A lot of the discussion around agentic payments understandably focuses on the “wait … how exactly is this supposed to work safely?” part. Which makes sense, given that we are talking about autonomous software making decisions that eventually lead to money moving around. So when Google and Mastercard contributed AP2 and Verifiable Intent to the
This World Passkey Day, take a moment to thank your passwords for their years of service. Then, escort them gently to retirement before they reset themselves for the 14th time this quarter. To every company still making users create complex passwords with inscrutable complexity rules, consider this your friendly intervention. The passwordless future is already
Another RSAC Conference is almost here, but it’s not going to be the same, not without Andrew. I don’t know when it will happen, but I’m reasonably sure it will hit me at some point. Maybe it will happen when I walk past one of the cafes where we’d meet to catch up and compare
When Ian mentioned the Sarbanes-Oxley Act in his LinkedIn post sharing the news of SGNL getting acquired by CrowdStrike, it led to a funny exchange between us. It also reminded me of a task I had assigned myself almost 8 months ago. Last summer, I spent quite a bit of time going deeper into how
You may have missed this recent announcement Microsoft made about adding native support for third-party passkey managers (commonly referred to as credential managers) in Windows 11. From the perspective of anyone committed to building stronger, more usable identity systems, this is an important development, and paired with the introduction of passkey syncing in their own
Getting rid of passwords has never been the end goal, not really. The mission has always been to make digital life simpler and safer for everyone, and to give organizations the ability to operate and deliver services securely, without unnecessary friction. Moving to phishing-resistant, passwordless authentication is a critical part of that, but it doesn’t
I’m back from an exhilarating, albeit tiring, week at the FIDO Alliance’s annual Authenticate conference. As you probably already know, I recently joined the Alliance as Chief Technology Officer, which made this experience a little bit different than years past. There is a lot going on in the digital identity ecosystem right now, which really
[Two of the best people in identity, and the world. And me] I’m on my way to SF to join many, many others in celebrating the life of handsome debonair man about town (self-attested) Andrew Nash. It’s taken me a few days to find the words to write this post. Not because I couldn’t talk
In my last blog post, I argued that we don’t need more innovation invention to fix the broken state of SaaS and cloud security that Patrick Opet’s open letter was calling out. Instead, I said that what we need are different priorities. The conversations it triggered basically boiled down to this: if we already know
In my recap of RSAC 2025, I referenced the open letter that Patrick Opet, CISO of JPMorgan Chase, published in which he spoke about how essential security guardrails are being broken down by the lack of secure-by-design thinking in modern integration patterns within the SaaS world. His open letter challenged Cloud and SaaS providers to