Safe Mode Podcast
Episode: No exceptions: How Amazon killed the password and unified security
Date: February 12, 2026
Host: Greg Otto (A), Editor in Chief at CyberScoop
Guests:
- Derek Johnson (C), Reporter for CyberScoop
- Stephen Schmidt (B), Senior Vice President & Chief Security Officer, Amazon
Episode Overview
In this episode, host Greg Otto explores two major topics:
- The security and privacy implications of AI health apps, with a deep dive into the difference between legal and voluntary data protections (featuring Derek Johnson).
- Amazon's approach to unified identity management and the elimination of passwords across its massive enterprise, featuring an in-depth interview with Amazon CSO Stephen Schmidt about the company's internal authentication system, Midway.
Listeners gain actionable insights on practical security, governance challenges, and the imperative of making the secure path the easiest path—both for users and for massive development teams.
Key Discussion Points & Insights
1. AI Health Apps and Data Privacy (00:32 – 10:00)
Main Points:
- Big AI companies (OpenAI, Anthropic, Google) are launching health-focused products, raising privacy and legal questions.
- These AI tools’ data protections are not upheld by law (like HIPAA); rather, they're governed by terms of service.
- HIPAA applies to healthcare providers, not tech companies developing AI health chatbots.
- Legal ambiguity means end-users bear the privacy risk when entering health info into these tools.
- Even though companies claim to support or voluntarily follow HIPAA, there is no enforceable legal standard.
- Anecdotal and practical risks: Sensitive personal health info is entered into AI tools without full protection, in a scenario reminiscent of the 23andMe data handling controversy.
Notable Quotes:
- “There’s a difference between data protections that are backed by the force of law and data protections that are backed by a terms of service agreement.” — Derek Johnson (04:17)
- “OpenAI and Anthropic...will not say we are HIPAA compliant, they will not say we follow HIPAA, but they do certain elements...to support HIPAA. And that's really something that kind of flips the accountability back onto the user.” — Derek Johnson (06:17)
- “If you look at sort of, you know, a couple of folks that I talked to compared this to the 23andMe situation...this is a voluntary thing.” — Derek Johnson (07:39)
Timestamps for Key Segments:
- [02:00] – Overview of AI health apps' privacy risks
- [04:17] – Legal protections vs. voluntary compliance
- [07:15] – Who/what HIPAA actually covers
- [09:37] – Anecdotal perspective: widespread use, but few understand privacy tradeoffs
2. Amazon's Unified Identity Management & "Killing" the Password (13:17 – 36:08)
The Fragmentation Problem in Identity (13:17 – 16:37)
- Large enterprise environments tend to accumulate fragmentation: authentication standards diverge between cloud and legacy systems, test environments, contractor access, and so on.
- Attackers actively seek out weak spots caused by this fragmentation.
Quote:
- “Our adversaries understand the fragmentation problem...they realize that the newer systems...are relatively well secured. So what they start doing is looking for that crack in the armor, the chink...” — Stephen Schmidt (14:12)
How Amazon Built No-Exceptions Authentication (Midway) (16:37 – 21:17)
- Midway is Amazon’s internal authentication system, requiring high, uniform security everywhere (prod, test, personal accounts).
- The cornerstone: make the secure path the simplest and default for developers.
- Amazon used two strategies:
- Security team provided easy-to-use tooling for developers
- Strong institutional support: Schmidt reports to the CEO, signifying security’s importance.
Quote:
- “We use one standard, one process and one bar. So how did we get here? …The security team building tools that made it easy to do this correctly...and an institutional desire to do it.” — Stephen Schmidt (16:37)
Why Hardware Authentication (U2F Security Keys)? (21:17 – 24:03)
- Amazon replaced passwords and weak MFA with mandatory hardware tokens (U2F security keys).
- Passwords and OTPs are highly susceptible to phishing, social engineering, and nation-state-level attacks.
- Physical security keys provide a cryptographic “anchor” that dramatically raises the bar.
Quote:
- “Passwords, sorry, their time is gone. They're not really useful.” — Stephen Schmidt (22:03)
Case Study: Defeating Midnight Blizzard (APT 29/Russia) (24:03 – 27:46)
- Russian APT “Midnight Blizzard” targeted Amazon and other major firms via password spraying.
- Amazon forced all access—even for test accounts—through Midway, eliminating password-based logins.
- Another major tech firm, with an exception for a legacy test account, was breached and had leadership email compromised.
Quote:
- “It's really hard to understand trust relationships between accounts that you think don't matter and accounts that really do matter...That stuff happens behind the scenes…And then that's the chink in the armor that the adversary needs.” — Stephen Schmidt (25:59)
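The attack in this case study, password spraying, is built to stay under per-account lockout thresholds: many usernames, one or two guesses each. The detector below is an added example for readers, not Amazon's tooling and not from the episode; it keys failed logins on the source address instead of the account and alerts when one source fails against many distinct usernames inside a sliding window. The log line format and the sample lines are constructed for the example, and events are assumed to arrive in time order per source.

```python
"""Password-spray detection over authentication logs (added example).

A spray touches many accounts from one source with few attempts each, so
per-account lockouts never fire. Keying on the source and counting distinct
usernames inside a time window exposes the pattern. The log format below is
constructed for this example, not a real system's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed line format: "<iso-timestamp> auth FAIL|OK user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: set(usernames)} for every source whose failed logins
    hit at least `min_users` distinct accounts within any `window`-long span.
    Per-source events are assumed to be in chronological order."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue  # successes and unparseable lines do not count
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            alerts.setdefault(ev["src"], set()).update(users)
    return alerts


# Constructed sample: one source sprays six accounts once each; another source
# is a real user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2026-02-12T09:00:01 auth FAIL user=alice src=203.0.113.7
2026-02-12T09:00:05 auth FAIL user=bob src=203.0.113.7
2026-02-12T09:00:09 auth FAIL user=carol src=203.0.113.7
2026-02-12T09:00:14 auth FAIL user=dave src=203.0.113.7
2026-02-12T09:00:20 auth FAIL user=erin src=203.0.113.7
2026-02-12T09:00:26 auth FAIL user=frank src=203.0.113.7
2026-02-12T09:01:00 auth FAIL user=grace src=198.51.100.4
2026-02-12T09:01:08 auth FAIL user=grace src=198.51.100.4
2026-02-12T09:01:15 auth OK user=grace src=198.51.100.4
"""

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(f"possible password spray from {src}: {sorted(users)}")
```

The threshold and window are deliberately low for the sample; in production they are tuned against the normal failure rate of shared egress addresses such as VPN concentrators, and the alert is only a signal that a source should be throttled or blocked, not proof of compromise. The episode's stronger point stands regardless of tuning: once every account, test accounts included, requires a hardware key, a sprayed password cannot log in even when it is correct.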
Preventing “Exception Creep” and Organizational Governance (27:46 – 30:58)
- Amazon uses “mechanisms”—automation and tooling that enforce standards and detect/revert any deviations (i.e., no unsupported password auth, anywhere, ever).
- Security team has rights to revert dangerous changes universally and immediately.
- Standard security practice of relying on alerts and tickets is too slow—automated responses must occur within minutes, not hours.
Quote:
- “It's got to be a reaction that occurs automatically within a couple minutes to really protect you appropriately.” — Stephen Schmidt (28:27)
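What Schmidt calls a "mechanism" is a check that runs continuously, treats every account the same regardless of tier, and produces an automatic correction rather than a ticket. The following is an added example of that shape, not Amazon's Midway tooling: an account inventory is evaluated against a single policy (central identity provider, hardware-key MFA, no password login) and each deviation becomes a concrete remediation action. The inventory fields, the policy values such as the identity provider name, and the sample records are all constructed for the example.

```python
"""A no-exceptions authentication policy as an automated mechanism (added example).

Every account is held to the same standard, whether it is prod, test or a
personal sandbox; the tier is recorded only so the output shows that it has
no influence. Field names, the policy values and the inventory are
constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    tier: str                   # "prod", "test" or "personal"; policy ignores it
    idp: str                    # identity provider the account authenticates through
    password_login: bool        # whether a password alone can still log in
    mfa_methods: tuple = ()     # e.g. ("hardware_key",) or ("totp",)


# Hypothetical policy: one standard, one bar, for every account.
POLICY = {
    "required_idp": "central-idp",      # constructed name, stands in for the central system
    "required_mfa": "hardware_key",
    "password_login_allowed": False,
}


def violations(acct, policy=POLICY):
    """List the ways one account deviates from the policy (empty if compliant)."""
    found = []
    if acct.idp != policy["required_idp"]:
        found.append(f"idp={acct.idp}")
    if acct.password_login and not policy["password_login_allowed"]:
        found.append("password_login=enabled")
    if policy["required_mfa"] not in acct.mfa_methods:
        found.append(f"mfa={list(acct.mfa_methods) or 'none'}")
    return found


def remediation_plan(accounts, policy=POLICY):
    """Map each deviating account name to the actions an automated reverter
    would apply. Compliant accounts are absent from the result."""
    plan = {}
    for a in accounts:
        if not violations(a, policy):
            continue
        actions = []
        if a.idp != policy["required_idp"]:
            actions.append(f"rebind {a.name} to {policy['required_idp']}")
        if a.password_login and not policy["password_login_allowed"]:
            actions.append(f"disable password login on {a.name}")
        if policy["required_mfa"] not in a.mfa_methods:
            actions.append(f"require {policy['required_mfa']} enrollment for {a.name}")
        plan[a.name] = actions
    return plan


# Constructed inventory: a compliant prod account, a legacy test account that
# was "excepted" years ago, and a build service account on TOTP only.
INVENTORY = [
    Account("svc-orders", "prod", "central-idp", False, ("hardware_key",)),
    Account("legacy-test", "test", "local-directory", True, ()),
    Account("svc-build", "personal", "central-idp", False, ("totp",)),
]

if __name__ == "__main__":
    for name, actions in remediation_plan(INVENTORY).items():
        print(f"{name}:")
        for action in actions:
            print(f"  - {action}")
```

The design point is that the check does not know about exceptions: there is no allow-list argument, so a "temporary" test account cannot quietly stay outside the standard. Scheduled to run every few minutes with the security team's authority to apply the actions directly, this is the difference the episode draws between a ticket someone reads in hours and a reversion that happens before an adversary can use the gap.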
Developer Velocity: Security as an Enabler (30:58 – 33:29)
- Mandating secure behaviors isn’t enough—security processes must save developers time.
- Schmidt’s team has KPIs on friction reduction; implementation time for Midway has dropped from an hour to less than 15 minutes through internal investment and tooling.
- The cost/benefit equation: money spent on central tooling is repaid many times over through company-wide developer time saved.
Quote:
- “Secure path is the fast path...we measure the amount of time that a builder has to take to do the things that we’re asking them to do, and we have goals to reduce that time every single year.” — Stephen Schmidt (30:58)
Building a Playbook for Other Security Leaders (33:29 – 35:29)
- It starts with “humans”: win leadership buy-in by showing real risks in a balanced way.
- Security should be seen as an enabler, not a roadblock.
- Report metrics on security “cost” to developer time, and continually improve.
- This is a long process (years), but iteration is key.
Quote:
- "The sky is falling security people...you are the worst thing that you can do for anybody, because no one's going to believe you." — Stephen Schmidt (33:29)
Final Thoughts: Security as an Accelerant (36:00)
- Good security processes, if implemented right, accelerate the business rather than slow it.
Quote:
- "Security, if done right, can be an accelerant for your business. Turn it into that positive. Turn it into something people want to embrace." — Stephen Schmidt (36:00)
Notable Quotes — Quick Reference
- “There’s a difference between data protections that are backed by the force of law and data protections that are backed by a terms of service agreement.” — Derek Johnson (04:17)
- “Passwords, sorry, their time is gone. They're not really useful.” — Stephen Schmidt (22:03)
- “It’s really hard to understand trust relationships between accounts that you think don’t matter and accounts that really do matter.” — Stephen Schmidt (25:59)
- "The sky is falling security people...you are the worst thing that you can do for anybody, because no one's going to believe you." — Stephen Schmidt (33:29)
- "Security, if done right, can be an accelerant for your business." — Stephen Schmidt (36:00)
Key Timestamps
- [02:00] – AI health apps, privacy risks
- [04:17] – Legal vs. voluntary data protections
- [07:15] – HIPAA and its actual coverage
- [13:17] – Intro to Amazon’s identity strategy and Midway
- [16:37] – How Amazon achieved “no exceptions” for authentication
- [22:03] – Why hardware tokens became the standard
- [24:03] – Real-world attack defeated: Midnight Blizzard password spraying
- [27:46] – Preventing exceptions, automated governance
- [30:58] – Developer velocity: Making security the fast, easy path
- [33:29] – Building the security leader’s playbook
- [36:00] – Final thoughts: security as a business accelerator
Summary Conclusion
This episode of Safe Mode offers a dual-track look at the future of security:
- For individuals and CISOs using AI in health: Be aware that privacy promises from tech companies aren’t legally enforceable like HIPAA is, with the implication that users carry new risks for their personal data.
- For enterprises: Amazon’s push to eliminate passwords and unify authentication under Midway’s strict, exceptionless regime is a model for blending user experience, automation, and top-level commitment. Key success factors include making the secure path the path of least resistance, automating enforcement and remediation, and quantifying and reducing developer friction.
The tone is practical, candid, and intentional—good security requires both strict governance and strategic investment, but with the right approach, it becomes an accelerant for innovation, not a brake.
