Solving the digital identity crisis | Mike Engle @ 1Kosmos

The Spotlight

1Kosmos is like having a digital ID on your device that lets you access your bank application or your employer's computer systems without needing a password. Mike Engle is a serial entrepreneur and in this freewheeling conversation, he shares his lessons from his three-decade-long journey.

Transcript

Introduction to 1Kosmos

00:00:00
Speaker
My name is Mike Engle, co-founder and head of strategy at 1Kosmos, and I'm here to make you smile.
00:00:18
Speaker
Who are you? This may seem like a simple question. But businesses spend billions of dollars to answer this question about their employees, users, clients and potential customers. 1Kosmos is a platform that allows businesses to easily and quickly answer this question and thereby manage access control.
00:00:36
Speaker
Think of 1Kosmos as a digital identity that you carry inside your device which allows passwordless access to your banking app or your employees' internal systems.

Mike Engle's Early Tech Journey

00:00:46
Speaker
Mike Engle, the founder of 1Kosmos, is a serial entrepreneur and in this freewheeling conversation with Akshay Dutt, he shares his lessons from his three-decade-long journey. Stay tuned for the conversation and please do subscribe to Founder Thesis on YouTube or any audio streaming platform.
00:01:11
Speaker
So while we are here to talk about 1Kosmos, I want to really understand your professional journey. Give me a little bit of a context. Where did you grow up? What did you study? How did you start your career? And what brought you up to being an entrepreneur?
00:01:29
Speaker
Yeah, I mean, going way back, I grew up in Pennsylvania, and what changed my life was my parents bought me a Radio Shack Tandy Color Computer sometime in the 1980s. So that was probably 10, 11, 12. I don't remember exactly, but I got the Tandy CoCo 2.
00:01:51
Speaker
and I was a bit of a geek before the term geek existed. So I opened up the book and learned how to program in BASIC. Which year was this when you were 10 or 11? I'd say it was, yeah, it's almost 1984 or five. Okay. All right. And then I eventually got my hands on a modem.
00:02:15
Speaker
and be able to connect to the outside world. So it started with a 1200 baud modem and connecting the CompuServe and then eventually AOL and bulletin boards and all that stuff. So I had an affinity for computers right out of the gate and just have always played with technology.

Wall Street Security Experience

00:02:34
Speaker
And one of the things I did back then was, the term hacking didn't exist, but phreaking did, P-H-R-E-A-K-I-N-G.
00:02:44
Speaker
I would dial and try to find systems that would answer a modem and, and log into them or, or, you know, use four digit pin to get in. And it was kind of gray, you know, not doing it. You could get into a lot of trouble today for it, but it told me how to think about getting in and securing things. And that kind of changed my life. Um, so.
00:03:06
Speaker
Fast forward, not many computers in high school, I had a typing class, that was it. So I learned how to type about 110 words a minute. And then went to college and got just a number of computer related jobs to put myself through college. And the rest is history. I moved into security right out of college and headed towards Wall Street. Where did you join? Like tell me about your career path also a bit.
00:03:35
Speaker
Yeah, so security didn't exist as a career back then. So I graduated college in 93. First job was in Philadelphia, just doing distributed systems, right? So migrating Novell to Windows and, you know, just being the computer guy to make things happen. I migrated my way out of Philadelphia to Wall Street. So I
00:03:58
Speaker
landed a job at Merrill Lynch and really started focusing on Active Directory and securing user accounts and account management and working with identities before they were called identities.
00:04:11
Speaker
went even further and that was in Princeton, New Jersey and made my way up to Lehman Brothers in 1996. And one of the first things that I did there again was built out ways for users to access systems and detect when they were accessing systems improperly. And we went through Y2K and had to protect the firm from all the hackers that were going to come on on 2000, January 1st, 2000. And that was quite a lot of fun.
00:04:42
Speaker
So that was my path to getting to Wall Street. And eventually that turned into running the whole security program for both IT and working on physical security technology as well. Like access control for buildings and stuff like that.
00:04:59
Speaker
Yeah, access control, IP video, biometrics. We were putting biometrics in data centers. You had to scan your eyes to get in. It was really neat. You know, robots, programming robots to go through the data centers and just look for bad people, things like that. So my goal was to have both IT, CISO, physical security, IT security coming together under one hat.
00:05:27
Speaker
I thought that that might be a converging trend. It turns out that it really hasn't, right? Not many organizations have physical and logical security under the same umbrella. So kind of glad that I didn't pursue that too long. But it's neat to have both skills in the tool belt for sure. Did you encounter any threat actors and any war stories from Lehman?
00:05:51
Speaker
Oh, yeah. So many. I mean, one of the first really gold stars of my career was I wrote scripts to monitor the domain controllers because you didn't have endpoint protection back then. You had antivirus. And so I wrote scripts in Perl.
00:06:11
Speaker
for those that really, again, want to date myself. And it just looked for account, strange account activity. And I deployed this on the domain controllers and the alerts were all going to me. We didn't have a security operations team. This was in the early days.
00:06:26
Speaker
And Friday night, 11:45 PM, my BlackBerry Research In Motion pager with little wheel and keyboard on it starts lighting up. It says, user, strange user started doing strange thing.

Security Tools and Practices

00:06:39
Speaker
I'm like, oh, that's really strange, but it's 11 o'clock on a Friday. So I called the help desk. I said, just call me and tell me if anything strange happens. And my phone rang five minutes later and they said a whole bunch of bankers just called. They can't get to their files.
00:06:54
Speaker
So I logged into that domain controller and I saw thousands of files getting deleted. And so I disabled the accounts and I called everybody. I basically called a code red and got everybody in because somebody put a scheduled task on to do elevated privileges and they were trying to take out the whole investment banking division.
00:07:15
Speaker
So, you know, it could have been a lot worse. I caught it on Friday night. You know, it didn't go until Saturday, Sunday morning. And we had everything back and restored from backup tapes, right? We were using tapes back then. Wow. And it was just a really, there's a cool win, right? And so often that we don't see the wins in infosec. So that was one. And then we got affected by a worm once that got into our environment and took the entire network down in six seconds.
00:07:44
Speaker
And we had to go visit every Cisco switch and manually reboot it. So seems some really, you know, that was back when you really worried about perimeter, which today is not as much of the focus because of the cloud, right? So, you know, you've used a bunch of very industry specific terms, which a lot of listeners may not understand, like, what is CISO?
00:08:10
Speaker
I'm just asking you these terms and we can just go through them for people to get some context. Sure.
00:08:20
Speaker
The term CISO, I think really evolved in the 2000s. It stands for Chief Information Security Officer. So today there's a chief for everything, right? I'm chief strategy officer now, there's chief revenue officers, chief operating officer. So the term CISO though is very specific to protecting the information and setting all the policies and typically managing large teams that do that. So a lot of my friends that are CISOs now,
00:08:47
Speaker
have teams of 200 people that just do security. So that's what CISO is. And it's a very high stress, high visible job in most organizations. Yeah, I can imagine. What is the endpoint protection? Well, I think everybody has experienced it if they bought a new computer. And that's anything that protects your computer
00:09:15
Speaker
and the endpoint means the device that we use. It's your Windows, your Mac, your iPhone or your Android.
00:09:23
Speaker
And so old endpoint protection was just antivirus, Symantec, McAfee, and that stuff is still around. And now they have more behavioral detection, right? Like my computer is doing something weird or looking for malware in different ways. So that's what endpoint protection is. And there's an evolution of InfoSec. It started
00:09:47
Speaker
with, let's just get a firewall that stops bad guys from getting into my network. Cause when computers first got connected, everything was open and you could just log in anywhere pretty much. And then we put firewalls in place and then we realized. Firewall is just something which requires a password before it gives you access.
00:10:07
Speaker
Your house, if you have cable or broadband internet, has a cable modem, right? And it has a built-in firewall. It stops somebody from just getting in and connecting to your computer. Firewalls have been around, you know, one of the oldest internet technologies in it. That used to be an entire industry. That was like the hot industry was firewalls.
00:10:30
Speaker
But today it's gotten just so intricate and interconnected that you need obviously much more than firewalls and antivirus. So you were talking about the evolution. It started with firewalls, then... Yeah, so
00:10:46
Speaker
There's been entire industries that have been popping up every couple of years. There's firewalls and antivirus. And then we got into very specific security technologies that do certain things. It might be, I just detect bad things on my network. I see traffic. I see behaviors. There's an entire industry that popped up just to control what websites people go to.
00:11:14
Speaker
They're called web proxies. All these little solutions popped up to help add more security, more controls because the bad guys are getting more and more creative to try to get in and steal all of our secrets. Let's say a company doing a billion dollars of revenue, how many tools would the CISO be using for managing security?
00:11:41
Speaker
Yeah, way too many. So what happened, most CISOs, they have this urgent problem. I have to do, everybody knows about two-factor authentication, right? That's the code that you have to go get after you log in. And so people go out and they buy all these two-factor tools and more tools and more tools that probably
00:12:03
Speaker
200 to 400 security tools inside of a good size organization today. And they're trying to reduce that because every tool has to be managed. It has a license cost, et cetera. Yeah, there's too many, I think, is the answer. Yeah, OK. So I mean, considering that everything is on the cloud,
00:12:27
Speaker
Most of the cloud applications come with built-in security, right? Like if I'm using, and again, I'm giving a very, very simple example, but if I'm using Google for my email, and if I log into a new device, it'll automatically ask me to, you know, verify identity through like a one-time password on my phone. So why does an organization need to go beyond what a cloud application already has available as security?
00:12:58
Speaker
Yes, because Google, Microsoft, Facebook, Apple, the large companies, they do a lot, and they have a lot of security built into their products, and you want to use as much of that as you can. But they're so big, and if you try to rely on just Microsoft to do your security, there's many gaps. What happens if you have a Mac?
00:13:23
Speaker
So that's just one incredibly simple example as to why you can't have one solution provider for security. Another example is something called privileged access management. So you have your super users, your administrators, those people that get in there and can create and manage everything.
00:13:45
Speaker
There's an entire industry called Privileged Access Management that puts really strict controls because those are the most important systems. And your Microsofts and Googles don't do Privileged Access Management. There's billion dollar companies that do it. So you have all these nuances because again, the bad guys get a hold of that one account and they can ransomware you and do all these bad things.
00:14:09
Speaker
So there is a need for hundreds of security products and then different verticals need different security applications. So for example, doctors, they need to walk up to their medical screen and just tap it and work with a patient and

Entrepreneurial Ventures after Lehman

00:14:29
Speaker
walk away. So there's an entire product line that lets you tap a badge
00:14:34
Speaker
to that workstation and go, you know, like just very simple examples. But that's why it's like there's there's it's complicated out there. And the big box vendors just can't can't do it all. They might do 20, 30 percent, I would say. Interesting. OK, so you were there for the Lehman crash. Right. Tell me about living through that. And what did you do next?
00:14:57
Speaker
Yeah, so Lehman was the darling of Wall Street, had phenomenal growth, and they got caught up into the real estate bubble and got overextended. And many of us were there until the end, until September 15th, 2008.
00:15:15
Speaker
And, uh, we thought this could never happen. Right. You know, it wasn't, it wasn't like WorldCom was complete theft by management, right? Complete abuse. This was risky bets. So, you know, we watched it and stopped going down, down. Some of us bought a little bit more cause well, it's $2 a share. Why not? There's a lesson. There's a lesson in that somewhere. I can tell you about, you know, uh, risk management, but.
00:15:45
Speaker
So I lost three years of what are called RSUs, restricted stock units, which is a large part of my pay for three years. But it's a lesson in life. There's worse problems I could have. I was very lucky to have a good job and to have made decent money all those years. But I was done with Merrill Lynch and Wall Street and driving to New York City every day. So what happened was Lehman was heavily impacted by 9/11.
00:16:15
Speaker
We had a thousand people in World Trade Center and the plane hit. We had one employee that was in the elevator that died, but that heightened our awareness of security and being able to protect our employees. And so one of my projects when I got involved with physical security was how do we track our employees and be able to help them in minutes if we ever have another emergency?
00:16:41
Speaker
And so we were far more sensitized to the physical presence of our people. So I got involved with tracking people when they came in the building and tracking when they left, because in an emergency, everybody runs out the doors, but you don't know who left.
00:16:59
Speaker
And so we, you know, normally you put your badge to come into a building. Well, Lehman Brothers had you badging out. So now when you run out of the building and if your badge was red, we know that there's only 400 people left that we have to find. So that was really neat. And one of the technology providers that I use was a company called TwoTrack that were based out of London. And I really liked their technology. We were tracking our executives when they went to the Middle East.
00:17:28
Speaker
We were tracking the CEO's artwork in case it got stolen. We were tracking everything. So I got into tracking and I decided to start a tracking company in 2009. And I started tracking vehicles and high net worth individuals for security purposes. And that company is called TwoTrack. It's still around today and has thousands of vehicles and hundreds of high net worth people that it tracks today all over the world.
00:17:55
Speaker
So it was neat. I learned a lot about trying to start a company in an economic downturn. Not easy. And made a lot of mistakes on how to grow a company. And between now and then I've started two other companies and happy to tell you a little bit about that as well.
00:18:13
Speaker
But just to wrap up on Lehman Brothers, it was really surreal when the bankruptcy hit and Barclays came and bought our building and just a very unforgettable moment. People carrying boxes out on their shoulders, right out the lobby with all their belongings on September 15th. Yeah, all the iconic photos show that. Right. So, TwoTrack would have been like a hardware software product, not just pure software, right?
00:18:42
Speaker
Right, yeah, little device you put in a vehicle or...
00:18:45
Speaker
I happened to have an old BlackBerry here with the keyboard. I was doing a presentation. I got this out for effect. But we would put a piece of software on this. This was the only smartphone before 2008, right? This was it. Yeah. So TwoTrack had a little app that would track this. And you could push a panic button and call for help. And that was used by some pretty important people on Wall Street.
00:19:15
Speaker
So that was good. I did that for about five years and again, track all kinds of different organizations and people. I guess the consumer technology kind of made the business redundant, right? Like once you have a smartphone, then it's just a matter of downloading an app. And I mean, the value creation as a company for you would have been very limited, right?
00:19:42
Speaker
If you try to today, everybody has free apps that they can use to track their people, their kids, their children. But there's still, to your example before, your question before, why don't people just use Google or Microsoft or Apple? Well, today we still have high net worth individuals that want a very specific application.
00:20:05
Speaker
They want to prove how many days their executives stay in New York City or do not stay in New York City. Why? Because you have to pay taxes for every day you're in New York City.
00:20:19
Speaker
Okay. So I give them an application that costs a couple hundred dollars and they can prove to the IRS that they were only in New York for 57 days. And so that saves them potentially hundreds of thousands of dollars in taxes. So it's a very specific application. You know, it's like, um, it's just different ways to deliver something that's commoditized in a way that adds value.
00:20:42
Speaker
The vehicle tracking business by itself is a large opportunity and there are like unicorns in that space like you know who work with let's say fleet operators and use that telematics data to create I mean as the base layer and then create more value-added services on top of that and stuff like that so you know that could have been a way to like build a unicorn
00:21:07
Speaker
It could have, yeah. If I had known what I know today about fundraising and scaling, growing product marketing, I was just, you know, I was a security geek that started a company. I didn't have much mentorship in the area. And so, you know, it grew, it grew to a respectable size and I created jobs and, and, and provide a good value.
00:21:32
Speaker
But I missed the tracking unicorn for sure on that one. OK. OK. That's OK. Yeah, absolutely.

Founding Bastille Networks

00:21:40
Speaker
So what were the other two ventures that you did?
00:21:43
Speaker
Yeah, so a friend of mine who was at Lehman with me, we got together and started another security company called Bastille Networks, Bastille as in the castle in France, or the band, if you like the Bastille band. And what it does is it monitors your space for all of the wireless conversations that are happening. So right now around me, I probably have, you know,
00:22:12
Speaker
20 radios in computers, laptops, phones, tablets, whatever. Organizations don't know what conversations are happening inside their own wireless environment. You have Wi-Fi, but there's so many other wireless things that Wi-Fi can't see. There's Bluetooth, Zigbee, and Z-Wave, and all this stuff. We're using the technology called software-defined radio.
00:22:38
Speaker
which means I can program a radio to look for anything from like, if you know megahertz and kilohertz and gigahertz, right? That goes all the way down to 60 megahertz to six gigahertz and just see everything. So what we'll do is the federal government has these areas where no cell phones are allowed, no Fitbits are allowed, no Apple watches. We put our sensors and we show them what's going on.
00:23:04
Speaker
So, manufacturing uses lots of wireless. Lots of bad guys could jam the wireless or hack into your
00:23:15
Speaker
data centers through the chillers, right? So it's nichey, but it was an unserved market using specialized technology that has been very well received by the market. Okay, what did you learn about scaling up niche businesses? You know, like, how do you find the right audience for it? And you did it bootstrapped. So you know, how did you scale it up in a bootstrap way? And just tell me a few of those lessons.
00:23:44
Speaker
Yeah. There's a couple of things. There's a book called The Lean Startup by Eric Ries. It's like the Bible for how to figure out what works and what doesn't. I think there's probably 10 Bibles or whatever your book is.
00:24:07
Speaker
And the principle behind it is build, measure, learn. So you build something, you measure its success, you learn from it, and then you pivot. So nearly every company I've been involved with, including Lehman Brothers, we've tried certain things and you learn, you fail fast is a common term in an entrepreneur world. And the more failures you have, the better, the more rounded you are, the more experienced you are about a product yourself.
00:24:35
Speaker
And so, for example, at Bastille, we tried targeting Fortune 500 out of the box. And there's a vulnerability in nearly every mouse that allows me to turn this into a keyboard.
00:24:54
Speaker
It, we called it MouseJack because when we detected it and so bad guys can connect to the mouse, see all of your keystrokes and you know, but we went to the Fortune 500 and we tried selling it there and they're like,
00:25:08
Speaker
It's hard to put all those sensors into all of my floors where all of my people are. It's too expensive. And that problem, there's a proximity. You have to sit outside the windows as a bad actor. And so we learned that that wasn't on the top 10 or 20 priorities at the time. And so we pivoted into government. The government really cares about this in an embassy.
00:25:29
Speaker
Right. Right. Yeah. And so that that's like an example where we could have spent five years and burned all of our money and and that's it. Company's out of business. So we pivoted early enough and we added cell phone detection and some other things. So the market testing, there's something called the mom test. Have you ever heard of that? No, no. So the mom test, I might mess it up a little bit, but there's a book called The Mom Test. It's how to talk to your customers and learn
00:25:58
Speaker
if it's just your mom saying, oh, that sounds great, honey. Nice job. You know why? Because we go test it all with our friends.
00:26:09
Speaker
We ask our mom, mom, do you think this is a good idea? Do you think it's a good idea to look for mice in Fortune 500? She goes, that sounds great. You need to figure out the right questions to ask so you're not wasting your time. It needs to be like your mom doesn't give you the hard truth sometimes. If I had talked to one of my CISO friends about that,
00:26:33
Speaker
And he was like, Mike, no. You're not going to sell that to me. You're wasting your time, right? I asked my mom. She says, yes. I asked my CISO friend.
00:26:42
Speaker
So that's called the mom test. So that's really important. And I recommend everybody to check out that book if they're testing new ideas out in the marketplace.

Founding 1Kosmos and Digital Identity Challenges

00:26:53
Speaker
What about building sales muscles? I mean, you're not a sales guy, right? But you must have had to learn how to sell, how to get customers. Well, as soon as you start a company, you're a sales guy or girl.
00:27:10
Speaker
That's it. You have to sell. Every successful startup has founder led sales and you need to know, I mean, really in life, aren't you always selling?
00:27:22
Speaker
yourself, your ideas to your kids, to your wife, to your, you know, your religious institution, your, you know, you're doing fundraising, whatever it is. So I think selling is being enthusiastic about what you do. And so you have to sell. And so I did learn a lot about sales. Now there's all these structured sales programs and the methodology of a deal and I hire salespeople to do the mechanics, but you have to sell. I'm selling to you right now. Yeah.
00:27:52
Speaker
It is really important. I think sales, the term has a bad rap, but some of the most successful people in life are good sales people. Yes, absolutely. What did you learn about how to be a good salesperson? It's asking as many questions to the other person as it is just telling them what you do. So you can have a conversation with a customer that's more about
00:28:21
Speaker
It's a conversation, not a sale. They kind of go hand in hand. For example, in certain words that you want to use to open up somebody's mind, and I'll give you some examples. If I say, actually, how open-minded are you to learning about cybersecurity?
00:28:46
Speaker
How open-minded are you? There's no answer. There's only one answer. You learn a little bit, just some simple mechanics like that, or how would you feel if I could stop bad people from getting into your environment?
00:29:01
Speaker
I'd feel great. You learn a little bit of just conversational, there's a little bit of psychology in it, and I've really geeked out on some of that stuff. I have this list of 20, they're called magic phrases that I try to work into conversations. It's just learning over time what works what doesn't. Talking too much, bad. Asking questions and listening good.
00:29:26
Speaker
I'm stating the obvious, but it's a lot of things that technologists may not think about when they get started. Yeah. Yeah. Interesting. Okay. So tell me about 1Kosmos. How did that come about? What's the background there? Yeah. A bunch of my friends that were CISOs.
00:29:47
Speaker
There's like three of them that kept telling me about this company and this guy who's the founder, my partner in business over here. And so I'm like, I gotta go meet this guy. And so I met up with him, geez, going on like seven, eight years ago. And he's an entrepreneur as well. His last company, he grew to over a thousand people. His last company is called Simeio Solutions.
00:30:13
Speaker
And so I just liked the guy. And one of the most important things when you get involved with a company is liking your business partners. If there's anything toxic there, we've seen many stories where that just doesn't work. So the idea behind the company is all about identity. And if you think about what we struggle with today online, your parents or
00:30:40
Speaker
your friends and family trying to log in and do things, it's so broken. We're creating new accounts everywhere we go. We can't prove who we are. The bad guys know how to log in as us. And so the idea that we came up with is let's figure out a way to prove who we are. That's easy and repeatable.
00:31:01
Speaker
And the company is called 1Kosmos, as you mentioned. 1Kosmos with a K stands for one universe. Kosmos means universe or world in Greek. And so the idea is you'll have one identity everywhere you go, online. Now, when you go to airports or hotels, you have one identity today, right? You're who you are from your hometown with your documents, your driver's license, your passport.
00:31:29
Speaker
You know, your Aadhaar card, whatever it is. But online, you don't have that. So what's happened in the last couple of years is this has become a very powerful tool for us to hold and use a digital identity.
00:31:44
Speaker
And that's what we really started doing from day one is creating a way for you to prove who you are and use that proof over and over again to do anything online in a safe and secure way. And it's easier than how you're doing it today.
00:32:00
Speaker
Give me a lay of the land in terms of identity solutions. I believe there's also a company called Okta, which is also into identity solutions. Help me understand the space a bit better. Yeah, absolutely. Okta is
00:32:23
Speaker
They're an identity company, as is now Microsoft, as is ForgeRock, and Ping, and a couple pretty prominent players. And of course, there's the companies that do things in airports. Would you go scan your eyes? Would you say that even Facebook, LinkedIn, Google, Apple are all identity companies? Because I can go to a website which will allow me to sign in with Apple, sign in with Google.
00:32:48
Speaker
That's right, yeah. So before those guys, you had a username and a password everywhere, right? And that's, of course, very fragmented and you're creating more data in these hundreds of systems. And then Google and Facebook, Microsoft, Apple became the gateway of the platform that we engage with. So now you log in with Apple, they make it really easy. There's one way to do it.
00:33:18
Speaker
The problem with that is they control your identity now. So if Apple doesn't like something about me or Google doesn't like something about me and they turn off my identity, my login, I'm done. And this has happened to people. And I'll give you one example. I have probably, you know,
00:33:43
Speaker
10 Gmail accounts from different companies I've worked at and lots of people do. One of my accounts has all my photos and lots of documents. There's a story, and you can look this up online, of a guy who uploaded photos to Google Photos, and Google interpreted a photo as having child pornographic content. It didn't.
00:34:13
Speaker
but they have a policy, it's very binary. It says if their algorithm detects this, they shut your account down and you'll never access it again. So you're basing your login with Google on this one rule, right?
00:34:31
Speaker
Maybe there's a picture of something over my shoulder and a photo that they don't like. And so when you trust your identity to these gateways, there's risk there. So personally, I use my email and a password, and then I use a password manager, like 1Password.
00:34:50
Speaker
to control that myself. So if Google's like, ah, you know what, we don't like you, fine, I'll move my email over somewhere else, but I have my usernames and passwords everywhere. And then the other challenge is, as a company, are you ever gonna trust login with Google to get into your company systems?
00:35:11
Speaker
There's no way, right? Yeah. I mean, Google could write the rules now to get into your corporate applications. So there's lots of challenges with it. That's called federated login. And what now is happening is there's- What does that term mean, federated login?
00:35:28
Speaker
Federated, meaning I'm trusting this one party, Facebook. Log in with Facebook, and Facebook is gonna go send my information to 200 sites. It makes it much easier, but I'm trusting all that federation to Facebook, Apple, Google, Microsoft. Now, Okta is a commercial version of that.
00:35:51
Speaker
but it's the same thing. So you log into Okta and then Okta will send your information to salesforce.com or whatever your business applications are. So they've made a business version of login with Facebook.
00:36:05
Speaker
or login with Google that you can kind of write your own rules and control. And there's no way Okta is going to like, you know, turn it off. Cause this is now that's what they do for a living, right? So Okta has made a great business, but I still wouldn't call them an identity company. I call them single sign on systems and the term single sign on, um, if you've ever logged into your Google and then you logged in somewhere else with your Gmail account, that's, it's like passing your, your.
00:36:35
Speaker
Identity to that other entity. That's called single sign-on. Yeah, and use it multiple times. Yeah, so these companies are single sign-on, and the reason they're single sign-on, not identity companies, is because they can't prove it's Mike Engel that's logging in. And that's what One Cosmos does for a living. And there's a big difference between the two. What is the difference? The difference is
00:37:02
Speaker
I'm going to hold my phone up to my screen and show you what I have inside of my application here. And the picture is worth a thousand words. So I have, see if this works, my identity.
00:37:21
Speaker
Inside of my One Cosmos application, and you can call this my Bank of America application, whatever you want, I have verified my driver's license, and that means I've scanned it, I've matched my face, I've done all these integrity checks, and now I'm in charge of it, so One Cosmos doesn't have it.
00:37:44
Speaker
My employer doesn't have it, whatever, I have it. And that's the next wave of identity is letting people take their citizen identity or their, you know, whatever it is, their real world identity and owning it just like you own a driver's license or a passport today and then only presenting it when you need it and with consent and permission.

Passwordless Authentication and Biometrics

00:38:11
Speaker
There's a couple of names for this technology. It's called the like singles or a self-sovereign identity is one of the terms or user managed or user controlled identity. And it's really the same as when you go to the airport and you present your passport, you're in control of that. They can't take that out of your pocket and see it. And so that's the next wave in digital identity that One Cosmos is pioneering. What is the One Cosmos product? Help me understand that.
00:38:41
Speaker
Yeah, we call the platform Block ID. And the reason the word block is in there is because we use some of the best parts of blockchain technology to keep everything safe and secure. But the technology really revolves around a few simple concepts. So let's say, have you opened a bank account or a crypto account in the last five years? Yeah, bank account. Bank account, okay. You had to prove to the bank who you are.
00:39:10
Speaker
The old way of doing that in the United States is type in your social security number, your national ID number, your address, your phone number, waiting a few days, maybe getting rejected, or maybe you have to go into the branch. It's very painful for both the company and for the person. So what we do is we say, sit at home, scan your documents, and digitally transmit them to the bank.
00:39:40
Speaker
And that concept is called identity proofing. I'm proving my identity, identity verification, and that's a multi-billion dollar industry. So we do that. We do it really well. We do it in a way then where when you proof who you are, you keep it and you save it for yourself. And there's, there's a couple other companies that do that as well. Then we can turn this strong identity into a passwordless
00:40:11
Speaker
experience. So, uh, have you heard the term passwordless, uh, getting popular anywhere? Is that ringing? Yep. Yep. Yep. Yep. Yeah, it is. Yeah. So passwordless. What does that mean? I log in without a password. It's that simple. And the way you do it typically is using a biometric. Biometric can be your face, your, uh, thumb, maybe a retina, you know, or even your voice.
00:40:38
Speaker
And so that's a game changer. And the reason we can do that now, but we couldn't do it really 10 years ago, is because biometrics are everywhere now. You have a camera on every device, billions of cameras that have been consumerized by first Blackberry and then Apple and Google. And so now I can look you in the face anytime and say, is this you?
00:41:05
Speaker
And that's really what's allowing passwordless. There's two technologies that are allowing passwordless to get popular. It's that, your face, your thumb, whatever, and a secret.
00:41:17
Speaker
All right, so this is like a cryptography thing, right? Where I can put a secret key and keep it somewhere safe that only I can get to it. And that secret place is an Apple key chain or your Google security area on your phone. And of course, Windows and Mac, they have it as well. Or there's even, like this here, this is a little device, a USB device that I can plug into, that's a secret key. So this,
00:41:46
Speaker
Plus my face allows me to log in anywhere without even really touching the keyboard. That's passwordless. And there's lots of different flavors, but that's kind of the gist. Okay, okay. Is there a reason why Apple ditched fingerprints? And only Apple has ditched fingerprints on phones, right? Like nobody else has. Well, I think the Androids do too. I have a Galaxy S10 that does a thumbprint reader.
00:42:13
Speaker
Yeah. And actually my windows, my Mac laptop has a thumbprint reader. So they're getting popular and I think people are getting very comfortable with using them. There's thumbprint and face scanners in cars now. You can just unlock your car by walking up to it with your face.
00:42:33
Speaker
I was asking that Apple is focused more on face scan as opposed to thumbprint. Most Android devices are still on thumbprint. Is there a relative advantage of one approach versus other?
00:42:49
Speaker
Um, I think the face, the way Apple's done it is, is really neat because they're using LiDAR. They're using like a form of, it's not just the camera, but they're using, they can tell the depth of my, my eyes and all this stuff. Um, so it's very accurate. It's fast. It works in the dark. So that's probably, they've just gotten really good at it.
00:43:13
Speaker
and getting people comfortable with it. You need hardware to have a strong face identity system, and Apple obviously has hardware in place. So that's why they can go all in on face. Got it. Interesting. Exactly. So you said that through, essentially, you can first create an identity. And with that identity on your phone, you can now do passwordless login to systems using one Cosmos.
00:43:43
Speaker
That's right. Yeah. There's a couple of ways to do it. So, uh, I'll walk through three examples. Normally you go to a computer system, like your remote access or your login to your bank and it's username, password you'd enter. And then you go fetch a code or your, your app jingles and you say, okay, what we can do is we can display a QR code and you scan the QR code, scan your face and you're in at about two seconds.
00:44:14
Speaker
And there's a couple of advantages to that. First of all, it's so easy, right? We all know how to scan QR codes now because of COVID and menus, right? You scan a menu, right? The second is it's phishing resistant. So phishing, pH, right? Not with an F. For those that don't know what phishing is, it's somebody trying to steal your credentials. So they'll call you up or they'll send you an email with a link. They want you to click it and they'll steal your information.
00:44:44
Speaker
Because I'm reaching out and initiating here and scanning, it's much harder for a bad person to get into this loop, right? Yeah. Well, that's phishing resistant. Passwordless, if done right, is phishing resistant. And that's great, excuse me, because the bad guys know how to phish really well, right? The MGM hack that shut down the casinos a couple of weeks ago was some sophisticated phishing.
00:45:11
Speaker
So in a phishing attack, essentially, they'll create a replica website of a website where you normally log in. And if you're not careful, you will just enter your username and password and click on log in. There might be like a minor change in the spelling of the domain, et cetera, so that you don't realize it. And that's how they get your password. And then they can misuse your password.
00:45:34
Speaker
Exactly, exactly. And using the QR scanning, then there is no way that I mean, the whole ability to do that gets eliminated then. Yeah, because there's nothing for them to go get. I just got one today from the
00:45:51
Speaker
USPS, it said, your package could not be delivered. Click here to fix it. And they were trying to get all my information. And it's very well done. Their websites are amazing. Now, if I knew that, if I knew that every time I log into USPS, I have a certain procedure. I have passwordless. I'd look at that and be like, I can't even log in. I have nothing to give you. For example, one cosmos, I don't have a one cosmos username and password. There's nothing to phish.
00:46:20
Speaker
So when I go to log into my mail, if somebody, I'm sorry, you cannot log in as me, unless you have my face and my authenticator on my phone, right? So that's a real game changer from a security perspective. Okay. So, okay. Now you have this app for consumers to prove their identity.
00:46:47
Speaker
What are the businesses who are currently accepting this as a way for you to log in? I mean, there are two pieces of this puzzle that you need to solve, right? You need to have consumers give them a way to prove their identity, and then you need to have businesses use this as a way to allow consumers to log in. So what's happening on the business side? Yeah, so you don't need to prove who you are everywhere.
00:47:14
Speaker
For example, Amazon, they've never asked me for my driver's license. All they care about is I pay my bills with my credit card, and they ship me products. It's amazing.
00:47:24
Speaker
So for them, they're sort of passwordless, right? Because when I log in once, it stays, I don't know how they know who I am, but they're always there. But a lot of organizations now will pop up when I log in, username, password, they'll pop up and say, would you like to go passwordless? I say yes.
00:47:44
Speaker
And then my iPhone or my Windows will just pop up and say, scan your face or scan your finger. And that's what you'll do going forward. So there's an industry standard that's getting really popular. It's called FIDO. Like Fido the dog, we have a common dog name over here, I guess. It stands for Fast Identity Online. It's a nonprofit. It was formed in 2013.
00:48:13
Speaker
And all the big tech companies and companies like OneCosmos are in there saying, we're going to help the whole world get rid of passwords. And so there's a standard. And so now FIDO is built into every device you use. It's in your iPhone, your Android, your Chrome, your Safari, your Firefox. And so what you're seeing is when you log into your existing bank or merchant, it pops up and says, would you like to go passwordless? And what are you going to say, yes or no?
00:48:40
Speaker
Obviously, yes. You're going to say yes. And so you're going to see this happening over and over again with more websites where they say, let's get rid of passwords. In fact, there's a FIDO conference going on right now up in California where all the tech people are talking about this. And because Apple, Google, and Microsoft are heavily invested, it will happen. So that's exciting because it means there is a future for us to get rid of passwords.
00:49:12
Speaker
So, I mean, what's one cosmos doing in the FIDO ecosystem? And I mean, isn't FIDO in a way replacing one cosmos? Like you're saying that FIDO will allow companies to directly scan consumers. Why would they need a one cosmos app then? A couple of reasons. FIDO right now is
00:49:37
Speaker
all about the passwordless part, but it doesn't have identity built into it. So in that example, username, password, would you like to enable FIDO? I didn't really prove who I was there. So a bad guy has my username and password, they can turn on FIDO. What one Cosmos says is, turn on FIDO if you have a verified identity.
00:50:02
Speaker
And again, you don't need to do that for ordering a $2 razor, but for doing banking, you want verified identity, or more really good at verified identity. And the other reason is, there's a lot of devil in the details on how you do FIDO.
00:50:19
Speaker
It's not just press a button and it's magic inside of your application. So we provide a very flexible framework where you can do FIDO in certain ways. So enterprises don't want to just trust Apple or Google with their, it's going back to that other example we had. They want to put very strict controls on their system login.
00:50:40
Speaker
before you log into, you know, your Tesla, you want to know that it's that person. So we bring a lot of higher levels of security to the FIDO experience, whether it's FIDO or it's not FIDO. So how do you prove that, like I said, that... There's a number of different ways. In the United States, we have a standard.
00:51:10
Speaker
Our standards government organization is called NIST, the National Institution for Standards and Technologies. And so they have a rule set of guidelines where you say, here's how you prove who somebody is. You scan their credential, you match their face, and you verify their identity in the databases.

OneCosmos Business Model and Adoption

00:51:33
Speaker
So for example, I have to prove I live at 123 Main Street.
00:51:37
Speaker
So we have built products that follow that standard. In Europe, you have a standard called eIDAS. You have a similar standard in UK and many parts of the world. So that's one way you prove identity is following the standard for document proofing identity verification. The other way that can be a little easier is just verifying your phone.
00:52:04
Speaker
In some countries, you have to prove identity before you get a phone number. You've probably had the same cell phone number for many, many years, right? If I can prove you have your phone, I can prove that you are who you are. Another way, just as easy, is prove that you have a bank account.
00:52:25
Speaker
Why? Because bank accounts are subject to money laundering checks, anti-terrorism, all those things. Know your customer norms. Know your customer, right. And so we have all these different ways and you might want to just gently ask your customers to do these things because
00:52:44
Speaker
The big fear is friction. If you create friction when you're logging in and doing something, they're going to go to the competitor. So we've gotten really good at gently asking users to prove who they are in a way they're like, no problem. I really want to complete this transaction. So let's just verify your phone number. You don't have to bother scanning your driver's license. However,
00:53:07
Speaker
You're going to scan, you're going to move a hundred thousand dollars or change the routing number on your account. You know what? We need your driver's license. We need your passport, right? So we've created those custom rules in the platform that make it really easy. What are the businesses we're using when customers and I assume you monetize through businesses, right? Like there's not a consumer product.
00:53:29
Speaker
Yeah, we have a good number of Fortune 100 banks that use the platform for their employees to get rid of passwords, because passwords let the bad guys in.
00:53:43
Speaker
So an example would be one of the largest asset managers in the world uses our platform to log into remote access, right? So they log in from home and then they log into their windows or their Mac with our technology because all they have to do is just press a button and scan their face. It's an amazing user experience. It keeps the bad guys out. In the consumer world, we have one of the largest banks in India.
00:54:10
Speaker
that uses it to authenticate their banking consumers and their employees. It's kind of neat because they're using identity for both. We've served one of the largest telco operators in the world, Verizon, uses our product to create something called Verizon Identity. So it really, there's no limit to the type of company that needs better identity, right? Because it's so broken.
00:54:40
Speaker
And so we don't really limit ourselves to any particular vertical or industry. So is this like you said a bank in India uses it. Would the bank ask consumers to download the One Cosmos app or is it like a white label solution that you've built for them? So consumers don't know that there is a One Cosmos which is powering the technology. We support three models.
00:55:09
Speaker
You can go get the One Cosmos Block ID app and just use it. And some organizations do that, especially those that are doing it for their employees, because they don't want to manage an app. In the consumer world, it's more common for organizations to get our SDK, our software develop our
00:55:30
Speaker
programmers libraries and build them into their existing app. So when you go, you know, an example would be if you go to the Amazon app and Amazon wants to prove who you are, then they call our library and our library does the identity verification part.
00:55:48
Speaker
So that's the second model. And the third is they can call our APIs, right? So they can just reach out to us and ask questions and say, could you just go verify them and tell us yes or no? And so we support a very flexible, we call it developer friendly journey for people to embed this into their existing applications.
00:56:09
Speaker
Okay. And the business space per identity verified or something like that. How do you monetize? There's a couple of ways.
00:56:22
Speaker
First of all, the price of it, it's priceless, right? Sorry, I could help. That's like a MasterCard joke. So you typically, there's two ways. It could be transactional. I need to prove who you are one time and then they save it. And that's usually only done once or twice over a couple of years.
00:56:45
Speaker
And then the other is per user per year, per month, because they're constantly using the system, right? How many times a day do you log into your computer? 20. So we'll charge, you know, X dollars per user per month, and they get lots of benefits from that. So for an organization which is using this for their employees, you would in a way be replacing Okta.
00:57:10
Speaker
No, Okta does single sign on and they do it really well. And they do some passwordless too. So there's a little bit of competitive nature of our product versus Okta or Microsoft. But again, they don't do the operating system.
00:57:26
Speaker
Microsoft and Okta don't let you go passwordless into Mac, right? Microsoft does some windows, but they don't do remote windows machines, right? So it leaves still a lot of opportunity where we, the way we think about it is Okta, Microsoft, they're here and they have all their applications and they do that really well, right? They've been doing that for 15 years and Microsoft for 40.
00:57:52
Speaker
We sit up here and we say, let's prove who this is. And so Microsoft is gonna let you into this system right here, but it's a high security system. So let's go have one cosmos verify their identity because we don't do that, right? And so that's a very nuanced difference between the single sign on and the identity provider that we are up top.

Global Digital Identity Integration

00:58:18
Speaker
So you, like, how do you do the operating system part of it? Like, you know, that I cannot log into my laptop without using one Cosmos. If I'm working for a company which has adopted this, how does that happen? So if you're using our technology to log into Windows or Mac,
00:58:41
Speaker
When you go to the login screen, you see username, password, and we put a little button on the side that says login with passwordless. Okay. So we put a little piece of software on the operating system. Okay. And this is like, Microsoft has worked with you for this, or you've created somewhere in which you don't need to work with Microsoft to put in that button.
00:59:08
Speaker
Yeah, we create the software, Microsoft, they digitally sign it, they authorize us to put it out there, and they do that for lots of providers. So there is a, you know, you can't just have anybody writing software for Microsoft, right? Yeah, there's a permission model. Okay, okay, okay, got it, got it, okay. Interesting.
00:59:32
Speaker
I'm wondering for a country like India where, you know, Aadhaar, which is your offline identity, is also increasingly becoming your online identity. And India has this DigiLocker app through which you can have a digital Aadhaar. And, you know, so would that not be what you're trying to do? Like, it's similar, you know, so
01:00:00
Speaker
This problem exists in every country. They don't have a digital presence. In fact, Aadhaar is one of the best in the world in terms of its exposure and its scope, right? It's just, it's ubiquitous, right?
01:00:16
Speaker
But we have tried scanning Aadhaar cards and we do it well, but people laminate them and they're not very high quality, right? And then you get reflections. But what we would do is be able to read the Aadhaar card and use that as one source of truth. So in that digital wallet that I showed you, I can simply have my verified Aadhaar right there. And then I can transmit that to somebody.
01:00:46
Speaker
And I know there's, again, a bit of a competitive nature because Aadhaar is allowing banks to log in with your Aadhaar card, right? You mentioned the digital locker, but it's complex. There's people complaining about limited access and registration restrictions. So it may only cover a fraction of the population.
01:01:07
Speaker
If we can do Aadhaar and everything else, it allows an organization to be more flexible. It's kind of similar to what you were saying, why doesn't somebody just use Google or Microsoft? Because we create other paths, options, exception processes for when it doesn't work. Okay, well, let's just try, maybe let's use their passport.
01:01:28
Speaker
Is there an India driver's license as well as an Aadhaar? Yes, there is. So we could possibly consume that and give you more options and flexibility.

Growth and Entrepreneurial Insights

01:01:41
Speaker
Tell me about the revenue journey. What kind of revenues are you currently at?
01:01:47
Speaker
help me understand a little bit about the customer acquisition journey, what were the early wins over there and just taking through that a little bit. Yeah, I think we've been really lucky. They say timing is everything when it comes to startups or being successful. Another popular book is Malcolm Gladwell's Tipping Point.
01:02:16
Speaker
where he talks about Bill Gates happened to be at the right place the right time, had access to a mainframe, and that just created this whole world for him, right? Same thing with Steve Jobs. And so we were lucky that we latched on to identity proofing and authentication very early. Lots of companies do authentication. We're seeing now our competitors
01:02:38
Speaker
They only did authentication and passwordless say, oh my goodness, we really got to go do some of that identity verification stuff now. And they're just starting now. One of our biggest competitors just started doing that last month. So we're at the right place, right time. And we've been on an amazing growth trajectory because of that.
01:03:00
Speaker
And so I can't give specific numbers on this call without talking to the legal powers that be. But the model that you want for maximum fundraising and valuation is something called a triple, triple, double, double.
01:03:15
Speaker
In your early years, you want to triple your growth for two years. So if you make a million dollars your first year, you want to make 3 million, and then you want to make 6 million. It's a very hard thing to do. That's a lot of growth. Think about it. You just made a million dollars, you got to make 3 next year. And then people are realistic because you can't just triple forever. I mean, some companies do it.
01:03:44
Speaker
maybe OpenAI or something, then you double. So then you go from six to 12 and 12 to 24, just again, as an example.
01:03:52
Speaker
And we've been fortunate to be on that trajectory and have a great set of venture capital companies join us on that journey. So our VCs, you can go find them on Crunchbase, are ForgePoint Capital and Google Tech Adventures and Nextera Energy and companies like that. So we've been really lucky. It doesn't help that we had successful founders that have done it before, right? So it's a combination of a couple of different things.
01:04:18
Speaker
But when would you cross, let's say, a 10 million ARR?
01:04:24
Speaker
Yeah, already there. I mean, that's amazing. OK, amazing. And what's your plan for India? Like, you know, do you see that the one cosmos name by itself getting recognition in India by virtue of, you know, like where companies are asking people to use one cosmos to sign in or like, you know, what do you think the Indian market is going to be like?
01:04:50
Speaker
Yeah, India is a great market for us because my founder, Hemen Vimadalal, is from Bombay. He doesn't let me say Mumbai, by the way.
01:05:07
Speaker
So we have a very strong presence there and strong developments. So we've been there since the beginning. And we have some great partners there like Hitachi Microsystem sells our products throughout India and the Asia Pacific region. And what's really helped is the Reserve Bank of India.
01:05:26
Speaker
passed the RBI Act in 2018 that says, here's some security guidelines. And so everyone went scrambling to say, oh, we need multi-factor. And we happened, again, to be right place, right time. And that's really opened up the India market for us. So we're very optimistic about our growth rates in India. Are you at liberty to tell me which bank it is that's using one cosmos?
01:05:54
Speaker
No, not the banks because they're really, they don't want anybody knowing the technology so we have very specific non-disclosure. But I will, there's one testimonial that's public out there from Vodafone India. It's called Vodafone Idea, right? There's a merger between the two companies.
01:06:12
Speaker
Um, we had a really great success story there and their CISO put out a, uh, kind of a public thank you to one cosmos because we helped him solve some real security challenges that he was wrestling with. And, um, so that testimonial has been made. And this is for the employee login.
01:06:30
Speaker
That's right. OK, OK, OK, interesting. So, you know, just to like wrap up our conversation, what are like some of the lessons that you can share with people who are aspiring to be founders and build businesses?
01:06:46
Speaker
Yeah, there's a couple. There's the exposure, right? So when you start a company, if you sit there in your bunker and you just write code and try to sell it to a couple people, you don't have the exposure. And so there's
01:07:03
Speaker
The challenge of you can make a great product that solves a great set of problems, but you don't have what's called scale. How do you then sell it to the first million dollars or million people? In order to do that, one of the most important parts of any company is marketing.
01:07:25
Speaker
That's one thing that I've really come to appreciate being here at One Cosmos and Hemen is a marketing junkie. And I geek out on marketing technologies like demand generation and creating a great website and just learning how to engage with people in different ways. And so those are really important for any startup and it's just setting the right corporate culture out of the gate as well.
01:07:51
Speaker
And that brings us to the end of this conversation. I want to ask you for a favor now. Did you like listening to the show? I'd love to hear your feedback about it. Do you have your own startup ideas? I'd love to hear them. Do you have questions for any of the guests that you heard about in the show? I'd love to get your questions and pass them on to the guests. Write to me at ad at the podium dot in that's ad at T H E P O D I U M dot in.