Interview with Slavik Markovich - CEO and Co-Founder at Descope

Shauli Zacks

SafetyDetectives spoke with Slavik Markovich, the CEO and co-founder at Descope. A serial entrepreneur, Slavik is passionate about solving hard technology problems. Before Descope, Slavik was co-founder and CEO at Demisto, a leader in the SOAR industry that was acquired by Palo Alto Networks, where he then served as SVP Products. Prior to co-founding Demisto, Slavik was VP & CTO of database technologies at McAfee (Intel Security). He joined McAfee via the acquisition of Sentrigo, a database security startup, where he was a co-founder and served as CTO. Slavik is an investor in dozens of startups and serves as a board member and advisor to several security startups as well.

Can you please introduce yourself and talk about what motivated you to co-found Descope?

My name is Slavik Markovich and I am the CEO and co-founder of Descope. I am a serial entrepreneur with a passion for solving hard technology problems, which has led me to co-found three companies in the cybersecurity space – Demisto, a leader in the SOAR industry that was acquired by Palo Alto Networks; Sentrigo, a database security startup that was acquired by McAfee; and now Descope, an authentication platform built for developers.

Descope was founded by eight members of the core team that built Demisto. This team has built multiple companies before and understands firsthand the pain of building authentication and user management in-house. Our vision is to “descope” authentication and user management from every app developer’s daily work, so that they can focus on business-critical initiatives without worrying about building, updating, and maintaining authentication. In addition, our team believes that passwords should be phased out of our daily lives due to the poor user experience they create and, more importantly, the lack of security they provide.

What are the top services or features that make Descope stand out?

The Descope platform helps developers add authentication and user management capabilities to their B2C and B2B applications with a few lines of code. Descope offers different integration flavors based on developer preferences – a no-code workflow builder and screen editor, a set of SDKs, and comprehensive REST APIs.

One of Descope’s core differentiators is Descope Flows, a drag-and-drop workflow editor and screen designer that developers can use to create and customize authentication flows for their applications without writing a single line of code. This speeds up time to market and makes it easier to modify and update user journey flows. These no-code workflows abstract away the complexity of building authentication while still giving app builders control over their UX and UI.

Descope is built on a scalable multi-tenant architecture that can support modern B2B requirements. Descope makes it easy for developers to add single sign-on (SAML SSO), tenant management, roles and permissions, and automated user provisioning to their B2B apps – greatly accelerating their ability to sell to large enterprises.

In addition, Descope was built by a team with decades of security experience that have brought multiple innovations to market. Descope enables app builders to identify risky user signals, add a second authentication factor, stop bot attacks on login pages, and ensure secure session and token management.

What are the benefits of implementing passwordless authentication in an app?

It has become increasingly clear that using passwords as an authentication method isn’t effective – in fact, over 80% of basic web application attacks last year were attributed to the use of stolen credentials, according to the Verizon DBIR report.

Passwordless authentication, using methods like magic links, social login, passkeys, and authenticator apps, offers many benefits. Most importantly, passwordless authentication delivers improved security, since it eliminates the risk of password-related security incidents like brute force attacks, credential stuffing, and account takeovers, and improves user experience, since it removes the need for users to create – and remember – complex passwords.

How does RBAC (Role-Based Access Control) enhance the security of B2B apps?

RBAC is critical for organizations to maintain a strong security posture by ensuring that employees and users only have access to appropriate applications and actions. This is important for compliance, privacy, and upholding confidentiality on an ongoing basis. It also limits lateral movement by attackers, even if they take over a victim’s account. Without proper access control, an attacker can cause untold damage if they are successful in an account takeover and get admin rights from the victim’s account.

What is FIDO2 authentication, and how does it help secure an app?

FIDO2 is an open standard developed by the FIDO (Fast IDentity Online) Alliance that enables users to log into applications without using passwords on both desktop and mobile environments. Rather than passwords, FIDO authentication uses registered devices or FIDO2 security keys to validate user identities.

Since FIDO authentication doesn’t use passwords (or any other shared secret), no sensitive user information is stored on application servers. This reduces the attack surface and makes applications less attractive targets for attackers. Removing passwords also prevents identity attacks like credential stuffing, phishing, and account takeover.

Beyond security, FIDO2 authentication also improves the user experience by eliminating the need to create and remember passwords, and streamlines the user journey by allowing users to authenticate using built-in device capabilities like fingerprint readers or cameras, or by leveraging easy-to-use FIDO security keys.

How will the authentication and user management landscape evolve in the next 2-4 years, and what implications might that have for developers and app users?

Today, users still have concerns about passwordless methods like biometrics and default to passwords despite the known security shortcomings. As breaches and attacks continue to rise, I predict that users will come to terms with the pitfalls of passwords and become educated on the benefits of passwordless authentication. As user education continues to improve, we’ll see a shift in the demand for passwordless authentication. In turn, we’ll see an increase in tools that help app developers add passwordless methods to their apps in a more streamlined manner.

In addition, as passkeys continue to be a point of conversation within the industry, there will be an increased emphasis on compatibility. While the advent of passkeys is a crucial stepping stone on the way to a passwordless future, every application (not just Google, Apple, and other big tech companies) needs an easy way to adopt passkeys and weave them into current user authentication flows. Making the Internet passwordless will take a collective effort, and the more resources developers have to adopt passkeys for their applications, the larger the impact of passkeys will be.

About the Author

Shauli Zacks is a tech enthusiast who has reviewed and compared hundreds of programs in multiple niches, including cybersecurity, office and productivity tools, and parental control apps. He enjoys researching and understanding what features are important to the people using these tools.
