Future Secured - Shaping a Future-Proof Digital Society

Future Secured Ep 45 Karim Toubba CEO, LastPass on Passwords, Passkeys, and the Shadow IT problem

Future Secured Season 1 Episode 45

What does a world without passwords actually look like and how close are we?

In this episode of Future Secured, Karim Toubba, CEO of LastPass, explores the shifting future of password management, identity security and user authentication in an era defined by AI, Shadow IT and cloud-first business models. With over 25 years in cybersecurity leadership at companies like Cisco, Juniper Networks and Kenna Security, Karim shares how his journey from network engineering to the helm of LastPass has shaped his approach to building secure yet user-friendly solutions at scale.

We dive into how password managers are evolving into identity management platforms, the challenges of driving user adoption and cybersecurity education, and how multi-factor authentication (MFA) and passkeys are reshaping the way organisations secure their digital identities. Karim explains why passwordless authentication will take time to reach critical mass in enterprise environments, even as consumer markets move faster, and why businesses must prepare for a hybrid future where passwords and passkeys co-exist.

The discussion also tackles the risks of Shadow IT and Shadow AI, the need for SaaS visibility and policy-based controls, and how incident response should be used as a learning loop to strengthen defences. Karim underscores the cultural and behavioural barriers to better security practices, arguing that education and prevention are critical if organisations want to reduce breaches and build lasting trust.

For the first time, Karim also shares insights about LastPass's cyber breach.

Whether you’re a CISO, SOC manager, or MSP supporting small businesses, this episode offers practical strategies to improve identity and access security while preparing for the next wave of authentication technology.

Key topics
Identity as the front door: user-to-app is the new perimeter; convenience and security must ship together.

Passwordless, realistically: consumer apps are moving faster than B2B; expect a hybrid of passwords + passkeys for the medium term.

Culture and tooling: adoption lags without user training and simple onboarding.

From consumer to business: prosumer habits seed enterprise rollouts; MSPs now bundle password managers to lift hygiene and reduce liability.

Shadow IT / Shadow AI: why SaaS visibility is step one, and how policy-based controls can monitor or block unapproved apps.

Learning from incidents: invest, communicate, improve, then keep going.

Chapters
00:00 Intro and Karim’s journey into cyber

02:26 Early security days: firewalls and the late-90s stack

04:45 Why LastPass; identity heats up again

06:53 User-to-app model, MFA, and convenience vs security

09:54 Consumer to enterprise: 70% B2B / 30% B2C

12:56 Culture, basics and making MFA stick

14:50 SSO gaps, SSO “tax”, and where password managers fit

20:45 Passwordless in practice; storing passkeys and passwords together

22:25 Why B2C is adopting passkeys faster than B2B

25:07 Incident response and rebuilding stronger

35:26 Shadow IT/AI → SaaS monitoring and policy controls

38:59 Australia vs US: same problems, different rollout

43:09 Trust, simplicity and prevention

Quotes (sound bites)
“Authentication is one of the few security controls that’s front and centre to the user.”

“We’ll live in a co-mingled world, passkeys and passwords, for years.”

“Start with visibility, then fix the basics: unique credentials and MFA.”

Takeaways
Make it easy: remove friction, auto-fill, streamlined onboarding, and clear policies.

Train and nudge: simple, repeated prompts beat policy documents.

See first, then control: inventory SaaS usage; apply monitor → warn → block policies.

Plan for hybrid: support passkeys and passwords; let the vau
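The "see first, then control" takeaway and the Shadow IT / Shadow AI topic above describe the same two-step pattern: build an inventory of which SaaS apps users actually reach, then attach a policy (monitor, warn or block) to each app rather than to each request. The following is an added example written for this page, not code from the episode, from LastPass or from any product; the proxy log format, the SaaS catalogue, the policy tables and the sample log lines are all constructed for illustration. It builds the inventory from log lines, resolves a policy per app (explicit app rule, then category rule, then a default of "monitor" so unknown apps are recorded rather than silently allowed or broken), and summarises the outcome.

```python
"""Inventory SaaS usage from web-proxy logs and apply a monitor / warn / block policy.

Added example (not from the episode or LastPass). The log format, catalogue and
policy tables below are constructed for illustration.
"""
import re
from collections import defaultdict
from enum import Enum


class Action(Enum):
    ALLOW = "allow"      # sanctioned app: nothing extra to do
    MONITOR = "monitor"  # unknown app: record it so it appears in the inventory
    WARN = "warn"        # tolerated app: notify the user/admin, still allowed
    BLOCK = "block"      # unsanctioned app: deny the request


# Constructed SaaS catalogue: registrable domain -> (app name, category).
CATALOG = {
    "slack.com": ("Slack", "collaboration"),
    "dropbox.com": ("Dropbox", "file-sharing"),
    "pastebin.com": ("Pastebin", "file-sharing"),
    "example-ai-chat.test": ("ExampleAI", "generative-ai"),
}

# Policy precedence: explicit per-app rule, then category rule, then default.
APP_POLICY = {"Slack": Action.ALLOW, "Pastebin": Action.BLOCK}
CATEGORY_POLICY = {"file-sharing": Action.WARN, "generative-ai": Action.WARN}
DEFAULT_ACTION = Action.MONITOR  # anything unknown is inventoried, not blocked

# Constructed proxy log line format: "<ts> user=<name> host=<fqdn> bytes_out=<n>"
LOG_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) bytes_out=(\d+)$")


def classify(host):
    """Map a hostname to (app, category); unknown hosts keep their own name.

    The "." prefix in the suffix test matters: without it, "notdropbox.com"
    would be mis-attributed to Dropbox.
    """
    for domain, (app, category) in CATALOG.items():
        if host == domain or host.endswith("." + domain):
            return app, category
    return host, "unknown"


def decide(app, category):
    """Resolve the policy action in app -> category -> default order."""
    if app in APP_POLICY:
        return APP_POLICY[app]
    return CATEGORY_POLICY.get(category, DEFAULT_ACTION)


def process(lines):
    """Return (inventory, decisions).

    inventory: app -> {category, action, users, events, bytes_out}
    decisions: one (timestamp, user, app, action) tuple per parsed log line
    """
    inventory = {}
    decisions = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, user, host, bytes_out = m.groups()
        app, category = classify(host)
        action = decide(app, category)
        entry = inventory.setdefault(app, {
            "category": category, "action": action,
            "users": set(), "events": 0, "bytes_out": 0,
        })
        entry["users"].add(user)
        entry["events"] += 1
        entry["bytes_out"] += int(bytes_out)
        decisions.append((ts, user, app, action))
    return inventory, decisions


def summarize(decisions):
    """Count decisions per action: the first number an admin dashboard shows."""
    counts = defaultdict(int)
    for _, _, _, action in decisions:
        counts[action.value] += 1
    return dict(counts)


# Constructed sample log lines, including one malformed line.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z user=alice host=app.slack.com bytes_out=1200",
    "2024-05-01T09:01:10Z user=bob host=www.dropbox.com bytes_out=540000",
    "2024-05-01T09:02:33Z user=alice host=example-ai-chat.test bytes_out=8000",
    "2024-05-01T09:03:05Z user=carol host=pastebin.com bytes_out=2048",
    "2024-05-01T09:04:42Z user=dave host=unlisted-notes.test bytes_out=300",
    "garbage line that the parser should skip",
]

if __name__ == "__main__":
    inv, dec = process(SAMPLE_LOG)
    for app, e in sorted(inv.items()):
        print(f"{app:22} {e['category']:15} {e['action'].value:8} "
              f"users={len(e['users'])} events={e['events']} bytes_out={e['bytes_out']}")
    print(summarize(dec))
```

Running the block prints one inventory row per app and the per-action counts. The default of "monitor" for unknown hosts is the design choice that makes visibility come before control: a newly adopted tool shows up in the inventory with its users and outbound byte count before anyone has to decide whether it gets a warn or block rule.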