Every day, employees at hotels, restaurants, and resorts across the country are doing exactly what they were hired to do: being warm, responsive, and eager to help. It's what makes hospitality work. It's also what makes hospitality one of the most targeted industries in cybersecurity. When your entire workforce is trained to say yes, teaching them to be suspicious is an uphill battle. The smarter solution might be to take the target off their backs entirely.
Jasson Casey is the co-founder and CEO of Beyond Identity, a company built around one idea: making identity-based attacks impossible. With over 20 years of experience designing large-scale security infrastructure for global enterprises and carriers, Jasson has spent his career thinking about what happens when stolen credentials open doors they never should have. Beyond Identity's answer isn't better passwords or more authentication hoops; it's eliminating the credential that can be stolen in the first place.
Josh Johansen is the Director of IT Systems and Technology at Brandt Hospitality Group, an owner, operator, and developer of hotels under brands including Marriott, Hilton, Hyatt, and IHG. Josh came up through hotel operations, not a computer science program, and that background shapes how he thinks about security practically, from the floor up. He knows his workforce isn't looking to become cybersecurity experts. His job is to build systems that protect them anyway.
We talk about why the hospitality industry is such a rich target for phishing attacks, and what happened when one of Josh's general managers nearly paid a fraudulent invoice because she couldn't log in without a password she no longer had. Jasson breaks down how device-bound passkeys work, why most consumer passkeys aren't nearly as secure as people think, and what separates a real security system from one that just looks like one. Josh shares the lessons learned from rolling out this technology across a multi-brand hotel portfolio, including what he'd do differently and what it means for an industry still wrestling with shared logins, high turnover, and workers using four different brand systems before lunch.
“We hire them for their willingness to help people out, friendliness, outgoingness, sales, which is pretty much everything that a bad actor would love to see.” - Josh Johansen
Show Notes:
- [3:05] A cyber insurance mandate pushes Brandt Hospitality Group to find an MFA solution, and complaints about authentication fatigue make the obvious options the Brandt partners are already using feel like the wrong fit.
- [4:03] After months of evaluating vendors and completing a full proof of concept, the leading candidate drops smaller accounts without warning, sending Josh back to square one and into a same-day demo with Beyond Identity.
- [5:09] Beyond Identity moves fast, puts together a rapid proof of concept, and earns the business. Josh describes meeting Jasson in person for the first time at BeyondCon shortly after signing on.
- [5:45] Hospitality is uniquely vulnerable to phishing attacks, and the industry's culture of helpfulness connects directly to the behaviors bad actors are counting on.
- [6:49] A general manager calls convinced she needs her password to pay an overdue vendor invoice. When she can't get a login prompt, the situation is recognized immediately as a phishing attempt she nearly fell for.
- [7:33] Reflecting on that moment, someone sharp and experienced nearly became a victim, and removing the password from the equation entirely turns out to be the real breakthrough.
- [9:05] The conversation turns to the limitations of cyber awareness training, and why even well-intentioned employees with heavy workloads cannot be expected to function as a reliable last line of defense.
- [11:13] Jasson describes how Beyond Identity works, using the analogy of a monkey in a jail cell to explain how a signing key stored in a secure hardware enclave can authenticate a user without ever leaving the device.
- [12:06] The concept of stealable credentials expands beyond passwords to include API tokens, session cookies, SSH keys, and anything else that can be copied and lifted from a system.
- [17:33] The discussion shifts to agentic identity and AI-driven workflows, with customers on opposite ends of the spectrum — some where agents make up the majority of their workforce, others who paused rollouts after discovering how easily prompt injections could expose sensitive data.
- [19:17] The biggest mistake organizations make going into a passkey rollout is diving in without a clear understanding of how their identity environment is actually configured and what that means when things don't behave as expected.
- [20:35] A lesson from their own deployment — initially limiting passkeys to senior staff and leaving line-level employees on passwords — makes clear that partial coverage leaves meaningful gaps.
- [22:58] Most organizations under active phishing load will experience an incident during a mid-deployment window, and that moment often becomes the event that accelerates full adoption.
- [24:33] The shared workstation challenge in hospitality comes into focus, along with how the device-bound passkey differs from the consumer versions employees may already be familiar with through Google or Facebook.
- [29:14] Jasson draws a clear line between consumer passkeys optimized for conversion and enterprise passkeys built for security, explaining how sync fabric trades credential protection for convenience in ways that matter in a corporate environment.
- [31:07] One enrolled device can cryptographically authorize the enrollment of another, allowing organizations to scale without moving keys or introducing new vulnerabilities.
- [33:33] The passkey model changes accountability inside a hotel operation — device-bound credentials and role-based access make it significantly harder for well-meaning managers to share login access with staff informally.
- [36:55] As the conversation wraps, a simple test is offered for evaluating any passkey system: if the passkey can move, it is not a security product.
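The two properties the show notes return to, a signing key that never leaves the device (the "monkey in a jail cell" at [11:13]) and one enrolled device cryptographically vouching for another ([31:07]), modelled in Go as an added example. This is illustrative code, not Beyond Identity's product or a real hardware enclave; the origin, user and challenge values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// DeviceEnclave is the "monkey in a jail cell" modelled in software: the
// signing key sits in an unexported field and only documents to sign and the
// public key pass through the bars. Illustrative only; not a hardware enclave.
type DeviceEnclave struct {
	priv *ecdsa.PrivateKey
}

func NewDeviceEnclave() (*DeviceEnclave, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DeviceEnclave{priv: k}, nil
}

// Public is the only key material that ever leaves the device.
func (d *DeviceEnclave) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// digest binds a statement to its purpose and context (origin or user) so a
// signature made for one context cannot be replayed in another.
func digest(purpose, context string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(purpose + "\x00" + context + "\x00"))
	h.Write(payload)
	return h.Sum(nil)
}

// SignLogin answers a login challenge for the origin the device is talking to.
func (d *DeviceEnclave) SignLogin(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest("login", origin, challenge))
}

// SignEnrollment lets an enrolled device vouch for a new device's public key;
// no private key is copied between the two devices.
func (d *DeviceEnclave) SignEnrollment(user string, newPub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(newPub)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, digest("enroll", user, der))
}

// RelyingParty is the identity-provider side: it stores public keys only.
type RelyingParty struct {
	Origin string
	keys   map[string][]*ecdsa.PublicKey
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, keys: map[string][]*ecdsa.PublicKey{}}
}

// EnrollFirst registers a user's first device out of band (e.g. IT onboarding).
func (rp *RelyingParty) EnrollFirst(user string, pub *ecdsa.PublicKey) {
	rp.keys[user] = append(rp.keys[user], pub)
}

// EnrollSponsored adds a device only if an enrolled device of the same user signed its key.
func (rp *RelyingParty) EnrollSponsored(user string, sponsorSig []byte, newPub *ecdsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(newPub)
	if err != nil {
		return err
	}
	for _, sponsor := range rp.keys[user] {
		if ecdsa.VerifyASN1(sponsor, digest("enroll", user, der), sponsorSig) {
			rp.keys[user] = append(rp.keys[user], newPub)
			return nil
		}
	}
	return errors.New("enrollment not vouched for by an enrolled device")
}

// Authenticate accepts a login only if the challenge was signed for this origin
// by one of the user's enrolled devices; a look-alike origin's signature fails.
func (rp *RelyingParty) Authenticate(user string, challenge, sig []byte) bool {
	for _, pub := range rp.keys[user] {
		if ecdsa.VerifyASN1(pub, digest("login", rp.Origin, challenge), sig) {
			return true
		}
	}
	return false
}

func main() {
	rp := NewRelyingParty("https://login.example.com") // constructed origin
	laptop, _ := NewDeviceEnclave()
	rp.EnrollFirst("gm@example.com", laptop.Public()) // constructed user
	sig, _ := laptop.SignLogin(rp.Origin, []byte("constructed-nonce"))
	fmt.Println("login accepted:", rp.Authenticate("gm@example.com", []byte("constructed-nonce"), sig))
}
```

A signature obtained by a look-alike login page is scoped to that page's origin and fails at the genuine relying party, which is why the "I need my password" calls described in the episode lead nowhere.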
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Jasson Casey – LinkedIn
- Jasson Casey – National Security Institute
- Beyond Identity
- Joshua Johansen – LinkedIn
- Brandt Hospitality Group
Transcript:
Jasson and Josh, thank you so much for coming on the podcast today.
Josh: Thanks for having us.
I'll start with Jasson. Can you give the audience a little more background about who you are and what you do?
Jasson: Sure. My name is Jasson Casey. I'm a co-founder and CEO here at Beyond Identity. What do I do? Anything and everything necessary to move the world forward. But look, my background is technical. I grew up in the world as an engineer, building and designing large-scale security systems, infrastructure security systems, and 25 years of doing that brought me to today, and that's still what I'm doing today. Just with a little bit different scope.
Awesome. Josh, what's your background?
Josh: Right now, I'm the Director of IT or Systems and Technology here at Brandt Hospitality Group, where we're an owner, operator, and developer of hotels. They're all branded actually, mostly Marriott, Hilton, Hyatt, IHG. My background is I started in hotels when I was in college. It was my part-time job when I was going to school for aviation. Put myself all the way through that, and when I finished, September 11th, the backflow is all these pilots were furloughed.
There wasn't a lot of opportunities there. They asked me if I have ever thought about working in hotels and being in GM, and I said, “Absolutely not.” A week later, I was driving to Texas and that's what I did. I worked on the operations side for about 10 years, and then moved over to the property-support side and have been leading the IT stuff for about nine, 10 years now, working on that side.
Awesome. How did the two of you meet?
Josh: We had a mandate back in—well this is a while ago now—where we had to have MFA for our cyber insurance in order to meet those requirements. Otherwise, we're going to have a—I actually am not sure that they're going to renew us, unless we put it into place. As we were exploring options, when we work with multiple brands, each of them were also moving to the same path of having an MFA.
Marriott, I was using theirs, I think it's Entrust, and Hilton was going with Duo and Microsoft Authenticator. Of course, we're a Microsoft shop, so that could be an option, but I was already hearing complaints about folks of the MFA fatigue of every time you have to do anything, you’ve got to pull out this thing, or text a code, or get a code, or enter it in.
We were looking for something that was a lot less friction, and I wanted to be so it could integrate seamlessly so people wouldn't complain about at least the stuff that I was rolling out. They can continue to complain about our brand partners, but at least what we were doing in this house, we're trying to make it as user-friendly as possible. The other challenge we have is, with hospitality, our users are definitely not—we don't hire people for the technical acumen. We hire them for their willingness to help people out, friendliness, outgoingness, sales, which is pretty much everything that a bad actor would love to see.
We've gone through a process to try and find a solution. We're all the way through the end of it. It was going to be, “Hey, this is a little bit different than what other people were doing, a little bit less friction for the end user.” At the last minute, there was a little, there was a typo in the contract of the agreement that was not what we agreed on. I needed to get that fixed before I'd sign it.
They were going to take that to get that fixed. They came back and they said, “Hey, we just had a meeting this morning that any agreement that wasn't signed, if you're less than, I think, 500 users, we're dropping you.” We're like, “Really?” We've just done this whole proof of concept, gone through this whole process for the last, like, probably four or five months. And at the very end, it was, like, over. I'm scrambling to try and find another one.
I don't know why Beyond Identity had never come up in my prior search, but that day I was, like, going back through all these same ones, Okta, Beyond Identity, anything I could find. And the folks at Beyond Identity replied back to me within, oh, I think it was within an hour. It was shockingly fast. And I kind of explained the situation and they said, “Hey, we can get you on a demo, like maybe even this afternoon.” And I said, “Let's do it.” And so we did that. They put together a small proof of concept for us, so we could get through the process really fast.
And the next thing we know, we signed up with them and we're beginning that process of rolling it out. And then I met Jasson for the first time in person. I met him online, like they would do check-ins. Then the first time I met him in person was when they had their BeyondCon a couple of years ago, where they brought customers in.
Awesome. My understanding is that at some point along the line, you guys experienced a cyber attack.
Josh: Yeah, hospitality is very vulnerable to phishing attacks before PCI compliance. That was the thing that was always a huge target on our back. Like I said, we're great at taking care of people and making diseases possible for you. But that also means that, “Oh, yeah. You want to pay for your sister's room? Just photocopy your credit card for me and send it on over.” And then, which maybe isn't the most secure way of doing it.
So that's why the industry, you know, we've changed things a lot. And now we have better processes and systems in place, but that also requires security and getting rid of the generic accounts and having everyone with a named account. But we continue to have these phishing attacks. The big thing that Beyond Identity did for us was changing that password that can be harvested.
We get so many phishing attacks where they're just trying to harvest the credentials. These things are phenomenally good. We've moved over to Beyond Identity. Now, everyone, at least our high-level leadership folks who access finance and accounting and things like that, are using a passkey. And I get calls from a general manager and she is, like, convinced. She said, “Hey, I need my password.” And I said, “You don't have one anymore. Like we use this passkey system with Beyond Identity.”
And she's like, “No, I got an invoice from this tribal agency. It has to be paid. It's overdue. We need to make sure we get this paid.” When I click it, it brings me to the Microsoft sign-in page. And I don't get the prompt. It's asking—I get a password window. And so I need to get it. And I'm like, “That's a phishing attempt. You can just ignore it. Just delete it.” And she was very convinced that, I think we, she didn't want to not pay somebody that needed to be paid.
But that was the, I think, the big eye-opening event. This probably happened, I don't know, two, three months after we'd finished the initial rollout. Knowing that, I'm like, “Wow, this is somebody very good at their job. But they're very in tune with what's going on.” But they still were, could have been susceptible to that. And this, beyond a doubt, just stopped it from even being a breach point because there is no password anymore.
That was the big thing for me. Like, “Hey, this is the right way to go.” And I know that the passkey is a bit of a lift for folks, but it's well worth the effort because I wish it was the only time that that ever happened. But I've gotten that call multiple times now in different various levels of urgency where people are looking for their password because they got something and it's asking for the password. We need to make sure that this gets taken care of.
I mentioned this, one of the challenges is training within your industry, particularly because your people are being solution-oriented and, “How can I help you?” Their whole job is to help people. Whereas, someone calls me, my job is, I'm going to be a gatekeeper. I'm going to try to give you as little information as possible. Yet you've got people that it’s, like, their job to do it, not do whatever you can, but do almost anything that you can to help out the potential customers.
Josh: Absolutely. We talk about the human firewall all the time. And part of the PCI compliance is that we do employee training and it's cyber awareness training. It's not just related to the payment cards, but just general cyber awareness, like smishing, vishing, all of those types of training. But the reality is it just takes one click for that to go out the window if you don't have some other layer of protection in the backend.
That's why I love this solution with the passkey down to that secure enclave, because it takes away the—they’ve got so many things going on. A general manager of a hotel is not only—people think, “Oh, what do they do? They just kind of visit with people all day.” No, they have the budgetary side. They have the sales side. They have ownership asking them questions and metrics and responding to their P&Ls. They also have to make sure like, oh, you know, the restaurant manager is now ill and they’ve got to figure out how they're going to cover that.
And it's a holiday and there's a big bus now that just decided to come in. They would pop up, the sales just booked. They've got a lot of things coming at them all the time. And when you ask them to like, “Hey, now we want you to be a cybersecurity expert as well and analyze every message you get and make sure that it's legit.” This is a way that we, on the IT or the support side, can be like, “Hey, we're going to take away that, I guess that attack surface for you, and get rid of that.”
You no longer have to worry about, “Oh, does this pass muster?” You know, it gives them a little bit more confidence to just go through their day and get their job done. But it is a little bit of a, or it's very much a mental shift of how you work because the idea that, “Hey, is it really secure? I don't have to type in a password. I just put in my username and I'm logged in, as long as I'm on my device.” I think the magic that makes efficiency happen for these operators. And that's why we love the solution in hospitality.
Awesome. Jasson, can you talk a little bit about how passkeys work for the audience who doesn't know?
Jasson: Sure. Beyond Identity focuses on identity defense. We typically get plugged into an organization's existing identity stack. We don't displace the identity stack. You can think of us as almost like an identity detection and protection module for your Okta or for your Microsoft Entra or your OneLogin, Shibboleth, et cetera. The first thing that happens when we plug in is that we take over authentication.
And the way that we do that is we have a—you can think of it like a wallet. Our wallet runs on the machine that you actually want to work from. If you want to work from a mobile device, it can run on your mobile device. If you want to work from a laptop, it can run on your laptop. But it takes advantage of some specialized hardware that now exists pretty much universally across all of these device types.
We basically create a key that cannot move. This is really, really important. The 70 to 80% of all security incidents that you deal with right now are really based on stealable credentials. Obviously, we think about passwords because that's the obvious thing I can steal, right, if I can capture it. But one level down, we're also talking about API bearer tokens. We're talking about access tokens. We're talking about session cookies, session hijacking. We're talking about SSH keys. We're talking about GPG keys.
Anything that can be copied, right, can be stolen. In modern architecture, things get copied a lot, right? Our fundamental insight was, number one, let's move to an authentication system where we don't have to move the secret material. That's kind of everything in our system is basically a cryptographic signing, right? The signing key doesn't have to move. But we take it one step further and we create that key in an enclave with a guarantee that it cannot move.
What is an enclave? You can think of an enclave as a small jail and there's no door, right? There's only bars. And there's a monkey on the inside with a pen, right? You hand the documents through the bars and you say, “Hey monkey, sign this document.” And he may have a couple of pens. A pen with no policy? Sure, the monkey signs your document, hands you the document back. That's a perfect example. The pen never leaves the jail. The pen is locked in jail. The pen can't really be stolen.
It's possible to have other pens where you ask the monkey to sign your document and they look at the pen and they're like, “Oh, the pen requires me to also have a biometric and/or a PIN, right?” By the way, this is exactly what's happening when you buy a cup of coffee with Apple Pay or Google Pay. Our wallet operates in that way. We create that bound credential. It physically cannot move. It has something called a hardware attestation, which is like a little proof, a certificate or a receipt that shows that the key was created properly with the hardware policy and you can trust this under the only assumption is that the hardware foundry itself has not been compromised.
We do some other things, like we also believe that modern security is about joining identity and security tightly. It's not just enough to know you're the right person. We also need to know that your device is secure enough for whatever you're asking for. We have the core of what looks like an EDR sensor actually wrapped into our authenticator, right? Every authentication in our system is, it can be a question of who are you, who is your device and what security and what, how hardened is your device? How protected is your device relative to what you're asking for?
That's a customer control. Customers can kind of control that level of scrutiny through policy. But that's really kind of the core of our architecture and kind of how we got started. Keys that cannot move, signing keys that probably cannot move with posture wrapped around it and then kind of doing this all continuously. You'll see this in the trade press if you see things called the continuous part, continuous identity. Sometimes people talk about it in that way.
Although what is unique with us is that proof of being device-bound. Most other solutions that market themselves with passkeys are not device-bound, they carry no proof. And in fact, those passkeys actually do move.
Can you give an example? Because you were talking about device-level security and does this device meet the security standards of the client? What are some of the different variations of what you would consider a less secure device and a more secure device?
Jasson: It's very situational. I'll give you a couple of examples. Here's a simple thing. Most organizations have some level of BYOD devices and third-party devices that actually have access to their environment, right? Maybe the COO required an exception of IT so that they can work from one of their personal devices, right? Maybe marketing has contract PR and contract designers.
Maybe their devices are managed, but they're managed by a third party. But the organization still has to be signed up for SOC. The organization is still signed up for some compliance regime or some set of security controls that says, “I don't care if it's unmanaged or third-party managed. I still need a control that verifies at the moment of access and continuously during authorization that it still has some form of EDR running on it. That it still has some kind of MDM policy input that the browser that's asking for the authentication is actually an executable compiled by Microsoft or Google or Brave and not just a Python script trying to harvest an access token, right?”
Those are various things that you can kind of turn up or turn down. The reality is, I think we support like 10,000-plus attributes in our policy engine. And the reason for that variability is customers, different customers, just care about different things and want to write policies in different ways.
Now in the world, so we're actually now marching into agentic identity. And in the world of agentic identity, those thousands of attributes are actually now becoming required because policy for access is no longer good enough to be a set of deterministic rules. You kind of need intent-based policy, right? Because agents are really, really good at, “Oh, you're going to deny me the file open tool. Well, I'm going to use the stat tool to go figure out whatever the objective is, right?” And so being able to kind of map out a complete set of policy controls, given a higher-level intent, I would say is going to become table stakes if you're running agents.
Yeah, are you seeing lots of pushbacks from your interest in your customers from running agents, or are people a little bit paranoid? Or both?
Jasson: We have both. We have people that, we have customers that, I don't know how much of this is marketing because I don't see exactly inside of their organization, but their claim is 70% of their employees are agents, right? What they're basically trying to say is every employee is expected to essentially steer and manage a collection of agents to get their work done.
Then we have other customers where they literally paused their agent rollout because they didn't set up the right controls to start with. They realized really, really simple prompt injections by some squirrely DevOps guy to read the email of the CEO as possible based on how they set up their RAG. We see both. Look, the world is changing right in front of us, right? Like over the weekend, we saw Claude book, not Claude book, Moltbook, sorry.
How much of it you believe is people parroting or not? The thing that is undeniable in my mind is like the zero to X million set of accounts, the activity and the action. Some people are going to move because they see utility. Some people are going to move because they fear they're going to get left out. And both of them need real protection to make sure that they don't replicate classic mistakes at the scale that an agent can replicate.
Getting back to kind of the cybersecurity and using passkeys and more modern technology to prevent, what are some of the big mistakes that organizations make before they implement something like passkeys?
Jasson: Josh, you want to start and let me finish?
Josh: Yeah. I think for us, like it was just, like when you go through the demo, I think this is true of any technology now. When you're going through the sales side, like Beyond Identity did a great job. But the reality is, as the customer, when you're trying to fill a need, you're like, “Oh wow, that's fantastic.” You know, and you're just, you just dive, head first and then you don't maybe kind of explain some of the nuances that your organization has.
I don't come from an IT, like I mean, I didn't go to school for computer science or information systems or anything like that. I worked in aviation, or I mean studied aviation then worked in hotels. Understanding for me, all my IT has been because of the things, processes and partners that we've worked with and what I've learned from that. And so when I’m like, “Hey, yeah, we have on-premise Active Directory and we do federated sync-up to Azure.” I didn't maybe have the nomenclature down properly, like, “Hey, we have a hybrid Azure AD-joined environment. It's going to be slightly different.”
Remember during our rollout, when I was filling out the questionnaire, like, “Hey, how we have this.” Then we're like, “Hey, how come this isn't working?” And then we had to get back and like, “Oh, but will you have this?” Well, we can still support that, but we’ve got to change it to this way of doing it. And they had solutions for all of that. But more of that was my ignorance of understanding the difference of the nuances with the different types of Azure AD-joined environments you can have and, like, how that process works.
I think having a really good understanding of how your identity is currently functioning is really crucial to making sure that you have everything. The other mistake that we made was we were just going to secure our higher level folks that had access to multiple systems and let the, like the line-level folks, the restaurant servers, the front desk reps, those continue on with the password. We quickly saw that the value of getting into everybody and then kind of figuring out the best way to make that transition so that everybody's using a passkey.
And for us, I know in hospitality, we have a rather high turnover just because of their seasonality in the work, the demographic of people that work, like, that are bus boys and servers and bartenders and reception folks is a different demographic than maybe like corporate career folks who are locked in for the job for a long period of time. That's the onboarding process and making sure everybody's aware of the latest and greatest.
And the best way to do that lift to get everybody onto the passkey is still something we're figuring out because it is a little bit of a process when you have a shared workstation environment and you're enrolling people on multiple workstations. With a password, you do it once—that was the beauty of Active Directory—once and you're done. This is, like, once per piece of hardware that you use to make sure that they're able to access that throughout their workday.
I think the biggest thing you could do if you're preparing to move to something is making sure you have a really good documentation and understanding of how your environment's set up when it comes to identity, and then what your rollout plan is as far as how you're going to secure the different groups, and also the training and education is some things that I think are very logical. The passkey thing is kind of a mental look from a password. To be able to understand how that, how to make that happen.
Jasson: This is actually pretty typical we see in customers during rollout. With Josh, he was just explaining, like, the post rollout, so most organizations are under a constant phishing load, right, and there's usually some non-zero percentage of detonation, which results in an access token theft. And then whether that's useful or not, whether that gets detected or not is a whole other thing.
Fundamentally, what we do from a technical perspective is we remove certain pieces from the equation where, literally, you can click on all the bad links and nothing bad actually happens. Oftentimes, when we're deployed, a customer who's mid-deployment with us will actually experience an incident for the people who are not enrolled. And what that usually does is accelerate the exercise. What Josh has seen is actually no different than what a lot of our other customers have seen, in that the incidents or the attacks are still happening.
The users are still clicking on the link, but there is nothing to steal. There's nothing to lift off.
Those are dead ends, but the way they actually come, the way they actually come back usually to the operator, the head of operations is like, in Josh's case, this particular individual who was really diligent about making sure all vendors got paid. The other one, we have another one, which is a public utility. They had dedicated one or two people just to post phishing compromise—what’s the right word—essentially fix up where they would basically, like, kill off, identify the blast radius, kill all the authorized tokens, do the audit log, do the review.
And in those cases, those people basically were not doing anything for a month. And then they realized, “Oh, yeah. This is actually not possible anymore. You now have a new job.” I guess it's not a blow-by-blow on China was at the door and they pivoted onto this machine for this and that machine for that. It's more of 70 to 80% of what drowns your SOC today is actually this. And it's not, and you don't have to get a better detection. You could actually make it go away.
Gotcha. For either of you, when it comes to—because traditionally passkeys in most consumer implementations is one user, one machine, one device, and you're talking about issues where in hospitality, particularly like servers, you've got multiple employees using the same machine. How does, in the big picture, are passkeys developed for situations like that?
Josh: I can talk just a little bit from the hospitality side. This is one thing that I still have as a conversation with people. When they hear that we use a passkey, there are the small percentage, because it's just like Google now is letting you enroll with one, and I think Facebook and any of these main ones. But the problem is, the passkey that we use is nothing like their passkey. Well, actually, I don't know if it is, but in my mind, it's nothing like that. Because the challenge with—like I've had, well, we just opened a hotel this past fall.
And one person, when I heard we had passkeys like, “Oh, I had that with Google and Facebook and it never works. Can I just keep my password?” Or like, “Well, it's Google and Facebook’s; they call it a passkey.” Maybe that truly is the definition of a passkey. But the reality is I have a passkey in my Google account, but if I click the option, I can still use my password. I don't really know what the point is, because you can move them around from browser to browser.
There's no secure side. That actually is a little bit of a barrier for this person who is exposed to those consumer website passkeys, trying to explain how ours works. Like, “Hey, now think of ours like your Android wallet or your Apple Pay.” Like when you get, “Do you use that?” They're like, “Yeah, no.” They head over, they head. You're like, “Hey, if you get a new phone and you already have your credit card on your old phone and you do the backup, when you get your new phone and you've restored your backup, your credit card's not there. You still have to add that card in again.”
I think that's what I like about this pass, well, as we call it, the Beyond Identity passkey, because it is tied to that device. This particular hotel, we're getting them set up like, “Hey, we're working with the leadership folks, the GM, AGM, director of sales, the initial people that are there before our hotel opens, and getting them set up with that.” And they were a little bit confused at first, like, “Nope, this is your computer. We got it. You have it here. Let's put the app on your phone. Now you can access Teams and email from your phone or your computer. And when your Hilton workstations come in, we're going to have to put the same authenticator on each workstation that you want to log in and move your passkey there.”
And then once they've done it, he's like, “Wow, this is automagical.” Just because he's like, “Wow, this is great.” You know, he didn't have to log in. They said, “Can you do that for my Hilton pass, Hilton account too?” Like, “No, I can only do it for your brand account, because your Hilton accounts still use a password and authenticator and duo, depending on what Hilton resource you're accessing.”
I think that's, to me, I mean, this GM was like, “Wow, this is great, because now I don't have to.” They have a PIN to log into their computer and they can access everything they need to with us without having to reset a password every 90 days or pull out anything like that. Then when he saw what he had to do with the brand, he's like, “Hey, how can you make my passkey work on that too?”
And we're like, “No, because it's not our thing. Hilton will have to get Beyond Identity.” One day we're working on it, trying to talk him into it. But I mean, that's the, I think the confusion that happens with the consumer side is that experience with the, you have a Google or Facebook, and then finding out that that passkey is like, it's this big headache that, they haven't done a great job of educating. Or maybe they haven't, we're all just confused. And then compared to the Beyond Identity corporate, where it's bound to the device, I think you guys call it a key pair certificate. I'm not exactly sure how, the technical definition.
Jasson: Yeah, so marketing one here, we had all sorts of what we thought was cool technical names and they're like, “Yeah, we don't care what you say. People know passkey. We're just going to ride that train.” But yeah, consumer passkeys are very much about the consumer marketplace. The consumer marketplace generally does not actually care about security. They care about conversion rate. You can see this in how passkey implementations in the consumer world have been optimized. They've been optimized for, “How do we get you from X to Y incredibly quickly?” Unfortunately, this has led to a weakening in the consumer passkey system.
There's this thing called passkey sync or sync fabric, which really, it's this weird thing where it's like all the security of your passkey guarded by the strength of your password. It's kind of like what we just described, your passkey literally gets copied and moves through this cloud apparatus to a new device when you enroll in the new device and you use your iCloud password or your Google password. I want to be careful in just saying it's bad. It's not bad, it's just, it's solving a different problem.
We came at this a bit different and we also came at it before a lot of these things existed. We said, “All right, the number one security, so we're an enterprise business, right? Our customers are large organizations.” We said, “All right, the number one thing in this system from a critical foundational vulnerability perspective is really a credential that can move. How do we provide guaranteed non-movement?”
And when we figured that out, the very next problem is like, “All right, if I have configured, if I have guaranteed non-movement, now I've introduced some user friction because that almost implies that a user has to kind of do something extraordinary to enroll any particular device.”
The next idea the team came up with is, “Well, wait a minute. What if these devices can all kind of enroll their own keys?” When they enroll a key, they produce a proof of, like, essentially custodianship. And what if we had something a little bit like a certificate signing request? What if, when a device is enrolled, what if we, as an option of a way of enrolling a device, rather than moving a key, what if we let one key essentially attest a paternal relationship to another key, right? And this is not the certificate tree that your grandparents are familiar with. This is a little bit different.
This is really just like, “Hey, one of my devices is really just authorizing the enrollment of one of my other devices.” And we're like, “Well, that's interesting, but all of our authorization models in the world kind of exist or predicated on possession equals access.” It's like, well, that doesn't have to be true. We can literally just split those things. Possession, in fact, in our system, does not actually equal access. Possession just equals possession. And then when you want to use that key, every time you use that key, you still have to go through policy. And policy is like, “Hey, prove you can use the key. Prove you can use the key guard with the biometric. Prove that CrowdStrike is still running on your device. Prove that the process asking for the authentication was built by Microsoft within the last decade,” right? Or however you actually dial up policy.
We started coming at it this way and we realized that, number one, I think the consumer side was a little lazy in their idea that, like, just deciding that you needed to move these keys around.
Because technically I could simulate key movement by letting one key authorize another. And technically it's a new key, but I have this cryptographic lineage. I have apprenticeship. That was kind of a lot of the innovations that we came up with back in 2019 and 2020 around, “How do I enroll devices? How do I enroll devices against different authority? How do I separate out possession from usage?” We didn't anticipate it at the time, but that turned out to be a really key differentiator around organizations that run incident response.
Imagine an identity system that's anchored in a device. When I have an incident, my blast radius is a device of one. I know exactly what I'm talking about. And because of that EDR-like sensor that I mentioned earlier, you can actually discharge or run instructions, query instructions against that targeted device. In fact, you want adversaries to kind of enroll in a system like this because of the amount of visibility that you get. And like these are the differences of what I call enterprise secure passkeys versus what you're going to get with what you would see as a Google passkey or a Facebook passkey.
Josh: The challenge that we've had in hospitality is we have had, like, a generic credential. This is going to terrify you. We've had a generic credential until right up to just after COVID when they finally got rid of it. If you worked at a hotel and you could probably, if you'd worked at one brand, you'd probably go to another brand, figure out that login information fairly easily. Thankfully, all the brands have gotten rid of that.
At least the brands we work with, they no longer allow that. But that was used, that was done until then. And the big challenge there was, I think even though people think, like, Marriott or Hilton, they think this large enterprise, a lot of them are independent. There’s, like, the one owner and there might just be that at that hotel.
They may, even though they have the backing of the brand for the brand side of the systems, they might not have, like, they might be using, like, a generic email address instead of, like, those named, a shared email, like front desk at whatever, gmail.com. Now, I think the push here is they individualize everything. The nice thing with the passkey, the way that it works with me out of danger is I'm pretty confident now that I know that if I see Jane Doe did something, it really was Jane Doe.
It's not as easy to lend your passkey to somebody as it is to lend your password to them. Because I know that the best-intentioned GMs that are like, “OK, Lucy does great. I'm going to have her code my accounting system. Here's my password.” Now, at least in this way, like, “Hey, no, we don't want you to do that.” We're going to do rule-based authentication controls. So like, “Hey, no, Lucy, if she needs access to that, we're going to grant it to her so that she can use her own credential to do that.”
And I know that this type of framework promotes that versus the password, or it's very easy to be like, “OK, here's my password. Just log in as me and code these invoices.” From an operating standpoint, that's what I think that hopefully more people will see the value of that and kind of move towards that as well.
I suppose in your situation, you have the additional complexities of not only do you have your own brand, you have the brand or the hotel that you're operating that you've got to work with two kinds of separate sets of identity.
Josh: Yeah, yep. I know that Jasson and I have talked about this briefly, just like, “Hey, in the future, is there a way that those things can be, like, sourcing off of two directories or identities where you have that—I’m not sure how to say the word—provenance or whatever, to, like, say, ‘Hey, this is truly Josh Johansen in the Marriott system and Josh Johansen in the brand system,’ that I can use that singular thing?” Because right now, I do have a different identity for every brand or company that I'm working with.
Or at least those people that are in your organization that are crossing brand, I assume someone who's just working in a Marriott, they're just living in that environment; they're not living in multiple environments like your executive staff are.
Josh: Yeah, they're living in the branch environment and the Marriott environment, but not three or four, but we do have some sales teams, like in regional places where they are living in a Hilton environment, an IHG environment, a Marriott environment and Brandtland. But the nice thing is there for us, we don't have to, as long as they're using our passkey, there's no extra authentication that they have to do, but it is that extra step. I hope that in the future, we're able to see more of that using of that secure enclave to prove who we are rather than having lots of things we have to punch and add codes and text people.
Absolutely. Jasson, as we wrap up here, do you have anything additional to add?
Jasson: No, I think I covered it. I mean, enterprise scalp passkeys are very different to consumer as we've just been talking about. There are lots of easy ways, low-effort ways of enrolling both the human workforce as well as the non-human workforce in this sort of system. But, like, fundamentally, a passkey system that's actually a security system is one where the passkey doesn't move. And if you don't have that, you don't have proof of that, you're not, you're buying something else.
Gotcha. If people want to connect with Beyond Identity, where can they find Beyond Identity?
Jasson: Yeah, just hit our website up beyondidentity.com. We've got a pretty exciting agent identity product. We're actually launching in February. So beyondidentity.ai. We're on the normal places and Twitter and LinkedIn as well.
And if people want to reach you guys on LinkedIn, where can they find you?
Jasson: Jasson Casey on LinkedIn. [inaudible]
Josh: Josh Johansen on LinkedIn, and just look for the most handsome one.
Guys, thank you so much for coming on the podcast today. I appreciate you guys sharing your story.