724 Secure Help Desk Operations with Nametag
Oct. 11, 2024

Uncle Marv sits down with Aaron Painter, CEO of Nametag, to explore the critical issues of identity theft and social engineering in the age of remote work. Discover how deepfakes and sophisticated impersonation techniques are reshaping the landscape of cybersecurity, and learn about innovative solutions to protect your business and clients.

Introduction to Aaron Painter and Nametag: Uncle Marv introduces Aaron Painter, highlighting his role as CEO of Nametag, a platform dedicated to enhancing identity verification processes to prevent impersonation and fraud.

The North Korean Hacker Incident: The conversation kicks off with a discussion about the notorious case of a North Korean hacker who successfully applied for a job. Aaron explains how this incident reflects broader vulnerabilities in the hiring process, particularly in remote work scenarios.

Challenges in Identity Verification: Aaron discusses the inadequacies of traditional identity verification methods, including the I-9 process and how they fail to secure organizations against impersonators. He emphasizes that many companies unknowingly hire individuals who may not be who they claim to be.

The Rise of Deepfakes: The duo explores the implications of deepfake technology in hiring fraud and social engineering attacks. They discuss how bad actors can exploit these technologies to bypass security measures.

Innovative Solutions from Nametag: Aaron introduces Nametag's unique approach to identity verification using mobile devices, biometrics, and cryptography. He explains how their solution enhances security while ensuring a user-friendly experience.

Automating Help Desk Operations: The conversation shifts to how Nametag can help automate password resets and MFA processes, significantly reducing the burden on help desks. Aaron highlights the potential for MSPs to integrate this technology into their service offerings.

Education and Awareness: Both Marv and Aaron stress the importance of educating clients about the risks associated with deepfakes and social engineering tactics. They discuss how a healthy skepticism can empower users to recognize potential threats.

Onboarding New Employees: Aaron outlines how Nametag streamlines the onboarding process for new hires by ensuring secure identity verification from day one. This proactive approach can mitigate hiring fraud risks.

Reseller Opportunities for MSPs: The episode concludes with a discussion on how MSPs can leverage Nametag's technology for their clients, enhancing security while potentially increasing profitability through reselling opportunities.

Website Mentioned:

=== Show Information

=== Music: 

  • Countdown: Fun Music, By original_soundtrack
  • Show Intro:  Upbeat & Fun Sports Rock Logo, By AlexanderRufire
  • License Code: 7X9F52DNML - Date: January 1st, 2024
Transcript

[Uncle Marv]
Hello friends and welcome to Uncle Marv's IT Business Podcast presented by NetAlly. Today I have a special guest, Aaron Painter, the CEO and founder of Nametag, the world's first human identity platform. And at Nametag, Aaron is tackling the pressing issues of identity theft and social engineering.

And his innovative solution aims to protect users from impersonation and fraud, ensuring that identity verification is both secure and user-friendly. This episode is proudly sponsored by Super Ops, where they want to help you streamline your MSP operations for maximum productivity. So sit back folks and enjoy the show.

Hello friends, Uncle Marv here and as you heard, welcome to another episode of the IT Business Podcast presented by NetAlly. So this little story is something that most of us should remember. A while back, we all made fun of the North Korean hacker that got himself into a job, even with video.

So that's going to be a story that we can talk about today. Aaron Painter was somehow involved in uncovering that or something along those lines. So Aaron, first of all, welcome to the show.

[Aaron Painter]
Thanks Marv, I'm excited to be here. I'm a big fan of the show.

[Uncle Marv]
Well, thank you very much. So I guess a great place to start is that North Korean hacker that weaseled his way into a job. And what can you tell us from your perspective about that story?

[Aaron Painter]
I can tell you this is on the minds of almost every company I speak with today, particularly if they're US-based. All sizes, all industries. I spent the last two days in rooms of security officers, CISOs, and the stories were just outrageous, including people applying for jobs on the security teams themselves, risk specialists, experts in A and B and C that perfectly would suit the position with impeccable resumes.

And unfortunately, not the real person, almost too good to be true. And in fact, too good to be true. It's a hot topic.

And it's a hot topic because in today's world of remote work, we don't often interview for a job the same way we might have once upon a time. And downstream, separate from the HR process, you hire someone, you go through the interview process. If it goes well, you issue an offer letter.

All along, you don't really know who you're interviewing, by the way. Maybe it's an email address, technically, you're interacting with. And then after that, you say, okay, we're going to hire this person.

IT, go create an email address for them, send a temporary password to someone's Gmail account. They join the network, they have credentials, they have access. And then maybe on day three to five in the US, we do what's called an I-9 verification on the HR side to sort of see if they have legal work permissions, which is also not superficial, but a regulatory checkbox and not a process built for security.

And then we wonder how weeks later or weeks into or months into a job, we might have hired someone who we didn't intend. And so the process as it exists today, unfortunately, is not set up for security. And it's not set up to prevent folks like North Koreans, maybe, or similar nation states, or even just imposters applying and taking jobs.

[Uncle Marv]
When you talk about that process, you know, going through an I-9, and most of the time, a lot of companies only ask for a copy of the driver's license. And so that may be it. So in this world of remote work, I think companies thought they were being smart by doing, you know, Zoom meetings and stuff like that.

But it turns out, you know, deep fake is real. So I guess the first question is, you know, let me go back and first ask, how was the North Korean hack actually detected? And then how did you go back and figure out what had happened?

[Aaron Painter]
You know, it's actually it's not one, there's so many stories, we're using this as kind of a placeholder category, because there have been more than one now detailed report and story. And, you know, several made public and different reporters have done some good work. Some security practitioners have done good work.

So it's actually no longer one incident. It's many incidents of this happening. And then some trace back to North Korea, some not.

But typically what happens, I'll say there's scenarios that come up a lot. And if you work on this scenario of hiring fraud, the two biggest ones are impersonating someone who has a resume, let's say it's a resume, you want to be I wish I was Marv. Gosh, Marv is so smart.

He's so experienced. I'm going to pretend to be Marv. Maybe I'll make a LinkedIn page.

Maybe I'll mimic everything about Marv. Maybe I'll put my photo though on there, right or something. I'm going to report that that's me.

And that's my link. I'm going to apply for jobs based on that. That's impersonating someone else.

The other typical one is the opposite, which is, you know, you get the job, but you're going to then willfully willingly allow someone else to impersonate you, which is I applied for this job and now I'm going to outsource it to three people in a, you know, somewhere else in the world who can do the job for me. And so in both cases, the way that typically gets detected is there's an abnormality from what you expected. So let's say not easy, by the way, but it's and they say I have expertise in a certain area or they're certified in a certain thing.

And then in the course of doing their work, it sort of appears that way that maybe wasn't accurate or, hey, you know, we haven't really seen this person. They're always sick or their webcam is always not working or gosh, they're really active on code reviews and virtual things, but they're not appearing on video calls. It's been sort of human suspicion that actually in each case has stopped it, but often well into the life cycle of someone working in the organization.

And we've seen that quite consistently.

[Uncle Marv]
Interesting. So these are, of course, all tools of AI. You know, we can do the voice, you know, now we can do the deep fake videos.

And as we try to add security to all of these, I guess the questions are going to be, you know, how can we effectively balance this need for stronger security, but at the same time, you know, maintain a positive candidate experience for legitimate people that are trying to get jobs?

[Aaron Painter]
Yeah, it's interesting, you know, deepfakes and we'll talk a lot more about them. It's definitely made it more challenging. But in some ways, people have been able to take advantage of this in these hiring scenarios and other, by the way, bad actor scenarios outside of hiring without really even using deepfakes.

They've now just also had these tools. And so the term we often refer to this in the security community is social engineering, you know, which in the old world, we would just say someone being a con artist. But people are using social engineering techniques like calling and pressuring someone, hey, oh, gosh, I'm, I got to get, you know, I locked out of my account and my manager, I don't know who my manager is, we just got reorg, you know, I'm trying to log in and see I'm on vacation on this, come on, you got to help me out like, and you listen to these calls.

And it's a wide variety of tactics. But they're not necessarily using deepfakes. And they're not, they're just using sort of pressure tactics to circumvent the technology.

Things like MFA are secure, and they are necessary. They are really critical that we think about protecting access to accounts with multi factor authentication. It comes to different flavors, of course, like many things.

And, you know, there's like, the cheap product you buy at Amazon, and there's a good product you buy at Amazon when you're looking for, you know, and the low caliber one in this case is SMS verification, sending a text message is not a secure way to do MFA. Using an authenticator app or a YubiKey or hardware backed technology is a much better way. And it's necessary.

But it's not sufficient. Because the natural way that people take over accounts today that the leading way, particularly in the last 12 months, has been that people call and pretend to be you. They call a help desk, a support person, you know, they pretend to be a client.

And they say, Oh, I don't have that authenticator app, and I'm locked out, I need help to recover my account. And so MFA has become only as secure as the reset or recovery process, which typically involves a human. And now bad actors are using deep fakes in those social engineering techniques to whole new levels.

[Uncle Marv]
So let me ask this question, because you brought up an incident that I dealt with a couple of months ago. And I knew the person. So I, I'll be honest, I didn't take all the precautions that I could think of, if I did not know the person, but somebody at one of the clients that, you know, I manage, we had multifactor on their 365 account, they called, got a new phone, couldn't get in, when we basically temporarily disabled the authentication, got them logged in, put it back on.

This sounds like a big old loophole that could be used for somebody to call in and say, Hey, got a new phone, I need to be set up. And if we don't know the person, and we can't verify them, sounds like a perfect scenario.

[Aaron Painter]
You're absolutely right. And it's you, you did actually, you did the industry standard best practice thing today, you did nothing wrong. And yet, in Microsoft, I mean, I worked at Microsoft for 14 years, I love Microsoft, I love Office 365.

Right? I love MSPs that sell and support and manage and maintain, I love. And I used to, you know, we would tour data centers, when we started launching the cloud offering of 365.

And you go through the seven layers of security to enter and how important physical security was. And we, we have these incredible network around the world of detecting bad actors and preventing them for threat response and mitigation, like so advanced, so advanced. But even today, if you are locked out of 365, the process is you have to call Microsoft, or you call a support partner who can help you.

And the outcome is we will call you back. That is the level of security that ultimately protects these accounts today. It's a just, it's just a gap.

It's sadly a gap in 365. It's a gap in Microsoft Entra. It's a gap in Duo, it's a gap in Okta.

The process of recovering or resetting, or by the way, provisioning and onboarding new users, like call it, you know, your North Korean colleague is it's just exposed. It's a gap today in the security infrastructure of the internet that we're all dealing with. And hackers are exploiting it like crazy right now.

So you did the best thing you could. But what you're a lot of people are unfortunately using that same technique to take over accounts and to turn what you did into sort of being maybe not the right thing without any ill intention.

[Uncle Marv]
Right. All right. So we're going to jump around here.

So what I want to do is let's go back to what got you involved in helping fix this problem. So you started Nametag. So tell us, what was it that triggered something in your mind that said, hey, I've got to figure out a solution?

[Aaron Painter]
You know, it was deeply personal for me. I was at Microsoft for a long time. I ran a company in the UK that was focused on cloud solutions.

We were AWS's first and largest partner in Europe and an MSP. And I left just before the pandemic. I was living in London.

I moved from London to Seattle in February of 2020. And I started to think about what's next and what the next job might be. And then it felt like the world was falling apart.

Pandemic started. Nobody was going anywhere. Everything was moving digital.

And then a bunch of my friends and family members all of a sudden had their identity stolen and sort of all these accounts in their lives taken over. I was like, what is going on? Like, all right, we're going to figure this out.

I'm going to be a good friend. I'm going to be a good son. You know, we'll jump on the phone.

We'll call these companies. And everyone we called would say, well, before I can help you, I need to ask you some security questions. And it was this silly list, right?

We've all been through this of things that rather wildly, what street did you live on in 1960, whatever, or what's your favorite color? I mean, nonsensical things that were either too hard or too easy. And it turned out someone had called in every case before we did and used publicly available information or info they got from other data breaches to answer those questions and to take over our accounts.

And so he said to me, this is crazy. Like, how is it in the modern world we don't actually know who's behind the screen? And this was a little bit pre-deepfake.

But we said, well, how is it that you don't know this? And where do you do identity verification? We said, all right, well, identity verification happens when you open a new bank account, for example, a KYC or a customer regulation.

We said, why is it that a bank does that? But then when you call the bank to transact, they again ask you these silly security questions. And so we said, can we make kind of the KYC process reusable?

And then it turned out we couldn't, because all the vendors, and there were many that did this, like scan your ID and take a selfie process. They all existed in a web browser. And by being in a web browser, it meant it was susceptible to things like digital manipulation, or now what you would think of as deepfakes.

And so it led me to say, there's got to be a better way. And it's like, I got some really smart minds in security, and we ended up building a solution that would revolve around particularly using mobile phones. It basically means if you ask an end user to do the same thing, scan an ID and take a selfie, but you have them do it on a mobile device, not using just the mobile camera, but in really a secure way, you're able to take advantage of all these security features of the mobile platforms, like the encryption and the secure enclave that they operate in.

Things like app attestation, meaning, is the app in the phone talking only to that phone? So somebody can't inject, they can't put a deepfake in, they can't put in a fake PDF that they made. And you get to use all the advanced camera toys, like the 3D depth map camera that powers Face ID.

Turns out that takes a really good selfie, not for Face ID, but to be able to compare it to a government ID document. Things like that allowed us to sort of reinvent what it meant to do an identity verification for these security use cases. And then that became sort of a whole journey of kind of figuring out where can we add value, where can we help people by landing this technology.

[Uncle Marv]
So before we go further down the path, I want to ask a question. So I went to rent a truck from U-Haul, and they allow you to do just about everything online. Even when you show up to pick up the truck, you can check in, you scan a picture of the truck and the license plate, the dings and all that stuff.

You take a picture of yourself, scan your license, and then you can take the truck and go. And part of me was like, well, that's interesting. That sounds like some of this, although I don't know how much verification they actually did, because you could just scan the stuff and take the truck.

But it sounds like that's on the way to what we're going to be dealing with. Does that sound accurate?

[Aaron Painter]
And that's, I believe, the pathway of the future. I don't know that experience. It sounds like the customer experience you might want to have, where it's fast and easy.

I would venture to say they're not using us, which means they're probably susceptible to deep fakes. I don't mean to go target them and try out a deep fake, but my guess is if somebody wanted to have a forged ID document or impersonate someone else and go through that experience, they would probably be successful. And so you have to ask yourself, are you doing regulatory compliance or is it about security?

Or really, in that case, is it about preventing fraud? And I don't know how much fraud they might have from people with a fake ID trying to go through that experience. But that would definitely be something to watch for if you were building an experience like that.

[Uncle Marv]
Okay. All right. So now let's move a little forward.

So you have all this happen with your friends. Sounds like family, too. And you said, there's got to be a better way.

And I'm all for a better way, because I'm tired of calling into a support desk and answering those questions, getting transferred, answering those questions again. I mean, who was it? AmeriGas.

I called up to cancel my account. And literally, all they did was asking my email address, my street address, my phone number. And I'm like, why am I doing this?

You're not really validating me. But in terms of what nametag does, tell us now what the start of fixing all of this is.

[Aaron Painter]
Yeah, you're right. Those kinds of experiences, personally, I find them very frustrating. When I call on someone, I need to verify you.

And I emailed someone the other day for help, and they emailed back and said, Can you please tell us your email address to verify you for security? I literally just emailed. It's just nonsensical, right?

And I don't want to be rude. I mean, that's the irony is that you go into these roles of wanting to help people. And yet you're stuck as an identity interrogator.

And you're frustrated, you're embarrassed to ask these silly questions. No one likes answering them. It's not keeping the account safe.

And if you do a really good job and ask hard questions, well, then no one's happy with you. And you've taken too long and your performance numbers are bad. It's a tools issue.

And so what we've tried to do is to create tools for frankly, anyone who needs to verify someone that they're connecting with. And so it's, you know, we say help desks, but it means the same thing if you are in any sort of client facing role, you know, maybe one of your clients calls in and needs to make a change or to do something on their account or true point reset access. We have a very simple web-based portal that a person can go to and send a request.

You get a one-time link and you can send that link through a variety of channels. The person who receives it clicks on it; it opens up on their mobile device. They go through a process that averages 23 seconds.

The first time they don't have to pre-enroll, they don't have to set anything up. They don't have to download the app. And then you as the person who asked get confirmation that you know who you're speaking with.

And that was sort of the basis of how we got started. And a lot of big companies in particular started using us to power their help desk operations, to power these scenarios when people got locked out of accounts. And that led us to then go create sort of a self-service way for people to unlock their account in the first place.

So maybe they don't need to call the help desk. They can go to a website; they type in their email address and we verify them. And then we reach into Okta or Duo or Entra and perform the reset so that maybe you don't need to call and waste someone's time to get that account reset.

You can do it in an automated way.

[Uncle Marv]
All right. So this is what intrigued me and said, this has got to be on a show for solution providers because this is what we deal with. Small or large, password resets are probably behind printer questions.

The number one thing that we get frustrated dealing with. So it sounds like implementing Nametag can, I don't want to say eliminate, you know, the help desk when it comes to password resets. But I saw on your website that it can actually do MFA resets as well.

[Aaron Painter]
Fully MFA and versioning and resets. And, you know, we actually strive for, we aim for 90 percent. You'll actually get high 90s.

But if you aim to eliminate 90 percent of those calls, it's, we do it in a way always that is a choice. So you say, hey, user, do you want to do this self-serve or do you want to contact the help desk? And most people will choose to do it self-service, but there are elements of, you know, you have to have a phone nearby, you have to have your government issued ID.

Usually that's a much quicker experience. You have to be okay with consenting to the use of biometrics. And some people will be like, nope, not for me.

Awesome. Those become the single digit percent usually who want to call. But if you can get rid of most of your volume of caseload and then focus on the people then who really might need extra hand holding or explanation or accessibility support, great.

But I would love to automate what are for most people over 50 percent of their ticket volume.

[Uncle Marv]
All right. So also when it comes to help desk, and this is, these are the words that ring, you know, loud for MSPs is, you know, being able to verify who you're talking to when it comes to the ticket support. So, you know, I think most listeners are going to think, oh, this is for the big companies only because I know all my customers.

I don't need to verify them, but this is for small and large, right?

[Aaron Painter]
That's right. And happens on a few different levels. You know, back to our conversation on deep fakes.

It is now, you know, even five years ago to do a deep fake, you would read a script of 20 pages and you would record your voice, reading those specific words, and the system would learn and maybe could replicate your voice. Now, Microsoft researchers have proven in three seconds of your audio clip from a podcast and social media post, a voicemail, they can recreate your voice. So that person that is a small MSP providing customized support, hey, I know my buddy when they call, it is now wildly easy for a bad actor to impersonate the voice of the person you're used to speaking with in real time.

And unfortunately it's very easy for them also to sort of spoof that phone number or to take control of the maybe the incoming phone number. So the I'm picking up the phone. I recognize the number and I recognize the voice is not a trusted channel.

And as time goes on, I worry it's going to get worse.

[Uncle Marv]
Oh, how much worse?

[Aaron Painter]
Well, I think this rise in deep fakes are getting more significant. I think the tools are getting easier and easier. And the reason why the phone numbers aren't secure is that when you call your telco, they have the same problem.

If you call and say, I got a new phone, can you move my phone number over? They struggle to say, well, are you actually the rightful account owner? And that in that world, we call it a SIM swap.

The SIM swap is a major form of fraud. And it's why we can't trust SMS verification because in many of these coordinated attacks, people are using, they're taking over the phone number as kind of table stakes. And then they proceed with the other elements of their attack.

So it's very common to have control over a phone number. And that was very easy to replicate someone's voice. So that pick up the phone and provide personalized support as your friendly MSP is, it leaves open room for a significant vulnerability.

[Uncle Marv]
Okay. So I understand the vulnerability in SMS. The SIM swap, does that also hurt MFA?

[Aaron Painter]
If MFA relies on the text message, then yes, a hundred percent, which is why it's sort of the lightweight version of doing MFA properly. MFA properly would be an authenticator app or a, you know, a hardware token, things like a YubiKey.

[Uncle Marv]
Yeah. But like for instance, the last time I got a new phone, all I did was I, there's apps out there that will just copy what's in my phone from the old one to the new one, including the authenticator apps. Couldn't that be cloned by bad actors?

[Aaron Painter]
Yeah, in a different way. Fortunately, it's not as related to the SIM.

[Uncle Marv]
Okay.

[Aaron Painter]
So it's a little bit disconnected from the SIM swap experience. But if you have someone else's hardware, you can, yes, you know, the iPhones, for example, they make it easy to transfer to a new piece of hardware. Actually, more often than not, that transfer isn't so smooth, which is what leads to people getting locked out so frequently.

[Uncle Marv]
Okay.

[Aaron Painter]
Because they upgraded their phone and they tried to move it over and some of them moved and some didn't, and then they can't access things and that's...

[Uncle Marv]
Okay. Yeah. So now when we go back to looking at the solution provided by Nametag, is there any sort of AI involved in this solution?

[Aaron Painter]
There is, but we don't use AI alone. Because my concern is that in a world of deepfakes, people often talk about deepfake detection. And that's like AI versus AI.

You know, can my AI model beat out the bad person's AI model? And I think that's an arms race. I think somebody will always win.

More often than not, it's the bad actor. And so our strategy is to try and take other elements of technology to compete against AI. Now, that includes AI, but we use AI, we use, let's say, cryptography, which has been around now for decades, protecting a lot of transactions, financial and otherwise.

But the cryptography enabled on modern mobile phones means you can't deploy a deepfake easily, because the phone itself is encrypted. So you take cryptography, you take biometrics, for example, the ability to compare a three-dimensional photo that you capture with an advanced camera to the two-dimensional photo on a government-issued ID, that's using the power of biometrics. So suddenly if you take biometrics and cryptography and AI and you use that in your arsenal against an AI deepfake, we're much better positioned as a society to sort of win that battle, you know, to be the good person on that equation.

And that's the core of at least our approach today.

[Uncle Marv]
Okay. Side note here, you said AI versus AI. I'm thinking of the T-800 versus the T-1000 in Terminator.

[Aaron Painter]
Not far off. Yes, not far off. I've been meaning to rewatch some of these good old movies.

I was reading an article the other day about war games, you know, the simulation. And I was like, gosh, I need to rewatch that movie. It's so relevant in today's world.

[Uncle Marv]
Isn't it amazing that back then, let's see, that was a 1980s movie, I think. And looking at what they did with the machine learning, you know, at the very end where they just made it play a game to learn about, you know, biochemical warfare. And that's kind of what we're doing now with a lot of this stuff.

[Aaron Painter]
That's exactly right. It's wild. And it's, unfortunately, people are using deepfakes in all these ways.

Misinformation, disinformation, political influence, you know, public embarrassment, all those things are real. But one of the really practical ones we're seeing it is in these impersonation attacks. And that's the stuff that scares me the most.

And because I see the real life implications of that, our lives are digital. The accounts we care about whether you're a social media influencer or you're working in the physical world and you have your money in a bank, like we each have things that matter to us in the digital world. And they're not really protected well enough because of this vulnerability today.

[Uncle Marv]
All right. So it seems like we've got two battles that we've got to fight here. One of them is just simply education, helping our clients understand that these threats are getting more and more real and, you know, helping them understand what we're doing to try to protect them.

And then us ourselves actually using the security to help make them more secure. How much of what you're doing right now is really about education as opposed to just applying the tool?

[Aaron Painter]
I think both are really important. They're great points. And that's partly why I'm on here today.

It's like we built some stuff we're really proud of and a lot of companies are using it and we can be helpful. That's awesome. But I really believe that the more we all understand this issue, understand deep fakes and how they're used, we can all be human in creating creative and how we try and prevent them.

You know, even in a personal context in our lives, there are some things that I tend to think about. I think about the people. I think about the channel.

I think about the context. So let's say you're in a large WhatsApp group with a bunch of folks and someone from that group reaches out to you. Maybe I don't know that person very well.

The channel is a large public group. I don't know if I trust that as much, whereas if it's a one-on-one thread with someone you know really well and you've been chatting for a long time on that thread and they start saying something, I might trust the person. I might trust the channel.

But then let's say they start talking about something really unusual or out of character for what that conversation's been. Maybe the context is off. And so there's sort of these human lenses I try and bring to a lot of things today and say, is this a real conversation?

Is there a chance someone's impersonating this here? And I feel like all of us need to have that healthy dose of skepticism in the way that the digital world is evolving. That's one core layer.

[Uncle Marv]
Okay. So now as we go back and look at nametag, let me go ahead and ask the hard question that a lot of listeners are going to ask. What are we looking at when it comes to an MSP getting on board?

Because it sounds like a lot of these great technologies start off on the enterprise level. So is this something that a small MSP, a solo tech can get into and utilize for their clients even if they don't have a huge help desk?

[Aaron Painter]
Yeah. We try really hard on the product side to make this something that works for the smallest of organizations. I think in practice, we found some of the larger organizations find value so high in it so quickly that they've been faster to adopt.

But we really continue each day to challenge ourselves. How do we make sure we support organizations of all sizes? If we're going to protect the internet, which is our broader goal, we have to be able to.

And so there are really a couple of flavors. One, you say, hey, I want to be able to verify on one-off scenarios. And that's someone calling you, that's someone emailing for support.

Maybe that's a service that you sell today. Let's say you charge per ticket resolution. Maybe you want to offer verified tickets and verifying the person as part of a more premium ticket.

Awesome. You can offer that service and charge more for it as an MSP. Great.

It's actually more valuable. It's a more secure transaction. Another might be how can you automate it?

So let's say you're responsible for an employee base and you charge per number of employees to do a bunch of different things. Well, hey, if you can then offer a self-service functionality for things like setting up a new account or getting locked out of MFA or password resets, then, hey, you can increase your profitability and probably charge more because you're giving a better experience to your end user and it's going to cost you less. And so those are the two flavors in which we most often see people try and use us.

And, you know, most of it is as much as possible is really out of the box. Frankly, it's connect and sync a directory. It's immediately you can spin up.

Actually, you can go to the website, do it on a free trial to start doing one off requests.

[Uncle Marv]
Okay. So you've mentioned a couple of times new user setups, because part of me imagines that it's easy if we've got, you know, all of our existing users in a 365 portal and we just add this. You've mentioned tools that we're all familiar with, Duo, Okta, Entra, password resets and stuff.

But in terms of a new user, how do we incorporate this into our onboarding? Is it just another checkbox tool that as we set them up, it's going to send out information for them to verify?

[Aaron Painter]
Yeah. You know, we get two flavors. One where you can go send one off request, no pre-enrollment required, and you know who you're talking to.

Okay. Simple, straightforward, very easy, high fidelity. And by the way, there's a really neat element of the way we built this thing.

Once you verify someone, if they're on the same mobile device, the next time they come to be verified, we only need a selfie. And one of our patents is this concept of just taking a selfie and comparing it to the earlier selfie back to the government issued ID photo. So it's sort of an express re-verification, but at the same level of assurance as the first time.

If they get a new phone, then we say, okay, we don't know who you are this time, we need your ID again. But if you're on the same device, you can sort of repeatedly re-verify someone very quickly, which is why it's a nice substitute for when someone calls in or wants to make a quick change on an account. You can send off sort of a ping, have them verify with a selfie and know it's them.

All that said, that's one option. The other option is really around, you go in and you sync a directory, you sync, let's say, an Active Directory, an Entra instance, and all the members of the directory suddenly appear, and you can create a micro-site for your organization. We host one, you have an option.

You can host one if you want with custom DNS. Think of it, you know, nametag.mycompany.com, and that's where your users will go when they're locked out or if they're a new hire. So your onboarding flow for a new hire starts to become, dear new hire, your email address at the company will be this, firstname.lastname@mycompany.com.

Go to nametag.mycompany.com from here, and it will guide you through the rest of the process. So the new user goes there, they type in the email address they were given, it prompts them to verify their identity, you've captured that, and then it knows from your directory that you've created an email account for them, and it takes the user through first-time provisioning to set up a password, MFA provisioning for the first time to configure their authenticator app, and other things, and they're done.

But you know who you just gave that account to, which is really different than kind of the hiring fraud scenario we were talking about before.

[Uncle Marv]
Okay, and I guess we should probably also mention that this is something that can be both used internally and externally. So if you're a big enough company that you need to verify your techs that are actually assisting in doing this, it can be used that way as well, right?

[Aaron Painter]
That's right.

[Uncle Marv]

Okay, and that brings us back to hiring the North Korean. It sounds like this is something that we all should be doing, and I'm sure that there are other companies that have come out and said, hey, we've got these verification processes in place to help. So let me ask you, I mean, are there a lot of other companies doing what you're doing, or are you just that far ahead of the curve?

[Aaron Painter]
No, we're extremely few. You know, we thought this was kind of a niche space to play, and we sort of found it because we listened to some of our early customers really well, and they were like, hey, you've got this really unique way of doing identity verification. Can we apply it at the help desk?

Can we apply it when someone calls? Can we apply for MFA resets? And we thought it was sort of niche at first, but it was helpful in adding value.

So we started building those products, and then it got really mainstream because all these companies sort of got hacked this way. You know, MGM, the unfortunate but most common one, and the casino going down for two weeks because someone called the employee help desk and pretended to be the employee and got access and deposited ransomware. And so it's become something that we are now very good at, and it's become a very big space.

There are some companies that are trying to move from doing identity verification for consumers into the workforce, very, very few, like low single digits. And those folks, it's challenging because they're taking that regulatory compliance model, which was sort of a check the box, their browser-based models, and trying to apply them to security. And they don't do the same thing.

They might be great for their initial use case, but they're not great for this. Think of things like ID.me or Clear in these platforms. Clear works well at the airport.

In theory, you go to the airport, someone's watching you, they see you, they sign up. Someone's supervising. You're probably not using a deep fake if you signed up for Clear at the airport.

But the majority of their membership today are virtual people that have signed up remotely, not using the same standards or level of fidelity. So Clear was really meant for consumers. It wasn't meant for the workforce.

ID.me started as a shopping discount program for members of the military and students. Amazing, super high value. They then added that you could add a government-issued ID into your shopping experience.

Great for consumers, right? They're not workforce-grade solutions that you can rely on for security. And that coupled with then this idea of linking into Okta and Entra and all the other things just kind of became our space.

And we're early there.

[Uncle Marv]
Okay. So I just thought of two questions. One, if we were an MSP using this, is it something that can be used beyond the help desk?

For instance, if we want to protect when somebody tries to connect to SharePoint or a OneDrive or something like that, can this also be used to verify them that way?

[Aaron Painter]
You can. You can throw up a request for first-time or express re-verification anytime you need to. Sometimes it's a security operations center seeing suspicious behavior, and sometimes it might be elevated access permissions.

We're dealing with some, shall we say, entertainment companies now who have very high-value digital assets, and they're worried about, hey, I don't want someone to go steal the pre-release of whatever this might be. How do we really throw up additional layers of security? And we fit nicely into those scenarios, too.

[Uncle Marv]
All right. My second question is, for us as an MSP, is this something that we would just simply utilize ourselves in our stack, or is it something that we could resell to maybe a large customer that we have? What are the options that we have?

[Aaron Painter]
I would love for as many listeners as possible to find a way to resell it and add it into their stack, whether that's to make more money or to reduce the cost in what the service is you're growing up in the Microsoft partner ecosystem. And so the exciting part for me was helping partners grow their business and find more profitability and add new services to their customers. I believe heavily in that.

And so, yeah, something you can use internally, great. Again, I would hope to reduce your costs or to improve your security so you could position yourself to your clients as more secure than the next company out there. But I'd also love for you to be able to put it into your offerings and make more money at it or off of it or adding to it as an enhanced service.

That's kind of the dream.

[Uncle Marv]
Okay. And then we also did not do this ahead of time. I know that the website is getnametag.com.

And there's basically a place where you can sign up for a trial, sign in, blah, blah, blah. But is there a special application for service providers?

[Aaron Painter]
You know that trial experience you can get started right out there actually gives you all the, a little bit limited, but for the most part, it's all the stuff that we've been talking about. You can start sending those one-off requests or you can sync a directory, for example, in your internal org and see what that's like and kind of go from there. So it's a great place.

We've really tried to design that experience for, you know, MSPs, smaller service organizations and the like. It's not as great of an experience for the large enterprise that wants to try it out, but we get some of those too.

[Uncle Marv]
Okay. And without going too far into numbers, if we are an MSP and we're looking to do this as a discount or resell option, can you give, is there a percentage out there you can talk about or is it?

[Aaron Painter]
You know, we have a reseller program for actual resellers and, you know, standard agreements and standard competitive rates on this. Like we want to be very partner friendly. And so, yeah, we totally have a model for that.

But I encourage people, there's different ways to think about it. There's the pure reseller, let me sell this to my client. There's also the let me deploy this on behalf of my client and charge sort of a markup on that.

And so I really like both to be competitive depending on your business model. Okay. Right.

Let's say that if you're charging per employee to manage a variety of services, you know, putting this in will reduce your costs, make the employee experience better, let you be able to offer stronger security. Like that's worth doing, whether you can add more and charge more, pass it on to your customer or not. But that's the logic we try and bring into this.

[Uncle Marv]
Okay. And then getting back to the website. So getnametag.com, obviously nametag.com wasn't available. But I probably should ask why the name Nametag? I mean, that talks about something you're sticking on your shirt for a conference or whatever.

[Aaron Painter]
Yeah, you know, actually was that conference experience that kind of inspired us. Okay. Because if you go to the average conference and you check in, right, they actually say, hey, can I see your business card?

Can I see your ID? And if they kind of verify you in person, they give you a name tag coincidentally to wear. And then you operate in that conference kind of in a trusted space.

People know that someone's kind of vouched for you. You've been verified. They know that if they meet you and your name tag says this, and you're from this company, it's probably true.

And so it was sort of a trusted community. And the idea was how can we create trusted digital communities or digital spaces where you know the people once they're in. So that was the idea of nametag.

It turned out that, yeah, there's a company nametag.com that sells like physical desk plates, and they have a good little business. I'm very excited for them, but very unrelated to what we do. So we don't have their domain, but we now surpass them on Google in most cases.

So we got a little bit more traffic than they do, but very different spaces, kind of the digital world and the physical world.

[Uncle Marv]
Maybe you can buy them out. You guys can all be one big company.

[Aaron Painter]
Maybe one day, maybe there's a world where digital and physical collide that way. But yeah, we're excited today.

[Uncle Marv]
All right. So, I mean, there's things we could talk about all day long because there's so many scenarios that come up. But this sounds like a very good solution, especially for us as service providers.

We need to be more secure. And, you know, if we were to allow an employee of one of our clients to get in and do something, that's a huge liability bill that we're stuck with. So thank you very much for doing this.

[Aaron Painter]
And it's honestly, it's important that we all understand the risks associated with deepfakes, the risk of these sorts of cyber-attack vectors bad actors are using. And again, if we can be helpful, amazing. We'd love to be, if we can help you grow your business and sell more or earn more, save money, we'd love that too.

But please share this episode with your friends, help educate them on what's going on in this space, just so everybody can make more informed decisions.

[Uncle Marv]
Sounds good. And I'll probably get a lot of email questions that I'll forward to you and maybe we can chat again down the road.

[Aaron Painter]
I'd love that. Thank you for having me, Marv.

[Uncle Marv]
Thanks for coming on. And folks, you have just listened to Aaron Painter of Nametag, basically where you can secure your help desk and automate MFA resets, passwords, and a lot of other things. So hopefully you'll do that.

Head over to the show notes and click the link and check them out. The trial is 14 days, so that should give you enough time to set it up and check it out and see if you want to use it. But again, Aaron, thank you for coming on.

And those of you that listened to this, thank you very much. Download and subscribe and share the episode. And we'll be back with another episode of the IT Business Podcast real soon.

And until then, Holla!

Aaron Painter

CEO

Aaron Painter is a deepfake expert and the CEO of Nametag Inc., an identity verification company that is at the forefront of stopping social engineering attacks at the employee IT helpdesk. With a mission to bring authenticity to the internet and build more trusted relationships, Nametag is revolutionizing online account protection through innovative technology solutions.

Having lived and worked in six countries across four continents, Aaron exemplifies a new generation of global leaders. Aaron is a Fellow at the Royal Society of Arts, a member of Forbes Business Council, and a senior External Advisor to Bain & Company. He was also named the AWS 2019 Consulting Partner of the Year for his work at Cloudreach. A frequent media commentator, Aaron has appeared on Bloomberg and Cheddar News, and is also an active speaker, advisor, and investor to companies that are pursuing business transformation.