2025 Podcast Roundup
Heya,
In 2025, I was on a few podcasts and livestreams, talking about CIAM as well as other topics. Here are some where I discussed CIAM and security topics, along with some takeaways so you don't have to listen to the whole thing.
There is no single silver bullet for authentication. There isn’t one perfect authentication solution that works for everyone. Organizations will need to support multiple authentication methods simultaneously, such as passwords, magic links, OTPs, MFA, and passkeys. Different users have different needs and preferences. This means authentication platforms need to be flexible and comprehensive rather than betting everything on a single approach.
While passkeys represent an exciting passwordless future built on public-key cryptography, the current user experience still has friction: unclear feedback during authentication (a two-to-three-second wait with no visual indicator) and implementation complexity that differs across platforms and browsers. Despite these growing pains, passkeys have a large security benefit: the private key never leaves the authenticator, and the server only ever receives a signature over a fresh challenge bound to the site's origin, so there is no reusable secret to phish, replay, or leak from a breached database. I've started to see them pop up on lots of webapps in the last few months.
Both magic links and one-time passwords (OTPs) share similar challenges: deliverability timing, email security scanners that prefetch links and can silently consume a single-use magic link before the user ever clicks it, and a break in the user experience while the user switches over to their inbox. OTPs avoid some of the browser-specific problems magic links run into, since the code is typed into the session the user already has open rather than opening a new one in whatever browser the mail client launches. Shared password managers (like 1Password) allow teams to share not just passwords but also OTP secrets, creating new authentication patterns and risks: a TOTP seed stored next to the password in the same vault is no longer an independent factor, and anyone with access to the vault has both.
AI agents are fast and non-deterministic, a middle ground between slow, unpredictable humans and fast, deterministic traditional software. The real danger comes from what's called the "lethal trifecta": an agent that has access to private data, is exposed to untrusted content, and can communicate externally. Because agents follow instructions wherever they find them, including in untrusted content, an attacker can use that content to steer the agent into reading private data and sending it out. Any two of the three legs are manageable; it's all three together that creates the exfiltration path, so removing one leg is the simplest mitigation.
Just like with human users, the principle of least privilege should apply to agents. Having different subagents with access to different sets of tools or data makes it much harder for attackers to compromise the system. The best practices that work for securing traditional software (separation of concerns, sophisticated authorization schemes like RBAC, ReBAC, or ABAC) remain relevant and should be applied to agent systems.
Rather than reinventing the wheel, the industry is adapting existing protocols like OAuth for agent authentication and authorization. The Model Context Protocol (MCP) has standardized on OAuth, though some of its scenarios depend on optional pieces of the OAuth ecosystem (dynamic client registration, for example) that many authorization servers don't enable by default. The IETF and OAuth working groups are actively extending these specifications to better handle agent-specific scenarios. Developers should build on these established standards rather than creating new authentication systems from scratch.
Minimizing latency, increasing performance, and reducing compile times are essential elements that make a development environment better. Some developers prefer a “local first” approach, where they run development environments on their own machines rather than in the cloud. This approach not only improves developer experience through faster feedback loops but also has security implications, as developers have more direct control over their environment and can integrate security tools more seamlessly.
Adding useful tests and useful security tools creates an even better development environment. Security shouldn’t be an afterthought bolted on at the end, but rather integrated into the developer workflow from the start. When security tools are part of the natural development process and provide value without significantly slowing developers down, they’re more likely to be used effectively.
If you’d like to be interviewed on a podcast, I love to introduce experts to hosts I know. Just respond to this email with your area of expertise and I’ll try to connect ya!
Happy new year!
Dan
