Beyond Identity Isn’t What I Expected but Could Be What We Need
Walking from Moscone to a small PE office during RSA Conference 2019, I thought I was on my way to do a favor for a friend. This wasn’t Snowflake business since I was going to meet the Beyond Identity team on a personal invitation. All I was told was they had an identity and access management solution, and they wanted to hear what I thought about it. At the time, they didn’t even have a name for their company. Within two minutes of them starting the walk-through, my mind was racing. What they have built is something I first imagined decades ago. I bet it’s something many have imagined. Like all the best technology companies, when you learn what they do and the basics of how they do it, you think: “Why hasn’t anyone done this before?” That answer, for Beyond Identity, is that the technology in our pockets and the platforms we are using have only just now aligned in the right way to make this possible. What follows are my personal opinions about why I think that’s true, and how exciting it could be.
Right now, as you read this, there is most likely a little lock icon right next to this website’s URL, somewhere above this text. That little lock is the sign that many proofs of identity, called certificates, have been exchanged without you needing to do anything special in order to ensure the security of your visit to this page. They guarantee that you are speaking to the website you think you are, that no one has interfered with the content you’re seeing, and that it uses state-of-the-art cryptography to do it. Again, you didn’t need to do anything special to make that so. If we can do that for every website on every browser on every device, why can’t we easily prove who *YOU* are to applications without needing passwords? This is not a new question. However, the old answers were terrible. For entertainment, try searching “the year of PKI” to see how terrible.
In brief, the idea that every organization and person could be a source of trust for certificates was very impractical because of the technological demands of creating and maintaining trustworthy systems. But now we all carry sophisticated computing in our pockets and have infinitely scalable clouds. The idea that your device is trustworthy is supported by every multi-factor authentication you do with your phone. Beyond Identity is taking the next natural step. Why use passwords, codes, and other things that tax humans when you can trust something you already do – the device itself? Just like the little lock confirms that you are absolutely communicating with the right website, the Beyond Identity check mark can tell an application it is absolutely communicating with the right person’s phone. Since we trust only that person can unlock that device with strong biometrics, we have a chain of trust from the human to the service – no passwords needed.
The other fascinating bit about the Beyond Identity solution to me is the origin. The old saying is “necessity is the mother of invention,” but I find in tech it’s more true to say “the best inventions come from the detailed problems.” The company that is now Beyond Identity started off trying to build a consumer platform for home use. They didn’t want people to need to log in to use it, but they also wanted multiple profiles and good security. They had an identity management problem. It just so happens that this team also had a lot of Netscape and other DNA that knew a thing or two about certificates. By the time they solved the problem for their consumer platform, they realized that this elegant solution with certificates was the real winning idea. So they pivoted. These are all just my opinions, and this thought is doubly so: I have always found the best tech comes from people who get mad at some detailed problem and channel that to solve it so thoroughly that they invent something powerful. Beyond Identity clearly fits that mold.
All this was racing through my head in that little VC conference room. A lot of it poured out of my mouth then, too. I immediately dashed past their enterprise plans to ask about how to bring this out everywhere. Can you imagine something like this coupled with an identity platform like LinkedIn or built into Android? Of course, that’s why I’m not the one who makes business plans. Enterprises are suffering from authentication issues every day. I’ve already introduced this to several people I know, and every one of them has started a serious conversation with the Beyond Identity team. So, clearly, their go-to-market plan makes sense. But now that I know this exists, I’m a little more mad every time I get a password prompt and have to do the dance of bringing up my password manager, clicking, and maybe copying and pasting. I know there’s a better way, and I’d like it on my phone and for all my identities tomorrow. So let’s get on that, please.
For more information about the author, Jonathan Sander, follow him on LinkedIn.