Creating true passwordless security
Welcome back to What’s NEXT, a podcast from Samsung NEXT exploring the future of technology. In this episode, I talk with HYPR CEO George Avetisov about how his company is solving the problem of mass password breaches (like Equifax, LinkedIn, Yahoo) that are the result of centralized passwords.
Ryan Lawler: Welcome to What’s Next, George.
George Avetisov: Thanks for having me, Ryan.
Ryan Lawler: So to start, why don’t you tell us what is HYPR? What do you do?
George Avetisov: So at HYPR, we’re focused on solving the problem of mass breaches and credential reuse that happen because companies centralize passwords. So when you look at all the big breaches like Equifax, LinkedIn, Yahoo, the one thing that you’ll notice is it’s not how the hackers get in that’s the same, it’s that the hackers tend to go for their favorite target, which is the centralized credential store, and that’s where millions of people’s passwords and personal data is stored in one place.
And when centralized password breaches happen, people get impacted for years to come. And that’s why we have so much fraud, and that’s why millions of people get impacted by fraud. So at HYPR, we believe that by decentralizing credentials onto users’ mobile devices, we can effectively remove the hackers’ favorite target. We can stop credential reuse, we can eliminate fraud and phishing. And that’s what our customers believe too. So big banks and enterprises like Mastercard, they’ve deployed HYPR to millions of users, and we believe that true passwordless security is the next big trend in the cyber industry.
Ryan Lawler: Okay, cool. And how did you get started solving this problem or why were you interested in it?
George Avetisov: So my background’s in e-commerce, and when you’re in online payments, or e-commerce, or fintech, or anything that deals with digital money, you come across fraud, sometimes lots of it. So in e-commerce, you’re always dealing with fraudulent purchases, stolen credit cards, account takeover, and you’re always thinking about, how do I prevent these things from happening? Or how do I catch them faster?
During my time in the e-commerce industry, I was always thinking, why hasn’t this problem been solved? Why do we have so much fraud? And what could be done about it in the future? So when we started HYPR, we had the vision that as companies deploy biometrics, their users will have new ways to authenticate that weren’t possible before. And that’s how the idea for true passwordless security really got started.
Ryan Lawler: Right. So maybe we can talk about why this is such a big problem right now, like what are the things that are happening that makes password security, especially at enterprise scale, such a big deal, and why do we keep seeing such larger and larger data breaches seemingly like every couple months?
George Avetisov: So I think there’s a couple of trends we’ve been storing passwords in one place for many years, and as enterprises have moved things to the cloud and continue down this trend of centralization, we’ve gotten accustomed to storing everything in one place. Unfortunately, that creates a single point of failure. So when hackers breach that target, millions of people are impacted, and enterprises know this, so they want to prevent it.
Another big trend is the rise of credential stuffing. So credential stuffing attacks have gotten really popular. Just this past year, there’ve been reports stating that banks pay up to $2,000 per account takeover, thanks to credential stuffing attacks. And what they are are brute force attacks by malicious hackers on an online service trying out millions of people’s passwords over and over again until they get in. And we’re constantly being, you and I, our online accounts are constantly being attempted by malicious hackers, and it’s those reused passwords that are effective in getting in. Human nature is to reuse passwords.
I believe an analyst research report said there was approximately a two percent success rate on credential reuse. Now, it doesn’t sound like a lot, but when you’re talking about billions of passwords over a couple of years, it is a lot. And these trends have converged and basically caused enterprises to say, “Put passwordless security at the top of the shopping list. Let’s do away with this problem right now.”
Ryan Lawler: Right. I think a lot of people right now are thinking about personal password security and how that works, but what are enterprises doing to try and protect against this? I mean, even before things like HYPR came along?
George Avetisov: So enterprises have tried educating the user on make your password stronger, make them longer. We’ve seen companies go to 14 character alphanumeric passwords and complex passwords and phrases. Unfortunately, that’s not gonna fly. The average human being can remember a seven digit alpha numeric number or phrase. It’s very difficult for people to remember long complex passwords, and that’s why they reuse them, that’s why they write them down.
So I think enterprises have given up on telling the customer that this is their responsibility, and have started to realize that it’s the enterprise’s responsibility to go passwordless. Another trend is that for the past couple of years, enterprises have been deploying passwordless user experiences. You know, many times that’s a passwordless user experience that makes it easier for you to log in, but the company’s still storing your password somewhere. It still exists.
So while it’s easier to log in, the security isn’t that much better than it was before. So what enterprises have realized is, can’t get the users to move away from passwords or create stronger passwords. Biometrics alone aren’t going to solve this problem. We need to go true password passwordless. We need to eliminate these passwords once and for all, and that’s where we’re at today.
Ryan Lawler: So how does your technology work? And what are you offering to enterprises to solve this problem?
George Avetisov: So companies integrate HYPR into their applications, their mobile applications, their web applications. You don’t know that HYPR is there, but it’s running under the hood and it’s enabling what we call true passwordless security. So our SDK is integrated into large banks, mobile apps, and when you go to log in, the app might say, “Hey, we’ve improved our login experience. Can you re-enroll or re-register?”
When you’re doing that, HYPR is actually decentralizing your credentials onto your mobile device, securing them, and initiating what we called decentralized authentication. So for every login or every transaction moving forward, you’re protected with true passwordless security. On the enterprise side, the enterprise deploys HYPR’s validation server, and that’s where the magic happens because now they no longer have to worry about storing your credentials centrally. That HYPR architecture ensures that they have true passwordless security.
Ryan Lawler: How does that actually work? If they’re not storing your password or credentials on the back end, how do they know that it’s you?
George Avetisov: So what’s happened is companies like Samsung have introduced phones capable of biometrics or new types of authentication and capable of what we call decentralized authentication. And it’s a term that describes a way of authenticating using public private key cryptography or PKI. We’ve had PKI authentication for many years. It’s been around for a long time, but we’ve never used it at this scale to secure consumers. What was missing was the mobile phone.
So just in the past 10 years, virtually every user of an online service has received a mobile phone capable of PKI authentication. And without getting too technical, what happens there is instead of using a password that’s stored centrally to authenticate you, the company is using a private key that’s stored on your phone to authenticate you. They don’t have that key. They don’t have to worry about storing or securing that key, and it’s securely stored on your mobile device. So that new trend of using the mobile device for PKI or decentralized authentication is the missing link.
Ryan Lawler: Okay. So when we talk about biometrics, give some examples for what people might be able to use.
George Avetisov: We’ve actually done some user studies with some of our customers, and we’ve seen preferred biometrics, we’ve seen trends. They are different from continent to continent and demographically. So people really prefer fingerprint, and I think that’s due to the familiarity. In one study, we saw over 65 percent of users prefer fingerprint out of the five modalities that were tested. Second place was facial recognition. I think people have really warmed up to face ID and facial recognition such as the Samsung phones that have face scanning built into them has really taken face recognition to the mainstream.
Behind facial recognition, you’ll see that people really like eye recognition. So you’ll see some of the new Samsung phones even have iris and face baked right into them. And then you’ve got voice, you’ve got even palm scanning, you’ve got behavioral biometrics. These are, I would say, in the earlier stages of adoption. They’re very promising, but I think right now, if you just look at the mainstream, touch and face are really leading the pack.
Ryan Lawler: Right. So when we talk about biometrics adoption, obviously pretty much any new high end device will come with some form of biometric login capabilities, but on the adoption side of things, when we talk about consumers, what’s the actual take up of those services?
George Avetisov: Just speaking from user testing we’ve done with a lot of our customers, on the employee access side, they love it. Employees at an enterprise hate entering 14 or 15 character alphanumeric passwords. They hate having to reset them every 90 or 100 days or whatever. It’s extremely inconvenient, and when you introduce biometrics into the enterprise, you get a very unanimous adoption rate. They love it.
Consumers vary based on demographic. I think the general American public has been very receptive to biometrics. Initially, there was sort of this, it’s a little creepy, or where am my biometric stored? But what people started to realize, and this is thanks to the phone manufacturers doing some great marketing, was that your biometrics are stored on your device, and in many cases, they never leave that device. They’re yours, which is an example of decentralized authentication and people like that.
So in the states, we’ve seen really high adoption rates. Overseas, it varies. We did a study, I think it was on the continent of Australia, where a number of users aged 18 to 35 did not like iris or eye recognition at all. Whether this was something about the perceived security, or maybe there’s something cultural that they don’t like using eye … I don’t know, but it’s interesting to see how that differs from the US.
Ryan Lawler: Right. One of the concerns that you hear around biometrics and security is that you can change your password, but you can’t change your fingerprint. You can’t change what your face looks like. And so I’m curious how good anti-spoofing tech is around biometrics today and are people right to be concerned about these types of concerns?
George Avetisov: There’s a lot of sensational media articles about, “Hey, we tricked your phone and to thinking it’s you, or hey, we hacked the facial recognition on your phone or your computer.” And it’s like, wow, that’s great. How’d you do that? You know? And they never really talk about the need to actually steal your device to achieve that. So yes, you can spoof biometrics, and I’m sure that even with anti-spoofing and whatever technologies are put in place, hackers will get a step ahead of it. They will figure it out.
Deep fake videos are going to definitely get ahead of the biometric scanning technologies, but it’s important to remember most biometric sensors require you to use the actual device as well. You can’t just take my face and log in at any given phone or any given computer. You have to first steal my phone and use my biometric. That is an exponentially more difficult attack than stealing my password. And I think that the media should be a little more honest about how complicated it is. You don’t just do this remotely from the comfort of your own home.
Ryan Lawler: Right. So you’re a B2B company selling to enterprises. What types of companies do you work with today and how are they using HYPR?
George Avetisov: So yes, we are a B2B facing solution. Our technology has primarily been deployed by large banks, payment providers, insurance companies, and financial institutions in general have been really receptive to our technology because when money passes through an application and credential reuse can divert that money or steal it, there’s a very easy quantifiable metric to credential reuse and fraud. It’s very easy for a company to understand, how much are we losing per user per account takeover?
So adopting a technology like HYPR or true passwordless security in general makes it very easy to understand ROI benefit for these companies and it makes it very easy for them to show their executives that, “Hey, we solved a major problem. We’ve improved the bottom line.” And this is a trend that I think is going to continue beyond the FIs, but today primarily, you’ll see HYPR deployed across the big financial institutions.
Ryan Lawler: So when you talk about how much loss happens because of these issues around enterprise security, do you have any numbers that you can share?
George Avetisov: Yeah. So there’s a few stories that companies have shared with us. One is a large Fortune 500 insurance provider who deployed HYPR to millions of consumers, and their story was really interesting because they had a password reset problem. And they were spending, in some cases, $18, $20 per password reset. Now, think about that. When you’re talking about millions of people resetting their passwords every year, to spend millions of dollars in customer service on password resets, that’s a nightmare. And this true passwordless approach helped them get away from that customer service headache.
Other companies have said that the cost of account takeover from credential stuffing, in some cases, it’s an average of $1,500 to $2,000 per account fraud. So on average, when you look at a financial institution and the billions of dollars in fraud that they see every year, you’re talking about a couple thousand dollars per account fraud on average. That’s crazy. So I think it makes it very justifiable ROI when they buy something like HYPR.
Ryan Lawler: Gotcha. And do you have any data that you can share around reduction in those costs that you’ve been able to prove?
George Avetisov: Yeah. So we’ve got some great case studies and success stories on our website, hypr.com, H-Y-P-R.com. We go into how companies have achieved their ROI goals, and what they did, what they deployed. There’s a really great set of use cases out there from password reset stories to individual account fraud takeover. One is particularly interesting where employees had to enter longer passwords, and the enterprise quantified that they were spending, across the enterprise, thousands of hours a year, wasting thousands of hours a year on password entry. And when they reduced that, it was a great story to see that type of ROI come from employee productivity.
Ryan Lawler: Right. Yeah, I mean being part of a large company, this is something that I feel where I get the notice every 90 days or whatever and in the 30 days leading up to the end date saying, “You should change your password,” and you get notified every day until you actually do it, and then you can’t reuse a password or anything.
George Avetisov: Don’t you love that?
Ryan Lawler: Yeah, that’s my favorite. So this all sounds great, but what are the biggest challenges to adoption when you’re talking to potential customers?
George Avetisov: Well, enterprises move slow. I think everyone knows that. If you’ve worked with B2B in the B2B space, you’ll know that enterprises move slow, not quite as slow as the government, but close. And it’s important to identify which enterprises have the ability and the drive to move quickly. We’ve seen customers deploy HYPR to millions of users in just a couple of months. That’s unheard of in some fields of B2B enterprise sales and enterprise software.
And there are others who take well over a year to deploy across their entire user base. And it’s not often their fault. Their users need to update their apps. Their users, in some cases, have outdated phones. So I think that this is one of those trends that, over the next couple of years, will be ubiquitous. Everyone will have true passwordless security, but the past few years, we’ve seen enterprises who just can’t deploy as quickly as others, and it’s not always their fault. So I think it’s a lot of give get on the side of the company, on the provider, and it’s up to the users to update their license, update their apps, and you got to weather that storm.
Ryan Lawler: Right. This might be going a little bit deep into the weeds, but who actually is the buyer for the enterprise for your product? And once they choose to implement HYPR, what do they have to do sort of on the back end to actually make it work?
George Avetisov: So we see a lot of business leaders deploying and adopting HYPR, the head of retail banking, or the head of payments, or business leaders who typically don’t look at security products look at HYPR because it helps them solve a business need, which is enhancing the customer experience, eliminating fraud, which leads to a better bottom line, accelerating transaction speeds, and getting rid of the credential reuse and stuffing problem, which is shared across the line of businesses. It’s not just a CSL problem.
Then, of course, there are the CIO and CSO personas who have HYPR at the top of their shopping list. And it’s great to see, in this sale, it’s great to see the info sec teams and the businesses, the lines of business interacting and collaborating together. You sometimes don’t see that, and actually, you often don’t see that. And often, you might see an adversarial relationship between the two. But I like that in this space and with what we’re doing, you get to see them work hand-in-hand. They have the same goal and they really want to deploy the product. So that accelerates adoption.
Ryan Lawler: Right. And what do they need to do to actually implement what you’re offering?
George Avetisov: So we’ve made HYPR as easy to deploy as possible. I’m really proud of the work our engineering teams have done. We’ve seen major global 2000 enterprises integrate HYPR into their Android and iOS mobile apps within a matter of two to three days, which is fantastic. The SDK is very easy for them to integrate. It’s very easy for them to adapt. The rollout takes time. So you got companies who do extensive QA, they do extensive pen testing, they do extensive UAT, and even user experience studies.
And in some cases, like I said, it could take them a quarter to see full user adoption, and other cases up to a year, but once that technology is integrated, and once that HYPR server is deployed, it’s pretty much green light from there. It used to be much more, I think, effort for a company to work with an enterprise before the cloud and before a lot of the trends we saw today, but I think if you have the right tools in place and if you’ve done your SDK and your documentation right, there’s no reason they shouldn’t be able to get up and running in days, if not weeks.
Ryan Lawler: Awesome. So I have a few questions I like to ask everybody. So what is one controversial opinion you have that’s really strongly held?
George Avetisov: The password is not dying.
Ryan Lawler: Okay.
George Avetisov: So that’s really … It’s weird hearing that from someone whose vision and the company’s mission and the whole team’s mission is to kill the password, but I want people to understand that the password is not inherently problematic. It’s not that the password is a bad way of authenticating, it’s that centralized passwords have led us to this credential reuse problem that we have today. It’s the way we’ve been storing passwords.
The password will remain, in my view, a type of authentication. A PIN will remain a method of authentication for a very long time because once it’s decentralized and stored on your phone, it’s actually quite secure. And I think that when you hear people in the media saying, “Password’s dying, it’s on its way out,” it’s just a little bit short-sided. You have to admit that once the better architecture is put in place, you can actually use the password. It’s just not as fun as a biometric.
Ryan Lawler: Right. I’m curious if you have sort of best practices for consumers that are top of mind for how they can protect themselves. Once you give a password that centrally stored to someone like in Equifax, there’s not much you can do if it gets breached. But to protect yourself from the consumer side, what can people do to make sure that if their credentials are stolen, that they can limit their exposure?
George Avetisov: I don’t want to take a cynical view on this, but I just don’t think that telling consumers top five steps or ways you can stop breaches is effective. I get asked these questions a lot, and we see these articles all over the web, and you just have to realize that the average consumer will not remember to update, change their passwords regularly. It’s hard enough forcing them when they work for a company to do that.
How do you know they’re not writing them down? How do you know they’re not in the sticky note on their desktop or in an email? You don’t, and it’s human nature to make these mistakes, and it’s human nature to reuse these passwords. And I also don’t think it’s fair to a lot of companies call consumers lazy or just ignorant about security practices. It’s not their job to worry about this stuff.
For example, do you look at your apartment key or your house key and sit there and stare at it and think, is this complex enough? No, you don’t. You don’t go to the lock maker and ask them, “Will this be breached?” You just use it. You trust the lock maker. I think we should be telling enterprises best practices, and we need to get the enterprises working on this problem so that the consumers no longer have to worry about it.
Ryan Lawler: Right. I’m one of those people that has a password manager, but I’m curious what you think of that. Like what do you think of password managers?
George Avetisov: Well look, the best you can do right now is use a strong password manager that generates long alphanumeric passwords. I think, not to pick any specific vendors, but I think a few have done a great job of keeping their reputation and keeping their security at a place where enterprises actually adopt them internally. Unfortunately, maybe unfortunately for them, but fortunately for the space as a whole, there’s not gonna be a need for those password managers when all these services are passwordless. So I think it’s just going to be a matter of time.
Ryan Lawler: How will the future be different if hyper becomes ubiquitous?
George Avetisov: Whether it’s HYPR or some other solution that does get us to a true passwordless world and a true passwordless state, I believe that we’ll see a lot more attacks on the devices, and we’re already starting to see hackers target your mobile device. So today’s headlines are, “Equifax was breached,” or, “LinkedIn was breached,” and there are companies getting breached. I think five years from now, these headlines will be replaced with, “Such and such model of a phone has been breached,” or, “This new malware is targeting this iOS or Android device,” and we’ll see a lot of device side attacks appearing in the headlines. It’s up to us to be ready for it, and I think the industry is preparing for that.
Ryan Lawler: So if you weren’t working on this problem, and if you weren’t running HYPR, is there some other technology that you’re excited about or bullish on or something else that you’d be working on?
George Avetisov: AI.
Ryan Lawler: Okay.
George Avetisov: Well, I’ve watched The Matrix way too many times. I would love to get into that field, and it’s something that I know a lot of great work is being done there today. I like watching from the sidelines. I like staying up to speed on what’s going on. I have an optimistic view on AI, and I think it’s the next natural step.
If we achieve artificial general intelligence or ASI, which some might call super intelligence or the singularity, I think it’d be really cool and I have an optimistic view on it, but, again, watched The Terminator and The Matrix enough times. I just want to keep an open mind but stay concerned without getting too negative. I would love to get involved in that space at some point.
Ryan Lawler: Well, it’s a pretty broad field. Are there specific applications that you’re interested in?
George Avetisov: I would love to see air travel give up more control to AI. I fly a lot, and I’m fascinated by just how amazing these pilots are, the take off and the landing, which I believe is still manual most of the time. Am I wrong on that? I think that most of the flight is pretty much the autopilot, but the landing and takeoff is still human, the human element is very much involved. I would love to see a point where AI has taken over that because I think that’s a really interesting thing that if the AI can do that with 100 percent success rate, I think it’d make a lot more people comfortable about flying.
Ryan Lawler: Cool. Sounds great. Well, thank you, George, for being on the podcast.
George Avetisov: Thanks, Ryan, for having me.