Tom Jermoluk: The ‘lightbulb moment’ to eliminate passwords

Tom Jermoluk (TJ) is a serial Silicon Valley investor and inventor leading companies like Silicon Graphics, Netscape, and WebMD. Now, in his role as CEO of Beyond Identity, it is his mission, alongside his long-time business partner and fellow Silicon Valley Giant, Jim Clark, to eliminate passwords. 

How did your collaboration with Jim Clark begin, and why does it work so well? 

My partnership with Jim Clark goes back a long way – 38 years in fact. Our partnership began with 3D graphics and visual effects pioneer Silicon Graphics in the early 1980s, continuing when Jim Clark and I helped ignite the commercial internet with Netscape, the first commercial internet browser and the high-speed cable Internet service provider @Home Networks. It is fair to say we have been together through some significant technological breakthroughs.

Perhaps surprisingly, the original idea and ‘light bulb’ moment for Beyond Identity came about when we were developing technology for a high-end automation company and were met with the challenge of using passwords to turn on a lightbulb. It got us thinking about how the limitations of passwords go far beyond just lighting. 

Jim and I collaborated on this idea of getting rid of passwords by revisiting inherent identity weaknesses that existed from the early days of the web, which drove us to go back to the core foundation to ‘reboot’ user authentication by extending the cryptography used in Secure Socket Layer (SSL), which was invented at Netscape. We knew this opportunity was too big and disruptive to miss. The resulting effort – Beyond Identity – introduces the elegantly simple concept of extending the asymmetric cryptography used in TLS to bind a user with their device. The solution leverages existing secure communications infrastructure and crypto standards like FIDO passkeys to extend the trust boundary beyond server-to-server communications to include users and their devices. By doing so, it completely removes the need for ‘shared secret’ password-based authentication approaches, and dependence on friction-laden compensating controls.

Jim and I have stayed close and continued to invest together over the past 30 years. In a nutshell, we work well together because our skills complement each other, and we have huge respect for one another on what we bring to the table. Broadly speaking, Jim is the innovator and I’m the technology guy with the operational expertise that makes it happen, but I would say the partnership and collaboration are key.

Today, we are 100% driven in our strong belief that becoming passwordless is the next big thing for cyber and it should be top of the list for enterprises large and small everywhere. Given our past success and ability to collaborate to bring disruptive ideas to market, we were both excited to go forward and tackle this one together.

Why is passwordless the next big thing in cybersecurity?

Passwords are the root of all evil, the cause of all our cybersecurity problems and threats today. Trust in corporate networks has never been more important and passwordless authentication is a giant step forward for the industry.

The password vulnerability has led to a nearly incalculable number of successful data breaches. Stolen and reused credentials are the main source of ransomware and account takeover today. 

Eliminating passwords removes prominent attack vectors reusing stolen credentials to gain access and multiple other password-based attacks. MFA was supposed to solve the password issue, but it’s clear that the MFA in-use today is a band aid that isn’t working.  By eliminating passwords and replacing weak MFA with strong, easy-to-deploy, phishing-resistant authentication methods, CISOs and team leaders can shut the door on their largest vulnerability and build the most robust Zero Trust initiatives. 

Industry leaders like Snowflake, Unqork, and Roblox are relying on Beyond Identity to solve their access security challenges for their customers, employees, contractors and developers to advance their journey toward Zero Trust security. 

How are you building a modern approach to MFA at Beyond Identity?

A passwordless identity management solution, like Beyond Identity, replaces passwords with asymmetric cryptography that employs public/private key pairs and creates a FIDO-based phishing-resistant authentication process. Users are authenticated by proving they possess the enrolled device and that it is bound to the user’s identity.

Establishing high trust in the user and the device, plus the ability to ensure devices meet appropriate security controls before and after initial access, is a cornerstone of a Zero Trust model – especially for modern network architectures where the identity has become the new perimeter.

Even if you did all the other pieces of Zero Trust perfectly, unless you establish user identity and trust in the device, the effort will fail.