The Future of Authentication is Passwordless - Top Shelf Tech w/ Craig Currim (Global VP, Transmit Security)

10 November 2021

Identity experience company, Transmit Security, launched themselves onto everyone's radars when they received record-breaking Series A financing earlier this year. Specialising in passwordless authentication, Transmit Security enable frictionless login experiences for users and unlocks game-changing data insights for businesses.

Join Transmit Security's Global VP, Craig Currim, and our very own Jeremy Nees, on our latest Top Shelf Tech episode on how passwordless authentication works and how it positively impacts user experience, security, and business profitability.

Disruptive Technology is a series dedicated to showcasing the disruptors from around the world who share our spirit of shaking up the world of technology.

Watch the video below or scroll down for the full transcript.



Jeremy Nees

Hey, welcome to Top Shelf Tech and thanks for joining us on our Disruptive Tech series today. We are talking to Craig coming from Transmit Security. Craig is a Global VP of Customer Solutions and System engineering. Welcome along Craig.

Craig Currim

Thanks so much, really happy to be.

Jeremy Nees

So great proud to be able to do these things globally, despite not being able to travel.

So I'm in New Zealand, Craig sitting in New York right now. And yeah, I guess Transmit Security for me is an interesting one because I had never heard of Transmit Security until about three months ago. And then my LinkedIn feed blew up. What this news of a company doing $543 million US on the series a round which is the largest funding round in history, I believe for a security cyber security company. Craig, tell us about.

Craig Currim

Yeah, absolutely. We're super proud of it and excited about it as well. So Transmit's been around for about seven, seven and a half years or so. And really our goal as a company was to bring together two different domains.

So, you know, looking at identity and access management and looking at user experience, and usually there was always this fine line you have to straddle. It wasn't even a fine line. It was a thick line between giving the user something that made them feel good and was easy. Versus, you know, how do you actually authenticate and authorize them?

And so the company's mandate and kind of goal from day one is to bring these together: identity, access management, user experience, and turn it into identity experience. And the ultimate goal was, you know, even if you look at some of our early slides, they'll say it was a password replacement toolkit. We knew identity had to change.

We knew all the problems with passwords. We knew what people were doing. And unfortunately, back when the company started, there were only so many options that you had to layer things over and over. So we started out in the market space with the same vision and the same goal, and we built a very successful business.

We were privately funded up until as you mentioned, I guess this June by the two founders were Rakesh Loonkar and Mickey Boodaei. And we were cash flow positive actually after year number two, so highly successful people needed to move to a new way to do identity. They recognize that. And as time went on and we kind of evolved the technology and continued to execute on that vision, this goal of passwordless. Creating this new paradigm of identity and getting closer to who the end user actually is started becoming so much more powerful, and it was all led by giving a great user experience.

While at the same time, giving a better picture of who that user is, preventing things like account takeover, all the things that are, you know, you should be looking at when doing identity. And so, you know back in June, we built a very successful portfolio of customers up until that point.

You know, all validating the technology, which allowed us to go out and led by some of the, you know, most prominent VCs out there. We got, you know, close to actually over half a billion dollars in a series, so not that we needed the money for the operation, but obviously there's many reasons why you would take around.

That was behind it as it was truly established technology, a truly established vision. And everybody seems to agree that you know it makes sense.

Jeremy Nees

And I think this has gone wild because as we've just heard about it through the cap raise, but you know, as you said seven years operating and you've got some pretty big customers sitting behind you as well from what I understand.

Craig Currim

We do. We have you a lot of large financial customers, but it really spans the gamut in the way that we've developed identity. Now, identity is a problem that we've seen proliferate across all verticals. So financial, we definitely have a strong hold there. Why?

Because they're kind of in a balancing act. Their challenges with identity are so complex and we're trying to solve these things. And they're very slow to evolve and move. So creating a technology that allows them to leapfrog and do it faster and really get to where they need to be is super powerful.

But you know, between the financial space healthcare, you know retail has been actually really big for us and even gotten bigger since COVID hit. As things are becoming more and more digitized, more is going online and what we're finding is even retail verticals, they're looking to understand more about who their users are.

In other words, not allowing things like guest checkout, they want to understand more. So really you know, we've been able to build the stronghold, I think, across all these verticals. Really, really well.

Jeremy Nees

I think, you know, identity in its own right, is digital identity. It's been quite challenging to solve. And one of the ways it was explained to me, that's always stuck with me, is on a human to human level. When somebody stands in front of you, you’ve kind of got all these checks and balances, you're doing sort of a background processing. Does this person look the way I'd expect him to look?

Given what I know about them, do they sound the way I'd expect and all these sort of intrinsic things we do as humans, and to replicate that in the digital world. When you really don't have a lot of that natural identity stuff happening, then you end up having a lot of complexity. And I think the really interesting thing here is you're talking about removing complexity and in fact, a huge amount of what you're trying to solve is around user experience, positive experience, getting good uptake of identity. And I think to your point, instead of people just using guest checkouts and taking the easy path, they'll actually engage in and use a digital identity.

Craig Currim

That's right. And to your point, you know, if you think about it this way and I always talk to people about the difference between authentication and identity, you know, what is the difference?
The act of authenticating is very simply presenting some kind of an identifier and some kind of a secret that's matching. That doesn't tell me who Craig is as a user and really in looking at this new way of doing identity and looking at what's available. At the same time, keeping that balancing act, what's easy to me as a user.

What do I do on my iPhone a hundred times a day? I unlock it, how? I use biometrics. What else can I do around that? What are things we can take advantage of? I almost see it as you know, you're looking at a picture starting to form and you see little pixels starting to come in.

The same way you're saying when someone's standing in front of you, you're assessing, oh, it's about the right height. It's about the right hair color. So on and so forth. If you just have one piece of information or maybe two, because you have a step up for authentication that really tells you nothing.

But if you're able to start gathering data and you're able to start doing it in a very, very frictionless way for the end user. And you're able to understand patterns and behaviors. When I say behavior, you know, it's a broad term. I don't mean telemetry. Although those are solutions that are out there. I mean, you know, Craig's coming in the mobile app now he's coming in the web app. Now he's coming to the call center. What can I glean about him or the devices he's using or combinations thereof. And building that picture and grabbing those pixels. How can I start getting closer to who that user really is? And that's what really the company is focused around is enabling people to do that.

Even with the proliferation of new technologies that are out there and new devices now. Biometrics are on everything. And that's great. That's one element, but there's a bunch of different capabilities that we need to put together in order to achieve what I just talked about. And that is the hard part, but it's very hard for people to do. And the success we've had is that we've been able to do that as a service and make it super easy to consume.

Jeremy Nees

We talk about biometrics on I-phones and people have been comfortable with that for a long time, because I think, you know, it's something you've got there yet. You slip it in your pocket, it feels like you still have a sense of ownership of that.

Should people be concerned about biometrics being used more broadly from an identity perspective?

Craig Currim

Yeah. You know, it's an interesting question. What I will say is that, you know, what these devices have done really well and you know, it's not just the iPhone, but of course it's the Androids as well. You know, Windows machines with the TPM chips and the Macs, they have dedicated, secure hardware and subsystems. And so the beauty there is that the biometric and how it's being translated into some kind of a mathematical representation, it never leaves the device.

It's stored incredibly securely. Right now you can utilize that in the context of identity in the right way. You can use it in the wrong way, but in general, generally speaking using biometrics, you want to make sure that they're not flying over the air. They're not stored centrally.

When you look at starting to do all of those types of things, things can get a little bit more complicated. Things can start to scratch your head and say, “well, wait a minute, is that really secure? Where is it being stored? How's it being stored? How's it going over the wire? Who has access to that?”

And so the beauty is that natively, these devices do it all for us. And we know that they're on our person. We know that that information is never leaving the device. And so think of it as a key that's being used that actually is being used to release or to access a key that's stored securely to prove that you know, that the biometric was matched and that whatever process is invoking is now authorized. So this is the right way to look at it. You know, why not use something that you have in your possession? Why not use something now that is a commodity and it's out there for everyone. And it's the most secure approach.

Jeremy Nees

You're talking to a customer and the customer's saying, "look Craig, how do I justify purchasing Transmit? What is the value proposition?" We've mentioned a number of things around user experience around being able to connect to a customer journey, improving security, getting rid of passwords. What does it kind of show up with when somebody is trying to go and write a business case, what did they put down to say? This is why we should use Transmit.

Craig Currim

Yeah. And if you ever listened to one of our sales presentations, you'll see, it's all about this. It's talking about the way we deliver identity as a business enabler.

At the end of the day, the security is great. The ATO is great, but it has to mean something to the business at the end of the day. So, you know, when you look at the whole customer experience piece and you know, I'll just talk about three areas really quickly, the first is revenue loss. So when you look at the terrible experience with passwords when people come in to do a checkout experience and they have to do things like, okay we recognize your email, please log in to proceed further, to check out.
All right. Hey, I've forgotten my password. I don't know what it is. I've got to go through an OTP. I've got to call and you know what? I'm abandoning my shopping cart. I don't care. I'll go somewhere else where I can get it. A great example of that. We have a very, very large, home improvement type organization here in the U S and when COVID started these to actually allow guests checking.

And they were missing a lot. It costs them almost $70 per user to get information about that user so they can market to them and do various types of things to better understand the business. And so they, they took away guest checkout and they enabled, or they required login. And the amount of money they lost by shopping cart abandonment was huge. Now tied into that piece is higher support volumes. So, Hey, I've forgotten the credentials I have. I'm calling into the support center. Okay. What does that mean for me? Those calls cost a lot of money, horrible user experience. Awful. I hate them. You go through the VR user, the IVR is, and it's just, it's a complete nightmare.

And then tied directly into that are security breaches. How many passwords are harvested every day? How many attacks are attributed to password leads, password breaches, and how big of a vector is calling into the call center? Because you've got a human on the other end. Impersonating Craig and saying, yeah, it's really Craig.

I've got this information. I know his favourite pizza topping, or his dog's name. Let me reset his password. So those are direct business outcomes. Now, things that we've actually measured and that are important to people out there. Our initial log in. The abandonment rate for initial logins, for sure.

The interdiction. So the amount of step-ups that you have to do, why do we do step ups? Because you let them in with a low degree of assurance. It's like building a house and the brick you laid first has a crack in it. So you're laying another brick on top, which also has a crack by the way, because OTPs can be stolen and you've got captures that can be foraged and all this kind of stuff.

So a false sense of security plus creating a bad user experience. Resets? What happens when the user gets a new device and enrolls against all of these things we've shown and we've studied have a direct business impact. And when you bring those use cases back, we see a direct correlation between user experience and the business.

Jeremy Nees

Awesome. You've got half a billion dollars burning a hole in your pocket. Now where to from here for Transmit?

Craig Currim

Yeah, we've got some really, really exciting stuff happening. So, you know, in this broader concept of identity, you know, what else should we be looking at? There's lots of places where we can go and it's all predicated upon first and foremost, you know, doing away with passwords.

Now, a lot of people hear this term password. And the way other companies are using it is making less use of passwords with our model. It's eradicating them completely from the user experience. Never even from the initial login. I'm sure you've seen your apps. Hey, I log in with a user and a password. Oh, do you want to enable face ID?

Sure. Boom. But if I lose the app or have to download it again, I have to rebind again, guess what? I'm logging in with a password. Those are all weaknesses. So we've built this foundation that by the way, is not easy to do. It's not predicated upon a traditional user directory, which requires passwords.

So we've laid the foundation down for that. The other thing you may have heard is the FIDO standard for those of you that don't know it. It's widely accepted out there now. It's actually FIDO2, which uses an interface called WebAuthn. And it's great because all the operating systems support it. So do the browsers and it allows you to go and actually use a secure mechanism, a PKI framework instead of passwords. The problem is that it's very hard to implement. It's very costly to implement. So we've created a solution that fills the gaps for all of that. And we're going to continue to expand on that.

So for example, think about it, I'm able to authenticate, but I'm also able to fill those gaps that Fido had, which is what happens. If I come in an incognito browser, what happens if I come in from a different device, cannot build a portfolio of devices and authenticators where I could still as a service, give the service or the relying party an indication that yes, this is in fact, Jeremy. He's just using a different device. So more along the lines of blurring between you know, what we used to think of very distinctly as identity. And then trust or risk.

Imagine merging these two things to really create what we're talking about as a new vision for identity, not predicated on passwords and doing so much more with getting closer to the end user. Now this also involves other things. For example, the question might come to mind of, well, how do you link the user initially?

IDV processes, KYC processes, maybe scanning of a government issued ID. All of these things become tools and they're just services. Blended together properly. And that identity model. This is where we continue to grow the company and the product.

Jeremy Nees

Awesome. Hey, Craig sounds like you and Transmit have a very exciting journey ahead of you. Just want to thank you for taking the time to join us today and talk to us a little bit about where you guys have come from and where you're heading to. So thanks a lot for joining us and great to hear what you guys are up to.

Craig Currim

My pleasure again, thank you so much for the invite. It was a real pleasure to meet you and to have this opportunity.

And yeah we're excited to get out there and talk to more people about Transmit.

Jeremy Nees

Awesome. Thanks a lot, Craig, and thank you to everybody who's joined us today on Top Shelf Tech.