Debbie Reynolds, “The Data Diva,” talks to Heath Spencer, CEO, TraitWare. We discuss his early tech journey in business, the prevalence of password news in the media, TraitWare and its unique approach to multi-factor authentication, the importance of the business aspect of security through mobile devices, passwords remain necessary where smart devices are lacking, increase in multi-factor adoption due to COVID, decentralization of identity from business to individual, privacy and identity are often perceived as co-mingled, the appeal of using existing biometric devices, FIDO.org, and his hope for Data Privacy in the future.Support the show
people, biometric, password, privacy, identity, mobile device, create, apple, factor authentication, moving, register, companies, storing, device, based, adoption, technology, factor, key, shared
Heath Spencer, Debbie Reynolds
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
Hello, my name is Debbie Reynolds. They call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that business needs to know right now. I have a special guest on the show, Heath Spencer. He is the CEO of TraitWare. He's also a passwordless, multi-factor authentication solution leader. Nice to meet you.
Heath Spencer 00:43
Nice to meet you as well, Debbie. Thanks for having me today.
Debbie Reynolds 00:45
Yeah, well, we've actually met before, and we have a friend in common, right? We do. Elizabeth Perry, she's my ethics person in Barcelona, and she thought we should meet. So we met, and we hit it off and thought it'd be a great idea for us to have a podcast together. You're in the US in the Reno area, and I would love to talk about, first of all, your journey into technology and what made this area around passwordless multi-factor authentication a passion of yours?
Heath Spencer 01:27
Yeah, so you know, I'm old enough that my technology journey started, you know, early in high school when the Internet was first coming out. And then, in my early entrepreneur days, I had a retail rental brick and mortar business that we opened in the 90s, leading into the original .com boom. And so we went through the original movement of trying to take physical businesses into the digital realm with, you know, the initial envoy into that was really around how do you expand your reach with goods and wares and being able to sell those and deliver those and all of those things. And at that very early onset of that, I had to learn very quickly about how to operate within that. And then the type of information and data that was required to transact business in the digital world. And so, you know, my digital journey with data and privacy started early on around that original .com boom and then took a different path for a little while. And then ultimately, around 2017, after some different things we did, we have built this company today, that really started out as after we had sold a prior business said, what do we want to solve for ourselves, right. And at that point, the explosion of the use of passwords in our lives, to access all of these digital accounts that we had created in how we were from our consumer accounts, paying your power bill, whatever it is, you have a lot of data about yourself out there, and those platforms or those services that you've registered for. And, you know, there are comedy routines around how frustrating passwords are. And we thought, man, there's got to be a way to use modern technology to improve this and do it in a different way than just adding layers of security, which ultimately added layers of frustration to us as the people having to do those steps to try to protect our own data and privacy, right.
Debbie Reynolds 03:48
Yeah, so actually, you're pretty fortunate that this topic has been in the news a lot lately around Apple and what they're doing with their different authentication methods. Apple recently joined the FIDO Alliance, looking at two different ways to create a passwordless future. I'll say one of my pet peeves about passwordless. When people say that, I guess, in my view, I don't know, maybe it's past code. So even though someone's not using words, what they're doing is instead of using words that we know they can be stolen, they can be cloned and different things like that, having another way for people to use a code or identifier of some sort to take the place of a password, right?
Heath Spencer 04:47
Yeah. So I mean, I think there are a lot of different ways that different companies are working to solve this problem. And it's the early stages. You know, Apple has made this announcement recently that they're really on track to try to do it by September of this year. And they're using technologies similar to what we've created and are in are doing and in that instead of creating, and then there are other technologies that I would phrase are more of a passworless experience versus real passwordless. In that, though, a simple way to think about it is at any point of the life cycle of the account that you have with whatever service provider that is, whether that's your email provider, your utility company, your Dropbox or Box account where you're storing files, etc. Did you ever have to create a password anywhere in that process, like the first day that you created that account? And then a good example is that a lot of the mobile banking apps today allow for a passwordless experience after you've registered their mobile app. So the example of that is, you create the account using your username and password, you install their banking app, and then you register that banking app using your password. And then, after the fact, you could turn on Face ID or fingerprint depending on whether or not you're on an iOS device, an Android device, etc. And so the example in that use case is there now just obfuscating the password from your experience right in that login attempt, which is great for convenience but not so great for security. And so what we do and what Apple's striving to do, is to be able to leverage different ways to identify who you are without ever having to create that knowledge base factor or a code that could be shared or passed across a different type of platform. So receiving an SMS code or receiving a one-time code in your email are all things that really could be transferred from you is the rightful person to possess that to a potential bad actor through, phishing, attack or social engineering. And so really, the goal needs to be to get to a phishing resistant or a phishing proof or social engineering proof type of you know, what Apple's calling a passkey, you know, what we do is we actually create a dynamic or rotating key based on how you interact with your mobile device, and then use that to transfer a tokenized mathematical identity of you to the relying party, which would be the service that you're trying to access the application that you're trying to sign into. So there's a lot, there is a big difference between achieving strong authentication through what we call multi-factor authentication, which is multiple factors of who you are, ways to authenticate you are who you say are. So a really brief description of, we've seen the evolution of this go from a single factor, which was just your password, to then what was called two-factor authentication where you had your password, and then a one-time code that either you got an email or SMS, like we just talked about, to then what is multi-factor today really needs to be something you possess, right, or something you know, or somewhere you are, or some other hidden key that's within your possession on a device, right? And so you need at least three of those factors to have multi-factor authentication. So how do you do that? And without adding layers of frustration for you as the person.
Debbie Reynolds 09:09
I feel like, so basically, people use a username and password. That's kind of one factor. So that's the world that we live in right now.
Heath Spencer 09:18
Debbie Reynolds 09:19
There are many apps or applications, or companies that are trying to force people to use two-factor authentication. And then you're moving into a different realm which is more than two factors. So tell me a little bit about how you don't have to tell me the secret sauce part. But tell me a little bit about how your company is different in terms of how you deal with multi-factor authentication.
Heath Spencer 09:46
Yeah, so we take that approach of you need either something you possess, which is either a hardware-based key or a software-based token. We thought that we're already, 97% of US adults, which the stats are pretty similar across the globe, have a smartphone today, one that's typically biometrically, enabled, etc. And so we're already carrying around this mobile device, that's a smart device. How do we leverage the use of that to create a secure key to sign in anywhere, right? We're not just working on our phone, but then signing into our laptop or desktop, really, you could use it to sign into a TV screen, like any screen that's connected, right. And so, rather than having to purchase another hardware type of key, which we've seen with one of Microsoft's big partners is Ubico, they make the UbiKey, Google makes a hardware key called the Titan key. There are other keys that are out there, one of the original originators of this was RSA. And they, if you were in the financial industry, back in the day, you for sure had an RSA key that generated this randomized 13-digit code that you had to enter at the time of doing that. So looking at modern technology, we said, look, we're already carrying this phone, how do we create a software-based application that could create this unique tokenized identity of you, and then use that to be able to sign in or log in, authenticate you to other environments. And so we have an app-based authenticator, just like, you may have used like Google Authenticator, or Authy, or Duo or an app like that, to get a one time code for your to FA, we created something like that, and just took it a step further, to deliver multi-factor authentication. And in that process, can actually create your account and authenticate your without ever having to create a password. And I do want to clarify that our initial available solution today is really focused on business solutions. We hope to be able to extend this to consumer use in the near future. But right now, we're really focused on how to help secure the businesses anywhere from a small business up to an enterprise business.
Debbie Reynolds 12:14
I think the business aspect is very important, because businesses obviously have to use smartphones. So your statistic, as you talked about the adoption of smartphones, I think it is probably around maybe 90% for businesses, worldwide for individuals only about 45%, even though we know that the US obviously has a lot a higher rate of smartphone adoption.
Heath Spencer 12:43
I agree with that. But I do want to say that even in other countries, we're seeing a movement to mobile devices, particularly Android devices, because they are tremendously more accessible and affordable than trying to get everyone a computer or a laptop, and the computing power that the mobile devices have these days, really allows people to access their health records, everything. We've seen this big push over the last two years during the pandemic, and then this leads to a whole different discussion around privacy and data protection. But you know, moving to a vaccine passport type of thing, there's a big push to get to a bigger adoption of mobile devices globally. And so there's that. We think that it's a viable path, even in the other countries, and really, again, for the workforce, it's particularly very viable.
Debbie Reynolds 13:44
Yeah, obviously, you're right. So the adoption is growing, but not quite where it should be. I think one of the issues that people have had with Apple and even FIDO doing this, you know, that all those things are great at. A lot of news reporting is like, oh, well, passwords are going away. So well, no, not really, because for people who don't have smartphones, who still, to me, it's a significant number of people. They have to have an alternate way of accessing things right now, and their only option is a password. So I think, as you say, we're seeing obviously more mobile device adoption over laptops and tablets.
Heath Spencer 14:28
Well, they are, and so I mean, but it gets tricky like this is why a lot of service providers haven't moved in this direction yet or made an OEM yet because they don't want to preclude anyone from accessing their service. We fully understand that there has to be multiple paths to success. And allowing for multi-modality of access controls is one of the central points when everyone's moving around standards, so we leverage standards for our processes. Well, you know, with Fido, OAuth, OpenId, Connect SAML, we're integrating using standards, and then those standards can be implemented and allow for multiple paths to get there. So even when you're discussing, you know, what Apple's just announced, and what other things are doing, whether it's IBM, etc. And we've got, we're a tech security technology partner for them. And we're for different companies like Citrix, etc. If there's an employee or even a consumer in another country that's accessing something online, they have some sort of digital device, and whether they have a mobile device or not, they they're on a PC or a laptop, a tablet, something. And so tablets are also becoming very, very prevalent. It's kind of a hybrid between a computer or just a phone, right? Our process can work on any mobile device, which includes all of the tablets, so it's very prevalent there, then, when you look at the standards that they're looking at, through FIDO, etc, you can do those, like Apple's not going to restrict it to being used on a phone. If there's a fingerprint reader, or if we look at Windows devices that have Windows Hello with Face ID, you're going to be able to implement those types of biometric keys on a computer as well as a mobile device. So it won't be restricted to just a mobile device. Does that make sense? So those processes in those standards will be available, it becomes trickier on a shared device, right? So the reason we really like having a mobile device is that typically, you have your mobile phone, and you're not necessarily sharing that with other people. Now, in less fortunate families or something, there might be only one mobile phone. And there is a way that you could create user profiles on a shared device, right? Laptops do this today, PCs do this today, you know, whether it's a Mac or Windows device, mobile devices can do this, you can have user profiles, and then under that user profile, create your behavioral biometric, your native biometric based keys, etc. doing that. So I do think that there's, anyone that's accessing something digitally is going to be on some sort of computerized device, or they're not accessing something digitally. So looking at the global adoption of cell phones, you have to take in account of, well, a large percentage of the people that don't have a cell phone just aren't using the Internet at all. So there are certain parts of the world that just don't have Internet connectivity, period. And so then they don't have a digital identity. So they're not in need of these processes yet. But the bottom line is that over 80% of every data breach, ransomware, attack, etc, still comes down to a password being the number one root cause of that. And so, if we're going to focus on solving what is going to be a trillion-dollar problem across the globe in the near future, we have to start with the largest common denominator of users, which that's people using a mobile phones and being online every day.
Debbie Reynolds 18:35
Excellent. Tell me a little bit about workforce now. So I think that you tell me if I'm wrong, I think that COVID pushed a lot more people towards digital transformation. And being able to do more things with digital devices, have you seen more adoption of tools like yours as a result of COVID.
Heath Spencer 19:06
So, as a result of COVID, in the pandemic, we obviously all saw a massive movement to work from anywhere, right? A lot of people phrase it as work from home, but really, it became work from anywhere. What this did is it then put parents having to homeschool their children at the same time as working from home, which means you have, going back to this where we just talked about shared devices, right, but now you've also got shared networks. And so we think it's, we think we're seeing a tipping point now where a lot of businesses that are allowing people to now still remain at work from anywhere and or this hybrid environment of coming to the office a couple of days a week and rotating just to keep the numbers of people in the same environments down is we have been seeing a recent resurgence of illness going around and everything just like the flu, seasonal, etc. But with that, the need for security became very prevalent, as you had a lot of commingled, or longer we're on the corporate network and being able to rely on the old perimeter-based moat and castle wall type protection of a firewall. And identity really became the new perimeter. And how you did that. And if you, unfortunately, were sharing, storing your passwords in a browser extension, and then got off of your work call, and your child needed to use your computer to do something for school real quick gets on your computer, they accidentally click a malicious link, you end up with malware on your computer that's now looking for passwords that are saved or being auto-filled. And now your company passwords are compromised, right, because of this work from home. And the potential exposure to shared devices is making it very aware for people to need to take identity seriously. And, you know, Ann Johnson, who's the Vice President of Cybersecurity at Microsoft, she's on a mission to help people reach 100% of MFA coverage across 100% of the employees across 100% of the applications because reaching that coverage of multi-factor authentication would prevent 99% of those ransomware attacks, and data breaches. So if we want to talk about privacy and protecting data, the goal has to be to get to multi-factor authentication everywhere. So how do you do that without driving people nuts and making them super frustrated about all the steps they have to take to then do their job?
Debbie Reynolds 22:01
Right. So when I guess I want to talk a little bit about decentralization. So as you use the analogy about people thought previously about security, like you're in a castle, and that's how tight you know, everything is like the castle. So people didn't really think about as much as they should have protection on those assets so that they weren't in the castle, right, when they were doing another phase. But I feel like there's a shift, as it should be, in my view, from the business idea about how identity works to a more individual idea. So for me, I think I feel like the way it's going to go is a people have to be a bank of their own information. And then, they have to decide how they want to grant access to individuals, as opposed to them going into 100 sites and creating usernames and passwords. What are your thoughts?
Heath Spencer 23:02
So I think that there is a world where that's coming. There's been a lot of discussions around that. And in the concept of bringing your own identity, right? And who I think the really the question is, is then who is the authority, right? Who is the single source of truth? How do you actually then know that that person is who they say they are when they've created this digital profile? You know, one of the things that people enjoy about being online is they can create an alias profile, right a character of who they are, and maybe they can live out whatever life they want to choose under that false identity. And so one of the things that came up in a recent conversation with us and one of the the VCs we've been talking to is around the identity proofing aspect of that. So, I think, with technologies moving forward, like blockchain, etc. And being able to create these immutable records where once the identity is created, there's a way to track that and make sure that it stays the same and maintain anonymity, right, a certain amount of anonymity around that, and then you can then choose who gets to use that, and there's a lot of digital wallets that are moving this direction. I think there is a little bit of ways to go still on. Those ledgers, if we were doing that for everything, would become, right now we're relying on the individual businesses to absorb the cost and the expense of managing the identity of their customers. If we're making the switch to move that to where the consumer owns their identity and is in charge of managing it. Who and where and what is storing that? That ledger? Right? And that is that the government? Do we really want to trust the government to have that? We do already to a certain extent, I mean, if, in the US, we just took Social Security numbers and our driver's license as our government ID, that's really our source of truth to go do anything else, right, we have to have those things. To fly in a plane, we have to have those things to go open a bank account, though. And so most likely, fortunately, or unfortunately, it's going to come down to some sort of centralized identity store, to then allow you as the person to manage that. I don't have the answer today on how that really plays out. But there's still a lot of things. You know, to sort out that, you're going to have to trust someone, whether that's Apple, right? Do you want to trust Apple to be your identity store? Do you want to trust Google to be your identity store? I mean, already today, we already see a lot of applications. And people are doing this today, right? You can go into websites today and click sign in with Facebook, or sign in with Google or sign in with something else, right? They they've already tried to make that somewhat convenient, where you can use this single identity, your Google identity, or your Facebook identity. And then, as that is a trusted source, use that somewhere else, right. So that but even in that aspect, and that simple aspect. If I had taken the time to build up a strong enough profile on Facebook, whether it was real or not. And then I could use that to sign into other things. I now don't have identity proofing of actually knowing that I'm the real person, right? This is if we talk about what's in the news right now, and one of ElonMusk's concerns about, you know, moving forward, the acquisition of Twitter is, how many bots are there, right? Because they want validation that there's really a human somewhere behind those accounts. And they're struggling to be able to prove that. And I think there's a lot of monetary aspects of that as well. Because if you look at ad revenue models from different companies, etc, and they get paid just on impressions, not actually click through. So if there's bots that are viewing your ad, then they're charging you for that impression, right. So how are we going to deal with actually knowing if we're moving to a self-sovereign identity? How are we going to deal with identity proofing? That it's really a human? And that's something I'm not sure is there yet?
Debbie Reynolds 27:50
Very good. Very good. Let's talk a little bit about privacy and identity. Right? So I think in the US, it's very much intertangled together, like a lot of times to talk about privacy, maybe cybersecurity, or vice versa. And it really is, yeah, there's obviously a symbiotic relationship there for sure. But as you were talking about when you're thinking about, we're talking about bots, that sort of reminded me about the need for being able to determine if someone is human or not. And then, obviously, I think we saw something in the news about someone at Google who thought that there was some chatbot that was sentient or something like that.
Heath Spencer 28:44
That's yeah, they're very, it's very recent in the news. And, again, I don't think we're quite there yet. But we have to be realistic that with quantum computing being really where it is today and moving forward fast, and we look at how fast really, if you think about it, from the late 80s, to where we are today, which is only really three decades. How quickly did technology evolve? Right? I'm old now. So I've seen a lot of it. But it's only going to move quicker. So I think there are a lot of things to answer around that. Now a lot of the questions we get around privacy and amusing modern things, even with Apple's announcement last week around using Face ID or fingerprints as a way to generate your keys to then use those keys. A lot of people's hesitation, you know, one of the questions we get around privacy or anonymity or personal information is, well, with a password, I could change my password. It's something I controlled, if I use my biometric. It's when that gets taken, it's gone forever. That's their perception, right? And they're worried that I would never be able to get that back. How do I, if I use my face to register something and someone takes it, then it's gone forever? Well, a couple of things with that. One is if you've ever done a video call like this that we're doing, and you're where you've got pictures on Facebook, your face is no longer private. Anyway, it's already out there. Someone can model it. But I want people to understand, particularly around iOS devices, and one thing that Apple is doing well and in Androids improving on is how they're leveraging the use of biometrics for the native biometric array. So a lot of us have become comfortable unlocking our phones with our faces or unlocking our phones with our fingerprints. And in that use case, what people need to understand around the privacy aspect of it is Apple or Android, they're not storing an actual picture or a realistic representation of your biometric meaning, there's not a picture of my face in my phone that it's mapping against when I unlock my phone, what's in my phone is a math equation, right? So when I register my biometric, whether it's my fingerprint or my face, it could be my voice as a template, right? It could be a bunch of different things. It's really simply a math equation that's running math around certain checkpoints around your face, or your fingerprint, etc., in generating a number based on that mathematical representation. Well, if we're using math, then we can actually change the math just like you would change a password. Right? So this perception that if I use biometrics and they get stolen, they're stolen forever. Well, that's incorrect, right? Because you're it's not so we can maintain privacy. Now, the other advantage, when we talk about privacy and using biometrics on a mobile device is the user stays in the possession of that at all times, right, so they register it on the mobile device, they can delete it the moment they delete it, and if they choose to re-register it, you actually have new math. So that's just like changing a password. It also means that companies like ours can take advantage of using that math equation without actually ever knowing that math equation, we just get to check against it. And you, as the user, stay in possession of it. So we allow you to maintain the privacy and control of that math. And we can just use it as a way to verify that it is you because you had to register it before registering our product, right. So there's privacy, there's really actually stringent privacy laws in Illinois. And then California is very closely behind. So a year and a half ago, we saw a 16-year-old sue Six Flags Magic Mountain because they stored his biometric template without his permission, right? So that was a violation of his privacy. If Six Flags had been using a technology like ours, where the user chose to register the biometric on a device that they possess and then just leveraged the use of that, Six Flags would not have been sued because they would not have been storing the biometric without the user's permission. So it really is technologies like what Apple's going to do with FIDO. And what we're doing allow the user to maintain that possession of the math and then maintain the privacy of it, but allows for the creation of strong authentication out of that. So I think that that's a very unique way that privacy and security are overlapping, but overlapping in a really good way.
Debbie Reynolds 33:56
Excellent, excellent. And just for anyone who doesn't know, FIDO is Fast ID Online. And there's actually an alliance called the FIDO Alliance. And I think their website is FIDO.org if I'm not mistaken, so very cool. Anyone who cares about passwords stuff wants to know, that the latest thing that's happening with manufacturers are standards, vital. That org is a great place to start for sure. So if it were the world, according to Heath, and we did everything you said, what would be your wish for privacy, anywhere in the world with anything, whether it's technology, law, or human stuff, what are your thoughts?
Heath Spencer 34:38
Well, I mean, I do agree that I would love to see some way to control, or where we get we're seeing this a lot with social media and influencers right, where they're getting to use their personal brand to generate revenue, right and if all of these big companies are really taking your and behavior and your personality and your personal traits, etc. And then monetizing that, I do think that as an individual, I'd love to see more, more self-sovereign control over that. And then one piece of advice I would give people based on that is, if you're using a solution that's free, you are the product. So if you don't want to be the product, then you might need to pay for the application because they're going to have to monetize it in some way. So, you know, from a global aspect, I'd love to just see people take their digital lives more seriously. And the accountability of actually, you know, being smarter around how they're managing their digital identity, identity, and their digital life. And not a lot of people I hear this every day are like, well, I don't have anything that anyone wants to take, or I'm not worth enough for the bad guy to want to ransomware me. And that's just not true. Unfortunately, because they're using automation and bots to attack any open door they can, you're going to suffer some at some point if you don't take it seriously. So my wish is that, and this is even with my own children, trying to teach them that they need to take their digital lives seriously because it can impact their real-world physical life, and it will today.
Debbie Reynolds 36:26
Excellent. So let people know how they're interested in finding out more about TraitWare how do they get in contact with you guys?
Heath Spencer 36:34
Yeah, so just on our website, TraitWare.com is a great place to start as well, as you know, on LinkedIn, we've got a company profile, Facebook company profile, etc, YouTube videos, on Twitter at TraitWare, as well, as don't hesitate to shoot me a message on LinkedIn as well. And it's just Heath Spencer@TraitWare, and we're here to answer any questions, and we are happy to answer any questions that anyone's got, especially around how do you secure your small business today? I've got a heart for small businesses as I've been a serial entrepreneur and small businesses for years. And they're really the ones that are the most exposed today.
Debbie Reynolds 37:14
I agree with that. I agree with that. Well, thank you so much. This is great. Elizabeth was correct for getting us together. I think we have a really great inspiration that the audience will really like to hear.
Heath Spencer 37:26
Well, thank you again for having me, Debbie and great to get to spend some time with you.
Debbie Reynolds 37:30