Zero Sign-on – Replacing Passwords with Smart Phones
Making sure someone is who they say they are – also referred to as authentication – is something that’s frequently conducted by soliciting the user with a string of characters that only that user is supposed to know. In an age where we’re creating synthetic life, this primitive method of authentication has changed very little. The requirements are nothing short of ridiculous. We’re supposed to have a different password for every website and app that we use, and we’re supposed to create these cryptic strings of text that “must contain a special character, upper case, lower case, number, blah, blah, blah.” This brought out startups whose entire business model revolves around helping you manage your password collection. Lame.
In past articles, we’ve looked at many advances in authentication that involve things like biometrics (fingerprints, iris, voice, etc.) and some really cool machine learning functionality that recognizes how you use a mouse and keyboard and can authenticate in real-time. Still, the entire way we think about authentication needs to change. The change we need might be something called “zero trust security.”
What is Zero Trust Security?
Traditional approaches to network security have always assumed that everyone inside the network is kosher. If you are able to access the network, then that must mean you’re supposed to be there. That’s a flawed approach that assumes way too much. All it takes is someone’s credentials and bingo, you’re in the network and looking around for saucy texts from Jeff Bezos to his aged mistress that you can sell to the tabloids like the ambulance chaser that you are. Zero trust security means that we trust absolutely nobody – inside the network or outside the network.
The “zero trust approach” is all about assuming every single authentication request is suspicious and taking the steps needed to verify the validity of the request. Of course, asking someone for a password every seven seconds gets annoying, so why not just lose the passwords entirely? That idea is also referred to as “zero sign-on.”
What is Zero Sign-on (ZSO)?
You may already be familiar with what’s called Single Sign-On (SSO). Simply put, SSO means that you can use the same password across multiple applications. This is popular in the corporate world where you may need to login to 25 different apps in a single day and having to remember 25 different passwords doesn’t work. With SSO, you use the same login credentials every time you are asked to authenticate. With Zero Sign-On (ZSO), you simply enter your credentials once and that’s it. Roughly speaking, that’s how ZSO works. The magic takes place behind the scenes where you are continuously being verified as you move around between different apps. Just yesterday, a company called MobileIron announced the industry’s first mobile-centric, zero trust security platform.
Founded in 2007, MobileIron (MOBL) started out providing mobile security solutions for smartphones and tablets. In 2014, Deloitte identified MobileIron as the fastest growing company in North America with revenue growth of 123,678% from 2009 to 2013. In 2014, the company had an IPO after which things sort of went south. After shuffling leaders, the company seems to be back on track and a leader in what they do – something called “endpoint management” – according to this analysis by some overpaid MBAs at Gartner:
(An endpoint device is an Internet-capable computer hardware device on a TCP/IP network.) As you can see in the above diagram, MobileIron competes with some big names like Microsoft, VMware, IBM, and Blackberry, a company we talked about before with their acquisition of Cylance which uses machine learning to provide endpoint security. (MobileIron also uses machine learning in a similar fashion.) This is a good segue into talking about MobileIron and zero sign-on.
MobileIron and Zero Sign-on
Yesterday, MobileIron announced “the industry’s first mobile-centric, zero trust security platform,” which makes “the world’s most ubiquitous product – the mobile device – your ID and secure access to the enterprise.” The best way to describe how MobileIron works is to use some examples that you might be familiar with. Have you ever been prompted by Google or Microsoft on your mobile phone to verify that you’re the one trying to access a particular application? You know, this sort of prompt:
The idea is that if the person trying to access Salesforce is who they say they are, then they ought to have access to their smartphone. And let’s face it. For most of us, our smartphones never leave our sides. Nowadays, you probably have some apps that you access which authenticate using your smartphone in a similar manner where all you need to input is a four-digit code or perhaps use your thumbprint. But it gets much more sophisticated than that.
There are a large number of things we can use to validate a user at the time they attempt to login. Location is pretty telling. Is the mobile device in the same location as the login attempt? What time is the login attempt taking place? What is the threat level associated with the login attempt? These are all factors that can be used to differentiate between suspicious login attempts and normal login attempts. There are also methods that can be used for real-time authentication. (Please note that the below example was taken from a company called Callsign and is only being used as an example of how real-time authentication can work. In other words, we’re not saying MobileIron necessarily does this.)
Whenever you’re sitting in front of your computer and the screensaver kicks on, you probably take the mouse and give it a little “wiggle”. If your cursor disappears, you might also use the same sort of “wiggle” to see where the cursor is at. Turns out these “wiggles” are very unique. So is how you type your name. Or how you might choose dates in a selector. These are all patterns that are used by some online banks to make sure you are who you say you are, even after you login. In other words, these patterns allow for someone to notice if you hand your mobile phone over to a friend and they start using it. How cool is that?
Now you can understand how MobileIron – or any other company for that matter – might be able to authenticate a user without having them specify any credentials. Add some machine learning algorithms into the mix and it seems like only a matter of time before everything is zero sign-on.
MobileIron’s Annual Run Rate
Since MobileIron is a publicly traded company, you might be tempted to pick up some shares. However, evaluating the merits of a stock like MobileIron becomes complicated very quickly. We like to keep things simple. They’re a relatively small company with a market cap of around $600 million. They’re losing money every year, but that loss is decreasing steadily over time. They have just over $100 million in cash which should last them a few years at their current burn rate.
MobileIron’s revenues are growing steadily, but not all revenues are created equal. For Software-as-a–Service (SaaS) businesses like this one, we look at something called “Annual Run Rate” or ARR which is simply the amount of money being brought in from annual or multi-year subscriptions. It’s money that clients are contractually obligated to give you. If you have 100 customers giving you $1,000 a year, your ARR is $100,000. If nothing changes, you can expect that number to continue into infinity unless something changes like:
- You raise prices when a customer renews their subscription – GOOD
- You up-sell existing subscribers more stuff – GOOD
- You get new subscribers – GOOD
- Existing subscribers don’t renew – BAD
Consequently, we like to look at a metric called “renewal rate” which tells us how many customers are choosing not to renew their subscriptions. We can then attribute reasons for those lost customers and work to prevent them.
Now that we know how ARR works, we can take a look at the below chart from MobileIron which shows their revenue growth and ARR.
Firstly, let’s be clear about what we’re looking at here. The blue bars above (if you’re colorblind then they’re some shade of grey probably) reflect the ARR at that given point in time. In other words, at the end of Q1 2019, the annual run rate was $167 million a year. (Note: this number is not total revenues but simple recurring revenues.) The white line in the same chart tells us what percentage of total revenues is ARR. For example, in Q1 2019 we see that 83% of total revenues are recurring. That means that 17% of their revenues were one-time or not contractually obligated on a subscription basis. As you can see, the percentage of total revenues that can be attributed to ARR is steadily growing over time. And that’s a good thing.
MBA types look favorably upon ARR because it represents a predictable income stream that can then be used to value an enterprise. For C-level types, ARR is much easier to manage and predictable. Your enterprise salespeople need to find new clients and up-sell existing clients when it comes time for renewals (increasing ARR). Your consultants are tasked with making sure that “accounts at risk” are kept from canceling – in other words – increasing your renewal rate (keeping ARR from decreasing). Suddenly, it becomes a lot easier to forecast what your business will look like from quarter to quarter.
For your average retail investor, it’s best to have a few simple metrics that can be tracked over time and used to gauge a company’s progress over time. Who wants to sit through a 30-minute call every quarter and try to decipher what everyone is talking about? For MobileIron, just keep an eye on ARR and “renewal rate” and make sure they’re trending in the right direction.
The thought of never having to use a password again is something we can all relate to. MobileIron has developed a solution that solves the password problem and they have 17,000 existing clients that they can sell it to. For existing investors, this is a much-needed ray of light. MobileIron raised $100 million in a June 2014 IPO and the stock closed at $11.02 after the first day of trading. If you bought shares then, you’d be down about -50% on your position. If those investors simply invested in the broader Nasdaq index instead, they’d be up +81% instead. But as they say, past performance is no indicator of future results. This new product offering makes it increasingly likely that MobileIron can continue that double-digit ARR growth well into the future.