in ,

Startup Opportunities In the $80B+ Identity Market

Startup Opportunities In the $80B+ Identity Market

I’ve spent more than a decade building infrastructure for managing digital identity. Before I became a Partner at Mayfield investing in early stage enterprise software companies, I was the CEO at Gigya, which created the Customer Identity & Access Management category starting back in 2011, powering login & registration as a service for 700 customers and becoming Forrester leaders in the space. Now as an investor at Mayfield, we’ve continued spending time on the Identity Stack, investing in Berbix (Instant Identity Verification), OwnID (Distributed Customer Identity Platform), and Vector Flow (Physical Identity & Access Management Platform).

Why so much focus on the Identity Stack? First, it’s critical enabling infrastructure for digital transformation. Without being able to verify “we are who we say we are” and “what we can access”, nothing online really works. Second, the Identity category has produced meaningful companies with more to come, including Okta’s $16B market cap and Auth0’s $6.5B acquisition. In fact, Okta claims an $80B total addressable market (TAM). But despite this, Identity is still very broken – I would even argue that identity is going through a renaissance of sorts, driven by megatrends including customer experience, frictionless security, & privacy. New enabling technologies like no code / low code, cross platform networks, and specialization are changing the way the markets work. The end result is massive opportunities for entrepreneurs.

In this post, I provide a primer on what the identity stack is, discuss the trends causing disruption and evolution, and share a viewpoint on where startup opportunities exist to build companies in the modern Identity Stack.

Identity Stack Primer

The identity stack is historically made up of 4 categories – Authentication, Authorization, Directory, and Identity Governance & Administration. Here’s what these categories mean in plain English:

  • Authentication (e.g., Login & Registration) -> Who are you?
  • Authorization (e.g., Permissions) -> Are you allowed to do that?
  • Directory (e.g., User Database) -> System of record of user data
  • Governance & Administration (e.g., New users & access permissions) -> Management of User

Identity Evolution

As employee and consumer expectations around customer experience, security, and privacy change, Identity is going through an evolution that is redefining the identity stack. Further, enabling technologies, including no code / low code, frictionless authentication like FaceID and FIDO2, and advanced security techniques are changing the landscape. Finally, there is specialization occurring in various use cases including B2E vs B2C VS B2B VS B2B2C.

Modern Identity Stack Opportunities

All together, these changes are resulting in an evolving modern identity stack, where solutions are being redefined to keep end users – particularly developers, customers and employees – in mind. Further, these solutions are moving beyond just thinking about security requirements, to considering customer experience, privacy and security. To put this in context, I think about major categories of the identity stack moving up an evolutionary curve along 2 axis: 1) User Focus (e.g., IT vs Customers, Employees) and 2) Feature Focus (e.g., Security vs Customer Experience, 1st Party Data, Web3 & Privacy)

Examples of opportunities within this modern identity stack could include:

Passwordless Authentication -> Many large companies have been built around the concept of services for authentication, including Okta ($16B+), Auth0 ($6B), Forgerock ($2B), and Ping Identity ($2B), but these companies were primarily architected around the concept of a password. The password is the bane of the internet. It’s insecure and provides a broken experience for users. Good news! Passwords can now go away thanks to new enabling technologies like FaceID and FIDO2, enabling a much better customer experience compared to previous attempts that require physical keys (e.g., YubiKey), separate mobile applications, or magic links. Next generation companies range from those looking to replace the entire identity stack like Stych or Transmit Security to be passwordless, or those that are looking to distribute identity management into the hands of consumers like OwnID (Mayfield Portfolio Company). Both approaches have their merits, and it’s likely that there will be numerous billion dollar next generation companies built in the passwordless authentication space.

Crypto Wallet Login -> In the last decade, the big innovation enabling easy “single sign on” authentication into websites and applications was leveraging Social Login providers like Facebook and Google to easily sign in and register to any website or application. While still very valuable and ubiquitous, there is now a movement to take advantage of decentralization on the blockchain versus centralization on the big tech platforms. The big unlock here is the more mass availability of crypto wallets like Metamask, that can serve to authenticate users into websites and applications. As we saw with Social Login, new companies like Dynamic are emerging to provide crypto wallet login-as-a-service, aggregating the many crypto wallet providers and providing a single authentication API.

Self Service Admin Panel -> Identity Governance and Administration, or the onboarding and management of users, is a category of identity technology that has again produced large companies such as Sailpoint ($6B). Legacy vendors were primarily architected for employee oriented, low volume and high touch use cases. In today’s world of consumer scale digital experiences and consumer grade expectations, previous approaches that required a manual touch to onboard individual users no longer work. New approaches will allow for complete self service, both by employees, customers, and the administrators that manage their accounts. Next generation companies working in this area are beginning to emerge, including companies like WorkOS and FrontEgg.

Instant ID Verification -> Identity Verification (IDV), or the process of knowing someone is who they say they are, becomes a lynchpin enabling technology for moving previously offline transactions online, whether it’s banking, telehealth, or e-learning. Big companies have been built here, including numerous unicorns like Jumio and Veriff. For almost a decade, first-generation digital identity verification technology companies have offered basic online services that confirm customers’ identities by having them upload a selfie that a human screener, usually in a low-cost labor market, could compare to the passport or driver’s license photo on file. But this can take minutes, is quite expensive, and people make mistakes. New IDV services leverage machine learning and automation to provide instant verifications without human involvement, dramatically improving customer experience and overall costs and enabling a whole set of new use cases to be possible. This is also replacing some of the traditional identity proofing mechanisms like the Knowledge Based Authentication (KBA) or Database Checks, that can be inconvenient and inaccurate. Next generation companies in this area include Persona and Berbix (Mayfield portfolio company).

Customer Onboarding & Management -> In the identity world the concept of the “Directory”, or the system of record for user data, was brought about when IAM was primarily an employee oriented, IT concept. Microsoft Active Directory is the most commonly used legacy software in this category, with nearly all fortune 1000 companies as customers. Active Directory and other similar legacy approaches work great when use cases are focused on employee name, employee role, etc but doesn’t work in today’s modern customer oriented world where 1st party data, privacy & security are ultimate concerns, with a need to give users transparency & control over their data. Looking forward, the concept of a directory will be redefined, with a few principles in mind: 1) Enable the streamlined onboarding of 1st party customer data with no code / low code hosted UX forms, that would maximized data collection while obtaining the necessary identity, data purpose, missions, permissions etc securely; 2) Securely store & manage the customer 1st party data in the cloud, encrypting the data and ensuring the requisite data residency & privacy laws are met; 3) integrate & orchestrate the data into requisite relying systems such as CRM, Marketing, Advertising & Loyalty solutions. There are some early next generation companies starting to emerge here including User Flow, Heyflow, and Arengu.

Summary

Identity is a critical enabler to digital transformation and deserves the time and attention it’s receiving from entrepreneurs and investors. Although Identity is made up of many long established categories – Authentication, Authorization, Directory, Governance & Administration – it’s going through an evolution, driven by megatrends like customer experience, frictionless security, & privacy and enabling technologies like no code / low code, cross platform networks. The end result of these changing dynamics are a re-defined modern identity stack, creating massive opportunities for entrepreneurs and the investors that back them.

What do you think?

California drought requires water rationing

California drought requires water rationing

‘Operation Mincemeat’: Compelling WWII Spy Tale

‘Operation Mincemeat’: Compelling WWII Spy Tale