The identity verification model most enterprises rely on is falling apart. Authentication used to be a checkpoint; you know the password, you have the device, you’re in. But voice clones, deepfake video, and AI-synthesized identity data have turned social engineering into something that runs at an industrial scale and that humans can’t spot anymore. Attackers don’t need to breach your perimeter. They call the help desk, say their phone is lost, and wait. The threat model that IT help desks were built around is gone. The problem isn’t whether your MFA is configured right. It’s what you do when someone says they can’t use it.
In this episode, Ori Eisen, founder and CEO at Trusona, makes a case for getting out of the AI detection arms race entirely. He argues that trying to catch AI-generated fakes with AI detection is the antivirus playbook, and we know how that ends. Trusona instead anchors verification to authoritative sources, DMV records and physical-world signals, things AI can mimic on screen but can’t actually own. No pre-registered devices required. And it works in both directions: attackers calling your help desk, and attackers calling your employees while pretending to be IT. Joining him are Eduardo Ortiz, VP and Global Head of Cybersecurity at Techtronic Industries, and Mandy Huth, SVP and CISO at Ultra Clean Technology.
Want to know:
- Why do MFA and SSO still leave gaps that attackers walk right through?
- How does Trusona verify identity with no pre-registered devices or tokens?
- Why is building AI detection on top of AI fakes a losing strategy?
- How is a false rejection rate of zero achievable without locking out real employees?
- What does deployment actually look like, and how fast can you be live?
- Which departments beyond IT need identity verification, and where do you start?
- How do you measure the business value beyond counting blocked account takeovers?
- Why is a solid help desk protocol still not enough on its own?
Check out the episode for the answers you need.
Huge thanks to our sponsor, Trusona

GenAI supercharges identity impersonation and social engineering. It’s rapidly eroding traditional authentication, especially in high-risk workflows like help desk password or MFA resets, vendor payment changes, remote employee hiring, and customer account access.
Trusona’s ATO Protect addresses deepfakes and social engineering directly, without adding friction or relying on legacy MFA, and empowers your team to thwart these attacks across business units and channels.
Full Transcript
[Music]
[Voiceover] Connecting security solutions with security leaders, Security You Should Know starts now.
[Music]
[Rich Stroffolino] Welcome to Security You Should Know. I’m your host, Rich Stroffolino. Today, we’re talking with Trusona and what they’re doing in the identity impersonation detection space. It’s never been hotter. If you listen to cybersecurity headlines, we are covering adjacent topics like this all the time.
And the problem that they’re fundamentally addressing is just figuring out how do you know who you’re dealing with online, kind of verifying identities, getting some kind of certainty there. Helping us get answers to why this is suddenly a problem is Eduardo Ortiz, the VP and Global Head of Cybersecurity at Techtronic Industries, and Mandy Huth, SVP and CISO at Ultra Clean Technology.
Eduardo, let me start with you. Why are we having this problem of knowing who we’re dealing with online? It seems like everybody’s struggling with it right now.
[Eduardo Ortiz-Romeu] I think GenAI has changed the mathematical equation here. I mean, we look at the last two years of attacks: voice clones, deepfake video, AI-synthesized identity data have made social engineering industrial-scale and borderline undetectable by humans, right?
Like before it was kind of like a Star Trek type of thing or Star Wars. It’s like now the threat model, [Laughter] any type of help that was built against the normal threats no longer exists. It has become a bigger issue. I haven’t talked to a single company that has not had these types of problems.
[Rich Stroffolino] Mandy, what about for you? Is it commodification of deepfakes or is there something else going on too?
[Mandy Huth] Well, when I stepped back and I really thought about it, right, identity used to be used as a checkpoint, right? And the assumptions that we use for identity validation have collapsed. Now it has to be this continuous risk signal, right?
It changed from do you know your password to is this person or this device or this behavior actually trustworthy in this moment, right? And that goes from whether that’s time span or how we do those authentications or whether it’s a technology that enables acceleration of those things.
We have to shift our approach because the assumptions no longer provide the protection that we trusted for so long.
[Rich Stroffolino] All right. Well, today we’re going to be talking with Ori Eisen, the founder and CEO at Trusona. Ori, to start out, you got to help us out here. We need to answer some preliminaries here. How do I explain the value of your solution to my CEO?
What does your solution do? What does it not do? And help us out with the pricing model. Can you set the table for us here?
[Ori Eisen] First of all, thank you for having me. I do agree this topic is super, super timely because every time I’m on a call with a CISO, they’re like, “Don’t tell me about the problem. Just tell me how you solved it.”
[Rich Stroffolino] [Laughter]
[Ori Eisen] If I were talking to a CEO, I would ask him a simple question. Have you noticed in the last three years ever since GenAI became part of our lives that you can’t really tell who wrote this email? It’s the same problem in security. If I show you a driver license, and I know this is just a video and the audience cannot see that I’m showing you a driver license, you can’t tell anymore just by imagery if it’s real or not.
You can’t tell if this is my voice and I’m not a GenAI agent talking to you right now. And as Eduardo said, even the video. So, the problem is we can’t tell video, audio, and visuals anymore, what’s real and what’s not. And if your security for account takeover or for MFA resets or password reset is dependent on it, good luck.
[Rich Stroffolino] And then what about the pricing model?
[Ori Eisen] The way we work is we confirm with authoritative datasets, just like the DMVs. We were the first company that had access to say, “Is this driver license really in the state records?” So, we charge per hit, meaning per transaction, and not with anything weird.
So, if you have 5,000 password resets a year that you want to pass through and know that you have the right person, you will pay for 5,000 events.
[Rich Stroffolino] All right. Well, we’ve gotten a taste for the solution, but I’m sure our panelists have a lot of questions. Mandy, I’m going to start with you. What other questions do you have for Ori and for Trusona?
[Mandy Huth] Yeah, I think that’s really great, and I really appreciate what you’re listing out that we do. A lot of companies, such as my own, we have MFA. We have single sign-on identity, right? Where does Trusona add value to those controls that aren’t fully covered, especially during either a Help Desk interaction or a high-risk transaction?
How do you provide value?
[Ori Eisen] So, I’ll just use different definitions. I would consider SSO and MFA as part of authentication, meaning you already provided credentials to a user and now they’re using it. I add value when they call in and say, “I lost my phone and my bag and the YubiKey.
Let me in.” How do you establish who is on the other end when MFA is not working? If authentication is perfectly working, you actually don’t need anything else. It works. The way hackers call you is they say, “I work here, but my stuff doesn’t work,” or “I forgot my password.” Anything other than the happy path.
And now you’re left with, is it really my employee and I’m going to help them? Or this is an attacker? Ergo, I cannot use your MFA for this. I cannot use the credential you gave because they are simply not there.
So, we have established a way to identify who is the true persona, that’s why we’re called Trusona, in a way that has not been broken yet. Let me repeat this to all the listeners. We offer money to anybody who can break what we do because we are practitioners first and salespeople next.
If you can prove that you are me, Ori Eisen, in our system, I will pay you. So far, 80,000 people have tried and nobody broke it. And yes, I’m inviting you to break it because I really want to solve this problem.
[Eduardo Ortiz-Romeu] So, I’m going to jump in with a follow-up question based on Mandy’s. What’s the false rejection rate that you have seen? Because we…
[Ori Eisen] Zero.
[Eduardo Ortiz-Romeu] Zero. So, it’s zero, still zero.
[Ori Eisen] Zero. Let me explain why because I know I’ve… I used to be the head of risk at American Express. So, I was on the other side of this podcast and I’m like, “Really? Come on.”
[Eduardo Ortiz-Romeu] Because the pushback is like we cannot block legitimate employees from getting help. So, you’re saying it’s still zero.
[Ori Eisen] It will always be zero. Let me explain why.
[Eduardo Ortiz-Romeu] Okay.
[Ori Eisen] If you are you and you are driving home and a policeman stops you, how do you prove to them who you are? What do you do? You don’t use your MFA, do you? You don’t use an algo to say, “Hey, does this voice sound like…?” You don’t, you just say, “Here are my credentials that we have agreed as a society that if they’re real and the policeman can check with the DMV are real, that it is you.” And of course, your picture matches and all those things.
I use the same exact thing and then add layers that are simply not needed in the real world. Meaning what? You all heard about man-in-the-middle attack. So, somebody can call you and say, “I am the employee,” but they’re also puppeteering the employee on another line to give you the answers, right?
So, we solve for that. We solve for SIM swaps, right? If you send a text with the OTP, how do you know it really got to me and not to a bad guy who just called my telephone company 10 minutes ago? So, we are taking the baseline check of show me that you are you based on what society agreed and now adding all the layers that could be diverted or subverted online, and the net, net, net equation is when it’s you, it’s you, and when it’s not you, you simply cannot make my phone line registered to you, Eduardo, in order to prove that you’re me.
You just can’t do it without triggering all the other signals that would say, “Okay, this is probably fake.”
[Eduardo Ortiz-Romeu] Okay, thanks for that. The follow-up, I heard you saying some insurance. I didn’t hear the amount.
[Laughter]
[Ori Eisen] I love that question. When Trusona started 10 years ago, we were the first and still only insured authentication up to $1 million per login, but that required you to meet us in person, get a token that is still unbreakable. And while we solved that problem for sure, the friction was too high for our first product.
As the founder, I’ll admit to that. But the problem was solved. Nobody broke that ever. Every customer we had, we asked, “Well, what do we need to do that the general population of your users could use it?” They say, “Oh, take away the in-person meeting and take away the very, very super-duper token,” and now we are left with some technologies that were not perfect.
So, what I’m saying is in our latest product, if you go to our website, you see that we’d offer you $10,000 as a hacker, we kind of have a hack the box contest to show us how you broke it, and that has not been broken yet. So, it’s different than giving you insurance in production, but it is showing you that I’m a vendor that really worked on this, and I care to know that it works more than that I care to sell it to you.
And that’s why I want this to be a practitioner’s talk and not just vendor product talk and price. I don’t care about that. I want to solve the problem because we’re leaving this internet to our kids, and God help us. Let them have something that is better than what we got.
[Eduardo Ortiz-Romeu] Thanks.
[Mandy Huth] So, I have another question. So, I love that you said that because my question is really, I know we’re talking about Trusona and you’ve solved this problem for us, for practitioners that might be listening. I want to take it back a step and talk about how to, whether it’s Trusona or others, what are some advice you would give users or practitioners to detect a real human versus a convincing fake, right?
Like when an attacker has stolen credentials or can mimic a voice or have someone on the string giving you answers, what signals can they use and Trusona does or does not provide that can actually determine whether the person is actually a legitimate account owner?
[Ori Eisen] Yes. The problem, first of all, comes from two directions and we solve both. The first is when employees or hackers call into the IT Help Desk, but the second problem is the hacker calls your employees and says, “I’m calling from the IT Help Desk.” So, we solve both.
That’s the first thing practitioners need to zoom out and see the whole problem. If you’re familiar with the Turing Test that determines, “Is this human?” Imagine that we have created a Turing Test, but for you, the person. So, it’s no longer is it machine or human, but is it you, the human?
And the advice I would say is this. If you’re thinking you can fight AI with AI, we are definitely disagreeing on the strategy. You’re doing what we did with antivirus 30 years ago. They develop something, you detect it, you block it, they detect, you’re going to be in a continuous cat and mouse because LLM models just keep improving.
What we have done is taken two steps backward in time. You heard me right. Backwards where AI cannot chase us. AI cannot own my phone. AI cannot go to the DMV and get something physical that the DMV will say is right. AI can make a lot of fakes that look good to the human eye, absolutely, but it still does not mean that you have the actual user.
And to add to your question, of course, you need to add to that layers of the SIM swap, layers of the man in the middle. Otherwise, again, I’ll be in the same problem. I will believe the lie. But unfortunately, I don’t have good news here. If you don’t have all those layers, you are probably letting some bad stuff in as we speak.
[Mandy Huth] In my space, we’ve called it sometimes a simple protocol is the best one, right? Like we don’t need a technology, we need a process.
[Eduardo Ortiz-Romeu] Right.
[Mandy Huth] Or a protocol that we can depend on, which is what you’re pointing to, which is great.
[Ori Eisen] If you don’t mind, I’m going to give you one caveat to that, which again, one of our largest customers is an airline. We won’t mention names. When we started the relationship, they said, “We’re going to let you listen to a recording from our IT Help Desk with the voice of our CEO screaming at the agent that they’re getting into a board meeting, and they need their password reset,” okay?
Even the CEO of that airline says, “I would not believe that it’s not me because it is that good.” So, my point to you is even if you have an SOP, a standard operating protocol that says you need to do X, Y, Z, that is still not good enough. I’m pausing because if you threaten the employee and they fall for the threat, you just have social engineering.
What you need to establish in your protocol is this, hear me out. I will fire you for not following the process. I will not fire you if the CEO yells at you and you stick to your guns. If the employees in your IT Help Desk are not empowered with this, it doesn’t matter.
You can buy from me, and you will still fail because the power of the social engineering is to bypass you, whether it’s technology, MFA, protocols. They’re hitting the human. That’s why they’re so good at it. So, you must blend empowerment to say you must go through this process.
Otherwise, you [Inaudible 00:13:18], and not the reverse. You’ll get fired if you don’t do what I tell you because I’m the CEO.
[Eduardo Ortiz-Romeu] And along those lines, I came to my deployment. What does deployment actually look like in this case? Who owns it? Is it IT, security, HR? In this case, typically? Or it’s a combination of three. It could be the three of them, right?
[Ori Eisen] Great question. So, I’m zooming out. We usually start with the IT Help Desk because that’s where you can bring the company down. We start with side-by-side, meaning no integration whatsoever. You just use our portal, and you add us to the process.
So, before you change the password, use this. Later on, most people just bring us into their ITSM. Most commonly, it’s ServiceNow. But the problem doesn’t end there. Have you heard about the DPRK IT workers who are trying to infiltrate you? So, that is not the CISO’s problem.
That’s HR.
[Eduardo Ortiz-Romeu] I was going to ask you about that. Okay.
[Ori Eisen] Yeah. So, then the CISO said to HR, “Hey, listen, we just solved the problem of people coming in through this door, but they’re now coming through your door.” So, HR buys from us next. Guess what? We’re not done. Finance is the next department because I can call and say, “I’m from one of your vendors.
We changed our bank account. So, wire us money next time here.” You’re going to be taken down that way. And the fourth door is your customers. People are calling your customers and pretend to be you. How do you expect them to know if it’s real or not?
So, that’s the last leg of the stool. But we don’t do it all at once. Eduardo, we start with IT Help Desk because that is happening as we speak all over the world.
[Eduardo Ortiz-Romeu] Yeah. So, quick follow-up. Can you give me a baseline number? Deployment for a company that has a thousand employees, what’s typically the timeline? I just want to have an idea.
[Ori Eisen] You know what entering a DNS record is, right? Like a CNAME?
[Eduardo Ortiz-Romeu] Yeah, yeah, yeah. Yeah.
[Ori Eisen] How long does it take you to do that?
[Eduardo Ortiz-Romeu] Less than a minute.
[Ori Eisen] Okay. That’s the deployment because we are…
[Eduardo Ortiz-Romeu] [Laughter]
[Ori Eisen] So, that is the only work our customers need to do, and the reason we want you to do it is that you don’t send emails or text or anything with trusona.com. No one knows who we are, but they know who you are. So, you are inheriting us something that allows us to generate domains with you.
The rest is all hosted in the cloud. Part two, after you want to bring it into ServiceNow, now I’ll ask you the same. Do you know who your ServiceNow admin is? Because that’s the longest part in the [Laughter] equation. And then they simply install an app or use a side-by-side.
But it is less than an hour in most cases to get going.
[Rich Stroffolino] We’ve got time for one more question.
[Mandy Huth] So, when I have what is the value prop, I know you kind of talked about what you tell the CEO. How should a CISO or practitioner measure the business value? Is that fewer successful account takeovers? How do we know which ones were successful?
Reduced Help Desk risk? Faster recovery? Are there some tangible things I can count to provide a value counter?
[Ori Eisen] Yes. The first one, and I hate saying it because it’s not why we’re in business, but if you had 10 reps today who are taking calls, you can also use our API and have 3 reps. So, the first value is I can reduce the number of humans taking calls.
Why? Because they are susceptible to social engineering. So, that is number one. Number two, there is no registration needed in the system. Pause. Every MFA you ever used, you needed to register people so they can use it. Here, I’m taking you cold because you could be on vacation without anything.
So, the value is customer service in the sense that you really helped me.
And the last is the holding time or how long does it take to resolve something with absolute confidence? Look, you can chase deepfakes all day long, but it will take two hours per ticket. Who wants to do that? So, all in all is the confidence for you to sleep at night that you know you’re going through layers that nobody has broken into, and you can have a red team in your company before you do anything.
Try to break into but also doing it in a cost-effective way and to automate it if that’s what your CFO really wants. You can operate us either with humans or with an API.
[Rich Stroffolino] All right. All right. Before we get out of here, what’s one thing we didn’t ask about that we need to know?
[Ori Eisen] I love it. So, you’ve hit most of the things that I wanted the audience to know. I’ll talk about UX just because it’s not the thing B2B software talks about usually. You want your CEO to use this software and tell you, “Oh, my God, that was a great experience for me.” You do want that.
Why? Because usually we security people are associated with friction, hard stuff, difficulty, didn’t work the first time, all those icky things. No, this actually gets kudos even from the people who use it. And I do think we have to elevate our game.
We can’t just be associated if we want to do good security work with, okay, but it’s going to be a nightmare to go through us. No, we can blend it in. And the team at Trusona worked, I’m just going to say, for over 10 years to perfect the process. So, it feels easy and simple.
And yes, we have some confetti and things like that to make it all not consumer-ish per se, but make it feel that this is a process that is joyful to go through and not just, “Ugh. Here we go again. They want me to take out my birth certificate.”
[Music]
[Rich Stroffolino] That’s it for this episode of Security You Should Know. To learn more, head on over to trusona.com. And if you have any feedback for this show, feedback@CISOseries.com. Thanks to Eduardo and Mandy for helping us learn more about what Trusona is all about, and a huge thank you to Ori for your time and being game to answer all of these questions.
Really appreciate it from everybody. And thank you for listening to Security You Should Know.
[Music]
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.