In this interview, Rishi Bhargava answers our questions about Descope, an authentication and user management platform. Rishi was VP of Product Strategy at Palo Alto Networks, which he joined via the acquisition of Demisto, another company that he co-founded. Prior to Demisto, he was VP and GM of the Datacenter Group at Intel Security.
What is Descope? What exactly does Descope do? And what is your role in the company?
My name is Rishi Bhargava and I am a co-founder of Descope. Descope was founded in April 2022 and just launched from stealth on February 15, 2023. Descope is a comprehensive authentication and user management platform that enables developers to easily add passwordless user journeys to their consumer and business apps with a few lines of code.
How did you come up with the idea of creating a login authentication solution?
The company was founded by eight members of the core team that built Demisto, which was acquired by Palo Alto Networks in March 2019 for $560 million. This team has built multiple companies before and has felt the pain of building authentication and user management in-house. Adding functionalities such as password management, single sign-on, tenant management, roles, permissions, etc. turned into multi-year investments and expended a lot of time and effort.
The other thing our team was sure about was that passwords are bad and need to be phased out of our daily lives. We have seen friends and family members struggle with creating, remembering, and resetting passwords ad infinitum. We are also acutely aware of how bad passwords are for security – being the root cause of the vast majority of cyberattacks.
The team’s vision is to “descope” authentication and user management from every app developer’s daily work so that they can focus on business-critical initiatives without worrying about building, updating, and maintaining authentication. We are also committed to helping apps move past passwords.
What kind of benefits does Descope offer compared to traditional authentication solutions?
The Descope platform helps developers add authentication and user management capabilities to their B2C and B2B applications with a few lines of code. Descope offers different integration flavors based on developer preferences – a no-code workflow builder and screen editor, a set of SDKs, and comprehensive REST APIs.
One of Descope’s core differentiators is Descope Flows, a drag-and-drop workflow editor and screen designer that developers can use to create and customize authentication flows for their applications without writing a single line of code. This greatly speeds up time to market and also makes it easier to modify and update user journey flows with time. These no-code workflows abstract away the complexity of building authentication while still giving app builders control over their UX and UI.
Descope is built on a scalable multi-tenant architecture that can support modern B2B requirements. Descope makes it easy for developers to add single sign-on (SAML SSO), tenant management, roles and permissions, and automated user provisioning to their B2B apps – greatly accelerating their ability to sell to large enterprises.
In addition, Descope was built by a team with decades of security experience that has brought multiple innovations to market. Descope enables app builders to identify risky user signals and add a second authentication factor, stop bot attacks on login pages, and ensure secure session and token management.
Descope supports various authentication methods, including biometrics. Biometrics is currently being used on mobile devices. However, it has still not gained popularity on laptops and PCs. Do you think biometric authentication will become more popular in the future?
Yes, we believe biometrics based on the WebAuthn and FIDO2 standards will gain widespread adoption in the months and years to come. You are right to say that biometrics is prevalent in mobile devices – Mercator estimates that 66% of smartphone owners will use biometrics for authentication by 2024. However, platform authenticators such as Windows Hello, Apple Face ID, and Apple Touch ID are also used on laptops and other devices.
With companies such as Apple, Google, and Microsoft continuing to enable the shift to passwordless authentication with passkeys, we expect biometrics adoption to grow steeply in the near future. However, this has to be accompanied by two things – awareness and developer adoption.
Awareness must increase about FIDO-based biometrics and why they are arguably the most secure and convenient form of authentication available today. There are privacy and spoofing concerns about biometric authentication that do not hold true for FIDO authentication; stakeholders need to be made aware of the same.
Developer adoption of passkeys and biometric authentication needs to increase if these technologies are to achieve true mass adoption. Currently, implementing these methods on an app is not trivial if done by the developers themselves. Resources and enablement that help simplify the implementation of biometric authentication for any app will pave the way forward.
You offer authentication solutions for both consumer-facing applications and business applications. What kind of differences are there between consumer and business authentication processes?
The preferred authentication methods for consumer and business applications tend to be different. For consumer apps, methods such as biometrics, magic links, and one-time passwords are prevalent. For business apps, social logins and SAML SSO are generally preferred.
Looking beyond authentication processes, the requirements and goals for authentication are different for consumer and business applications.
For consumer apps, the goals are to achieve frictionless and secure user onboarding without imposing any cognitive load (like passwords) on users so that they are more likely to return to the application. Consumer app builders are concerned about account takeover fraud and bot attacks as well.
For business apps, the overall authentication and user management process is much more complicated. If a business app wants enterprise customers, it needs capabilities such as tenant management, role-based access control (RBAC), user provisioning and deprovisioning, and SAML single sign-on. This can take engineering teams months, and that’s without considering ongoing maintenance and ad-hoc updates.
In 2022, ransomware attacks were the biggest cybersecurity threat for organizations, and most of them were caused by stolen credentials. Do you think these threats will cause more organizations to prefer to outsource authentication solutions?
There is no question that identity and credential-based attacks dominate the news cycles. Apart from the ever-present risk of ransomware attacks, recent breaches such as PayPal, Norton LifeLock, GoTo, and CircleCI were all due to passwords or session hijacking. Businesses must realize that their applications are only as secure as the identity safeguards built for them.
Passwordless authentication offers a solution, but only if application developers have the tools and resources to apply it. By outsourcing authentication and user management, organizations can easily add secure passwordless authentication into their applications, which can in turn reduce the attack surface and prevent attacks such as credential stuffing, brute force, and account takeover fraud.
You have announced that Descope received $53 million through a seed funding round. How will Descope spend this funding?
The capital will be used to:
- Enhance product capabilities and continued research and development.
- Increase awareness and adoption among the developer community.
- Build and improve compatibility with various web development frameworks and cutting-edge authentication methods.
- Launch and support open-source initiatives around authentication, authorization, and user management.
Is there any change in the management team after the seed funding round?
No.
What are your plans for this year? Which new features should we expect from Descope?
We plan to:
- Expand support to more programming languages and SDKs.
- Add more authentication methods such as WhatsApp and other messaging services.
- Enhance our drag-and-drop workflows to include more parts of the user journey.
- Reprioritize and introduce new features based on feedback from the community.