To The Point – Cybersecurity
Episode Summary: Beyond Passwords: Identity Security as Hospitality's Frontline Defense
Guests:
- Jasson Casey (CEO & Co-founder, Beyond Identity)
- Josh Johansen (Director of IT, Brent Hospitality Group)
Hosts:
- Rachael Lyon
- Jonathan Knepher
Air Date: January 20, 2026
Overview
This episode dives deep into the unique cybersecurity challenges facing the hospitality sector, with a focus on the increasing sophistication of cyber threats, the enduring risks of phishing, and the critical need for modern identity security solutions beyond traditional passwords. Real-world stories illustrate how technology and human behavior intersect to create vulnerabilities—and opportunities for stronger defenses. The conversation also explores how AI advancements are exacerbating risks, and what organizations can do to bolster trust, authentication, and data privacy.
Key Discussion Points & Insights
1. The Human Element in Hospitality: Attackers Exploit Hospitality’s Culture
- Josh Johansen describes how the warm, accommodating “get it done” attitude of hospitality staff makes them enticing targets for cybercriminals.
- Phishing attacks often exploit business processes, such as invoice payments from travel agencies, where staff are pressured to act quickly.
[02:22] Josh Johansen:
“We're looking for those folks that can really build relationships and are warm, accommodating—pretty much everything that a cyber attacker would love to see in a person. They want to make things as easy as possible.”
- Attackers are sending highly convincing fake invoices, mimicking travel brokers and requiring staff to “log in to view” documents, baiting them into credential phishing.
2. Real-World Incident: Stopping a Phishing Attack with Passwordless Identity
- Josh shares a near-miss incident where a general manager almost fell for a phishing invoice, but was stopped by a passwordless security system (Beyond Identity).
[03:32] Josh Johansen:
“She said, well, I put in my email and it's popped up. I have the Microsoft login screen and it says password. I'm like, that's a phishing attempt. You can just delete it and ignore it. If it was valid, Beyond Identity would have kicked in...”
- Since rolling out Beyond Identity (device-bound passkeys), phishing attempts are frequently stopped at the door, offering tangible, ongoing value.
- Credential-based attacks remain prevalent, and even seasoned staff routinely mistake advanced phishing for legitimate requests.
[05:22] Josh Johansen:
“I get this call probably quarterly about somebody who needs to get into something and it's asking for a password and they haven't equated that connection yet.”
3. AI-Driven Threats and the Next Generation of Impersonation
- The discussion shifts to the evolution of phishing and impersonation—AI-generated emails, image manipulation, and especially voice cloning ramp up the threat.
[07:02] Jasson Casey:
“We've seen a lot of voice cloning for vishing... I even did this myself. Over the course of a day I basically got Claude to write a Christmas rhyme… then built a voice cloning pipeline... It matched my execs. Seven out of eight of them were impreciated. Like no one would have questioned it.”
- Voice cloning requires as little as 10 seconds of audio, and the technology is now easily accessible and shockingly effective.
- Impersonation risk has skyrocketed; the ease and low technical barrier to entry means anyone who has public recordings is at risk.
[10:06] Jasson Casey:
“This was all accomplished in a day. I did all of this with basically zero knowledge before the day in the area... These tools are life changing in how we do work... The bad guys have jobs too, and it's going to change how they come after us.”
4. Why Detection Isn’t Enough: The Case for Attestation
- The focus needs to shift from detecting deepfakes or AI impersonation ("Is this fake?") to building systems of identity attestation: verifying the origin, device, and pathway of communications and documents.
[11:54] Jasson Casey:
“The detection or presence of AI is not a meaningful question to even ask... The solution is attestation... Products need to actually start attesting to the author's identity, the device's identity they worked on, and that sort of thing.”
- Systems can leverage hardware roots of trust, TPMs, and secure enclaves to "watermark" and trace provenance. This is a rising trend and critical for the future of authentication.
5. Strong Authentication vs. Privacy: A Nuanced Balance
- Tension exists between demands for robust authentication/attestation and the preservation of user privacy.
- Historical context: Tools like Tor were created for privacy by government agencies, but now privacy is a moving target.
[16:14] Jasson Casey:
“Privacy and security are always two sides of the same coin... There are technical solutions... but if you think about Bitcoin... once I can actually associate you with a transaction, I can kind of unravel your entire history.”
- Some solutions will be technical (trusted intermediaries, zero-knowledge proofs), but many are societal and policy-driven—strong consequences for adversarial misuse must exist.
6. The Challenge of Ubiquitous Personal Data and Brands’ Response
- With so much personal media publicly available, attackers have abundant resources to generate convincing impersonations.
- The “blue checkmark” analogy: brands and individuals must lean into identity attestation and verified communication channels.
[19:28] Jasson Casey:
“If you've put more than 10 seconds of audio of yourself on anything that's public, you are cloneable... People need to stand behind what they're producing in a way that attributes back to them... If you're a company or a public figure, you need to speak and communicate through attested channels.”
7. Practical Hospitality Security: Managing Complexity and Identity Lifecycle
- Josh Johansen outlines the operational complexity of working with big hospitality brands (Marriott, Hilton, etc.), each with their own systems and requirements.
- Centralized control over onboarding, access, and deprovisioning is critical—delays or oversights leave hotels vulnerable to old accounts, orphaned access, and password reuse.
[22:11] Josh Johansen:
“When somebody’s hired, within an hour, we’ve got their account created... When they leave we can tear down that license, revoke that passkey, and we've moved on. Versus relying on a GM to go into a portal… and then suddenly they leave and I forgot to terminate them.”
- Passwordless, device-bound passkeys dramatically reduce employee friction and improve security.
- Smaller organizations often lack dedicated IT, making them susceptible unless they work with MSPs (Managed Service Providers).
[25:21] Josh Johansen:
“As we add more and more systems into hospitality and we're asking people to put passwords into all of this, that just creates another... failure point or another breach point. My biggest concern is employees that leave.”
[26:40] Josh Johansen:
“I've been on a mission to. I'm so passionate about removing the password for hospitality folks because not only does it make their life so much easier ... the GM called [the experience] 'automagical.' He’s like, this is amazing.”
Notable Quotes & Memorable Moments
- On voice cloning risk: "If you've put more than 10 seconds of audio... you are cloneable." — Jasson Casey [19:28]
- On AI adversary capabilities: "Let's not forget the bad guys have jobs too. And it's going to change how they come after us." — Jasson Casey [10:06]
- On password fatigue and user experience: "The GM called [it] automagical. He's like, this is amazing... he was logged into everything. Every time... no passwords." — Josh Johansen [26:40]
Key Timestamps
- 02:22: Josh describes the hospitality industry’s human-targeted phishing risks and a specific phishing incident.
- 05:35: The increasing frequency and sophistication of phishing attempts—even with training and compliance.
- 07:02: Jasson shares live experiments with voice cloning and the ease of generating convincing audio deepfakes.
- 11:54: Why attestation (not just detection) is crucial in an era of AI-enabled deception.
- 16:08: How privacy and authentication collide (Tor, Bitcoin, and societal solutions).
- 19:28: The inescapability of public data and the need for verified communication.
- 22:11–27:15: Tricks and pitfalls of identity lifecycle management in hospitality—brand platforms vs. direct control, why passwordless is transformative.
Tone & Language
The conversation is both pragmatic and urgent, combining technical insight with relatable stories and humor. Jasson’s candid analysis, Josh’s practical anecdotes, and the hosts’ thoughtful questions create a dynamic and informative episode that resonates with anyone responsible for digital trust—especially in service-focused industries.
In Summary
The hospitality industry faces relentless, sophisticated attacks that prey on its strengths—human warmth and urgency. The future of cybersecurity will require not just passwordless identity solutions, but full-spectrum attestation of files, communications, and devices—because soon, everything can be convincingly faked. As organizations and individuals, we must be ready for a world where trust is engineered, not assumed.
