Beyond Passwords: A Conversation with Dan Sarel

Passwords should be dead by now. Yet here we are in 2025, still juggling passwords, authentication codes over text messages, and clunky login experiences that frustrate both users and developers. It’s a problem that has overstayed its welcome.

That’s where Dan Sarel, co-founder of Descope, comes in. I’ve known Dan for over 20 years, dating back to his time at Check Point Software when I was Chief Architect of SofaWare, a Check Point company. Watching his journey has been nothing short of fascinating - he’s gone from securing networks at Check Point to reshaping the way security teams operate with Demisto’s pioneering SOAR (Security Orchestration, Automation, and Response) platform, which Palo Alto Networks later acquired.

Now, he’s tackling something that feels even more fundamental to security: authentication.? Descope is taking a fresh approach with its no-code Customer Identity and Access Management (CIAM) platform, allowing developers to build secure, frictionless login experiences in minutes instead of wrestling with months of complex integrations.?

Having struggled with the frustration of authentication challenges myself, I can’t wait to dive into this conversation with Dan !

Aron: Dan, you've built and scaled multiple security products in the past. What key lessons from that experience are influencing your approach to authentication and identity management at Descope?

Dan: When my partners and I looked at Customer Identity and Access Management (CIAM), we knew it was a large market with many vendors, but after evaluating existing solutions, we felt that everyone was approaching it the wrong way.

At Demisto, our work was all about automating and orchestrating Security Operations Centers (SOCs). When we looked at CIAM, it became clear that similar automation and orchestration tools could modernize the space.

For us, CIAM isn’t just an authentication solution - it’s a way for customers to design and manage their users’ journey.

Like Demisto, this involves orchestrating multiple tools that customers already use. We provide a flow engine that not only makes it easy to design and manage the user journey but also allows for continuous adaptation as needs evolve.

Aron: Authentication has long been a tug-of-war between security and user experience. How do you see this balance evolving?

Dan: Secure authentication makes it much harder for bad actors to access customers’ apps. We focus on enabling secure access without compromising user experience in two key ways:

1. Eliminating passwords. Passwords are one of the few security mechanisms that are both insecure and frustrating for users.
2. Customizable security orchestration. Our customers can define their own security levels and control when and how to introduce friction. For example, a user might start an app session anonymously. As they engage further, they may be prompted to verify their phone or email, complete an anti-bot check, or undergo identity verification.

We facilitate this process by integrating with third-party tools our customers choose, ensuring security while minimizing unnecessary friction at each stage of the user journey.

Aron: How does Descope change the way software developers build their user authentication journeys?

Dan:? The biggest advantage of using our flows, beyond the ease in which our customers can design, test and run their user journeys, is the decoupling (or descoping) the user journey from the rest of the application. This means that you can change the journey (from simply adding a new type of authentication to completely changing the login/signup/step-up process WITHOUT touching the application.?

Our slogan used to be “we do auth, you do you” and we really believe in it. Customers should really focus on their core capabilities, and leave this complex issue to experts.?

In many projects we do, we replace authentication mechanisms that customers have developed in-house. Unfortunately those often contain vulnerabilities and other mistakes that result (for example) in unnecessary friction for end users.????

Aron: Can you explain how your adaptive authentication works ?

Dan: Adaptive authentication works like any other multifactor authentication system but adds a step to determine which credentials are needed, if any. Customers can choose from various anti-fraud and security checks, some requiring user input and others running silently in the background.

For example, detecting an anomaly like an "impossible traveler" is a clear red flag, as is behavior suggesting the user might be a bot. Customers define, per process (e.g., sign-up), what data to collect, which tools to use, and what additional authentication steps to perform based on the results.?

Aron: Passwords continue to be one of the weakest links in security, yet adoption of passwordless authentication has been slow. What do you think it will take for businesses to fully embrace a passwordless future?

Dan: You’ve touched on my biggest frustration over the past three years since we started Descope: I thought it would be much easier to move customers away from passwords. In 2025, it makes no sense to have passwords anywhere. I used my first password on a computer in 1984 - back when we still used punched cards to translate code for computers. I expected that by now, passwords would be as obsolete as punch cards.

Yet, some organizations still fear that removing passwords will cost them users. Our job is to make it technically seamless to move away from passwords, and we enable our customers to migrate users effortlessly to more secure and user-friendly passwordless authentication.

In our experience, most users happily adopt passwordless solutions when given the option. And with the migration approach we recommend, many users won’t even notice they’ve stopped using passwords altogether.

Closing Words

It's surprising that in 2025, passwords remain deeply embedded in digital experiences despite being one of the weakest links in security. The challenge is about shifting habits, overcoming inertia, and helping businesses recognize that better options exist.

Descope is making security invisible yet effective, bringing us closer to a future where secure authentication is seamless rather than a burden.