It has been a busy week at Descope! We recently launched from stealth and announced our developer-first authentication and user management platform. We are especially proud of the strategic investment from Silicon Valley CISO Investments (SVCI), a group of Chief Information Security Officers (CISOs) that operates as an angel investor syndicate.
As a team that has spent decades on the security frontlines, we are thrilled that more than 30 security executives from companies such as Ceridian, Coinbase, Dolby, HashiCorp, McDonald’s, Robert Half, Adobe, and Vercel have chosen to make a personal investment in Descope.
"I've been an early adopter and a happy customer of products the Descope team has built in the past. I know first-hand that this group of people love solving hard technology problems, actively listen to feedback, and are adept at bringing practitioner-friendly innovations to market." – Yaron Levi, CISO at Dolby Technologies.
Our mission is to help every developer build secure, frictionless authentication and user journeys for any application. Let’s delve deeper into our goals for making authentication secure for our customers.
No passwords, fewer problems
There’s no love lost between security practitioners and passwords. Over 80% of basic web attacks in 2022 were attributed to the use of stolen credentials according to the Verizon DBIR. In 2023, we have already seen a litany of credential-based attacks on PayPal, Reddit, CircleCI, and Norton LifeLock. And that’s without mentioning the data breaches at password managers that lend credence to our view that the best password is no password.
Descope enables developers to easily add a variety of passwordless authentication methods to their apps. Whether it’s biometrics and passkeys built on the FIDO2 and WebAuthn standards or longer-standing methods like magic links and one-time passwords, the common thread running through all these authentication methods is that they are safer than just using passwords.
“I’m excited to see how Descope will make it easier for organizations to implement FIDO2 and WebAuthn standards. Traditional credentials should be considered radioactive - used sparingly, frequently rotated, and never stored longer than necessary. With daily breaches becoming the new norm, Descope’s service enables developers to easily add passwordless authentication to their apps, which is great news for security teams that continually respond to password-based attacks.” – Kathy Wang, CISO at Discord.
The vulnerable nature of passwords is no secret, but they also fall short on user experience. Creating and remembering passwords is a pain for users. Instituting password reset processes is a pain for IT and help desk teams. Managing password infrastructure and fraud prevention controls saps time from security teams. Moving to passwordless authentication reduces friction across the board.
“Security and user experience are often engaged in a tug-of-war, which is particularly apparent during user authentication. Descope is rewriting this axiom by helping app developers easily add cutting-edge authentication that is both secure and easy to use.” – Philip Martin, CISO at Coinbase.
Lighten the developer load
User signup and login are the entry gates to any application, making them prime targets for adversaries. It’s understandable if security executives are concerned about ensuring that the dev team hasn’t unintentionally left the door open to identity attacks as they navigate their many priorities.
Descope’s platform takes authentication security responsibilities off developers’ heavy shoulders. There are tons of tiny but important security details that need to be kept in mind while building authentication for an app. Not every developer is an expert in authentication, nor do they have the bandwidth to become one given the ten other projects calling for their attention.
Descope Flows – our no-code authentication approach – simplifies authentication work for developers by abstracting away the implementation details of authentication methods, session management, risk management, and error handling.
Helping app builders visually represent the entire user journey in a no-code workflow also makes it much easier for security teams to review, evaluate, and implement risk controls at the right time.
When in doubt, step-up
Multi-factor authentication (MFA) and biometric authentication are effective added layers of defense from a security and compliance perspective. However, adding them to existing applications can be a challenge for companies that are already stretched in many other directions. Descope helps abstract these implementations for both new and existing apps. If dragging and dropping MFA helps more apps add MFA, we think that can only be good news.
The “when” is as important as the “how” for MFA. It’s vital to request additional authentication factors from users at the right time without adding undue friction to their login process. Descope customers can add conditional steps to their authentication workflows to check for risky user signals (e.g., logging in from a new device or from an unknown location) and only then request further authentication.
"Identity is a core piece of enterprise security. Organizations having to manage the identities of employees, customers, and other stakeholders - often with different authentication methods and security needs - can lead to complexity. I'm excited that the Descope team is rethinking identity and aiming to solve the fragmentation that currently exists in this space." – Maarten Van Horenbeeck, former CISO at ZenDesk.
One thing that developers and security practitioners have in common is that their trust is hard to gain and easy to lose. We have built trust with the security community over the decades and do not take it lightly. We are grateful for the strategic investment from SVCI as a signifier of this trust.
"Trust is paramount if and when a company decides to hand off authentication responsibilities to a third party. The Descope team has decades of security experience at both a strategic and tactical level. They are seasoned enough to see an ambitious vision for the future and humble enough to execute on the vision while ensuring that security is hardwired into every process from Day 0." – Colin Anderson, CISO at Ceridian.
The tasks at hand for us now are to continue building in public, seeking feedback from both the developer and security communities, and ridding the Internet of passwords one app at a time.