Biometrics? Bring it on: why Okta’s Jameeka Green Aaron wants passwords to go away

Share via:

Photo illustration by Alex Parkin / The Verge

How do you define what it means to be you in the all-digital 21st century — and how should systems protect that?

Today, I’m talking with Jameeka Green Aaron. She’s the chief information security officer, customer identity at Okta. Okta is a big company, a Wall Street software as a service darling, and also just the thing a lot of us have to log into at work 50 times a week to get anything done. So I was very curious to dig into the business of Okta’s business.

But Okta’s point of view, Jameeka told us, is that it’s not just a security company; it’s an identity company. So we talked at length about what the whole concept of “identity” even really means in 2023. Is it your whole actual self? Is it a digital replica of your vital stats and permissions? How do you define what it means to be you in the 21st century, and how does that relate to the way you use technology, tools, and systems? How is an identity-based approach to systems more or less secure than other approaches?

We also talked about what identity means in the offline space — the real world, at work — and why that matters for all the rest of us.

As I’m getting ready to host the Code Conference next month, AI is absolutely top of mind across basically every industry — and cybersecurity is no different. Jameeka told us what her real concerns about the new wave of AI tools are: not that they can move faster, although they can, but that they can disrupt security at the level of identity and make it harder to tell, well, who’s real.

A few notes: We talked about passkeys quite a bit, which big companies like Apple, Google, and Microsoft are all signed on to as a biometric replacement for passwords. We’ll put links in the show notes to various Verge stories about it, but the basic idea is that you can sign in to your accounts using your fingerprint or Face ID instead of a password. Google already supports it, Microsoft is testing it in Windows 11, and Apple will support it soon with the release of iOS 17 and macOS Sonoma.

We also talked a lot about the idea of keys and key management in general. At the most basic level, a key is what allows computers access to various systems, but once you have a big database with lots of users and complicated APIs, managing all those keys becomes a big problem that affects everyone. And that’s really very much the business Okta is in.

Lastly, you’ll hear us refer to “PII,” which stands for “personally identifiable information.” That means data that’s unique to you, like your name or social security number, as opposed to data like “what kind of phone is this person using.” That kind of data being compromised is the stuff security breaches are made of.

I had a lot of fun talking to Jameeka… right up until she made fun of my iMac.

Okay: Jameeka Green Aaron. Here we go.

This transcript has been lightly edited for length and clarity.

Jameeka Green Aaron, you are the chief information security officer, customer identity at Okta! Welcome to Decoder.

Thank you for having me. This is cool! I’ve been listening and following you for a while, and you’re a good interviewer, so I hope you take it a little easy on me.

The people who say that are usually people who are most prepared, so get ready because the org chart questions are coming. That’s what we do here.

Okta is a really interesting company. We use it here at Vox Media. It is a big company; it’s a darling of Wall Street. While we’re talking today, the stock price is up. It’s a big enterprise company. Everybody needs it.

For most people, it’s the thing that comes in the way between you and the thing you want to use at work. So, if I want to log into Airtable at work, I’ve got to stop and use Okta and then check the two-factor somewhere. That’s how most people experience Okta. So give people just a high-level view of the relationship between the thing they experience of Okta and what Okta is as a business.

Okta, as a business? We’re about people. We’re a technology company that’s about people. Our goal is to enable everyone to safely log in anywhere they want to log in, essentially — safely use the internet and log in. And so when we think about what Okta really is, we’re just a login box. In layman’s terms, we’re the login box.

We’re building a primary cloud for identity. Well, what does that really mean? What is a primary cloud? Salesforce is a primary cloud for CRM, or Workday is a primary cloud for HR. We are building a primary cloud using workforce identity and customer identity for identity. That’s what we’re trying to do, or that’s what we’re doing, at Okta. And we touch people everywhere that they are. So, yes, you see them at work, but what people don’t realize is that you also interact with us on the consumer side — when you’re logging in to your banking application or when you go to a baseball stadium, you are also interacting with the login process of Okta. That’s what we do.

I think of web applications — really, I think of all computer stuff — as a series of modules. I log in to a bank — they need a database vendor and a web design company. And you’re saying even through that, even through just logging in, you’re the vendor that supplies secure logging in to a bunch of people that need secure login, and then you can go and use your application?

Is that where it ends for you, or are you trying to go beyond that?

That’s where it begins for us. We absolutely are trying to go beyond that, because I think, to take your example, when you log in to a bank, you don’t just log in. You log in and you’re prompted for additional factors — so, multifactor authentication. So you’re prompted with a one-time pin, a password, or an additional password. You’re prompted with a social login or some other way to verify you. And so we are not just the login box — we’re not just securing the login box. We’re trying to blend the user experience into the login box. So there’s that. I think there are other new technologies that are coming out and that are changing that are also going to change what we do, like the way we protect personally identifiable information. And so we are now a part of that as well.

So I wouldn’t say that that’s where we end. I’d say we are at the beginning of the process. We’re trying to change the way people think about passwords and the way they think about how they log in, and that’s hard because the password is deeply ingrained into society. As long as we’ve known computers, we’ve known there’s a username and password, and we’re now saying, “Hey, let’s move beyond that. Let’s get beyond that. Let’s go into passkeys, let’s go into passphrases, let’s go password-less.” And so we’re thinking about all the ways in which we can do that securely but also in a way that people will actually use the technology to keep themselves safe.

I want to talk about passkeys in particular. That seems like a big trend that’s coming — Apple and Google are into it, Microsoft’s into it. But I want to stay focused on Okta for just a second here. When you think about that problem space, we want to make identity and logging in better — that’s a big problem. And it ties into a bunch of social factors. It ties into how people want to use the internet. It ties into the very notion of whether you should be the same person everywhere on the internet or different versions of yourself on different platforms. Does Okta have a view there, or are you more “okay, we’re for you at work, we’re for you when you interact with a business”?

“We’re about people. We’re a technology company that’s about people.”

No. I think we have a perspective that digital identity is important. From that perspective, when we think about digital identities, we want you to own your actual digital identity. I think that’s the most important thing when we think about people and technology. I want Nilay to own all the versions of Nilay on the internet. I want the threat actors not to own any of those versions.

So when we think about our trajectory as a cloud identity company or as a primary cloud for identity, we are thinking about: How can we make it so that wherever you are, you actually own your true identity? And that’s a really big problem space, and it’s hard. Because you have to think about … We are thinking about passports, about driver’s licenses and things that you physically hold that also can eventually relay into your digital identity. And we’re seeing some of that interplay now, right? You see your physical identities be scanned into digital platforms and verified that way. But ultimately, we want this to be a seamless process where who you are in real life and your digital identity align and they are both protected. And so, Okta has the problem space of trying to innovate in a way that we can protect both of those identities at the same time.

I hear that. That’s the big vision. I’ve heard that from a lot of companies over a long period of time. Then it runs into reality for me, which is — boy, maybe I don’t want my driver’s license on my phone. This is a very practical thing that big phone companies would like me to do. Apple would love me to put my driver’s license on my phone. Probably because they just want me to use their credit card. Throw away your wallet entirely.

They want you to use your digital wallet.

Now use Apple Pay. We will take some … It’s very transparent what’s happening there, but they’ve got to get my driver’s license on the iPhone for that to happen. And then I think: I would never in a million years hand my phone to a cop. It’s not going to happen. I need a warrant. You got to show me a warrant before I hand my phone to a cop.

But if I get pulled over, and I drive too fast, and I get pulled over, the first thing they ask me for is to hand me their driver’s license. As a business, Okta has a vision. That vision probably extends all the way to your state-issued ID should be digital in some way. And there’s the practical reality of a bunch of people are never going to hand their phone to a cop. Is there an interplay there? Do you see that?

Do you have to hand your phone to a cop? That’s the question. Do you actually have to hand your phone for them to get—

I think if a cop has an excuse for me to give them the phone, they will take it.

Yeah, I think so! In my mind, when I think about a digital identity, I would not want to hand my phone to a cop. So I agree with you there. I agree with that sentiment. But at the same time, we don’t hand our credit cards over now when we swipe to pay. When I think about just me, Jameeka, and the future of digital identity: I’m pulled over, and I’m in my car, I’m driving my car. Let’s give that example. And my driver’s license is not only tied to my registration in my car, so when I’m pulled over and my license plate is run, there’s information that’s given to a police officer that says, “This is Jameeka Aaron’s car, and this is her driver’s license, and this is what she looks like.” And so when they see me, they go, “Oh, we already have some of her information, or we’re using technologies like NFC to actually transmit that information over to them.”

So I don’t expect to hand over anything else anymore, essentially. I expect that when we think about the future of digital identity, I don’t think people are quite ready to part with anything physical, and that’s fair. I think there’s the physical identities that we have, but then there’s our ability to transmit that identity to those who need it for specific reasons. And I think it goes beyond that. It’s not just: transmit my identity, everything on it — my name, my address, my social security number. It’s: Hey, in this particular case, all you need to know is my name and if I have a valid driver’s license. And so when I think about the future of digital identity, I’m transmitting my name and the fact that I have a valid driver’s license over to a police officer in a wireless way, and that’s all they really need to verify at that point. Is she who she says she is? Here’s her photo, and she has a valid driver’s license. I think that’s the future of identity, and I also think that allows the consumer the ability to control what data is provided and where.

When you think about digital identity, that, to me, is what we should be thinking about. Right now, we don’t have a lot of control over the information that we provide to anyone. If you go through the airport and they scan your driver’s license or your passport, you don’t actually really know what information is being garnered in that particular case. The future of digital identity is one the consumer controls — where the consumer decides which information is actually needed, and do I want to provide that information? If I’m buying a drink and all you need is my name and that I am old enough to drink, then all I’m sending you is my name, potentially, or maybe not even that. Maybe I’m just sending you information that I’m old enough to drink, and yes, you can serve this to me. And so I think when we think about the larger world of digital identities, it’s really one where the consumer decides, and that’s, I think, what’s important to Okta. We’re thinking about: how do we put this back into the consumer’s hands and give them choice while also keeping them safe?

“Right now, we don’t have a lot of control over the information that we provide to anyone. … The future of digital identity is one the consumer controls — where the consumer decides which information is actually needed.”

And that to you is, there’s one unified identity that I control? It’s: I have an identity, and I’m picking and choosing what comes out of that database of identity characteristics.

Absolutely. It’s yours. It belongs to you. Correct.

How do you go from “a bunch of people have Okta accounts at their workplace with the name of their company and the login screen” to “everyone has a unified Okta account that interfaces with everything from local bars to cops?”

Number one, I think public-private partnership is going to be critical to that. And that’s not something that we’re totally good at yet. The fact that we have a state driver’s license tells us that we’re not good at unifying the identity space just yet. We totally have the capability to just have a driver’s license, right?

Yeah. But the political will in this country to do that does not exist.

It’s nil! But that’s what it’s going to take. It’s going to take that level of unification, not just across states but across companies. And one of the things that we [at Okta] pride ourselves on is neutrality. We’ve decided that we’re not going to pick. We’re going to work across many platforms, across various platforms, with thousands of partners, in thousands of ways that we’re connecting different infrastructures. That is what Okta’s trying to do: Our goal is neutrality.

I think us choosing neutrality, in some cases, everyone wants you to pick a side, and I think we have. We picked the side of neutrality and the side of our customers and our consumers. On the flip side of that, Okta’s not just workforce identity. My job is actually in the customer identity space. So, it’s the login box for everything else when you’re not at work. And so we have unique insight and unique data into how people actually move around. And one of the things that we have to do is identity proof all the time.

And when you think about identity proofing, it’s, “Hey, Jameeka’s got two email addresses, and she signed into this account, and is this the same one? If it is, let’s merge those together.” So I think that’s the other space where we really have the opportunity to innovate because we can identity proof, and we can go, “Both of these are Nilay. This is him. We know it’s him. We know these are his two email addresses.”

So when you think about putting that together in a larger identity space, we’ve got the ability to verify you at work. When you go to work, there are lots of verifications that happen that say: Yes, you can work, you pay taxes, those things. And then we also have the ability to identify you in the consumer space. Now, our two products right now are totally separate, but what they offer us the data and the opportunity to do is to look at people, how they move around, and put together the ideas of what digital identity will look like and how it will work. And so we’re still working on that. We haven’t solved the problem yet, but we understand that there’s this wide problem space, and we have a lot of data to be able to solve it.

You mentioned neutrality. Do you think the solution is that Okta maintains a neutral centralized database of identity, and everyone picks and chooses from it, and then we all trust Okta to keep that database secure? Because that seems like a rich target in the end.

“Ultimately, identity-based attacks are still the number one attack, and they are effective.”

I mean, I’m a CISO, so-

That’s why I’m asking you. I think this has to keep you up at night. “Oh, I’m building the greatest honey pot known to man!”

Yeah! I never think that it’s the best thing to do — to trust one place to do everything — because hackers know that, and they are good at what they do. No, I don’t think that you should just trust Okta. I think that the technology that we’re building and what we’re thinking about, you should trust the ideas that we have and the perspective that we have on the identity space. I don’t think that that database will be sitting solely with Okta. I think it will be decentralized.

But what I do think is that when I talk about public-private partnership, I do think there’s an opportunity for Okta to say, “Hey, US Passport Agency! We would like the opportunity to partner with you on digital identities and how we create the next space for digital identities.” So I don’t think that it’s a good idea to have any amount of data — specifically PII data — because ultimately, identity-based attacks are still the number one attack, and they are effective. I don’t think it’s a good idea to have that data sitting in any one space, but I do think that the opportunity for partnerships sits there for us to look at spaces and databases and really connect and figure out how we keep those safe while also having the ability to transfer information and share information.

A couple more questions about Okta, then I want to get into the Decoder questions and how you operate instead of Okta. Really basic here: Who are Okta’s competitors? When you have the big C-suite meeting, who’s on the list? We’ve got to beat X, Y, Z companies. Who are your competitors?

We have no competitors!

Yeah, sure.

I’m just kidding. Of course, Microsoft, Ping [Identity], OneLogin. Those are some of the ones that come up pretty frequently. I think what’s unique about Okta is that we are a cloud identity company, and that’s what we do. That is our space. And we are, again, powered by neutrality. But we are not an on-prem company. That’s not what we do. That’s not in the stars for us. We are really focused on the cloud identity space. And so that’s why when I said, hey, we’re building the identity cloud of the future, that’s the space that we’re ferociously focused on. There are not other lanes that we’re trying to get into.

You’re not going to put out the Okta internet appliance that I can install in my small business tech office.

Microsoft is a huge competitor in many ways. They are on-prem. They’ve had Active Directory for what seems like a billion years. For one minute, it seemed like a monopoly provider of identity services to big companies.

They’re under fire right now. We had Adam Selipsky from AWS on the show. He’s like, “Microsoft security practices are horrible.” He wouldn’t say their name, but he was like, “That company starts with an M.” Other cloud providers are saying Microsoft has problems. They just had a breach. Is your pitch, “Fundamentally, the cloud is more secure,” or is it, “We’re more secure than those guys?”

I am a firm believer in not trashing other companies, because your day’s coming. And that’s me, the CISO, speaking. I’m like, listen — everyone has their day on the front page of The Wall Street Journal. We’ve had our day as well. I think that that’s something that I just try not to do. What I will say is, we work with Microsoft. We work with Amazon. We work with all of these companies in various capacities, either because we’re users of them also but also because we’re neutral. Our goal is not necessarily to put other companies out of business; our goal is to make the best experience for our customers. And so when we think about workforce identity, we’re not just multifactor authentication. We’re single sign-on. We have partnerships. We have 15,000 partnerships and connections to various partners to allow you to do your work securely.

I wouldn’t say that we are better than them in the capacity of “we’re more secure.” I would say that we offer more options available to you. We are not trying to put you in the Okta ecosystem. We’re saying, figure out what ecosystem works best for you, and Okta will work with that ecosystem, and it doesn’t matter what company you are. We’re pushing very heavily on our partners to really create this space where it’s frictionless for the users, because once the users start abandoning our processes, it doesn’t matter how secure you are. If the user abandons the process, you’re going to get hit with an attack. And again, because we are aware that identity-based attacks are our number one, we’re thinking about that because we’re there, we’re the identity provider for so many. And so I don’t think of it in terms of who the competitors are or what we do better.

I think our neutrality makes us strong because it allows you to think about your seam and your sore systems. It allows you to integrate threat modeling. It allows you to look at our data, integrate our data and our threat intelligence into your model. So we’re wide open. We’re saying, hey, use whatever you would like but also use multifactor authentication. Use phishing-resistant factors. Really make sure that you’re building an ecosystem that is secure. We’re not necessarily saying choose a product. But if I had to say, choose a product, I say, hey, choose us.

Let me run at this a slightly different way. There are these phrases that everybody uses: security by design, privacy by design, innovate, make sure you build security in the beginning. Every company uses these phrases. As you look at the breaches Microsoft has had recently, some keys were leaked. I think they provide the Commerce Department with email. The Commerce Department email was hacked – these are huge breaches out of Microsoft. What are you learning as a CISO at Okta from those about your own processes and about places where the attack surfaces might’ve been different than what you had assumed?

I think when I look at some of what’s happening just in general in this space, key management is a challenge for everyone. Every company, every CISO that I talk to, key management is a huge challenge. I am an absolute fan of security by design. It is a practice that we employ implicitly within Okta’s customer identity cloud. It is a practice that takes co-conspiratorship of your CISO, your chief product officer, your chief technology officer. And one of the things that you have to build in your software development life cycle is key management and key storage and really flesh that out. And we have had to learn some hard lessons as well around this space. And so I think when I think about it, we’re just not there yet because the technology has moved very rapidly. We’ve all moved into the cloud very rapidly. I think that was the right thing to do, but sometimes security doesn’t catch up.

“Once the users start abandoning our processes, it doesn’t matter how secure you are. If the user abandons the process, you’re going to get hit with an attack.”

Now we’re playing this catch-up game where we’re trying to figure out how do we manage 40, 50, 60,000 keys in the space that all of our developers have access to and that they’re writing code with? They’re embedding them in many cases. They’re in our GitHub repositories. They’re everywhere. Keys are everywhere. And so, in this particular space, this is one that we all have to go take a look at, take a step back and go, “We need to do a better job with key management.”

What does that mean? It means is it built into the products that you’re using? Is it built into the clouds that you’re using? Are you using a third-party key management system? And even within that space, when you think about keys and secrets and paths, these are all things that mean various things throughout the software development life cycle.

Ultimately, when you think about secure by design, this is one of the issues that we’re going to have to tackle. Well, when do you tackle it, and how do you tackle it when you’ve already got this architecture in place or you’ve got this stack in place? That’s the bigger question, and that’s where I think many industries are getting hit. They understand that they have a problem. They’re working to solve the problem of key management, but they haven’t gotten there yet because you still have a stack that’s in place that didn’t take that into account.This is where secure by design becomes critical — because you build key management into your stack, and then it’s always managed. I think it’s one that we struggle with. It’s one that we’re going to continue to struggle with. One of my people put it this way. It’s an arms race. It is. This is one that we’re going to have to get after because the ability to pick up our keys and to… Especially when they’re hard-coded, when a hacker gets a hold of them, they can get in, and you won’t be able to detect them.

Because they’re using a real credential.

They’re using a real credential that belongs to you. It is yours, and now it is out there in the wild, wild west. And so this is a big deal, and it is unfortunate, but it’s going to keep happening until we actually start to practice secure by design.

It seems like keys are a really big issue in security, especially when you’re building software products and software businesses. Explain very quickly what you mean by a key and why they’re important to protect.

A key is essentially a password that a machine uses. When systems are talking to each other, there is a need to protect the information and the data and also to verify or authenticate that the information and the data is coming from trusted sources. So when you think about a key, a key is essentially a password that a machine or that an API might use to verify that it is who it says it is and it does what it’s supposed to do. And that’s the really simple short version of what it is.

We use them all the time as our systems talk or our containers talk to each other or as they’re passing data. There’s a key that happens or that is exchanged in the process of that conversation.

In many cases, there’s key pairs — there’s one key, there’s a public key, there’s a private key. There are all kinds of keys that look like that. But essentially, they’re passwords. They are a key to a door. You have a front door; it has a key to it. We have a front door, a back door, a side door, and 42 windows — they all have keys to them, and they all have different keys. And essentially, in many cases, we will build our software to have those keys as a part of the software. So they’re hard-coded into the software. We have to rotate them sometimes because we get broken into. They expire. You change neighborhoods or you change doors, and you rotate keys. Essentially, when that key is compromised or someone who isn’t supposed to have that key now has it, they can open all the doors. That’s the problem space that we’re in now.

Key rotation is another big part of the key management process. And so, in many cases, keys live in your software for a very long time or forever, and you have to go and find them and rotate them. And so that’s the other part of the space. You need to rotate your keys, and you need to manage your keychains. If you do neither, someone else will end up with your keys. They’ll end up with your keychain. They’ll end up with old keys, and they’ll go and they’ll start unlocking doors. And when they do that, they have full access to your environment, depending on what those keys do.

Let’s say I’m a small business owner, a small startup making a piece of software. I’m like, look, I need a secure login. I’m going to hire Okta. Does Okta come in and say, “We’re also going to audit your key management and your software,” or do you come in and say, “We’re going to do this for you”?

This is where Okta becomes super important. We do this for you. Let’s put the keys back in the phrase of passwords. We are going to help you manage this so that you don’t have to do it yourself. And Okta works with tons of startups. We have Auth0 for startups. We have free versions for small businesses. And this is really, honestly, a big part of what I’ve been doing these last couple of years, is talking to small businesses, talking to our NGOs, talking to spaces where they don’t think they need to do identity management because they’re not big enough for that.

There’s no size. If you have one employee, you should be thinking about this. If you have 10, you should be thinking about this. And so, Okta’s coming in and saying, “Don’t try to do this yourself. Don’t try to do identity yourself. Let us build it for you.” Whether that’s workforce identity with multifactor authentication and single sign-on and FastPass, which allows you to go password-less, or it’s on the customer identity side where we’re saying you’ve got a login box that’s facing the internet and you need some extra security. You need CAPTCHA, you need an SMS, you need social logins, you need something else that’s going to add an additional factor of protection. And so we are saying, “Don’t build it yourself. Let us do this piece for you, the identity piece.”

And then inside of that, like I said: Okta is a darling of Wall Street. How do y’all make money?

How do we make money? I guess it’s not a tough question, but essentially, we make money by protecting logins.

Do you get a nickel every time I log in to work?

Something like that.

It’s that simple. It’s like just every time—?

No, it’s based on number of—

Because then I’ve got to keep my computer logged in a lot more than I do.

On the workforce side, it’s based on a number of employees. It’s not every time you log in. It’s based on licensing and a number of employees. It’s based on MAEs. It’s based on a number of users. And this brings actually up another point, particularly on the consumer side. Because in the workforce, you know, I have 10,000 employees, I need 10,000 Okta accounts. The consumer side, not so. You don’t have any employees — you have consumers. And this is also where we’re saying, “Don’t build this yourself because it’s going to cost you more.” So, in many cases, consumer logins are incentivized. Log in, and you will get some miles. Sign up, and you will get 10 percent off. And ultimately, you are thinking about trying to get valid customers to sign up. Well, this is where the attackers come in.

They want those miles. They want those 10 percent offs over and over and over again. And so they’re going to populate your space with fake logins and fake identities. And so this is the other thing that we do on the consumer side is we’re really trying to help companies make sure that those identities that are logging in are real identity and they’re not bots and they’re not folks that are trying to take advantage of rewards programs. Because when that happens, when you have millions of false logins, not only are you taking up cloud computing space, which is costly — you’re not going to be able to make any money. You’re not going to be able to advertise. Because these are not valid shoppers. These are not valid consumers. And so on the consumer side, we’re really thinking … And I talked about identity proofing a little bit. This is where identity proofing comes in.

We’re thinking about — or we’re working to resolve — the problem of fake users, bots signing up, taking advantage of programs. We’re going through. We’re looking at databases and making sure that login credentials are valid. We’re kicking out invalid login credentials. We’re also going through … We have the capability of automatically resetting passwords of compromised credentials. And so when you ask what we do, I guess I didn’t dive into everything that we do, but we are using lots of technologies to help us make sure that your consumers are your actual consumers that you want.

Now, this is great for me as a CISO, but it’s also great for our marketing teams. Our CMOs are thinking about omnichannel operations, and they’re thinking about, “I want to make sure that Nilay gets this new shoe, and I want to make sure that he actually gets it and he gets the code and he is a valued customer of ours.” And so a part of our job is to make sure that your identity is protected, but also, for the businesses that you actually utilize, they understand who you are, they’re looking at real metrics about you, that it’s really your login. And so that’s the other side of it. And so it’s both for us. It’s both the consumer and the workforce.

I want to come back to that, but you’ve led me directly into the big Decoder question. Okta does a lot of things. There’s a big enterprise part of it. There’s a consumer part, which you’re a part of. Then there’s sales. How is Okta structured? How does the company work?

We have 18,000 customers. We have 6,000 employees. And we’re structured into our two primary clouds. So essentially, how I’ve been talking about it, that’s how we’re structured. We have our CEO, Todd McKinnon, and then we’re structured into our two primary clouds, our workforce identity cloud, which is focused specifically around workforce logins and employees. And then our customer identity cloud, which is focused around consumer internet, consumer apps, SaaS apps, internet-facing applications. And then, we have teams that support each of those primary clouds.

Then there’s the other big Decoder question, which is always very interesting to ask security people because the tradeoffs around decisions when your focus is security is very different. How do you make decisions? How do you influence what the company does?

“Consumer logins are incentivized: … Sign up, and you’ll get 10 percent off. Ultimately, you are thinking about trying to get valid customers to sign up. Well, this is where the attackers come in.”

I’m a product CISO, and this is my first time being a product CISO, and so, over my 25 years, it’s changed. I would say when I first started in the industry, I was hardcore security. There is no tradeoff. It has to be secure and as little risk as possible — very risk averse.

Now that I’m a product CISO and our product is security, security has to be a business enabler. I have the unique position of not only being the CISO of CIC but also of being the chief tester of products. I get to really look at some of our products. So when I first landed at the company, we were thinking about a product called Security Center. That product is now in GA [general availability], but we were thinking about it. And they came to me and said, “Hey, would you like to have this?” And I was like, “Hell yes. This is a dashboard that gives me all of the data around bots, around credential stuffing attacks. And this is something that I would love to see so that I can actually make good decisions around security.”

Let me give you an example. We have the ability through Security Center to tell you if an influx of activity is actually consumers trying to log in because you maybe have a new product launch, like a sneaker, or if it’s bots that are actually attacking you to take advantage of that new product. And then with that, you can turn our controls up and down. You can turn on advanced attack protection, you can turn on bot protection. And so, for me, I was so excited about the product that I leaked it accidentally a bunch of times because I wanted to talk about it, I wanted to share it, and I wanted other CISOs to see it.

So for me, as a CISO, this is the best place to work ever because I get to really see how our products are going to impact my own peers, and I get to understand if they’re going to be helpful, not just from talking to my peers but from actually testing the products out myself. And so it’s a really interesting role. It’s very different than all the other roles I’ve had because my previous roles were specifically about protecting our intellectual property, protecting the crown jewels.

This job is different. This job is about making security a business enabler — using the knowledge that I have of this industry to create better products for Okta and to create better products for our consumers, but also for our CISOs. And so we’ve got threat intelligence or threat insights coming out where it allows us to really seed information from our systems, which we see billions of logins every day. We get to see the real ones and the fake ones. It allows us to share information and intel.

The other thing about this role that I think has been fun and unique is that I am a fan of sharing information with other CISOs. We are so secretive oftentimes because we just can’t share. Our companies don’t really want to share the details around cyber attacks.

But ultimately, CISOs I think are a trusted community where we can share information because we’re all fighting the same adversaries. And one of the things that the adversaries have on their sides is that they share information. They go, “I did this, this attack was effective, and you try it now.” We are not doing that, and I think we have to get so much better at it. One of the things that I get to do is share information about what kinds of attacks I’m seeing in real time with the community so that they can do something about it. And so, for me, very different roles. Security is a business enabler now, but it’s not just a business enabler to me — it’s a business enabler to marketing, to our product officers, really, really helping them to understand how what they’re doing in this space can change and uplift the entire community.

There’s a tension you’re identifying there, and I want to just push on it a little bit more. In your previous roles, and [with] other security folks I’ve talked to, a lot of their decision-making is about, “Okay, the company wants to go fast, but I need the company to go slower and button up and protect those crown jewels and make sure that we are not introducing new kinds of vulnerability, but we’re thinking it through from a security perspective before we rush out to market.” It sounds like you are in a different role now where you’re selling the security to the market, and you’re able to act differently. How has that changed your decision-making process?

It’s both. I am selling security, but I also am still the CISO of a line of business. And so we talked a little bit earlier about secure by design. I am hardcore about it. What I’ve had to do is really change my relationships internally with my counterparts. So my CTO, she’s my co-conspirator. We spend a lot of time together thinking about secure by design and also thinking about the software development lifecycle and how we can build security into that. It makes my job easier on the backend because, when there’s a vulnerability, we are already thinking about… we don’t just patch them. We roll out a new version of our product where the vulnerability is resolved. And so that’s one piece of it that I get to impress upon the software development life cycle that security should be built into it. So that’s really my primary job — to reduce risk as much as I can.

The other side of it is, while we’re doing that, I’m also thinking about the final product and the ways in which that product can be helpful to a CISO. And so it’s both. It’s yes, I’m selling a product, and yes, it’s a security product, but I get this unique perspective on the entire process from start to finish. When we start ideating around what’s next, I’m sitting at the table saying, “I don’t think that that’s going to be what CISOs want, but let me go ask them.”

Or actually they will tell you. Obviously, CISOs are vocal people. They’ll share with you unsolicited, “This is what I want to see next. This is what I need from you.” And so I get to be their voice in the process, but I also get to see those outcomes. And so it’s a very different kind of job in that security is not just there to reduce risk. I still have the standard teams. Governance, risk, compliance, detection and response — we have platform and product security. So all of those teams still exist, and they’re still there, and we still have our primary job. But I think we all are challenged with this really higher level of thinking about security, and we’re thinking about it from the consumer perspective as well.

How do we create a product where a consumer can log in and it’s frictionless or as frictionless as it can possibly be? Because ultimately, they’re our first line of defense, and so we’re thinking about the entire process all the way through to the consumer. It’s a very different role.

Let’s talk about that process, because we are in a time of change for security right now. Probably in a few weeks, iOS 17 is coming along with the new iPhone. Apple’s already previewed it. They’re pushing into passkeys; Google said they’re going to do passkeys; Microsoft has said they’re going to do passkeys. This is a big change that’s coming. Describe to the listeners what’s going on with passkeys and how you think it’s going to change the experience of identity on the internet.

I talked a little bit about friction, and I think that, ultimately, what passkeys allow us to do is remove some of the friction from the login process. In many cases, we’ve experienced passkeys already, and we’re just not completely aware of it because the process is very smooth. If you are using your mobile device in any capacity to log in to something, there is likely a passkey involved — most likely with your bank. Banks are really good and really forward-leaning in terms of protecting the login space.

Why is this important? Because everyone’s on board. And the reason that everyone’s on board is because we feel like this is the right way to go. This is the way that we need to drive the industry. Well, why do we think that? Because the consumer ultimately decides how and the ways in which our products will work and if they’re successful or not. Passkeys make it very easy to log in to things, and they remove so much friction from the login process.

What is friction? Because I’ve said it a bunch of times, but I’ve not actually talked about what is friction. Anytime you have to stop and think about something else in the login process, it’s friction. So I’ll give you an example: You’re going to a website. You’ve put in your username and password. It says, “We don’t think this is you. We’re going to send you an email.” Now you’ve got to go to your email — that’s friction. Or CAPTCHA pops up, and maybe it’s not the greatest CAPTCHA, and you can’t really figure out how to get through it, and you can’t. That’s friction.

At this point, I assume every CAPTCHA is me training an AI modeling system somewhere. I’m like, “I’m just contributing to some AI model somewhere.” I’ve identified all the crosswalks in America at this point.

All the motorcycles, all the stoplights.

So passkeys are the next version of our ability to log in without friction. They are critical, and they are secure — that’s the other thing. And so when you see massive, massive amounts of industry, and you’re in this industry with us, moving in one direction, it’s because we feel like, universally, it’s the right direction to move in. Would I love to say that Okta spearheaded that? Yes. But I think it’s a mutual agreement amongst all of us that safety and security of the consumer is of utmost importance. And so that’s why we’re headed in that way.

So the consumer experience of the passkey is: I’ve got my phone. My phone authorizes me, usually with some biometrics, in every example that I’ve seen — Touch ID, Face ID, whatever. Now my phone knows it’s me, and now all logins are handled everywhere because my phone is authed to me. Is that how you see it playing out? Because I see a bunch of big companies saying we still want our employees to log in.

I think that that is how I see it playing out. And the reason for that is that people — it’s not because of the technology. It’s honestly because people hold onto their cell phones with a death grip. This is just my own perspective from just watching humans do humanity things. If you lose your cell phone, you lose your mind. You want to find it, you’ve got a tracker on it, you’ve got a way to trace it. And so the passkey takes advantage of something that we’re already doing naturally, and I think that’s why it’s going to be more successful. We already are building biometrics. They’re not are building; they’re there. We’re already building this additional vector of authentication into the capability of every cell phone. And we’re so serious about holding onto our cellphones, having them near us.

Even when you sleep. When you wake up in the morning, you go straight … And so I think we’re thinking about the way the world is actually moving and going. We need to build the technologies that people are really using. We don’t want to come out with something new and force people to do it because they’re still holding on ferociously to the username and password. And what we’ve done is iterated. Passkeys are an iteration upon that.

I love using biometrics. It’s one of my favorite things to use. And in many cases, if a login box pops up and that’s not an option, I am like, “I don’t even want to do this.” If I can’t turn it on … But it also is predicated on building a login process that has FIDO2 technologies, WebAuthn. You can’t use these new technologies if you’ve not built those into your stack. And so, there are some things that we still need to do to get to the place where everyone can use passkeys, but I do think it’s the way of the feature, and I think it’s the right thing to do.

“Biometrics are insanely secure. There’s only one version of Jameeka’s face.”

Biometrics are insanely secure. There’s only one version of Jameeka’s face. I think we still have a ways to go around biometrics’ ability to detect people. I’m a Black woman, and so, in many cases, biometrics has failed me. I don’t use facial recognition, but I do use my fingerprint pretty often. And I don’t use it because it doesn’t work for me. The models have not been trained enough with diversity in mind to get there, but we are going to get there. I do think we’re going to get there. And so I think when we think about the future with passkeys and with all of these different ways that we can use pass keys and we can access them, yes, it’s the way of the future, yes, it’s going to happen, and we’re all going to march in that direction, and people are going to — I think when they realize that, they’re going to like it.

I just got my mom — it was her birthday two days ago. It was my mother-in-law’s birthday. We got her a new iPhone. She is using biometrics now, and she thinks this is the best thing in the world. She’s 73 years old. She was like, “Wait a minute.” And she had an iPhone. Now, mind you, she had an iPhone 6. So this just tells you.

But I think about the world. I think about my own family when I’m thinking about the new technologies that we’re putting in place. So we got her a brand-new iPhone. We set it up for her. She loves it. She literally uses her fingerprint. She also uses facial recognition, and she thinks it’s the most amazing thing ever, which lets me know that when you get walked through the process properly or when you get to understand what it is that you’re doing and you get to see the technology work … She literally was like, “Well, what else can you do with this?”

So now I’ve got to go back and give her a whole lesson in all the places she can log in using passkeys or using biometrics. I think that if a 73-year-old can pick this up in 10 seconds with a little bit of help from her kids, the world can pick this up. And I think that that’s what we’re thinking about is what is going to be easiest for the world.

The other thing I think is that, in many cases, technology is not accessible to everyone, but there are cellphones. And so even when you don’t have a desktop or a laptop … I don’t know anybody that has a desktop anymore. But even when you don’t have a laptop—

I’m talking to you on an iMac. Come on. This is a 2015 iMac. This is state of the art.

2015.

It’s still rocking, man.

Passkeys are coming, and you’re still … I can’t even believe you just admitted that.

I love it. I’m never letting this thing go. It’s perfect. It does its job exactly right.

Even to that point, she held onto her iPhone 6, you’ve got your 2015 iMac, and you’re both going to get passkeys. So I think that, yes, we’re thinking about making technology accessible to everyone. I know that the manufacturers of hardware products are thinking about that, and we’re thinking about how we layer software on top of that that makes it accessible and secure.

So a big piece of this puzzle here is you bought your mother some new hardware. By the way, the CISO explaining all the websites you can securely log into to their mother — that’s like a children’s book for kids who want to grow up to be CISOs. It’s great.

But you’re dependent now. Okta was a startup. It became a unicorn. Now, it’s very successful because it leaned into a technology shift that was happening, away from on-prem into the cloud. You’ve talked about the cloud a lot.

Here you’re saying, “Okay, well, Apple’s got to ship Face ID and fingerprint sensors. Google’s got to enable this across the Android ecosystem. Microsoft has to do it on Windows, and then Lenovo’s got to put that system on their laptops, and it’s all got to work together, and Okta’s going to sit in the middle of it.” Does that create a new set of dependencies for you? Because that seems like it’s going to get very complicated in a way that for Okta and the enterprise, the entire pitch was just “do this in the cloud, we’ll handle it for you.” And you weren’t dependent on 50 of the biggest companies in the world all working together.

That’s what we’re doing. These companies are our partners. And yes, we compete in some spaces, but they are also our partners. And it is predicated on us as industry leaders to lead the way, so sometimes we have to work together. But this is also where industry standards become important. Because, in many cases, we are building with an industry standard in mind. And so we’re not necessarily saying that Okta is the dependency — we’re saying build toward the industry standard. And if you build with the industry standard, then Okta will pick up and manage identity for you.

Is there buy-in around this standard? Because I—

Yeah!

We cover our standards a lot here at The Verge and, boy, can that get loaded.

Yeah. I think there’s tons of buy-in around FIDO2 and WebAuthn. I guess I’m a forward-leaning technologist, so of course, I’m going to say yes. I haven’t seen a space where I just couldn’t use it… yet. But again, I think I’m biased because I’m a technologist at heart, and so I’m trying to figure out more ways in which I can use it. But no, I think there has to be industry buy-in for certain standards. USB-C. It’s all over the place now.

Right. But when I say, boy, can that get complicated — that’s another hour of how that standard is not actually easy to use and it has been corrupted in 50 different ways.

Yes. But it is a standard. And I think that sometimes you have to have a standard for the sake of interoperability. And I think that that’s what these standards are about, is interoperability. Because capturing market share is really, really challenging. And in many cases, you cannot capture market share when you do not have that interoperability.

“We all are reliant on each other. The failure of one technology, it’s like dominoes falling. “

There is no one company that owns the space completely. In many cases, we all work together in vast ways. In order for us to have that level of interoperability, we are working from a set of standards. Okta has 15,000 connections. Now, are some of them built on standards? No. Some of them are like, “No, we just really need to make this API work.” And so that’s what we’re doing. But we take that challenge. There are some that will be standards-based. There are some where we will just partner and say, “We need to make this work because it’s going to be a benefit to our customers.” It’s both.

Let me give you an example of just standards among these companies. I will abstract it out so you don’t have to talk about your competitors/partners directly. One big company agrees to do a standard with another big company. The first big company loves to just do the whole thing. All in, idealistic, we’re doing it. And then the other big company, which is just down the road from them, usually is like, “We’re taking three pieces of the standard and building our entire stack on it, and the rest of it will be completely ignored because this is the jewel-like user experience that we’re after.” I’m not saying which companies are which. I’m just saying that’s a pattern I see happen over and over again. For you as Okta, building on top of that, how do you manage that as you try to push out the consumer products that you’re building in a secure way?

Some of it is just … Well, in some cases, they just say no, and we go, “Okay.”

Sometimes you’ll hear us say we’re 80 percent of the way, because not everyone always wants to get on board. That’s going to happen. We know that. When you have your own ecosystem, you have flexibility to say, “No, I’m not going to participate.” It is our hope that when we think about identity, this is about people. This is not about market share. This is not about having your own ecosystem for Okta. This is about people, and this is about protecting people. And so it is my hope, it is Okta’s hope, that that becomes the forefront of standardizing if it is a benefit to people and protecting our consumers. Because ultimately, when our consumers are compromised or when we are compromised through our consumers, we lose trust. Trust rides in on a tricycle and leaves in a Rolls Royce. It comes in slowly, and it goes out on a jetpack. And so when we lose consumer trust, we all lose.

So what we are trying to do is to get the “companies that be” to say, “Yes, this is something that we all should do.” Is it hard? Is it difficult? Absolutely. But is it the right thing to do? Absolutely. And it’s a task or a challenge that Okta is willing to do. Because if we’re going to say that we’re neutral, we have to get as many partners on board as we can. And so that’s what we’re doing.

I’ll tell you, we have been wildly successful in that. In talking to some of the larger companies and saying it is important that this particular standard, passkeys, is the one that we agree on because it’s about people. If we keep that in mind, it makes the conversations different and a lot more smooth because, ultimately, nobody wants to be the company that is on there and saying 3 million of our customers’ data has been breached. That is what we are all facing when all of us don’t get on board.

We all are reliant on each other. The failure of one technology, it’s like dominoes falling. [If] we get compromised in the identity space, many, many other areas are compromised as a result of that. We don’t want that. So we are really, really focused on not only being a good partner but building those good partnerships. And sometimes, that means bringing everyone along, even if they don’t want to come along.

So let me ask you — that’s the work. It sounds very complicated. You sound very passionate about it. How long until the password goes away? The password as we know it.

Oh gosh. In one interview, I say, “forever,” and in one interview, I’m like: “tomorrow.” I don’t know. You know what? That’s a question that I really don’t know. I don’t know how long it’s going to be. I would like it to be in the next five to 10 years. That’s still a long time. I don’t have the answer. I think we’re really pushing toward it going away, but I don’t know. That’s one I just can’t answer. I would love to say that it’s sooner rather than later, but I don’t think that that’s true.

You don’t think that something like the release of iOS 17 with support for passkeys leads to rapid adoption and then an exponential curve of passwords going away?

No. I think that it will speed up the adoption, and I think that this is what has to happen. I think that we have to have these kinds of releases where they speed up adoption. But ultimately, in order for passwords to go away, everywhere that there’s a password, it has to have the technology built in for it to go away, or they have to use a product in front of their login box for it to go away. Now, obviously, we can do that for you.

Good plug.

We can do that for you — that is a good plug! But I think we’re still a ways out because people are emotionally tied to it. I think that they want it there. They think it’s important. And so I think we’re still a ways out because of the emotional connection, not because of the technical capability. I think the technical capability is there. I think that again, as we continue to partner and we continue to do software releases and hardware releases that this is available, people will just naturally migrate to it, and then it’ll become a part of how they do business every day. If you had to nail me down, I’d say we’re five to 10 years away from the password going away.

That’s a good answer. That’s what all the self-driving car CEOs say, too. It’s just enough to be specific but just fuzzy enough to be never. Nailed it. It’s a real theme on Decoder.

Well, you got an “I don’t know” out of me, so that’s the real answer, right? You got me to say, “Yeah, I don’t know.”

I think a lot of people want it to go away, and I think it’s comforting to people. I want to come back to that, actually. That thought of the fact that it’s real people that are going to drive the shift. But one more question about the passkeys in general. You mentioned biometrics — you really like it. There are big tradeoffs with biometrics. You mentioned that you’re a Black woman, and facial recognition systems generally have not been trained well on people with darker skin. I’ve experienced this as well. There’s bias in that data.

We’re also coming up on a time of massive AI development, and it seems like a lot of AI bad actors are going to point it right at biometric systems. The big tradeoff in biometrics is once it’s breached, it’s done, right? I can’t change my fingerprint, at least not yet. How are you thinking about those tradeoffs, especially in a time when AI systems seem poised to be used by bad actors to attack them?

Yeah. I’m worried. If I had to say, the biggest thing that I’m worried about is what happens when they lose my fingerprints? What happens when those are breached, and what are we going to do about it? I think that the tenets of protecting data and protecting PII — those are not new. As we start to think about how we’re storing and how we’re handling data and encryption and at rest, we’re going to have to, I think, uplevel our skillset around protecting biometric data. It is, I think, again, the thing that I am most worried about. And again, not as a CISO but as a human being. What happens when they lose my retinal scan? What happens? And I think that that’s one of the reasons why I am such a fan of having the capability on your cell phone. Because you’re holding it.

Locally, you mean. Not in a cloud.

Locally, right. Locally. When I say your cell phone, I mean locally. I’m a fan of that technology because we’re holding onto it with a death grip. But it also allows us to have some ownership and protection of it. And because there are tons of ways to wipe and delete remotely, there’s tons of things that we can do with cellphones to really protect that. And so I think that’s one of the reasons why I like the technology.

But I am very worried about how we protect the data. We have not gotten to where we are, I think, universally good at protecting data and protecting databases. I think, even more so, you talked a little bit about AI. When I think about AI, I think about these large language models that are being built and the ability for me as a CISO — one of the things that we can do right now is understand if it’s a human or if it’s a bot. Generative AI is bringing in deep fakes that are human-like. The thing about generative AI is that it mimics us. And so our ability to detect if it’s a human or if it’s a bot is diminishing, it’s going to diminish. And so this is where the challenge becomes really critical because what happens when those deep fakes can also mimic our faces and our biometrics?

I can imagine an attack where I get between the camera and the facial recognition system and deepfake your face onto my head. That would be crazy. I’m just saying I can imagine it.

That’s our future. That’s our future.

That’s where the attack happens, between the camera and the security system. And I deepfake your face, and you’ve only got one face. And once that’s done, that’s over. That’s the tradeoff with biometrics. It’s easy and convenient and the most secure right now, but it’s also… once you’re off the cliff, you’re done.

Yeah. And this is the CISO’s journey. This is a part of what … Oftentimes, they’re like, “Our CISO’s crazy, and they’re telling us about all these things.” I know they say it. We’re telling these horror stories. But AI is real. It’s not new technology. We’ve been using machine learning to defend against bots for years. It’s not new to us. And so, in that case, it’s not new.

What’s new is how generative AI is being used. And so yeah, I’m concerned. And I don’t have an answer for how we fix this yet. OAuth just came out with the top 10 for large language models, and I’ve been ferociously reading through it. It’s 30 pages. It’s a great read, though. And the Cloud Security Alliance has also put out some really great information around how we defend against it, but it’s not solid. We can use AI to defend against it. There’s still a lot of thought around if it’s going to be the defenses that have been proposed are effective, and none of them are talking about biometrics man-in-the-middle attacks.

“We also can’t get so far behind the mark with [AI] security as we do with other technologies. We’ve done it over and over again. We should know better by now.”

They are talking about adversary in the middle, but not this particular example that you’ve given. We’re not there yet. And when we think about why there is so much consternation about AI, this is the reason why. Because we all can come up with these various examples that none of us have thought about how we defend against yet. And so, while I’m a super fan of AI, also I’m like, we also can’t get so far behind the mark with security as we do with other technologies. We’ve done it over and over again. We should know better by now. We really are going to have to get really, really good at this particular space of security and defensibility in the space of AI.

Not happening at a rapid pace the way I would like to see it. But what I do know is that I think it is as important to us as it is the folks who are making AI to do this work and to secure this work. We’ve let something loose. I look at some of the AI generators around headshots, and I’m like, “These look great, and they look just like me.” And how would you know if I sent you a headshot that wasn’t really me at this point? It’s hard to know. That’s the good part of it because Jameeka looks great all the time. The bad part of it is when you take what I’ve sent you and use it biometrically to log in to everything that I own. So it’s both. I think we’re going to have to be very, very thoughtful about security in the AI space.

There’s lots of talk about, like, “Hey, what happens when my developers dump all of my code in?” I’m not super concerned about that, and I’ll tell you why. The reason for that is you have to have a lot of data to change a large language model. And then the person who’s attacking you has to know that your data’s out there and that it’s a part of a model. And so it’s pretty sophisticated. You would’ve to dump all of the entire source code in there — they’d have to know how to use it. You’d have to have all the secrets in there. So, yeah, I don’t want our developers doing that, but at the same time, in order for it to actually go into a public large language model that’s crawling the internet, you’ve got to really put a lot of instances out there for it to pick it up. I am much more concerned about what you’ve talked about here. I don’t have the answer yet. It’s one that we are all digging into in the security community and trying to figure out how do we not create these scary stories but really get finite user-centric details around what can actually happen with generative AI and what are the threats that are out there.

Do you think that it’s worth slowing down the headlong rush toward passkeys and biometrics on phones while this gets sorted out?

No. No, I don’t.

Why is that?

There will be times when technology doesn’t move at the same pace. And so I think that we, as ferociously as AI is moving forward, we are going to have to move forward as well because if we stop the rollout of passkeys and biometrics, AI is still going to keep going, and those deepfakes are still going to happen, except for now, those deepfakes are just going to be using username and passwords. And so it’s one of those things where it’s like, no, you can’t — you shouldn’t stop, because ultimately the answer could be an AI technology. It will likely be that we fight AI with AI. And if we don’t keep moving to advance these technologies, AI is not going to stop. It’s not. As much as the flag has been raised and people said, no, no, no, you don’t see it slowing down at all. And so, why would we slow down when we know that this technology is moving that we need to be able to protect and defend against? And so I would say no. Actually, what needs to happen is that we need to move faster, and we need to be uniquely acquainted with AI and all of the risk and vulnerabilities and threats that it presents. And we need to continue to evolve these technologies to go right along with AI.

I want to end with just a bigger-picture question. We’ve talked a lot about people in this episode, how they behave and what they like and what they’ll do and how you can get them to act in a more secure way by making it easier, by reducing friction. You have a pretty unique background here. You came out of the Navy. You’re a woman of color in the security industry. That’s fairly rare.

It seems like understanding people’s behavior broadly is really important to security, and the cast of characters in the community has been pretty narrow, been pretty insular. They’ve all pretty much looked the same from the same backgrounds. Do you see that changing? Do you see that pipeline of people from the military, for example, from other walks of life, coming into the industry? How do you accelerate that? Because it feels like that’s the key. You’ve got to understand the 73-year-old mom if you want to make passkeys work and that the community understands itself right now.

It’s my life’s work to diversify the community that I’m a part of. It’s important to me because diversity of thought is important — to your point, the 73-year-old mom, the person of darker complexion or darker skin. We have a ways to go. We didn’t create the society that we live in overnight. This didn’t just happen to us. This is hundreds of years in the making. It’s been done through various mediums. And so what we’re seeing now is the end result of intentional behaviors. And so what we need to fix this is intentional behaviors. We need people who are leaders who are willing to go and find diverse candidates and not say things like, “We’re going to lower the bar.” That’s bullshit. It’s bull. You’re not lowering the bar when you go and look for candidates of color — you’re going out of your comfort zone. And that’s what I want the community to be honest about — that we are going to have to get out of our comfort zone to create a technical community that represents the world we actually live in.

“You’re not lowering the bar when you go and look for candidates of color — you’re going out of your comfort zone. … We are going to have to get out of our comfort zone to create a technical community that represents the world we actually live in.”

There is not a place where one person with one train of thought can do everything for everyone because you’re not going to be able to include everyone’s hopes and dreams and wishes in that. But when you go and you seek out a diverse community and diverse thought, then you will get a larger intersection of the world. And it is my hope that someday I will look around and the world that I live in doesn’t look like the world that I work in. I want the world that I work in to look like the world that I live in because it is incredibly diverse and it is a beautiful community of people who are brilliant and bright and who have all these great ideas.

And so we’ve got to be intentional. The leaders in security have got to be intentional about how we recruit, but not just how we recruit. Because I see tons of diverse candidates come in through the pipeline, they get new jobs, and then the culture of the workplace is horrible to them. We’ve got to retain those folks that we bring in. The culture has to be friendly. The culture has to be accepting. The culture has to be one in which people feel like they can bring their true selves to the office because when you do that, that’s when you get brilliance. And I’ve said this to leaders that I’ve worked with before.

I’ve spent many, many times in many, many positions where I was not an authentic version of myself. I was a version of myself that I felt was appropriate for work. And I spent so much time being that person that there were many great ideas that I didn’t bring to the table. And then I came to Okta. And I have been able to be a very authentic version of myself. You can’t do everything at work. It’s work. It’s not recess. But what they have gotten is some of my very best work and some of my very best thought leadership because I’m not thinking about “Are they concerned about what Jameeka looks like? Are they concerned about how she talks?” They’re not concerned about these things. They’re concerned about, number one, “How can Jameeka bring her very best thought leadership?” But number two, “Jameeka also has unique challenges that the rest of us don’t face, and we want to make sure that we’re not a part of perpetuating that problem for her.”

We have not been intentional about diversity. Looks like we’re walking it back a little bit in many cases. And so I think that we have to be really intentional about diversity, and we have to be really intentional when we bring diverse candidates and employees in. We are also intentional about making sure that they are welcome and that their ideas are welcome and that we’re listening.

Ultimately, when we think about these big jumps, there’s someone out there who’s going to solve this AI security problem, and we don’t know where they are in the world. And if we’re not looking for them, we’re not talking to them, then we’re never going to have the answer. And there are other answers out there in the world that we’re not going to get because we don’t have diverse audiences. And so that’s my soapbox on that. But I think it’s important to me. I’ve got a long time left in industry, and I think that it is going to continue to be a big part of what I do to make sure that we have diverse spaces where people can thrive.

It seems very important to me in the security space in particular that you understand the people — like all the people, not just some of the people.

But you’ve given us so much time, Jameeka. This has been an incredible conversation. That’s a great place to leave it. It sounds like you have a lot of problems to solve, so we’ve got to let you get back.

I’ve got a lot of problems. I’ve got a lot of work to do.

We’ve got to let you get back to work. You’ve got to come back soon. Let us know how this passkeys thing is going. This has been great. Thank you so much.

Awesome. Have a good one.

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Sarthak Luthra
Sarthak Luthra
Hey, there! I am the tech guy. I get things running around here and I post sometimes. ~ naam toh suna hi hoga, ab kaam bhi dekhlo :-)

Popular

More Like this

Biometrics? Bring it on: why Okta’s Jameeka Green Aaron wants passwords to go away

Photo illustration by Alex Parkin / The Verge

How do you define what it means to be you in the all-digital 21st century — and how should systems protect that?

Today, I’m talking with Jameeka Green Aaron. She’s the chief information security officer, customer identity at Okta. Okta is a big company, a Wall Street software as a service darling, and also just the thing a lot of us have to log into at work 50 times a week to get anything done. So I was very curious to dig into the business of Okta’s business.

But Okta’s point of view, Jameeka told us, is that it’s not just a security company; it’s an identity company. So we talked at length about what the whole concept of “identity” even really means in 2023. Is it your whole actual self? Is it a digital replica of your vital stats and permissions? How do you define what it means to be you in the 21st century, and how does that relate to the way you use technology, tools, and systems? How is an identity-based approach to systems more or less secure than other approaches?

We also talked about what identity means in the offline space — the real world, at work — and why that matters for all the rest of us.

As I’m getting ready to host the Code Conference next month, AI is absolutely top of mind across basically every industry — and cybersecurity is no different. Jameeka told us what her real concerns about the new wave of AI tools are: not that they can move faster, although they can, but that they can disrupt security at the level of identity and make it harder to tell, well, who’s real.

A few notes: We talked about passkeys quite a bit, which big companies like Apple, Google, and Microsoft are all signed on to as a biometric replacement for passwords. We’ll put links in the show notes to various Verge stories about it, but the basic idea is that you can sign in to your accounts using your fingerprint or Face ID instead of a password. Google already supports it, Microsoft is testing it in Windows 11, and Apple will support it soon with the release of iOS 17 and macOS Sonoma.

We also talked a lot about the idea of keys and key management in general. At the most basic level, a key is what allows computers access to various systems, but once you have a big database with lots of users and complicated APIs, managing all those keys becomes a big problem that affects everyone. And that’s really very much the business Okta is in.

Lastly, you’ll hear us refer to “PII,” which stands for “personally identifiable information.” That means data that’s unique to you, like your name or social security number, as opposed to data like “what kind of phone is this person using.” That kind of data being compromised is the stuff security breaches are made of.

I had a lot of fun talking to Jameeka… right up until she made fun of my iMac.

Okay: Jameeka Green Aaron. Here we go.

This transcript has been lightly edited for length and clarity.

Jameeka Green Aaron, you are the chief information security officer, customer identity at Okta! Welcome to Decoder.

Thank you for having me. This is cool! I’ve been listening and following you for a while, and you’re a good interviewer, so I hope you take it a little easy on me.

The people who say that are usually people who are most prepared, so get ready because the org chart questions are coming. That’s what we do here.

Okta is a really interesting company. We use it here at Vox Media. It is a big company; it’s a darling of Wall Street. While we’re talking today, the stock price is up. It’s a big enterprise company. Everybody needs it.

For most people, it’s the thing that comes in the way between you and the thing you want to use at work. So, if I want to log into Airtable at work, I’ve got to stop and use Okta and then check the two-factor somewhere. That’s how most people experience Okta. So give people just a high-level view of the relationship between the thing they experience of Okta and what Okta is as a business.

Okta, as a business? We’re about people. We’re a technology company that’s about people. Our goal is to enable everyone to safely log in anywhere they want to log in, essentially — safely use the internet and log in. And so when we think about what Okta really is, we’re just a login box. In layman’s terms, we’re the login box.

We’re building a primary cloud for identity. Well, what does that really mean? What is a primary cloud? Salesforce is a primary cloud for CRM, or Workday is a primary cloud for HR. We are building a primary cloud using workforce identity and customer identity for identity. That’s what we’re trying to do, or that’s what we’re doing, at Okta. And we touch people everywhere that they are. So, yes, you see them at work, but what people don’t realize is that you also interact with us on the consumer side — when you’re logging in to your banking application or when you go to a baseball stadium, you are also interacting with the login process of Okta. That’s what we do.

I think of web applications — really, I think of all computer stuff — as a series of modules. I log in to a bank — they need a database vendor and a web design company. And you’re saying even through that, even through just logging in, you’re the vendor that supplies secure logging in to a bunch of people that need secure login, and then you can go and use your application?

Is that where it ends for you, or are you trying to go beyond that?

That’s where it begins for us. We absolutely are trying to go beyond that, because I think, to take your example, when you log in to a bank, you don’t just log in. You log in and you’re prompted for additional factors — so, multifactor authentication. So you’re prompted with a one-time pin, a password, or an additional password. You’re prompted with a social login or some other way to verify you. And so we are not just the login box — we’re not just securing the login box. We’re trying to blend the user experience into the login box. So there’s that. I think there are other new technologies that are coming out and that are changing that are also going to change what we do, like the way we protect personally identifiable information. And so we are now a part of that as well.

So I wouldn’t say that that’s where we end. I’d say we are at the beginning of the process. We’re trying to change the way people think about passwords and the way they think about how they log in, and that’s hard because the password is deeply ingrained into society. As long as we’ve known computers, we’ve known there’s a username and password, and we’re now saying, “Hey, let’s move beyond that. Let’s get beyond that. Let’s go into passkeys, let’s go into passphrases, let’s go password-less.” And so we’re thinking about all the ways in which we can do that securely but also in a way that people will actually use the technology to keep themselves safe.

I want to talk about passkeys in particular. That seems like a big trend that’s coming — Apple and Google are into it, Microsoft’s into it. But I want to stay focused on Okta for just a second here. When you think about that problem space, we want to make identity and logging in better — that’s a big problem. And it ties into a bunch of social factors. It ties into how people want to use the internet. It ties into the very notion of whether you should be the same person everywhere on the internet or different versions of yourself on different platforms. Does Okta have a view there, or are you more “okay, we’re for you at work, we’re for you when you interact with a business”?

“We’re about people. We’re a technology company that’s about people.”

No. I think we have a perspective that digital identity is important. From that perspective, when we think about digital identities, we want you to own your actual digital identity. I think that’s the most important thing when we think about people and technology. I want Nilay to own all the versions of Nilay on the internet. I want the threat actors not to own any of those versions.

So when we think about our trajectory as a cloud identity company or as a primary cloud for identity, we are thinking about: How can we make it so that wherever you are, you actually own your true identity? And that’s a really big problem space, and it’s hard. Because you have to think about … We are thinking about passports, about driver’s licenses and things that you physically hold that also can eventually relay into your digital identity. And we’re seeing some of that interplay now, right? You see your physical identities be scanned into digital platforms and verified that way. But ultimately, we want this to be a seamless process where who you are in real life and your digital identity align and they are both protected. And so, Okta has the problem space of trying to innovate in a way that we can protect both of those identities at the same time.

I hear that. That’s the big vision. I’ve heard that from a lot of companies over a long period of time. Then it runs into reality for me, which is — boy, maybe I don’t want my driver’s license on my phone. This is a very practical thing that big phone companies would like me to do. Apple would love me to put my driver’s license on my phone. Probably because they just want me to use their credit card. Throw away your wallet entirely.

They want you to use your digital wallet.

Now use Apple Pay. We will take some … It’s very transparent what’s happening there, but they’ve got to get my driver’s license on the iPhone for that to happen. And then I think: I would never in a million years hand my phone to a cop. It’s not going to happen. I need a warrant. You got to show me a warrant before I hand my phone to a cop.

But if I get pulled over, and I drive too fast, and I get pulled over, the first thing they ask me for is to hand me their driver’s license. As a business, Okta has a vision. That vision probably extends all the way to your state-issued ID should be digital in some way. And there’s the practical reality of a bunch of people are never going to hand their phone to a cop. Is there an interplay there? Do you see that?

Do you have to hand your phone to a cop? That’s the question. Do you actually have to hand your phone for them to get—

I think if a cop has an excuse for me to give them the phone, they will take it.

Yeah, I think so! In my mind, when I think about a digital identity, I would not want to hand my phone to a cop. So I agree with you there. I agree with that sentiment. But at the same time, we don’t hand our credit cards over now when we swipe to pay. When I think about just me, Jameeka, and the future of digital identity: I’m pulled over, and I’m in my car, I’m driving my car. Let’s give that example. And my driver’s license is not only tied to my registration in my car, so when I’m pulled over and my license plate is run, there’s information that’s given to a police officer that says, “This is Jameeka Aaron’s car, and this is her driver’s license, and this is what she looks like.” And so when they see me, they go, “Oh, we already have some of her information, or we’re using technologies like NFC to actually transmit that information over to them.”

So I don’t expect to hand over anything else anymore, essentially. I expect that when we think about the future of digital identity, I don’t think people are quite ready to part with anything physical, and that’s fair. I think there’s the physical identities that we have, but then there’s our ability to transmit that identity to those who need it for specific reasons. And I think it goes beyond that. It’s not just: transmit my identity, everything on it — my name, my address, my social security number. It’s: Hey, in this particular case, all you need to know is my name and if I have a valid driver’s license. And so when I think about the future of digital identity, I’m transmitting my name and the fact that I have a valid driver’s license over to a police officer in a wireless way, and that’s all they really need to verify at that point. Is she who she says she is? Here’s her photo, and she has a valid driver’s license. I think that’s the future of identity, and I also think that allows the consumer the ability to control what data is provided and where.

When you think about digital identity, that, to me, is what we should be thinking about. Right now, we don’t have a lot of control over the information that we provide to anyone. If you go through the airport and they scan your driver’s license or your passport, you don’t actually really know what information is being garnered in that particular case. The future of digital identity is one the consumer controls — where the consumer decides which information is actually needed, and do I want to provide that information? If I’m buying a drink and all you need is my name and that I am old enough to drink, then all I’m sending you is my name, potentially, or maybe not even that. Maybe I’m just sending you information that I’m old enough to drink, and yes, you can serve this to me. And so I think when we think about the larger world of digital identities, it’s really one where the consumer decides, and that’s, I think, what’s important to Okta. We’re thinking about: how do we put this back into the consumer’s hands and give them choice while also keeping them safe?

“Right now, we don’t have a lot of control over the information that we provide to anyone. … The future of digital identity is one the consumer controls — where the consumer decides which information is actually needed.”

And that to you is, there’s one unified identity that I control? It’s: I have an identity, and I’m picking and choosing what comes out of that database of identity characteristics.

Absolutely. It’s yours. It belongs to you. Correct.

How do you go from “a bunch of people have Okta accounts at their workplace with the name of their company and the login screen” to “everyone has a unified Okta account that interfaces with everything from local bars to cops?”

Number one, I think public-private partnership is going to be critical to that. And that’s not something that we’re totally good at yet. The fact that we have a state driver’s license tells us that we’re not good at unifying the identity space just yet. We totally have the capability to just have a driver’s license, right?

Yeah. But the political will in this country to do that does not exist.

It’s nil! But that’s what it’s going to take. It’s going to take that level of unification, not just across states but across companies. And one of the things that we [at Okta] pride ourselves on is neutrality. We’ve decided that we’re not going to pick. We’re going to work across many platforms, across various platforms, with thousands of partners, in thousands of ways that we’re connecting different infrastructures. That is what Okta’s trying to do: Our goal is neutrality.

I think us choosing neutrality, in some cases, everyone wants you to pick a side, and I think we have. We picked the side of neutrality and the side of our customers and our consumers. On the flip side of that, Okta’s not just workforce identity. My job is actually in the customer identity space. So, it’s the login box for everything else when you’re not at work. And so we have unique insight and unique data into how people actually move around. And one of the things that we have to do is identity proof all the time.

And when you think about identity proofing, it’s, “Hey, Jameeka’s got two email addresses, and she signed into this account, and is this the same one? If it is, let’s merge those together.” So I think that’s the other space where we really have the opportunity to innovate because we can identity proof, and we can go, “Both of these are Nilay. This is him. We know it’s him. We know these are his two email addresses.”

So when you think about putting that together in a larger identity space, we’ve got the ability to verify you at work. When you go to work, there are lots of verifications that happen that say: Yes, you can work, you pay taxes, those things. And then we also have the ability to identify you in the consumer space. Now, our two products right now are totally separate, but what they offer us the data and the opportunity to do is to look at people, how they move around, and put together the ideas of what digital identity will look like and how it will work. And so we’re still working on that. We haven’t solved the problem yet, but we understand that there’s this wide problem space, and we have a lot of data to be able to solve it.

You mentioned neutrality. Do you think the solution is that Okta maintains a neutral centralized database of identity, and everyone picks and chooses from it, and then we all trust Okta to keep that database secure? Because that seems like a rich target in the end.

“Ultimately, identity-based attacks are still the number one attack, and they are effective.”

I mean, I’m a CISO, so-

That’s why I’m asking you. I think this has to keep you up at night. “Oh, I’m building the greatest honey pot known to man!”

Yeah! I never think that it’s the best thing to do — to trust one place to do everything — because hackers know that, and they are good at what they do. No, I don’t think that you should just trust Okta. I think that the technology that we’re building and what we’re thinking about, you should trust the ideas that we have and the perspective that we have on the identity space. I don’t think that that database will be sitting solely with Okta. I think it will be decentralized.

But what I do think is that when I talk about public-private partnership, I do think there’s an opportunity for Okta to say, “Hey, US Passport Agency! We would like the opportunity to partner with you on digital identities and how we create the next space for digital identities.” So I don’t think that it’s a good idea to have any amount of data — specifically PII data — because ultimately, identity-based attacks are still the number one attack, and they are effective. I don’t think it’s a good idea to have that data sitting in any one space, but I do think that the opportunity for partnerships sits there for us to look at spaces and databases and really connect and figure out how we keep those safe while also having the ability to transfer information and share information.

A couple more questions about Okta, then I want to get into the Decoder questions and how you operate instead of Okta. Really basic here: Who are Okta’s competitors? When you have the big C-suite meeting, who’s on the list? We’ve got to beat X, Y, Z companies. Who are your competitors?

We have no competitors!

Yeah, sure.

I’m just kidding. Of course, Microsoft, Ping [Identity], OneLogin. Those are some of the ones that come up pretty frequently. I think what’s unique about Okta is that we are a cloud identity company, and that’s what we do. That is our space. And we are, again, powered by neutrality. But we are not an on-prem company. That’s not what we do. That’s not in the stars for us. We are really focused on the cloud identity space. And so that’s why when I said, hey, we’re building the identity cloud of the future, that’s the space that we’re ferociously focused on. There are not other lanes that we’re trying to get into.

You’re not going to put out the Okta internet appliance that I can install in my small business tech office.

Microsoft is a huge competitor in many ways. They are on-prem. They’ve had Active Directory for what seems like a billion years. For one minute, it seemed like a monopoly provider of identity services to big companies.

They’re under fire right now. We had Adam Selipsky from AWS on the show. He’s like, “Microsoft security practices are horrible.” He wouldn’t say their name, but he was like, “That company starts with an M.” Other cloud providers are saying Microsoft has problems. They just had a breach. Is your pitch, “Fundamentally, the cloud is more secure,” or is it, “We’re more secure than those guys?”

I am a firm believer in not trashing other companies, because your day’s coming. And that’s me, the CISO, speaking. I’m like, listen — everyone has their day on the front page of The Wall Street Journal. We’ve had our day as well. I think that that’s something that I just try not to do. What I will say is, we work with Microsoft. We work with Amazon. We work with all of these companies in various capacities, either because we’re users of them also but also because we’re neutral. Our goal is not necessarily to put other companies out of business; our goal is to make the best experience for our customers. And so when we think about workforce identity, we’re not just multifactor authentication. We’re single sign-on. We have partnerships. We have 15,000 partnerships and connections to various partners to allow you to do your work securely.

I wouldn’t say that we are better than them in the capacity of “we’re more secure.” I would say that we offer more options available to you. We are not trying to put you in the Okta ecosystem. We’re saying, figure out what ecosystem works best for you, and Okta will work with that ecosystem, and it doesn’t matter what company you are. We’re pushing very heavily on our partners to really create this space where it’s frictionless for the users, because once the users start abandoning our processes, it doesn’t matter how secure you are. If the user abandons the process, you’re going to get hit with an attack. And again, because we are aware that identity-based attacks are our number one, we’re thinking about that because we’re there, we’re the identity provider for so many. And so I don’t think of it in terms of who the competitors are or what we do better.

I think our neutrality makes us strong because it allows you to think about your seam and your sore systems. It allows you to integrate threat modeling. It allows you to look at our data, integrate our data and our threat intelligence into your model. So we’re wide open. We’re saying, hey, use whatever you would like but also use multifactor authentication. Use phishing-resistant factors. Really make sure that you’re building an ecosystem that is secure. We’re not necessarily saying choose a product. But if I had to say, choose a product, I say, hey, choose us.

Let me run at this a slightly different way. There are these phrases that everybody uses: security by design, privacy by design, innovate, make sure you build security in the beginning. Every company uses these phrases. As you look at the breaches Microsoft has had recently, some keys were leaked. I think they provide the Commerce Department with email. The Commerce Department email was hacked – these are huge breaches out of Microsoft. What are you learning as a CISO at Okta from those about your own processes and about places where the attack surfaces might’ve been different than what you had assumed?

I think when I look at some of what’s happening just in general in this space, key management is a challenge for everyone. Every company, every CISO that I talk to, key management is a huge challenge. I am an absolute fan of security by design. It is a practice that we employ implicitly within Okta’s customer identity cloud. It is a practice that takes co-conspiratorship of your CISO, your chief product officer, your chief technology officer. And one of the things that you have to build in your software development life cycle is key management and key storage and really flesh that out. And we have had to learn some hard lessons as well around this space. And so I think when I think about it, we’re just not there yet because the technology has moved very rapidly. We’ve all moved into the cloud very rapidly. I think that was the right thing to do, but sometimes security doesn’t catch up.

“Once the users start abandoning our processes, it doesn’t matter how secure you are. If the user abandons the process, you’re going to get hit with an attack.”

Now we’re playing this catch-up game where we’re trying to figure out how do we manage 40, 50, 60,000 keys in the space that all of our developers have access to and that they’re writing code with? They’re embedding them in many cases. They’re in our GitHub repositories. They’re everywhere. Keys are everywhere. And so, in this particular space, this is one that we all have to go take a look at, take a step back and go, “We need to do a better job with key management.”

What does that mean? It means is it built into the products that you’re using? Is it built into the clouds that you’re using? Are you using a third-party key management system? And even within that space, when you think about keys and secrets and paths, these are all things that mean various things throughout the software development life cycle.

Ultimately, when you think about secure by design, this is one of the issues that we’re going to have to tackle. Well, when do you tackle it, and how do you tackle it when you’ve already got this architecture in place or you’ve got this stack in place? That’s the bigger question, and that’s where I think many industries are getting hit. They understand that they have a problem. They’re working to solve the problem of key management, but they haven’t gotten there yet because you still have a stack that’s in place that didn’t take that into account.This is where secure by design becomes critical — because you build key management into your stack, and then it’s always managed. I think it’s one that we struggle with. It’s one that we’re going to continue to struggle with. One of my people put it this way. It’s an arms race. It is. This is one that we’re going to have to get after because the ability to pick up our keys and to… Especially when they’re hard-coded, when a hacker gets a hold of them, they can get in, and you won’t be able to detect them.

Because they’re using a real credential.

They’re using a real credential that belongs to you. It is yours, and now it is out there in the wild, wild west. And so this is a big deal, and it is unfortunate, but it’s going to keep happening until we actually start to practice secure by design.

It seems like keys are a really big issue in security, especially when you’re building software products and software businesses. Explain very quickly what you mean by a key and why they’re important to protect.

A key is essentially a password that a machine uses. When systems are talking to each other, there is a need to protect the information and the data and also to verify or authenticate that the information and the data is coming from trusted sources. So when you think about a key, a key is essentially a password that a machine or that an API might use to verify that it is who it says it is and it does what it’s supposed to do. And that’s the really simple short version of what it is.

We use them all the time as our systems talk or our containers talk to each other or as they’re passing data. There’s a key that happens or that is exchanged in the process of that conversation.

In many cases, there’s key pairs — there’s one key, there’s a public key, there’s a private key. There are all kinds of keys that look like that. But essentially, they’re passwords. They are a key to a door. You have a front door; it has a key to it. We have a front door, a back door, a side door, and 42 windows — they all have keys to them, and they all have different keys. And essentially, in many cases, we will build our software to have those keys as a part of the software. So they’re hard-coded into the software. We have to rotate them sometimes because we get broken into. They expire. You change neighborhoods or you change doors, and you rotate keys. Essentially, when that key is compromised or someone who isn’t supposed to have that key now has it, they can open all the doors. That’s the problem space that we’re in now.

Key rotation is another big part of the key management process. And so, in many cases, keys live in your software for a very long time or forever, and you have to go and find them and rotate them. And so that’s the other part of the space. You need to rotate your keys, and you need to manage your keychains. If you do neither, someone else will end up with your keys. They’ll end up with your keychain. They’ll end up with old keys, and they’ll go and they’ll start unlocking doors. And when they do that, they have full access to your environment, depending on what those keys do.

Let’s say I’m a small business owner, a small startup making a piece of software. I’m like, look, I need a secure login. I’m going to hire Okta. Does Okta come in and say, “We’re also going to audit your key management and your software,” or do you come in and say, “We’re going to do this for you”?

This is where Okta becomes super important. We do this for you. Let’s put the keys back in the phrase of passwords. We are going to help you manage this so that you don’t have to do it yourself. And Okta works with tons of startups. We have Auth0 for startups. We have free versions for small businesses. And this is really, honestly, a big part of what I’ve been doing these last couple of years, is talking to small businesses, talking to our NGOs, talking to spaces where they don’t think they need to do identity management because they’re not big enough for that.

There’s no size. If you have one employee, you should be thinking about this. If you have 10, you should be thinking about this. And so, Okta’s coming in and saying, “Don’t try to do this yourself. Don’t try to do identity yourself. Let us build it for you.” Whether that’s workforce identity with multifactor authentication and single sign-on and FastPass, which allows you to go password-less, or it’s on the customer identity side where we’re saying you’ve got a login box that’s facing the internet and you need some extra security. You need CAPTCHA, you need an SMS, you need social logins, you need something else that’s going to add an additional factor of protection. And so we are saying, “Don’t build it yourself. Let us do this piece for you, the identity piece.”

And then inside of that, like I said: Okta is a darling of Wall Street. How do y’all make money?

How do we make money? I guess it’s not a tough question, but essentially, we make money by protecting logins.

Do you get a nickel every time I log in to work?

Something like that.

It’s that simple. It’s like just every time—?

No, it’s based on number of—

Because then I’ve got to keep my computer logged in a lot more than I do.

On the workforce side, it’s based on a number of employees. It’s not every time you log in. It’s based on licensing and a number of employees. It’s based on MAEs. It’s based on a number of users. And this brings actually up another point, particularly on the consumer side. Because in the workforce, you know, I have 10,000 employees, I need 10,000 Okta accounts. The consumer side, not so. You don’t have any employees — you have consumers. And this is also where we’re saying, “Don’t build this yourself because it’s going to cost you more.” So, in many cases, consumer logins are incentivized. Log in, and you will get some miles. Sign up, and you will get 10 percent off. And ultimately, you are thinking about trying to get valid customers to sign up. Well, this is where the attackers come in.

They want those miles. They want those 10 percent offs over and over and over again. And so they’re going to populate your space with fake logins and fake identities. And so this is the other thing that we do on the consumer side is we’re really trying to help companies make sure that those identities that are logging in are real identity and they’re not bots and they’re not folks that are trying to take advantage of rewards programs. Because when that happens, when you have millions of false logins, not only are you taking up cloud computing space, which is costly — you’re not going to be able to make any money. You’re not going to be able to advertise. Because these are not valid shoppers. These are not valid consumers. And so on the consumer side, we’re really thinking … And I talked about identity proofing a little bit. This is where identity proofing comes in.

We’re thinking about — or we’re working to resolve — the problem of fake users, bots signing up, taking advantage of programs. We’re going through. We’re looking at databases and making sure that login credentials are valid. We’re kicking out invalid login credentials. We’re also going through … We have the capability of automatically resetting passwords of compromised credentials. And so when you ask what we do, I guess I didn’t dive into everything that we do, but we are using lots of technologies to help us make sure that your consumers are your actual consumers that you want.

Now, this is great for me as a CISO, but it’s also great for our marketing teams. Our CMOs are thinking about omnichannel operations, and they’re thinking about, “I want to make sure that Nilay gets this new shoe, and I want to make sure that he actually gets it and he gets the code and he is a valued customer of ours.” And so a part of our job is to make sure that your identity is protected, but also, for the businesses that you actually utilize, they understand who you are, they’re looking at real metrics about you, that it’s really your login. And so that’s the other side of it. And so it’s both for us. It’s both the consumer and the workforce.

I want to come back to that, but you’ve led me directly into the big Decoder question. Okta does a lot of things. There’s a big enterprise part of it. There’s a consumer part, which you’re a part of. Then there’s sales. How is Okta structured? How does the company work?

We have 18,000 customers. We have 6,000 employees. And we’re structured into our two primary clouds. So essentially, how I’ve been talking about it, that’s how we’re structured. We have our CEO, Todd McKinnon, and then we’re structured into our two primary clouds, our workforce identity cloud, which is focused specifically around workforce logins and employees. And then our customer identity cloud, which is focused around consumer internet, consumer apps, SaaS apps, internet-facing applications. And then, we have teams that support each of those primary clouds.

Then there’s the other big Decoder question, which is always very interesting to ask security people because the tradeoffs around decisions when your focus is security is very different. How do you make decisions? How do you influence what the company does?

“Consumer logins are incentivized: … Sign up, and you’ll get 10 percent off. Ultimately, you are thinking about trying to get valid customers to sign up. Well, this is where the attackers come in.”

I’m a product CISO, and this is my first time being a product CISO, and so, over my 25 years, it’s changed. I would say when I first started in the industry, I was hardcore security. There is no tradeoff. It has to be secure and as little risk as possible — very risk averse.

Now that I’m a product CISO and our product is security, security has to be a business enabler. I have the unique position of not only being the CISO of CIC but also of being the chief tester of products. I get to really look at some of our products. So when I first landed at the company, we were thinking about a product called Security Center. That product is now in GA [general availability], but we were thinking about it. And they came to me and said, “Hey, would you like to have this?” And I was like, “Hell yes. This is a dashboard that gives me all of the data around bots, around credential stuffing attacks. And this is something that I would love to see so that I can actually make good decisions around security.”

Let me give you an example. We have the ability through Security Center to tell you if an influx of activity is actually consumers trying to log in because you maybe have a new product launch, like a sneaker, or if it’s bots that are actually attacking you to take advantage of that new product. And then with that, you can turn our controls up and down. You can turn on advanced attack protection, you can turn on bot protection. And so, for me, I was so excited about the product that I leaked it accidentally a bunch of times because I wanted to talk about it, I wanted to share it, and I wanted other CISOs to see it.

So for me, as a CISO, this is the best place to work ever because I get to really see how our products are going to impact my own peers, and I get to understand if they’re going to be helpful, not just from talking to my peers but from actually testing the products out myself. And so it’s a really interesting role. It’s very different than all the other roles I’ve had because my previous roles were specifically about protecting our intellectual property, protecting the crown jewels.

This job is different. This job is about making security a business enabler — using the knowledge that I have of this industry to create better products for Okta and to create better products for our consumers, but also for our CISOs. And so we’ve got threat intelligence or threat insights coming out where it allows us to really seed information from our systems, which we see billions of logins every day. We get to see the real ones and the fake ones. It allows us to share information and intel.

The other thing about this role that I think has been fun and unique is that I am a fan of sharing information with other CISOs. We are so secretive oftentimes because we just can’t share. Our companies don’t really want to share the details around cyber attacks.

But ultimately, CISOs I think are a trusted community where we can share information because we’re all fighting the same adversaries. And one of the things that the adversaries have on their sides is that they share information. They go, “I did this, this attack was effective, and you try it now.” We are not doing that, and I think we have to get so much better at it. One of the things that I get to do is share information about what kinds of attacks I’m seeing in real time with the community so that they can do something about it. And so, for me, very different roles. Security is a business enabler now, but it’s not just a business enabler to me — it’s a business enabler to marketing, to our product officers, really, really helping them to understand how what they’re doing in this space can change and uplift the entire community.

There’s a tension you’re identifying there, and I want to just push on it a little bit more. In your previous roles, and [with] other security folks I’ve talked to, a lot of their decision-making is about, “Okay, the company wants to go fast, but I need the company to go slower and button up and protect those crown jewels and make sure that we are not introducing new kinds of vulnerability, but we’re thinking it through from a security perspective before we rush out to market.” It sounds like you are in a different role now where you’re selling the security to the market, and you’re able to act differently. How has that changed your decision-making process?

It’s both. I am selling security, but I also am still the CISO of a line of business. And so we talked a little bit earlier about secure by design. I am hardcore about it. What I’ve had to do is really change my relationships internally with my counterparts. So my CTO, she’s my co-conspirator. We spend a lot of time together thinking about secure by design and also thinking about the software development lifecycle and how we can build security into that. It makes my job easier on the backend because, when there’s a vulnerability, we are already thinking about… we don’t just patch them. We roll out a new version of our product where the vulnerability is resolved. And so that’s one piece of it that I get to impress upon the software development life cycle that security should be built into it. So that’s really my primary job — to reduce risk as much as I can.

The other side of it is, while we’re doing that, I’m also thinking about the final product and the ways in which that product can be helpful to a CISO. And so it’s both. It’s yes, I’m selling a product, and yes, it’s a security product, but I get this unique perspective on the entire process from start to finish. When we start ideating around what’s next, I’m sitting at the table saying, “I don’t think that that’s going to be what CISOs want, but let me go ask them.”

Or actually they will tell you. Obviously, CISOs are vocal people. They’ll share with you unsolicited, “This is what I want to see next. This is what I need from you.” And so I get to be their voice in the process, but I also get to see those outcomes. And so it’s a very different kind of job in that security is not just there to reduce risk. I still have the standard teams. Governance, risk, compliance, detection and response — we have platform and product security. So all of those teams still exist, and they’re still there, and we still have our primary job. But I think we all are challenged with this really higher level of thinking about security, and we’re thinking about it from the consumer perspective as well.

How do we create a product where a consumer can log in and it’s frictionless or as frictionless as it can possibly be? Because ultimately, they’re our first line of defense, and so we’re thinking about the entire process all the way through to the consumer. It’s a very different role.

Let’s talk about that process, because we are in a time of change for security right now. Probably in a few weeks, iOS 17 is coming along with the new iPhone. Apple’s already previewed it. They’re pushing into passkeys; Google said they’re going to do passkeys; Microsoft has said they’re going to do passkeys. This is a big change that’s coming. Describe to the listeners what’s going on with passkeys and how you think it’s going to change the experience of identity on the internet.

I talked a little bit about friction, and I think that, ultimately, what passkeys allow us to do is remove some of the friction from the login process. In many cases, we’ve experienced passkeys already, and we’re just not completely aware of it because the process is very smooth. If you are using your mobile device in any capacity to log in to something, there is likely a passkey involved — most likely with your bank. Banks are really good and really forward-leaning in terms of protecting the login space.

Why is this important? Because everyone’s on board. And the reason that everyone’s on board is because we feel like this is the right way to go. This is the way that we need to drive the industry. Well, why do we think that? Because the consumer ultimately decides how and the ways in which our products will work and if they’re successful or not. Passkeys make it very easy to log in to things, and they remove so much friction from the login process.

What is friction? Because I’ve said it a bunch of times, but I’ve not actually talked about what is friction. Anytime you have to stop and think about something else in the login process, it’s friction. So I’ll give you an example: You’re going to a website. You’ve put in your username and password. It says, “We don’t think this is you. We’re going to send you an email.” Now you’ve got to go to your email — that’s friction. Or CAPTCHA pops up, and maybe it’s not the greatest CAPTCHA, and you can’t really figure out how to get through it, and you can’t. That’s friction.

At this point, I assume every CAPTCHA is me training an AI modeling system somewhere. I’m like, “I’m just contributing to some AI model somewhere.” I’ve identified all the crosswalks in America at this point.

All the motorcycles, all the stoplights.

So passkeys are the next version of our ability to log in without friction. They are critical, and they are secure — that’s the other thing. And so when you see massive, massive amounts of industry, and you’re in this industry with us, moving in one direction, it’s because we feel like, universally, it’s the right direction to move in. Would I love to say that Okta spearheaded that? Yes. But I think it’s a mutual agreement amongst all of us that safety and security of the consumer is of utmost importance. And so that’s why we’re headed in that way.

So the consumer experience of the passkey is: I’ve got my phone. My phone authorizes me, usually with some biometrics, in every example that I’ve seen — Touch ID, Face ID, whatever. Now my phone knows it’s me, and now all logins are handled everywhere because my phone is authed to me. Is that how you see it playing out? Because I see a bunch of big companies saying we still want our employees to log in.

I think that that is how I see it playing out. And the reason for that is that people — it’s not because of the technology. It’s honestly because people hold onto their cell phones with a death grip. This is just my own perspective from just watching humans do humanity things. If you lose your cell phone, you lose your mind. You want to find it, you’ve got a tracker on it, you’ve got a way to trace it. And so the passkey takes advantage of something that we’re already doing naturally, and I think that’s why it’s going to be more successful. We already are building biometrics. They’re not are building; they’re there. We’re already building this additional vector of authentication into the capability of every cell phone. And we’re so serious about holding onto our cellphones, having them near us.

Even when you sleep. When you wake up in the morning, you go straight … And so I think we’re thinking about the way the world is actually moving and going. We need to build the technologies that people are really using. We don’t want to come out with something new and force people to do it because they’re still holding on ferociously to the username and password. And what we’ve done is iterated. Passkeys are an iteration upon that.

I love using biometrics. It’s one of my favorite things to use. And in many cases, if a login box pops up and that’s not an option, I am like, “I don’t even want to do this.” If I can’t turn it on … But it also is predicated on building a login process that has FIDO2 technologies, WebAuthn. You can’t use these new technologies if you’ve not built those into your stack. And so, there are some things that we still need to do to get to the place where everyone can use passkeys, but I do think it’s the way of the feature, and I think it’s the right thing to do.

“Biometrics are insanely secure. There’s only one version of Jameeka’s face.”

Biometrics are insanely secure. There’s only one version of Jameeka’s face. I think we still have a ways to go around biometrics’ ability to detect people. I’m a Black woman, and so, in many cases, biometrics has failed me. I don’t use facial recognition, but I do use my fingerprint pretty often. And I don’t use it because it doesn’t work for me. The models have not been trained enough with diversity in mind to get there, but we are going to get there. I do think we’re going to get there. And so I think when we think about the future with passkeys and with all of these different ways that we can use pass keys and we can access them, yes, it’s the way of the future, yes, it’s going to happen, and we’re all going to march in that direction, and people are going to — I think when they realize that, they’re going to like it.

I just got my mom — it was her birthday two days ago. It was my mother-in-law’s birthday. We got her a new iPhone. She is using biometrics now, and she thinks this is the best thing in the world. She’s 73 years old. She was like, “Wait a minute.” And she had an iPhone. Now, mind you, she had an iPhone 6. So this just tells you.

But I think about the world. I think about my own family when I’m thinking about the new technologies that we’re putting in place. So we got her a brand-new iPhone. We set it up for her. She loves it. She literally uses her fingerprint. She also uses facial recognition, and she thinks it’s the most amazing thing ever, which lets me know that when you get walked through the process properly or when you get to understand what it is that you’re doing and you get to see the technology work … She literally was like, “Well, what else can you do with this?”

So now I’ve got to go back and give her a whole lesson in all the places she can log in using passkeys or using biometrics. I think that if a 73-year-old can pick this up in 10 seconds with a little bit of help from her kids, the world can pick this up. And I think that that’s what we’re thinking about is what is going to be easiest for the world.

The other thing I think is that, in many cases, technology is not accessible to everyone, but there are cellphones. And so even when you don’t have a desktop or a laptop … I don’t know anybody that has a desktop anymore. But even when you don’t have a laptop—

I’m talking to you on an iMac. Come on. This is a 2015 iMac. This is state of the art.

2015.

It’s still rocking, man.

Passkeys are coming, and you’re still … I can’t even believe you just admitted that.

I love it. I’m never letting this thing go. It’s perfect. It does its job exactly right.

Even to that point, she held onto her iPhone 6, you’ve got your 2015 iMac, and you’re both going to get passkeys. So I think that, yes, we’re thinking about making technology accessible to everyone. I know that the manufacturers of hardware products are thinking about that, and we’re thinking about how we layer software on top of that that makes it accessible and secure.

So a big piece of this puzzle here is you bought your mother some new hardware. By the way, the CISO explaining all the websites you can securely log into to their mother — that’s like a children’s book for kids who want to grow up to be CISOs. It’s great.

But you’re dependent now. Okta was a startup. It became a unicorn. Now, it’s very successful because it leaned into a technology shift that was happening, away from on-prem into the cloud. You’ve talked about the cloud a lot.

Here you’re saying, “Okay, well, Apple’s got to ship Face ID and fingerprint sensors. Google’s got to enable this across the Android ecosystem. Microsoft has to do it on Windows, and then Lenovo’s got to put that system on their laptops, and it’s all got to work together, and Okta’s going to sit in the middle of it.” Does that create a new set of dependencies for you? Because that seems like it’s going to get very complicated in a way that for Okta and the enterprise, the entire pitch was just “do this in the cloud, we’ll handle it for you.” And you weren’t dependent on 50 of the biggest companies in the world all working together.

That’s what we’re doing. These companies are our partners. And yes, we compete in some spaces, but they are also our partners. And it is predicated on us as industry leaders to lead the way, so sometimes we have to work together. But this is also where industry standards become important. Because, in many cases, we are building with an industry standard in mind. And so we’re not necessarily saying that Okta is the dependency — we’re saying build toward the industry standard. And if you build with the industry standard, then Okta will pick up and manage identity for you.

Is there buy-in around this standard? Because I—

Yeah!

We cover our standards a lot here at The Verge and, boy, can that get loaded.

Yeah. I think there’s tons of buy-in around FIDO2 and WebAuthn. I guess I’m a forward-leaning technologist, so of course, I’m going to say yes. I haven’t seen a space where I just couldn’t use it… yet. But again, I think I’m biased because I’m a technologist at heart, and so I’m trying to figure out more ways in which I can use it. But no, I think there has to be industry buy-in for certain standards. USB-C. It’s all over the place now.

Right. But when I say, boy, can that get complicated — that’s another hour of how that standard is not actually easy to use and it has been corrupted in 50 different ways.

Yes. But it is a standard. And I think that sometimes you have to have a standard for the sake of interoperability. And I think that that’s what these standards are about, is interoperability. Because capturing market share is really, really challenging. And in many cases, you cannot capture market share when you do not have that interoperability.

“We all are reliant on each other. The failure of one technology, it’s like dominoes falling. “

There is no one company that owns the space completely. In many cases, we all work together in vast ways. In order for us to have that level of interoperability, we are working from a set of standards. Okta has 15,000 connections. Now, are some of them built on standards? No. Some of them are like, “No, we just really need to make this API work.” And so that’s what we’re doing. But we take that challenge. There are some that will be standards-based. There are some where we will just partner and say, “We need to make this work because it’s going to be a benefit to our customers.” It’s both.

Let me give you an example of just standards among these companies. I will abstract it out so you don’t have to talk about your competitors/partners directly. One big company agrees to do a standard with another big company. The first big company loves to just do the whole thing. All in, idealistic, we’re doing it. And then the other big company, which is just down the road from them, usually is like, “We’re taking three pieces of the standard and building our entire stack on it, and the rest of it will be completely ignored because this is the jewel-like user experience that we’re after.” I’m not saying which companies are which. I’m just saying that’s a pattern I see happen over and over again. For you as Okta, building on top of that, how do you manage that as you try to push out the consumer products that you’re building in a secure way?

Some of it is just … Well, in some cases, they just say no, and we go, “Okay.”

Sometimes you’ll hear us say we’re 80 percent of the way, because not everyone always wants to get on board. That’s going to happen. We know that. When you have your own ecosystem, you have flexibility to say, “No, I’m not going to participate.” It is our hope that when we think about identity, this is about people. This is not about market share. This is not about having your own ecosystem for Okta. This is about people, and this is about protecting people. And so it is my hope, it is Okta’s hope, that that becomes the forefront of standardizing if it is a benefit to people and protecting our consumers. Because ultimately, when our consumers are compromised or when we are compromised through our consumers, we lose trust. Trust rides in on a tricycle and leaves in a Rolls Royce. It comes in slowly, and it goes out on a jetpack. And so when we lose consumer trust, we all lose.

So what we are trying to do is to get the “companies that be” to say, “Yes, this is something that we all should do.” Is it hard? Is it difficult? Absolutely. But is it the right thing to do? Absolutely. And it’s a task or a challenge that Okta is willing to do. Because if we’re going to say that we’re neutral, we have to get as many partners on board as we can. And so that’s what we’re doing.

I’ll tell you, we have been wildly successful in that. In talking to some of the larger companies and saying it is important that this particular standard, passkeys, is the one that we agree on because it’s about people. If we keep that in mind, it makes the conversations different and a lot more smooth because, ultimately, nobody wants to be the company that is on there and saying 3 million of our customers’ data has been breached. That is what we are all facing when all of us don’t get on board.

We all are reliant on each other. The failure of one technology, it’s like dominoes falling. [If] we get compromised in the identity space, many, many other areas are compromised as a result of that. We don’t want that. So we are really, really focused on not only being a good partner but building those good partnerships. And sometimes, that means bringing everyone along, even if they don’t want to come along.

So let me ask you — that’s the work. It sounds very complicated. You sound very passionate about it. How long until the password goes away? The password as we know it.

Oh gosh. In one interview, I say, “forever,” and in one interview, I’m like: “tomorrow.” I don’t know. You know what? That’s a question that I really don’t know. I don’t know how long it’s going to be. I would like it to be in the next five to 10 years. That’s still a long time. I don’t have the answer. I think we’re really pushing toward it going away, but I don’t know. That’s one I just can’t answer. I would love to say that it’s sooner rather than later, but I don’t think that that’s true.

You don’t think that something like the release of iOS 17 with support for passkeys leads to rapid adoption and then an exponential curve of passwords going away?

No. I think that it will speed up the adoption, and I think that this is what has to happen. I think that we have to have these kinds of releases where they speed up adoption. But ultimately, in order for passwords to go away, everywhere that there’s a password, it has to have the technology built in for it to go away, or they have to use a product in front of their login box for it to go away. Now, obviously, we can do that for you.

Good plug.

We can do that for you — that is a good plug! But I think we’re still a ways out because people are emotionally tied to it. I think that they want it there. They think it’s important. And so I think we’re still a ways out because of the emotional connection, not because of the technical capability. I think the technical capability is there. I think that again, as we continue to partner and we continue to do software releases and hardware releases that this is available, people will just naturally migrate to it, and then it’ll become a part of how they do business every day. If you had to nail me down, I’d say we’re five to 10 years away from the password going away.

That’s a good answer. That’s what all the self-driving car CEOs say, too. It’s just enough to be specific but just fuzzy enough to be never. Nailed it. It’s a real theme on Decoder.

Well, you got an “I don’t know” out of me, so that’s the real answer, right? You got me to say, “Yeah, I don’t know.”

I think a lot of people want it to go away, and I think it’s comforting to people. I want to come back to that, actually. That thought of the fact that it’s real people that are going to drive the shift. But one more question about the passkeys in general. You mentioned biometrics — you really like it. There are big tradeoffs with biometrics. You mentioned that you’re a Black woman, and facial recognition systems generally have not been trained well on people with darker skin. I’ve experienced this as well. There’s bias in that data.

We’re also coming up on a time of massive AI development, and it seems like a lot of AI bad actors are going to point it right at biometric systems. The big tradeoff in biometrics is once it’s breached, it’s done, right? I can’t change my fingerprint, at least not yet. How are you thinking about those tradeoffs, especially in a time when AI systems seem poised to be used by bad actors to attack them?

Yeah. I’m worried. If I had to say, the biggest thing that I’m worried about is what happens when they lose my fingerprints? What happens when those are breached, and what are we going to do about it? I think that the tenets of protecting data and protecting PII — those are not new. As we start to think about how we’re storing and how we’re handling data and encryption and at rest, we’re going to have to, I think, uplevel our skillset around protecting biometric data. It is, I think, again, the thing that I am most worried about. And again, not as a CISO but as a human being. What happens when they lose my retinal scan? What happens? And I think that that’s one of the reasons why I am such a fan of having the capability on your cell phone. Because you’re holding it.

Locally, you mean. Not in a cloud.

Locally, right. Locally. When I say your cell phone, I mean locally. I’m a fan of that technology because we’re holding onto it with a death grip. But it also allows us to have some ownership and protection of it. And because there are tons of ways to wipe and delete remotely, there’s tons of things that we can do with cellphones to really protect that. And so I think that’s one of the reasons why I like the technology.

But I am very worried about how we protect the data. We have not gotten to where we are, I think, universally good at protecting data and protecting databases. I think, even more so, you talked a little bit about AI. When I think about AI, I think about these large language models that are being built and the ability for me as a CISO — one of the things that we can do right now is understand if it’s a human or if it’s a bot. Generative AI is bringing in deep fakes that are human-like. The thing about generative AI is that it mimics us. And so our ability to detect if it’s a human or if it’s a bot is diminishing, it’s going to diminish. And so this is where the challenge becomes really critical because what happens when those deep fakes can also mimic our faces and our biometrics?

I can imagine an attack where I get between the camera and the facial recognition system and deepfake your face onto my head. That would be crazy. I’m just saying I can imagine it.

That’s our future. That’s our future.

That’s where the attack happens, between the camera and the security system. And I deepfake your face, and you’ve only got one face. And once that’s done, that’s over. That’s the tradeoff with biometrics. It’s easy and convenient and the most secure right now, but it’s also… once you’re off the cliff, you’re done.

Yeah. And this is the CISO’s journey. This is a part of what … Oftentimes, they’re like, “Our CISO’s crazy, and they’re telling us about all these things.” I know they say it. We’re telling these horror stories. But AI is real. It’s not new technology. We’ve been using machine learning to defend against bots for years. It’s not new to us. And so, in that case, it’s not new.

What’s new is how generative AI is being used. And so yeah, I’m concerned. And I don’t have an answer for how we fix this yet. OAuth just came out with the top 10 for large language models, and I’ve been ferociously reading through it. It’s 30 pages. It’s a great read, though. And the Cloud Security Alliance has also put out some really great information around how we defend against it, but it’s not solid. We can use AI to defend against it. There’s still a lot of thought around if it’s going to be the defenses that have been proposed are effective, and none of them are talking about biometrics man-in-the-middle attacks.

“We also can’t get so far behind the mark with [AI] security as we do with other technologies. We’ve done it over and over again. We should know better by now.”

They are talking about adversary in the middle, but not this particular example that you’ve given. We’re not there yet. And when we think about why there is so much consternation about AI, this is the reason why. Because we all can come up with these various examples that none of us have thought about how we defend against yet. And so, while I’m a super fan of AI, also I’m like, we also can’t get so far behind the mark with security as we do with other technologies. We’ve done it over and over again. We should know better by now. We really are going to have to get really, really good at this particular space of security and defensibility in the space of AI.

Not happening at a rapid pace the way I would like to see it. But what I do know is that I think it is as important to us as it is the folks who are making AI to do this work and to secure this work. We’ve let something loose. I look at some of the AI generators around headshots, and I’m like, “These look great, and they look just like me.” And how would you know if I sent you a headshot that wasn’t really me at this point? It’s hard to know. That’s the good part of it because Jameeka looks great all the time. The bad part of it is when you take what I’ve sent you and use it biometrically to log in to everything that I own. So it’s both. I think we’re going to have to be very, very thoughtful about security in the AI space.

There’s lots of talk about, like, “Hey, what happens when my developers dump all of my code in?” I’m not super concerned about that, and I’ll tell you why. The reason for that is you have to have a lot of data to change a large language model. And then the person who’s attacking you has to know that your data’s out there and that it’s a part of a model. And so it’s pretty sophisticated. You would’ve to dump all of the entire source code in there — they’d have to know how to use it. You’d have to have all the secrets in there. So, yeah, I don’t want our developers doing that, but at the same time, in order for it to actually go into a public large language model that’s crawling the internet, you’ve got to really put a lot of instances out there for it to pick it up. I am much more concerned about what you’ve talked about here. I don’t have the answer yet. It’s one that we are all digging into in the security community and trying to figure out how do we not create these scary stories but really get finite user-centric details around what can actually happen with generative AI and what are the threats that are out there.

Do you think that it’s worth slowing down the headlong rush toward passkeys and biometrics on phones while this gets sorted out?

No. No, I don’t.

Why is that?

There will be times when technology doesn’t move at the same pace. And so I think that we, as ferociously as AI is moving forward, we are going to have to move forward as well because if we stop the rollout of passkeys and biometrics, AI is still going to keep going, and those deepfakes are still going to happen, except for now, those deepfakes are just going to be using username and passwords. And so it’s one of those things where it’s like, no, you can’t — you shouldn’t stop, because ultimately the answer could be an AI technology. It will likely be that we fight AI with AI. And if we don’t keep moving to advance these technologies, AI is not going to stop. It’s not. As much as the flag has been raised and people said, no, no, no, you don’t see it slowing down at all. And so, why would we slow down when we know that this technology is moving that we need to be able to protect and defend against? And so I would say no. Actually, what needs to happen is that we need to move faster, and we need to be uniquely acquainted with AI and all of the risk and vulnerabilities and threats that it presents. And we need to continue to evolve these technologies to go right along with AI.

I want to end with just a bigger-picture question. We’ve talked a lot about people in this episode, how they behave and what they like and what they’ll do and how you can get them to act in a more secure way by making it easier, by reducing friction. You have a pretty unique background here. You came out of the Navy. You’re a woman of color in the security industry. That’s fairly rare.

It seems like understanding people’s behavior broadly is really important to security, and the cast of characters in the community has been pretty narrow, been pretty insular. They’ve all pretty much looked the same from the same backgrounds. Do you see that changing? Do you see that pipeline of people from the military, for example, from other walks of life, coming into the industry? How do you accelerate that? Because it feels like that’s the key. You’ve got to understand the 73-year-old mom if you want to make passkeys work and that the community understands itself right now.

It’s my life’s work to diversify the community that I’m a part of. It’s important to me because diversity of thought is important — to your point, the 73-year-old mom, the person of darker complexion or darker skin. We have a ways to go. We didn’t create the society that we live in overnight. This didn’t just happen to us. This is hundreds of years in the making. It’s been done through various mediums. And so what we’re seeing now is the end result of intentional behaviors. And so what we need to fix this is intentional behaviors. We need people who are leaders who are willing to go and find diverse candidates and not say things like, “We’re going to lower the bar.” That’s bullshit. It’s bull. You’re not lowering the bar when you go and look for candidates of color — you’re going out of your comfort zone. And that’s what I want the community to be honest about — that we are going to have to get out of our comfort zone to create a technical community that represents the world we actually live in.

“You’re not lowering the bar when you go and look for candidates of color — you’re going out of your comfort zone. … We are going to have to get out of our comfort zone to create a technical community that represents the world we actually live in.”

There is not a place where one person with one train of thought can do everything for everyone because you’re not going to be able to include everyone’s hopes and dreams and wishes in that. But when you go and you seek out a diverse community and diverse thought, then you will get a larger intersection of the world. And it is my hope that someday I will look around and the world that I live in doesn’t look like the world that I work in. I want the world that I work in to look like the world that I live in because it is incredibly diverse and it is a beautiful community of people who are brilliant and bright and who have all these great ideas.

And so we’ve got to be intentional. The leaders in security have got to be intentional about how we recruit, but not just how we recruit. Because I see tons of diverse candidates come in through the pipeline, they get new jobs, and then the culture of the workplace is horrible to them. We’ve got to retain those folks that we bring in. The culture has to be friendly. The culture has to be accepting. The culture has to be one in which people feel like they can bring their true selves to the office because when you do that, that’s when you get brilliance. And I’ve said this to leaders that I’ve worked with before.

I’ve spent many, many times in many, many positions where I was not an authentic version of myself. I was a version of myself that I felt was appropriate for work. And I spent so much time being that person that there were many great ideas that I didn’t bring to the table. And then I came to Okta. And I have been able to be a very authentic version of myself. You can’t do everything at work. It’s work. It’s not recess. But what they have gotten is some of my very best work and some of my very best thought leadership because I’m not thinking about “Are they concerned about what Jameeka looks like? Are they concerned about how she talks?” They’re not concerned about these things. They’re concerned about, number one, “How can Jameeka bring her very best thought leadership?” But number two, “Jameeka also has unique challenges that the rest of us don’t face, and we want to make sure that we’re not a part of perpetuating that problem for her.”

We have not been intentional about diversity. Looks like we’re walking it back a little bit in many cases. And so I think that we have to be really intentional about diversity, and we have to be really intentional when we bring diverse candidates and employees in. We are also intentional about making sure that they are welcome and that their ideas are welcome and that we’re listening.

Ultimately, when we think about these big jumps, there’s someone out there who’s going to solve this AI security problem, and we don’t know where they are in the world. And if we’re not looking for them, we’re not talking to them, then we’re never going to have the answer. And there are other answers out there in the world that we’re not going to get because we don’t have diverse audiences. And so that’s my soapbox on that. But I think it’s important to me. I’ve got a long time left in industry, and I think that it is going to continue to be a big part of what I do to make sure that we have diverse spaces where people can thrive.

It seems very important to me in the security space in particular that you understand the people — like all the people, not just some of the people.

But you’ve given us so much time, Jameeka. This has been an incredible conversation. That’s a great place to leave it. It sounds like you have a lot of problems to solve, so we’ve got to let you get back.

I’ve got a lot of problems. I’ve got a lot of work to do.

We’ve got to let you get back to work. You’ve got to come back soon. Let us know how this passkeys thing is going. This has been great. Thank you so much.

Awesome. Have a good one.

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

Sarthak Luthra
Sarthak Luthra
Hey, there! I am the tech guy. I get things running around here and I post sometimes. ~ naam toh suna hi hoga, ab kaam bhi dekhlo :-)

More like this

AI startups: Tech veterans ditch C-suites for the AI...

A number of top tech executives are joining...

Should Indonesian startups brace for a stormy 2025?

Funding levels are set to dip further in...

3 coins back from the dead in 2024 that...

Riding political shifts, regulatory optimism and growing institutional...

Popular

Upcoming Events

Startup Information that matters. Get in your inbox Daily!