Is Apple the Next Identity Verification Juggernaut?
How should operators and investors think about Apple’s threat to identity verification providers?
Alongside a growing banking and payments ecosystem, Apple has quietly built identity verification (IDV) capabilities that could disrupt a growing crop of startups within the IDV tech stack. Combined with unparalleled access to user data and a widespread consumer footprint, Apple appears to already have the capabilities to own identity verification and fraud for iOS users.
Will Apple solely use these capabilities to onboard iOS users into its own payment and banking ecosystem? Or will Apple monetize these capabilities to offer financial institutions a robust and frictionless digital onboarding experience for iOS users?
All indications point to the latter.
Apple’s ambition is to blend both payments and identity, to not only be the gateway to every transaction globally with Apple Pay, but every verification globally with Apple mobile identity credentials.
(For an introductory overview of the identity verification industry and tech stack, read our primer here.)
A recently granted patent covering identity document authentication envisions service providers requesting identity verification directly from Apple when opening a banking account, applying for a loan or for completing online age verification (e.g. buying alcohol using a gig delivery service). And, Apple filed a patent at the end of 2022 to provide user trustworthiness scores, inclusive of user and device identifiers, to banking providers — resembling the fraud and risk scores that IDV providers generate. These filings follow reports that Apple will oversee its own credit checks, risk management and lending decisions for Apple Pay Later.
In the medium term, identity verification companies could see up to 56% of US revenue at risk — the market share of iOS in the US. But taking a step back, the future doesn’t look as bleak. Despite iOS commanding over half of the market, one US neobank we spoke with told us that iOS users account for less than one third of total subscribers, split between iOS, Android and a web version of the app. Globally, iOS accounts for only 27% market share, and as little as 4% market share in other geos like India.
While an Apple IDV solution cannot be a one-stop-shop for all global consumer verification, we think that Apple is a strong contender to count itself among the 10+ companies powering the IDV tech stack for each financial institution today, due to significant structural advantages we detail below. We continue to believe there will always be a degree of duplication of capabilities within the stack because identity verification and fraud is best served with a layered approach, so this is not a winner take all market.
But, as the number of providers and sources of identity and trust data increase with the entry of companies like Apple, IDV winners will increasingly deliver value to customers by aggregating and standardizing data across these growing vectors. Therefore, operators seeking to insulate their business from disruption risk should aim to partner to take advantage of open APIs into Apple identity credentials like mobile driver’s licenses. To the extent possible, operators should ingest Apple’s data into their own identity, risk and fraud models, viewing Apple as a new channel partner. For example, in Apple’s November 2022 patent for identity document authentication, third-party IDV providers are granted access to data that Apple collects:
The subject system provides for authenticating a user’s physical ID with an identity provider (e.g., an issuer of the ID such as an agency that issues driver’s licenses) to create an electronic ID for a given service or domain of services. During an enrollment phase, the user’s device captures image(s) of the ID (e.g. a driver’s license, passport, or the like) and sends the image(s) to an issuer of the ID and/or a third party verification service that is capable of verifying the authenticity of the ID.
Everything We Know About Apple’s Identity Verification Playbook
Dating back to March 2019, Apple and the TSA have worked together to develop technology to read mobile driver’s licenses (MDLs) shared from Apple devices. As part of this partnership, in December 2021, Apple was assigned a patent for the use of a mobile identification credential for verification at security checkpoints.
We’ve seen these efforts come to fruition as the Apple Wallet now supports Arizona, Maryland and Colorado MDLs which are valid for identification at several TSA checkpoints within BWI, PHX, DCA, and DEN airports. Several additional states have agreements in place to utilize Apple’s MDLs including Hawaii, Mississippi, Ohio, Connecticut, Georgia, Iowa, Kentucky, Oklahoma, Utah and Puerto Rico.
To add MDLs to Apple Wallets, users take a picture of the front and back of the ID card which is matched to their selfie. Apple sends the images to the state issuing authority which has sole discretion over the approval process, usually rendered in a few minutes. Importantly, Apple also generates and sends a fraud score measuring the confidence that the person presenting the ID is the owner of the ID.
To present MDLs at TSA checkpoints for verification, users place their phone to the reader and use Face ID or Touch ID to consent to sharing their information, the same process as using Apple Pay in stores.
On the backend, Apple mints a verifiable credential of the license where both the issuing state and the device each “sign” a proof of the validity of the credential. The verifier, the TSA in this case, can then cryptographically prove the legitimacy of the MDL by examining the signatures. For more information on how verifiable credentials work, see our primer here. Through the creation of verifiable credentials and other security measures, Apple protects consumers’ information from being stored on any device or database or accessible to outside parties and bad actors.
Beyond the account onboarding process, Apple has taken steps to own the account login and authentication process as well by implementing Apple Passkey, which removes passwords for user authentication across websites and services. In the future, Apple will also enable users to add fingerprints to credentials and will improve authentication and security by taking additional steps to “bind” users’ identity to their biometrics, according to a recently granted patent.
Onfido, Persona and several other companies built large businesses by checking the image of a driver’s license against a selfie for identity verification, although they now have a suite of IDV capabilities aside from this document verification. Meanwhile, Apple leveraged their Face ID expertise to build this technology in-house, underscoring the threat operators face. At the end of 2022, Apple was granted a wide-ranging patent for enrolling, managing and using digital identity credentials.
Apple has Significant Structural Advantages but also Important Limitations
Advantages
1. Apple is building proprietary and direct connections into state issuing authorities’ internal databases, enabling a conclusive verification check of driver’s licenses against primary source data. In the same way that Plaid united bank account data previously in disparate data siloes, Apple is uniting state ID data. This data historically has not been easily accessible meaning other IDV vendors are using secondary checks to verify ID documents.
2. Apple is building a real-time data feed with state issuing authorities, enabling identity credentials be continuously updated, for example, if you change your address or have your license revoked. According to Apple’s T&Cs:
To help manage your driver’s license or state ID in Wallet, your state issuing authority will periodically tell Apple whether your driver’s license or state ID is still valid. Apple will also receive information about any identity card updates from your state issuing authority, such as whether your address was updated or your identity card status was changed (for example, from active to inactive).
Today, financial institutions conduct a check on a consumer’s identity at the point of enrollment, which represents an authentication at one point in time. While financial institutions have standard policies on re-verifying credentials to incorporate eligibility changes over time, the ultimate goal is what Apple is building — perpetual KYC — ongoing monitoring of the latest data which is incorporated in real-time to seamlessly update verification decisions. Meanwhile, the revenue model for IDV companies usually relies on re-verifying credentials with each subsequent check via API pull costing ~$1. Apple’s profitable core businesses mean the Company could offer perpetual KYC without the threat other IDV vendors face of cannibalizing their revenue.
3. Apple has more data than any other IDV company on its users, enabling them to build the most comprehensive risk and fraud decisioning models. Plus, Apple already shares the data it collects with card issuers, payment networks, banks and other service providers to prevent fraud when adding payment cards to an Apple Wallet. Therefore, Apple is already a trusted intermediary in the system.
For example, the data that Apple shares with these stakeholders to determine eligibility when adding cards to your Apple Wallet, per T&Cs, includes:
- Your credit, debit, or prepaid card number
- The name and billing address associated with your Apple ID, iTunes, or App Store account
- General information about your Apple ID, iTunes, and App Store account activity (for example, whether you have a long history of transactions within iTunes)
- Information about your device and, if using Apple Watch, the paired iOS device (for example, a device identifier, phone number, and the name and model of your device)
- Location at the time you add your card (if you have Location Services enabled)
- Account or device history of adding payment cards
- Aggregated stats relating to the information from payment cards you’ve added or attempted to add to Apple Pay
The data Apple could collect and share for fraud decisions doesn’t stop there. Apple will “know your everything” as Apple Wallet becomes consumers’ private information store across all facets of their lives. Today, Apple Wallet supports loyalty cards, employee badges, student IDs, home keys, hotel keys and even car keys. Thinking forward to tomorrow, Apple has filed a patent for utilizing an Apple mobile device as a badge to access electronic locks in hotels, gyms, and offices. And in late 2022, Apple was granted a patent covering the collection, storage and accessibility of health-related information from your workout schedule to your height / weight and from your medication history to your diagnoses.
4. Conversion is King: Apple could enable a one-click embedded identity check for iOS users, improving account onboarding conversion the same way that Apple Pay improved ecommerce checkout conversion.
Today, many financial institutions use document verification with only a subset of higher risk users. Why? Because it introduces massive friction to the onboarding process by adding several steps requiring users to find and upload their ID and then take a selfie. Instead, companies prefer requiring users to input a few pieces of info (name, DOB, address, SSN) to expedite the process. By offloading the credential enrollment and maintenance process to Apple, financial institutions could leverage the onboarding steps that Apple has already done to expedite their own processes.
Creating a frictionless, superior user onboarding experience is a competitive advantage for financial institutions competing for the same customer (we explain this in detail here). For example, when I was an employee at Stash, a key OKR was to increase week 1 subscriber activation. The quicker someone is approved for an account and starts trading on the platform, unit economics improved substantially over those who didn’t activate within the same timeframe.
One common retort is that large financial institutions would be the least likely to want to partner with Apple, however, we think this is less of a gating factor. Banks already work with Apple in many capacities (Apple Pay, Marcus x Apple Card, etc.), but most importantly, the business case for faster conversion of a customer trumps everything else.
Limitations
1. Financial institutions need identity verification coverage for all global consumers, but Apple’s distribution is limited to iOS device users mostly within the US where Apple maintains dominant market share. Therefore, an Apple IDV solution cannot be a one-stop-shop for all consumer verification. Globally, iOS accounts for only 27% market share, and as little as 4% market share in other geos like India, meaning companies like Monnai and MetaMap that specialize in global identity verification are insulated from disruption. To reach full US distribution, Apple needs to win the cooperation of individual state governments and issuing authorities, which will be time-consuming, but a massive unlock that could lead to viral adoption if it happens. But, even among iOS users there will be holdouts who refuse to adopt identity credentials. For example, within a year of launching Apple Pay, only 10% of iPhone users activated it (but today it stands at nearly 75%).
Understanding their distribution limitations, Apple has software and hardware system interoperability in mind. According to Apple’s mobile identification credentials patent, Apple envisions these digital credentials as portable across devices:
The [Mobile Identity Credential] itself is portable and can be provisioned to devices…smart watches, smart fitness bands, smart objects, smart phones, e-readers, tablet computers, smart televisions and displays, smart cameras, laptop computers, desktop computers, servers, kiosks, chips, flash drives, and USB drives.
Ultimately, Apple doesn’t need to achieve global IDV domination to justify its strategic investments in the area. Enabling seamless onboarding into their own ecosystem of banking and payments products is already a business win, and monetizing their IDV capabilities is an option call for the future.
2. To open a bank account, financial institutions are required to collect and verify the name, address, DOB and SSN of each consumer as part of the KYC process. Apple neither collects SSNs today nor has history of verifying this information, and will need to bolster their capabilities to offer a full-stack IDV solution.
In 2022, The Social Security Administration (SSA) launched eCBSV which permits banking entities to collect digital consent from consumers to check their name, SSN and DOB data against the SSA’s internal databases via real-time API. Although Apple does not collect or handle SSN information today, it is operationally easy for them to utilize this API to plug into the data, and would serve as another massive unlock to complete their IDV solution. However, according to operators we spoke to with experience using eCBSV, the data retrieved requires extensive cleaning and matching to ensure accuracy. For example, SentiLink, the first company to integrate with the SSA to offer eCBSV, provides insights around fuzzy logic, match rates and latency and could serve as a necessary partner to bolster expertise when verifying this data.
3. Apple has faced widespread criticism and scrutiny over privacy concerns and anti-competitive practices. As a result, consumers may be leery of providing their private information to Apple, whether due to security concerns or potential mis-use, limiting uptake. In addition, governments around the world have begun to regulate Apple more closely, with the potential to limit the scope of their identity ambitions. For example, the EU has alleged that Apple limited competition among mobile wallets on iOS devices by restricting access to the tech used for Apple Pay.
As we continue to stay up to date on Apple’s identity verification movements, we are also keeping a close eye on Google. The latest changelog sparked excitement that Google will enable users from select states to add driver’s licenses to their Google Wallet much sooner than expected after Google teased the idea earlier this year in their wallet revamp announcement.
