

Justin: Yeah, so we-- we love mentorship and growing the next generation of software engineers. So for me, it's important to give back, you know, for us as a company to bring talent in, we need to think a few steps prior to an engineer applying for a role. So we give back. There are some great organizations that help women get into software engineering we-- teens get into software engineering and I've been involved in such organizations in the past, and it's been a privilege and we'll continue supporting that. And yes, it's a great way to give back. 

Steve: That's wonderful, Justin. Well, to close out for the podcast today, what types of conversations would be most interesting to you? For those that are watching this or listening to it, how should they reach out?

Justin: Yeah, so two things. If you have an outstanding security risk or if you're seeing attacks that are unmitigated, pick up the phone now. We're not here trying to sell anything in the first instance, we just want to help, because I've been in similar experiences and it can be a daunting and actually lonely place when you're probably the sole person in charge of identity or looking after your customer accounts. So, please feel free. We have an open door policy, even just to vent or spitball some ideas.

Secondly, if you're interested in passkeys and how it relates to adopting it in your consumer base, we've had the benefit of seeing it rolled out to a diverse demographic, and we've got some learnings that we can share with you.

So… oh, and I'll just add another one, you know, I just love making new friends, so just be in touch and we can have a coffee or a beer next time I'm in your city. 

Steve: Do you have any big trade show plans for the rest of 2024? Any other shows that you'll be at? 

Justin: So we'll definitely be at FIDO Authenticate and we're looking at Identiverse, so may see folks in Las Vegas or San Diego this year.

Steve: Excellent. I'm trying myself to get to Identity Week Singapore. It's one of my ambitions to get to an Asia Pacific show. So maybe I'll see you on the other side of Pacific at some point. 

Justin: It's not far away, it's a 12 hour flight. So see you there.

Steve: Excellent. Well, Justin, thank you so much for taking the time to speak with me today. You're-- and you're coming from the future because it's already the next day where you are. I'm excited to see Authsignal’s continued success in the market and roll out of passkeys and I look forward to watching more from you and your company. 

Justin: Thanks, Steve. And thank you to your listeners.
