
Unlocking the Future: Descope’s Co-Founder On How Passwordless Authentication Is Revolutionizing Identity Management
Expert Insights Interviews Rishi Bhargava, Co-Founder of Descope.

Threats against our digital identities are constantly evolving. The best way for organizations to ensure their users are protected is to implement robust, user-friendly identity and access management controls.
In this episode of the Expert Insights podcast, we delve deep into the topic of Customer Identity and Access Management (CIAM) with Rishi Bhargava, co-founder of Descope. In this compelling conversation, we unlock the complexities of passwordless authentication and the transformative potential of AI in reshaping user experiences and security landscapes.
Whether you’re a developer, business leader, or tech enthusiast, this conversation is packed with insights that could redefine your approach to digital identity and security.
Listen here, or read the full transcript below.
Joel Witts: Hello everyone. Welcome to the Expert Insights Podcast. Thank you very much for tuning in. I’m your host, Joel Witts. I’ve got Rishi Bhargava with me today, the co-founder at Descope, a leading Customer Identity and Access Management provider. With account takeover attacks on the rise and new technologies like passkeys slowly starting to roll out for consumer applications, there’s been a big focus recently in the cybersecurity space on identity, access management, and customer identity in particular. So, Rishi, it’s great to have you on the show. Thanks very much for joining us today.
Rishi Bhargava: I’m very excited to be here, Joel. Thanks for having me.
Joel Witts: We have a lot to cover across the customer identity and access management space, but it would be great to start by hearing a bit about your background, Rishi. I know with Demisto and Palo Alto Networks, you’ve had a really exciting career in the cybersecurity world. It’d be great to hear about how you got into it, how you got into the identity space, and what the story is behind co-founding Descope.
Rishi Bhargava: Yeah, absolutely. I think the story is like, since my first job, I have been in cybersecurity. In my first job, when everybody was doing networking or a dot com company in the early 2000s, I picked up the infrastructure side on the networking side. Right after that, in 2003, I started in cybersecurity. So, lots and lots of cybersecurity experience from endpoint security to database security to server-side, then with Demisto, it was all about security operations centers. A variety of experiences. Demisto had an amazing run, got acquired by Palo Alto Networks, and I spent three years there.
Coming to the Descope story, when we started Descope with the same founding team from Demisto, the question we asked wasn’t like waking up one morning with a brilliant idea; that’s not who we are. We thought about what the big cybersecurity challenge was, what was a problem that was very big and had been around for a long time. The obvious one that came to mind was passwords. If you think about it, passwords are the number one problem that has existed, both from a user friction challenge and a security challenge, across the board for consumers and businesses—compromised passwords.
That’s what started it. So, we started by wanting to create a passwordless world. What does it take to create a passwordless world? That’s how we started. It wasn’t really customer identity at first. With the mission in mind to create a passwordless world, we decided the best way was to enable developers to remove passwords from their applications. That’s the biggest impact, right?
Workforce passwordless is a thing, but the biggest impact from removing passwords is to enable every application out there, from a consumer application like GoFundMe to a business application like Databricks, to offer passwordless experiences across the board. That’s how Descope got started, with that mission in mind.
Joel Witts: Fantastic. And I suppose to take a kind of high-level question to get us going, what is customer identity and access management, which I suppose is the extension of that passwordless mission for Descope? Why does it matter, and what problems does it solve for businesses and consumers as well?
Rishi Bhargava: Yeah, I think this is one of those things where any site you go to, whether it’s a business application like Salesforce or HubSpot in your daily work, GitHub if you’re a developer, or consumer sites like shopping sites from Home Depot to Wayfair to Macy’s, everybody has a login. That login button is what customer identity and access management (CIAM) is all about. On the surface, it looks like a login box. How difficult could it be? But behind that, a lot goes on because the purpose of this login box is to keep the bad guys out. The second purpose it serves should be to let the good guys in—and really fast. In an ideal world, if we could figure it out, it should be invisible to the good folks and a big barrier to the bad folks. That’s the goal of CIAM.
Think about the impact it could have, like if you never had to log into anything if you are a legitimate user, and then everyone who doesn’t belong is blocked. That’s the goal—that’s like the Holy Grail of CIAM. Now behind that login box, a lot goes on. To keep the bad guys out, how do you prevent account takeover attacks, compromised credentials, protect against bots, and detect multiple failed login attempts and block them?
On the good side, when a user logs in or creates an account, how do you make the signup process seamless? If the user returns to the website, can you detect that they are the same user and let them in right away, or ask the minimal questions needed? How do you connect that identity to all internal systems within an e-commerce world? So that’s the point; the login box is the CIAM, whether it’s B2C or B2B, but all of the stuff behind it, like single sign-on, connecting to Google, connecting to Facebook, is what we enable.
Joel Witts: And I wanted to get a snapshot from you of what the threat landscape looks like. Obviously, the challenge around passwords, weak passwords, compromised passwords, and phishing have been around for a long time, and those challenges are still difficult to solve. Like you say, the problem is simple, and the objective is clear, but getting there is a real challenge. So what’s the state of the identity threat landscape today? And what impact are technologies like AI having on things like phishing and account takeover?
Rishi Bhargava: Yes, even before we get into the AI side, as you asked about the threat landscape, it’s actually very complex when it comes to identity. On the surface, let’s cover the simple but prevalent issues. We started with the story about passwords. The number one challenge is still people reusing their passwords.
These passwords get stolen and published on sites like Pastebin or other websites, and attackers will take those passwords and try them on other websites to log in. If people use a password manager, they’ll often see notifications about compromised passwords and identities. Passwords get stolen all the time; that’s the simplest and most common problem. But then it becomes more complex, with automated bot-related account creation. Attackers will try to create accounts on behalf of a user after compromising their email or phone.
Account takeover attacks with phishing are another concern. A recent example where we’re helping customers involves attackers standing up a phishing site that looks exactly like the original site. They try to fake the login, send it to a user, and then the user logs in. You might have signed up for MFA on the original site, but if the MFA is SMS OTP, you receive an SMS thinking you’re logging into the proper site, enter the SMS, and the attacker gets access. It’s a simple attack to execute. Setting up a site that looks like another, with a similar domain, can easily compromise users.
Attackers always innovate. We thought MFA solved the problem, but not really. SMS as an MFA is the number one method and can be easily compromised with phishing. What we have seen is a very clear indication that the attack landscape continues to expand, and organizations need to invest in phishing-resistant MFA and passwordless methods.
Now, coming to AI, that’s a whole new world, Joel. Think about it this way: The AI is being designed to act like a human and do every task that a human can do, which means it can bypass those “I’m not a robot” checks. AI can guess that. It’s a small yet impactful example of what’s to come.
The AI bot can act like a human and get past all of those checks. But it’s even more interesting. In the world of legitimate use cases, bots may want to log in on a user’s behalf. For instance, if I have a copilot or an assistant, I want them to do tasks on my behalf but not using my identity or login.
So how do we enable this new ecosystem where an AI copilot can perform tasks on my behalf—do shopping, work tasks, log into Excel sheets and update them—but they should be distinct from me? It’s my alter ego or identity associated with me, but not exactly my identity. How does that login experience work? That’s going to be a fun challenge in terms of how this landscape will change. Identity, as I said, should be invisible. But how do we empower this new world of AI is going to be the big question.
Joel Witts: Yeah, absolutely. So, the threats are really a mix of social engineering, where the customer themselves is susceptible to phishing. Technologies like MFA can only go so far because if you can trick the user, you can get that MFA token from them. But there are also bigger threats behind the scenes that users don’t think about but can still impact the security of their accounts. As AI gets better at impersonating people, including fictitious ones, we’re hearing about these threats with fake employees and deepfaked employees signing up to companies and making accounts with banks. Is that something that also fits into the customer identity and access management workflow?
Rishi Bhargava: Yeah, absolutely. Either directly or indirectly, it does. If you look at the customer identity landscape, there’s an adjacent field called identity verification. Customer identity primarily focuses on login, signup, and MFA experiences. When you sign up for the first time with whatever digital credentials you’re creating, that’s when you need to prove you are really who you say you are. So identity verification is an adjacent field, but at the same time, it’s being impacted by AI quite a lot as well, like with deepfakes. Even if I do verification of your picture and your license or passport, it’s like, is it really Joel on the video? Am I really talking to Joel?
Being in the security world, I’ve seen some really interesting attacks. One recent attack involved a Zoom call set up with the CFO of a very large company. A deep fake of the CEO was played on Zoom, instructing the CFO to wire $25,000 urgently, with a promise to send an email for confirmation. The CFO believed it was a live person, and after the call, they received the email and almost carried out the actions. Imagine receiving a video call from your boss asking for something urgent, saying they’re calling to ensure it’s not spam, and then instructing you to do something before abruptly hanging up.
Joel Witts: That’s terrifying. It does make you think about doing calls like this and how much information you might be giving away. I want to move on to how businesses and users can protect themselves from these threats. For businesses building out secure authentication workflows and executing a successful CIAM strategy, what are some of the challenges and roadblocks you hear about?
Rishi Bhargava: I think the most common challenge is moving from existing infrastructure and processes that hold them back. It’s important to define your CIAM strategy and chart the path from where you are to where you want to be. Consider the business benefits—beyond just security. For instance, a retailer could see significant business improvements by increasing website visitor conversion by as little as 1% through passwordless login experiences with biometrics or social login. Define your business goals, the benefits of CIAM, the security improvements, and what roadblocks are holding you back. Plan how to address these challenges.
Additionally, always consider security and experience at all stages. People often trade off between security and user experience, but you can aim to enhance both. For example, a good MFA choice can improve both security and user experience. Implementing options like passkeys, Face ID, or Touch ID as MFA can secure the system and provide a better user experience. Changing the conversation from choosing between security and experience to achieving both is crucial.
Joel Witts: Yeah. And I suppose passwordless authentication is one of the prime examples where you can remove the friction of having to remember and rotate complex passwords, making the process smoother and more secure. I wanted to explore that a bit more because when you tell an end user, maybe someone not familiar with the security space, that you’re going to take away their password and it will be more secure, they might wonder how that works. So, what are the benefits of passwordless authentication?
Rishi Bhargava: The best way to explain passwordless authentication is by comparing it to what’s known as knowledge-based authentication, which is something you know, like a password. There are other methods to identify or authenticate yourself, like something you have or something you are. For example, something you have could be a phone in your possession. Something you are could be a biometric, like Touch ID or Face ID.
Passwordless authentication, such as a passkey, works from your device—your laptop or phone—and involves both something you have and something you are. It unlocks only with your biometric, which is something you are, and you need to possess the phone, which is something you have. So even if your phone gets stolen, it can’t be unlocked. And if someone manages to fake your biometric, they would still need the device. It acts as a two-factor authentication by itself.
This is a significant benefit over knowledge-based authentication, where you need to remember, write down, or rotate passwords if they get compromised. In contrast, the elements in passwordless authentication are much harder to steal. For users, a practical approach is using login options like “Login with Google,” “Login with Facebook,” or “Login with Apple.”
Initially, as a security enthusiast, you might worry that a compromise on Google means you’re doomed. However, even if that were the case, a username and password wouldn’t help much because they could reset your password using your Google email. With “Login with Google,” “Login with Facebook,” or “Login with Apple,” you have a more seamless experience and enhanced security, given that these companies are doing a commendable job in protecting accounts. Social login provides a secure, frictionless login method. It’s way more secure as well.
Those are some tips to think about. In general, most passwordless methods, in fact, I’d argue all passwordless methods, are at the same level or more secure than password-based authentication. Eventually, if you need to change a password, you’d use one of these passwordless methods, which is typically the least secure path, so you’re more secure anyway.
Joel Witts: Yeah. Okay. That makes a lot of sense. Moving onto the passkey side, we’re starting to see big authentication providers like Google, Microsoft, and Apple moving toward passkeys. What are your thoughts on that transition towards passkeys? Do you think it really represents the future of authentication and could replace legacy passwords? How is this factoring into the business case with customer identity and access management? Is this where you see the market moving, or is there more to come?
Rishi Bhargava: A few things from my perspective—passkeys are absolutely the future. These large providers like Google, Microsoft, and Apple are doing an amazing job enabling the ecosystem. If you ask me, the world is moving slower towards this direction than I would like. We should move faster, but that’s the state of things. Infrastructure and current processes often hold us back. Passkeys offer better experience and security, both of which align very well.
When planning a migration to passkeys, it’s important to have thoughtful goals in mind. Consider the business and security objectives and how they will be improved. An area that needs continued improvement is cross-platform compatibility—how a passkey on an Apple device works with Google Chrome, for instance. This year has seen progress, with large retailers and banks adopting passkeys, but it’s still early. I still see passkeys as an alternate method rather than the primary one, which is fine because it will take time to have a truly passwordless world. But I’m hopeful we are moving in the right direction.
Joel Witts: In terms of developers, businesses, or even individuals who are building apps with these AI tools, we’re seeing loads of apps spin up that require these kinds of authentication flows. What advice would you give? What’s the action point someone could take away from this interview to create a more secure authentication process for their app and build a successful IAM strategy?
Rishi Bhargava: The simplest advice, although it might seem self-serving, is not to build your own. The build versus buy debate is the number one challenge I see. I recently posted about this on LinkedIn, and it’s a common dilemma business leaders face.
Why am I saying building your own isn’t the best option? It ties back to everything we discussed in the last 25 minutes.
The world of identity and authentication is far more complex than it appears behind a login box. It’s easy to see a login box and think, “Google login is easy to create. Here’s the sample code; I should just copy and go with that.” But as your organization evolves, the requirements become more complex. New authentication methods need to be added, and security threats grow in severity, so you’ll constantly be playing catch-up. The cost of maintaining your solution will be higher, and you’ll never achieve the security you could with a dedicated solution.
It’s a significant risk. I tell every customer, “You are not a snowflake.” It may feel like you are due to various reasons, but that’s usually just because you haven’t evaluated the requirements objectively. So, my number one advice to app builders is to go in with an open mind. Don’t just assume building is the right path. In the long run, it will not be low cost, more secure, or provide a better experience.
The only scenario where it makes sense to build your own is if you’re truly a hyperscaler—a cloud provider like Google. In that case, owning the solution makes sense. Starting out is not the place to build your own IAM solution.
Joel Witts: That makes a lot of sense. And yes, very helpful advice there. It ties in quite nicely with talking about Descope and your approach to CIAM, what sets you apart from other solutions, because this is becoming a very competitive market space, isn’t it?
Rishi Bhargava: Yes, it’s hugely competitive. Our philosophy ties in with what we’ve discussed. One of our core values is providing a very flexible environment. Descope isn’t a pre-packaged solution that you deploy and you’re done with. It’s part of your toolkit. My advice to customers is to think of Descope as a toolkit you have. You design your experiences with workflows, and you design your customer experience. You decide which authentication method you want. For instance, if you’re a bank, you might need a very short session timeout, whereas if you’re a retailer, you might have a longer timeout window.
The key takeaway is that Descope can meet you where you are, whether you’re an early startup with simple auth needs or a large Fortune 500 company with complex requirements. Our workflows and visual journeys are tailored to your use case, industry, and user journey. We’re not going to dictate a one-size-fits-all solution. It’s about your environment and your needs. This means your customer’s experience will be exactly how you want it, with top-notch security, without you having to carry the full burden of building this element.
Lastly, there’s the aspect of future-proofing. With our visual workflow approach, you can design your journey in a flexible, customizable manner. When you want to add a new auth method, you simply change the visual workflow, hit save, and the new process is deployed in production without touching the app. The paradigm is to deliver a very customizable experience to our customers, who can then tailor it for their clients. Authentication isn’t static; it evolves with your company, allowing you to tweak security and experiment with user experiences to improve conversion. That’s our philosophy: CIAM should evolve with you.
Can we provide you a platform that grows and evolves with you? That’s what’s unique about Descope. One thing I always emphasize is that we’re all about customer success and catering to customers. If you look at our wins, every customer is referenceable. Within less than a year out of stealth, large brands are already loving the product. Customer success is very important to us.
Joel Witts: Absolutely. As a co-founder of the business, what are your long-term goals for Descope, and how do you see the business growing?
Rishi Bhargava: I’m very excited about the amazing growth ahead. Long-term goals are just to continue this trajectory. Proud moments occur when products like GoFundMe adopt Descope, powering some of the largest causes. Similarly, when a retailer uses us—sometimes I can’t name them—you might realize you logged into a company yesterday through a Descope experience. That’s a proud moment. Our goals include team growth and customer growth. It’s very satisfying, especially with this type of product, to tell my network, my kids, my family, “Go experience it,” and they will see Descope’s impact.
Joel Witts: Fantastic. It’s unique as a security co-founder to have something visible to the end user. This has been a fantastic conversation—really interesting. I wanted to ask one final question: What excites you about the future of customer identity and access management? What makes you think the future will be incredibly exciting, and what impact do you think AI will have more broadly? Maybe the two are tied together, maybe not.
Rishi Bhargava: Yeah, they’re absolutely tied. What excites me about customer identity is that we’re in a very unique spot—the whole industry, not just Descope. We have the opportunity to enable businesses while providing better security. Few technologies offer both promises. Done right, we can impact business and security at the same time and enable amazing experiences. One of our early investors asked, “Why is this a billion-dollar problem?” I said, it’s not a billion-dollar problem; it’s a billion people problem. We can truly affect the experience of everyone out there.
Regarding AI, I believe that eventually, all of us will have copilots. It’s nearly there. I’m already starting to use several copilots at work. While I haven’t done much on the consumer side yet, I believe we’ll see more soon. We need to build the right infrastructure for this, as we can’t retrofit it. If an AI agent has your identity and malfunctions or goes rogue, you won’t know and won’t be able to defend against it. You need the right controls, such as the agent asking permission from the user before taking actions. These controls need to be built from the ground up right now. Delivering the right experiences and evolving them as the world moves to AI agents must include the right security controls.
Joel Witts: Absolutely. Rishi, thank you again so much for joining us on the podcast today. It’s been great having you.
Rishi Bhargava: Same here. Exciting conversations, and I’m very excited about bringing this new future.
Joel Witts: Fantastic. Thank you everyone for listening. If you enjoyed this episode, please make sure to follow us on LinkedIn and subscribe to the Expert Insights Podcast for more interviews with other leading cybersecurity experts. Thank you so much, and see you soon.