Episode 014: User Management with Brian Pontarelli
When it comes to building a website, there are so many moving parts that it can be easy to overlook some of the more straightforward ones. Login and user management are critical pieces, but they are rife with problems and shortcomings.
One of the biggest limitations in managing this aspect of the user experience is that companies have historically had to build each piece themselves. Fortunately, there is a solution in the form of FusionAuth. This user management platform alleviates many of the setbacks that sites face, and it is seeing rapid adoption. In this episode, I’m talking with Brian Pontarelli, founder and CEO of FusionAuth, to see why this area is in such demand.
Here are a few highlights of what we discussed.
User Management as the Wild West
Although other parts of web building have become streamlined and user-focused over the years, the login experience hasn’t. Before Brian and his team came along, there wasn’t really a uniform method of doing things, which meant that each company had to piece solutions together to try and make something work. Yes, it might get the job done, but without standardization, it’s all but impossible to make it user-friendly.
A Rejection of the Login With Google/Facebook Model
Part of the reason why user management hasn’t gotten the attention it deserves is that, for a while, many people were more than happy to let Google or Facebook take the wheel. However, in recent years, with privacy issues becoming more and more prevalent, these companies are becoming less trusted with user data.
So now, individuals and companies are looking for an alternative solution. That’s where tools like FusionAuth come in because they offer comprehensive standardization without having to give the keys to a massive conglomerate like Google or Apple.
Security vs. Convenience: the Ultimate User Acceptance Problem
On one end of the user management spectrum, you can let users into their accounts with just a username or PIN. While that method is super easy, it’s wildly insecure. On the other end, you can have a six- or seven-stage authentication flow that makes it all but impossible for attackers to get in, but it’s so inconvenient that nobody will use it.
That balance of simplicity and security is where the future lies. According to Brian, insecure platforms are rampant within the industry. We hear about the massive breaches at multinational corporations, but we never hear about the many smaller sites that get breached, and that puts a lot of user data at risk: leaked credential databases get resold and reused against higher-value accounts.
Another setback is how a login attempt is secured. Password hashes are deliberately made slow to blunt brute-force attacks, but that cost is paid on every legitimate verification as well: it chews up CPU and memory, so when many users try to log in at the same moment, requests start to queue and logins slow to a crawl.
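The trade-off described above, as an added example (this is not FusionAuth’s code and does not appear in the episode): a small PBKDF2-HMAC-SHA256 password store that keeps the work factor inside each stored record, a constant-time verifier, and the capacity arithmetic that shows why the same slowness that hurts an offline cracker also caps how many logins a server can verify per second. The sample password, the 4-core server and the iteration counts are assumptions chosen for illustration; 600,000 is OWASP’s published figure for PBKDF2-HMAC-SHA256, and real deployments would more likely use a memory-hard function such as Argon2 or scrypt.

```python
"""Work-factor tuning for password hashing (illustrative example, not FusionAuth code).

A deliberately slow hash is good against offline brute force, but every
legitimate login pays the same cost, which bounds login throughput.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

HASH_NAME = "sha256"
KEY_LEN = 32
ALGO_TAG = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh 16-byte random salt is used unless one is supplied (tests only).
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, KEY_LEN)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count.

    Storing the work factor in the record lets you raise it later and
    re-hash old records on the user's next successful login.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO_TAG:
        return False
    _, iterations, salt_hex, dk_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), KEY_LEN
    )
    # Constant-time compare: a wrong guess must not be distinguishable by timing.
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def seconds_per_verify(record: str, password: str, samples: int = 3) -> float:
    """Median wall-clock cost of one verification on this machine."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        verify_password(password, record)
        timings.append(time.perf_counter() - start)
    timings.sort()
    return timings[len(timings) // 2]


def max_logins_per_second(cost_seconds: float, cores: int) -> float:
    """Upper bound on verifications per second before login requests start to queue."""
    return cores / cost_seconds


def attacker_guesses_per_day(cost_seconds: float, attacker_cores: int) -> float:
    """The same arithmetic from the attacker's side: offline guesses per day."""
    return attacker_cores / cost_seconds * 86_400


if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed sample input
    server_cores = 4                           # assumed login-server size
    for iterations in (10_000, 600_000):       # 600k: OWASP figure for PBKDF2-HMAC-SHA256
        record = hash_password(password, iterations)
        cost = seconds_per_verify(record, password)
        print(
            f"{iterations:>8} iterations: {cost * 1000:7.1f} ms/verify, "
            f"~{max_logins_per_second(cost, server_cores):7.0f} logins/s on {server_cores} cores, "
            f"~{attacker_guesses_per_day(cost, server_cores):.2e} offline guesses/day on the same hardware"
        )
```

Running it prints, for each work factor, the per-login cost and the two numbers a practitioner actually has to balance: how many logins per second the hardware can absorb before requests stack up (the Pokémon Go problem Brian describes), and how many guesses per day an attacker with equivalent hardware gets against a stolen hash. Raising the iteration count scales both lines by the same factor, which is why the usual answer is a work factor tuned to a target cost per login plus horizontal scaling of the verification tier, not "as slow as possible".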
Fortunately, as technology progresses, alleviating these problems will only get easier. Brian and I talk about potential solutions, from geolocation on your smartphone to biometrics to physical security keys that can verify your identity.
We discuss a lot more about user management in the episode, so be sure to check it out here. Also, you can find out about Brian and his company at www.fusionauth.io. The future of the login experience is here, and it’s about to change the world.
Frank Bria (00:00):
The SaaS CX Show, Episode 14
From founders and CEOs, to founders and CEOs. It’s the SaaS CX Show. You’ve found the one-stop shop for all things CX. Each interview is an in-depth analysis of a successful growing SaaS company, building a world-class customer experience for their users. And now for your host, serial SaaS entrepreneur, founder, consultant and advisor, Frank Bria.
Frank Bria (00:32):
Everyone, welcome to the SaaS CX Show, by SaaS founders and CEOs for SaaS founders and CEOs. I’m your host, Frank Bria. In today’s episode, we are going to talk about user management, but first, the SaaS CX Show is brought to you by the SaaS CX group. The number one reason for ideal customer churn: not getting value from your software. Find out how to fix that by downloading our SaaS churn checklist. We cover the seven things you need to have in place to ensure your ideal customers stay, use and love your software. Decrease churn by 10 to 25% in just three to six months. Find out how at the show’s homepage saascx.show. That’s saascx.show. And now I am pleased to be introducing today’s guest, Brian Pontarelli. He is a technology entrepreneur currently solving login, registration, and user management challenges with FusionAuth. Brian works with companies from startups to Fortune 500 organizations. This work helps address the complexity of security, identity and user management as businesses scale from their first user to millions of users. Brian, welcome to the show.
Brian Pontarelli (01:42):
Thanks for having me.
Frank Bria (01:43):
Absolutely a pleasure. So this idea of, I mean everyone who’s got software has logins, right? Users and logins. This is sort of a perennial issue. What’s your guys’s take on this where you felt there was a little bit of a hole in the marketplace for you guys to fill?
Brian Pontarelli (02:01):
Yeah, that’s a great question. So I like to think of login, registration, single sign on sort of all those identity pieces, the same way we think about databases from back in the 70s, 80s, right? You used to build it yourself, you could probably make it where, you know, who knows if the data would still be there the next day. But then eventually, all of these database providers started coming along and they started helping us build transactions and manage all this in a better way. And so now I start to see, authentication and identity the same way. We’re trying to provide tools that’ll help any application, not have to implement all of this themselves cause it’s complicated. And I think one of the issues that we have in the industry is that the legacy model has just got such a hold on everything. And often it just doesn’t scale. It just doesn’t work. And so we realize that there are companies with hundreds of millions of users, and this is a main pain point for them is how do I log all these users in on a regular basis? And they throw a lot of time and effort into solving that problem. And so we decided to tackle it from the vendor perspective. It’s like, sure, you can tackle that yourself, but let’s stop doing that. And let’s see if we can make a product that solves those problems.
Frank Bria (03:17):
Yeah. How problematic is the security element of this? I mean, we’re all hearing stories about software getting compromised and everyone’s email addresses getting leaked. I mean, fortunately in most of our cases it’s not credit card numbers and things, you know, we can’t all be credit reporting agencies that have our stuff get hacked, but how big of a problem is that for people? Is that a common occurrence these days, to have those kinds of security breaches?
Brian Pontarelli (03:50):
It’s a huge problem. Yeah. So we always see the headlines about the big ones, right? Cause those are the ones that actually make sense to write about. You’re not going to hear that, you know, Joe Bob’s eCommerce site got hacked, but they do. And it happens pretty frequently. So I think the danger there is that, you know, as you see more and more of these breaches, a lot of these databases being sold on the dark web and other places you can torrent them, you know, they’re pretty easy to access. What ends up happening is people will start to just reuse the information in them to go steal high value targets like social media IDs. So there are a lot of use cases for why people are breaching these databases and hacking these systems and then reselling the credentials.
Frank Bria (04:35):
Yeah. It’s, you know, it’s a problem when it starts showing up in my questionnaire with my insurance agent for liability insurance for the company. So it’s totally an issue. I mean we’ve definitely made the shift, I think, in the software industry to sort of reusing components, right? So when there are pieces that don’t feel like they’re the super strategic component of the software, it makes complete sense to go out and find a really good provider to do that. Do you think in user management there’s a little bit of resistance there because this feels like, I don’t know, these are our people and you don’t want to push that out? Is that dragging adoption in this area?
Brian Pontarelli (05:20):
Yeah, it definitely is. So I think there’s sort of the two views on it. It’s like I know as a developer I can write all this code. I know that I can store and manage my own users. I don’t need your help. Versus the, Hey, I know that over the long term this is going to take me months and months of dev time cause I’m just going to have to keep maintaining it and bolting on features and let’s just buy or use some free tool out there and just like not do any of this. So it’s slow, but we can see it start to cascade. Within the last year, there’s so many more developers thinking this way, who would have before just said like, nah, I got this.
Frank Bria (06:02):
Yeah. I’ve never met a developer who hasn’t said, yeah, I’ve got this. I think it all comes down to the question you ask, like, can you code this? Yes. Should you code this? Different story. So one of the things that you talked about early on is the scaling problem. So as companies are getting bigger, where are some of the places that their homegrown tools start to fall apart as the company grows? What fails first as you’re scaling through user management?
Brian Pontarelli (06:33):
So there’s sort of two or three pieces of user management that are actually made slow on purpose. One of them is how we store passwords. So when we take a plain text password and we want to store it securely, we run it through a hashing algorithm and the traditional mode of a developer, which is make it fast, make it work is flipped. We actually design algorithms to make it slow and make it painful. And what that does is it prevents brute force attacking those hashes. So a brute force attack is basically trying every possible combination, creating the hash until you find one that matches. The slower the hash, the harder it is to generate all the permutations, right? So it’s a natural course of things just to say let’s make this algorithm really slow. Well that chews up CPU and GPU and RAM and everything else that a computer has to offer. So when you have 20 or 30 people trying to log in all at the same second, things start to stack up. The classic example of that is Pokemon Go, right? So for the first seven months that it was online, it took forever to log in and half the time you were just constantly reopening the app to see if the login servers had a low enough volume right then for you to log in. Otherwise it would basically tell you to take a hike and come back later. So that’s the biggest pain point that we see in terms of scale. And then the other part of it is just the data. So like, how do I find the user I want to manage? Right? So that’s a very large search engine problem when you have, you know, 200 million records. So there’s a lot of other little pain points, you know, how do I manage tracking every login when we have a billion of them a day. So these things become data size problems as well.
Frank Bria (08:14):
Yeah. It is sort of, an action tracking or following the user through the use of the app. Does that kind of fall in the user management scope or is that typically kind of a native that your clients handle themselves?
Brian Pontarelli (08:31):
Either way. So we track all of the logins, both successful and failed, but then we can actually fire events for all of those and we can actually send those events to event tracking systems. So we have a lot of people pushing all of our events into other stacks just to have their own monitoring as well. So we have a hybrid approach.
Frank Bria (08:51):
That’s great. A lot of apps now, and as we work with companies, it comes down to the data, right? So being able to see the event data. And I think a lot of developers when they start putting their app together, they don’t think about the kinds of events they would want to track. You can sort of sit down and whiteboard it out in advance, but to have some kind of a process where that’s built in so that as you’re adding those events, it’s a lot easier rather than having to go back and recode stuff in order to track data that’s, you know, we see a lot of people when they need to move to that level of data of understanding what users are actually doing on an event level. It’s harder if they haven’t thought that through in advance. So.
Brian Pontarelli (09:37):
Exactly. And that’s usually where the vendors come in, cause we get information from thousands of customers and we’ve pushed that back into the product, rather than you having to dream up all those use cases just sitting in front of a whiteboard.
Frank Bria (09:48):
Right. So I want to pivot a little bit to talk about the customer experience of login. Right? So it’s such a small little piece, but as you mentioned, it’s so critical, right? It’s how long the line is to get into your amusement park, essentially. And we think about Disney, you know, that’s the shortest line in the park, is to get into the park, because once you’re in, you’re in. So it’s kind of the same thing with AF. So let’s talk about where are we seeing things go from a customer experience. One of the big movements was single sign on and that made things a little bit easier. What are some things? Are we going to see biometrics implemented here? Where do you see this going?
Brian Pontarelli (10:31):
Yeah. I think the industry is obviously moving more and more towards simplicity without lowering security. Right? So that’s kind of the trade off. It’s always been this straight up: we make it really hard to log in, 12 steps, mail in your fingerprints, it’s really secure, but it sucks and no one’s gonna use it. They’re going to get super frustrated. Versus just type in your username and you’re logged in, right? It’s the most insecure thing, but it’s the fastest. And so there’s this balance, but with smartwatches, smart phones, smart devices, lots of investment in security infrastructure, we’re trying to make it easier. And so what we see is, in addition to single sign on, once you have your phone, you can now just use it to log in to all the sites that trust your phone, those kinds of things. And so there’s a lot of specifications built around this that are really coming into the mainstream. And so finally, a lot of the platform providers, you know, Apple, Google, Microsoft, those folks, they’re implementing these specifications. So WebAuthn and FIDO, these specifications are specifically designed to authenticate users quickly through the use of some smart device or a smart card or a key without having to type everything in, it just knows that you’re you. So that’s the direction we see everything going and it’s just reducing the barriers to entry, making logins simpler.
Frank Bria (12:02):
Well, I mean the mobile has just completely transformed the potential of authentication generally speaking. I mean, you have now two factor authentication that’s possible through a mobile device. But so much of the power of a mobile device and authentication, we haven’t even touched yet. Right? I mean, there’s the potential, I know people are kind of playing around with safe geolocation spots, right? So, you know, if you’re connected to a wifi network that you’re normally connected to or is your home wifi network that process can be expedited? There are things around how close your mobile device is to where your computer is or if you’re at an ATM or there’s a lot of things that are going on that are really fascinating coming down the pike in terms of authentication.
Brian Pontarelli (13:00):
Yeah. Near-field, Bluetooth, low voltage stuff is really cool. YubiKey and Yubico with their cool little devices where you can basically plug it into whatever you’re on and it just knows you’re you, and so you’re automatically authenticated with a secure key. There’s so many cool ways to just beat down the barriers that have been blocking people from logging in, which is really cool. I think in the next two, three years, things are going to change quite dramatically.
Frank Bria (13:29):
Yeah. Well, one of the clients that we have is actively looking at key pattern, actually typing-pattern recognition, to fingerprint how you type in your username, let alone the username itself. It’s just kind of interesting. One question that keeps coming up is, as people are starting to leverage trusted authentication networks from Google and Facebook and so on, is this a good thing or a bad thing? It seems like it’s a good thing that it’s really easy now in an app to click on something and go, I’m just gonna log in through Google or Facebook or whatever. And yet, we have all of these authentication pieces kind of running through one authentication network and the impact of failure becomes much, much, much more intense, data privacy issues notwithstanding. What’s your opinion on this? This is probably a loaded question because you work with Google and Facebook and stuff and connect all that stuff. But as a user, what are the good things, bad things, what are the things we should be watching out for in the future?
Brian Pontarelli (14:45):
So I would say that, especially from our perspective, it’s sort of like bring your own requirements. If you like Google, use Google. A lot of people have moved away from Google. I mean, even a lot of people have, you know, just closed up their Facebook accounts, and a lot of people even are tending not to trust LinkedIn anymore. And there’s a lot of shift in sentiment between what we used to think, which was like, Google, it’s super secure, do no harm, they can have all my data, and now everyone’s like, oh my God, Google is selling my data and using it for crazy things. So yeah, I think that it’s actually a huge issue that the industry has yet to solve. I mean, look at the login for Sign in with Apple. Apple is forcing developers that are on iOS and building native apps to use Sign in with Apple. And it’s actually not a great protocol. They kind of butchered really well known standards and it’s a mess. I mean, we have lots of apps that exist across multiple platforms. So you don’t have to sign in with Apple. That’s a ridiculous requirement. So I think that, again, there’s just going to be a lot of change, because authentication and identity is such a big topic right now and everybody’s scrambling to try and figure out how to make it work and nobody’s figured it out. So most of our customers and most developers we know of are just like, we’re going to keep our own identities. We want our users to be our users and log in through us.
Frank Bria (16:13):
Yeah. I mean, obviously lots to watch in the future, but, someone a long time ago was talking about when people build their platforms to avoid digital sharecropping, you know, so that point avoid sort of building all your stuff on something that someone can take away from you. So it’ll be an interesting thing to watch. What’s next for you guys roadmap wise?
Brian Pontarelli (16:41):
So we recently launched sort of our first paid editions of the product, which is really exciting. Cause before we were really just sort of in adoption mode: let everybody know the product exists, use it for free, and just get everybody going. And so we launched the first one, which was breached password detection. So we’re the ones now scraping all of those databases that are leaked on torrents and the dark web, building up these huge databases and then basically telling people like, hey, your password has been breached. You need to change it. So that was one of our really cool features. And then we’re just building out a bunch of other premium features. So we’re looking at things like adaptive threat detection. So it’s like, hey, I logged in from this IP and then all of a sudden I’m on another one. The keystroke detection thing that you’re talking about, that sounds really cool. That would fit perfectly into this. So we’re looking at a lot of ways to determine whether or not the login looks like a threat, looks suspicious. And then we’re building some cool things just for customer UI stuff, like allowing the people who are using FusionAuth to build out these really complex registration forms, because historically they had to build all of that themselves. Once they collected and validated all the data, they would push it over to FusionAuth. We’re just like, well, why don’t we just have a really cool registration builder where you can drag and drop and make up a bunch of rules and just make people’s lives so much simpler so they don’t have to implement that.
Frank Bria (18:06):
Nice. So your business model is built on a smaller set of features that are available for free for developers, right? And then you’ve got bigger packages with more enterprise features that are available in a paid model.
Brian Pontarelli (18:23):
Yeah, exactly, plus support. So if you want support plus the features.
Frank Bria (18:26):
Great. Excellent. You know, as the CEO of a software company, it’s always an exciting roller coaster ride. Any of us who’ve done it before can tell you. If you had to go back to a younger Brian and kind of whisper in your ear some advice that you’d give yourself based on, as you look back now and what you guys have been able to accomplish so far, what advice would you give yourself? And therefore anyone else who’s thinking of starting a software company at this point?
Brian Pontarelli (19:02):
So I think the core thing that changed it for us was really branding and messaging and persona as well. So the product used to be called Passport, a disaster of a name. Everybody’s got a passport product, there’s Passport.js, like Passport literally was probably the worst name we could have picked. And it wasn’t even Passport by itself, it was actually called Inversoft Passport. So we had a parent company and then we had this sub-brand, the website was inversoft.com, it was a mess. And we struggled for so long to get this to go and we’re just like, why isn’t anyone finding us and buying our cool software? So finally we’re just like, we have to rebrand this and we have to basically pull it out to its own website, pull it out to its own brand, get a new logo. And then we actually started to give it away for free, and that’s really when the whole thing changed. We were on this path, we shifted, made a hard left and then all of a sudden we’re going up the hill and gaining traction. And that was super exciting, but it took me about three to four years to come around to that idea. We battled it out for three to four years before that happened.
Frank Bria (20:26):
It feels to me like every software company has a story like that at the beginning. There’s a really good book called Getting to Plan B, which I love because it seems to just really articulate the fundamental issue, which is your plan A probably isn’t going to work. You know, as smart as we think we all are. You’re probably going to have to get out into the marketplace. It’s consistent with sort of the lean methodology that’s really popular now. You have to get out in the marketplace, you have to get some feedback and you’re just not going to know till you actually start selling stuff and try to get people to make decisions and get adoption and then you start to figure out what’s working, what’s not working in that whole process. And I think that’s great advice, you’re going to have to look for that, prepare for it. You’re going to make a hard left. That’s just the way it goes.
Brian Pontarelli (21:21):
That’s how it goes, yeah. And you gotta kind of weather those storms. There’s a lot of ups and downs emotionally and there’s a lot of people that aren’t really designed for that, especially employees. So you kind of have to shield them to some degree, but you also have to be honest with them, and that’s a hard balance and then you’re always going to have employees that are like, I can’t do it, I need out. This roller coaster ride is not for me.
Frank Bria (21:43):
Right. Well, in a startup environment, I mean there’s a very special sort of emotional makeup that you have to have, I don’t care if you’re a founder or employee, in order to stomach some of the ups and downs and the churns of that. It’s not for everybody, that is definitely for sure. Brian, it’s been great chatting with you about this. It has been fascinating, you guys have got a great journey behind you as well as ahead. I think you’re working on some really, really cool stuff. A lot of changes, a lot of cool things are coming down the pike. If the listeners want to check out a little bit more about what you’re doing, where’s a good place for them to go?
Brian Pontarelli (22:28):
So you can find everything about FusionAuth just at the website. It’s fusionauth.io. You can follow us on Twitter, the FusionAuth handle’s just FusionAuth. And then I’m regularly on LinkedIn as well as Twitter, and both of my handles are Void Main on Twitter and LinkedIn.
Frank Bria (22:46):
Great. Excellent. Okay. Those links are in the show notes page, so if you’re out and about listening to this audio, come on back, click on through, connect with Brian and FusionAuth and all the cool stuff they’re doing. Thanks Brian for being with us. Really appreciate your time.
Brian Pontarelli (23:00):
Yeah, absolutely. Thanks for having me on.
Frank Bria (23:02):
Absolutely. And thank you so much for being with us on the SaaS CX Show. I’ve been your host, Frank Bria. Just a reminder, if you want to reduce customer churn by 10 to 25% in the next three to six months, check out our SaaS churn checklist. It covers the seven things you need to have in place to ensure your ideal customers stay, use and love your software. Download it at saascx.show. That’s saascx.show. We’ll see you next time. Make it happen. Bye bye.