Trustworthy digital identification remains one of the main challenges of the internet because none of the traditional, offline methods of verifying that someone is who they claim to be apply. Yet, while digital identity is one of the most foundational and valuable digital assets we have - made even more apparent by the pandemic - many people question whether there is a business to be built around it.
The following article attempts to provide an overview of what digital identity is and why it matters, to explain its relevance now and in the future, and to highlight startups and investors in the space. It is intended as a high-level overview and is by no means comprehensive. This article was informed by conversations with ID2020, Okta Ventures, the Omidyar Network, and several digital identity startups.
What is Digital Identity?
Digital identity (abbreviated DID throughout this article; note that in the W3C standards community “DID” means Decentralized Identifier, a narrower, protocol-level concept) can be broken down into two distinct aspects. The first is “the fact of being who or what a person or thing is¹.” This first aspect can be referred to as foundational identity and is generally indicated by credentials: legal name, passport, SSN, and other officially issued forms of qualification. It is inextricably tied to the physical world (via artifacts or biometrics) and the institutions that govern it. ID2020 has created a useful framework outlining the properties of a foundational digital identity, advocating that a responsible digital ID be: personal, privacy-preserving, portable, and persistent. The Omidyar Network further outlines five design principles for Good ID: privacy, inclusion, user value, user control, and security. De-duplication and fraud prevention are top-of-mind concerns for foundational DIDs.
Policymakers and governments are instrumental in developing the foundational identities upon which functional identity can be further developed by the private sector.
The second aspect of identity can be defined as “the characteristics determining who or what a person or thing is¹” and consists largely of online attributes: email address, likes, follows, purchases, etc. This aspect of identity can be referred to as functional identity and is less reliant on the physical world, since these attributes are not usually verified by a third party and can be established entirely via one’s online behavior. Thus, functional identity is inextricably tied to data.
Functional identities require a different framework in which persistence may not be a desirable quality, as users may want to isolate different online interactions and prevent correlation in order to preserve privacy or operate under multiple pseudonyms.
Microsoft has put forth a framework that distinguishes public (persistent, discoverable) identifiers from pairwise identifiers, which are unique to each relationship so that two services cannot correlate their records on the same user; OpenID Connect offers the same choice through its public and pairwise subject identifier types. Functional identity is often monetized in ways that are extractive.
Both forms of digital identity can be provisioned and verified using centralized or decentralized methods. Decentralized digital identity is often referred to as self-sovereign identity (SSI) and exhibits the principles identified by Christopher Allen below. Proponents of self-sovereign identity advocate for an architecture in which the user owns and controls their own identification data, to be provisioned out to service providers. This stands in contrast to the current system in which each service provider replicates and re-verifies a user’s data. Oftentimes, SSI leverages distributed ledger technology.
SSI is not to be confused with federated identity systems, which encompass single sign-on (SSO). SSO (“Sign in with Google/Facebook/Apple”) attempts to create one on-boarding process that grants access across sites and services, but results in the accumulation of a large amount of personal data by the single authenticating party: the identity provider sees every service the user signs in to, and the credential it holds becomes a single point of compromise for all of them.
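The distinction between persistent and pairwise identifiers above is easiest to see in code. The following is an added example, not code from the article or from Microsoft or the OpenID Foundation: it implements the non-normative pairwise subject identifier algorithm from OpenID Connect Core section 8.1 (sub = SHA-256 of sector identifier, local account id and a secret salt) and shows that the same user receives unlinkable subs at relying parties in different sectors but the same sub at parties that registered a shared sector_identifier_uri. The salt, hostnames and account id are constructed for the demo.

```python
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Constructed demo salt. In production this is a long random secret the identity
# provider keeps private and never rotates: if it leaks, guessable local account ids
# can be brute-forced; if it changes, every pairwise sub changes and RPs lose the link
# to their existing accounts.
IDP_PAIRWISE_SALT = "3f1c9e7a0b4d5e6f-constructed-demo-salt-do-not-reuse"


def sector_identifier(redirect_uri: str, sector_identifier_uri: Optional[str] = None) -> str:
    """Return the sector a relying party (RP) belongs to.

    OpenID Connect Core 8.1: if the RP registered a sector_identifier_uri, the sector
    is that URI's host; otherwise it is the host of its redirect_uri. RPs in the same
    sector receive the same pairwise sub for a given user.
    """
    uri = sector_identifier_uri or redirect_uri
    host = urlparse(uri).hostname
    if not host:
        raise ValueError(f"no host in {uri!r}")
    return host.lower()


def pairwise_sub(sector: str, local_account_id: str, salt: str = IDP_PAIRWISE_SALT) -> str:
    """Derive a pairwise subject identifier.

    Follows the example algorithm in OpenID Connect Core 8.1:
    sub = SHA-256(sector_identifier || local_account_id || salt).
    The same user gets a different, unlinkable sub in each sector, and the secret
    salt stops an RP from brute-forcing local account ids from the hash.
    """
    material = f"{sector}{local_account_id}{salt}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def issue_sub(subject_type: str, local_account_id: str, redirect_uri: str,
              sector_identifier_uri: Optional[str] = None) -> str:
    """Choose the sub an ID Token carries, based on the RP's registered subject_type."""
    if subject_type == "public":
        # Persistent and identical everywhere: any two RPs can correlate the user.
        return local_account_id
    if subject_type == "pairwise":
        sector = sector_identifier(redirect_uri, sector_identifier_uri)
        return pairwise_sub(sector, local_account_id)
    raise ValueError(f"unsupported subject_type {subject_type!r}")


def can_correlate(sub_a: str, sub_b: str) -> bool:
    """Two RPs can join their records on a user only if they hold the same sub."""
    return sub_a == sub_b


if __name__ == "__main__":
    user = "user-4711"  # the IdP's internal, persistent account id (constructed)
    shop = issue_sub("pairwise", user, "https://shop.example/cb")
    news = issue_sub("pairwise", user, "https://news.example/cb")
    shop_eu = issue_sub("pairwise", user, "https://eu.shop.example/cb",
                        sector_identifier_uri="https://shop.example/sectors.json")
    print("shop vs news correlate:", can_correlate(shop, news))        # False
    print("shop vs eu.shop correlate:", can_correlate(shop, shop_eu))  # True
    print("public subs correlate:", can_correlate(
        issue_sub("public", user, "https://shop.example/cb"),
        issue_sub("public", user, "https://news.example/cb")))         # True
```

The check a practitioner should carry away: a pairwise sub only prevents correlation through the identifier itself. If the ID Token also carries a verified email address or the RPs share a third-party tracker, the user is linkable anyway.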
Why Does Digital Identity Matter?
At the most basic level, foundational identity consists of data points that are recorded on birth certificates, passports, and state-issued IDs. The problem is, these forms of identification require the maintenance of physical artifacts in an increasingly digital world, are completely reliant upon the central authorities that issue and validate them, and are susceptible to theft and fraud. ~1.1 billion people globally lack a legal form of identification⁵, preventing them from accessing financial services, purchasing real estate, voting, and partaking in a myriad of other important activities. While this article will focus primarily on private sector approaches to functional identity, please see The Impact of Digital Identity for more on foundational identity.
From a functional identity perspective, since the Internet lacks a native identity layer, each online service is forced to conduct authentication and verification procedures individually. Consumers are thus forced to share their personally identifiable information (PII) with many different service providers, and those providers are, in turn, required to store and safeguard this sensitive data. Duplication and replication of this data is inefficient and creates many points of vulnerability; enterprises don’t want this liability. The system also creates a negative user experience. When consumers have to provide the same authentication data to multiple service providers, on-boarding slows down and existing relationships take longer to engage with. Valuable time is wasted retrieving and resetting passwords and, given the number of distinct accounts consumers maintain, consumers are likely to reuse passwords across accounts. A breach at one service then unlocks the others (credential stuffing), leaving consumers vulnerable to account takeover and identity theft.
Why is Digital Identity Challenging?
The Sovrin Foundation breaks down the challenges of digital identity into five categories, illustrated below. I’ve added completeness as a sixth challenge.
Finally, all identity solutions face an inherent trade-off between security (effectively and appropriately restricting access and excluding bad actors) and frictionless access (improving convenience and speed, and including more good actors).
Why is Digital Identity Relevant Now?
While not immediately obvious, COVID-19 is a catalyst for DID. The most obvious impact, while fraught with ethical issues, is the need to monitor health status as we return to economic activity during the pandemic. This process could require citizens to carry “immunity certificates,” which are essentially digital IDs tied to health data.
A large portion of the global population may soon be equipped with a digital wallet that holds their unique digital identity and digital assets (e.g. health certificates).
There are also many second-order catalysts related to the pandemic. Given the shift to remote work, enterprises face a real authentication challenge as their workforces access sensitive data and engage with an increasing number of applications (approaching 100, on average³) via remote devices. The reliance on processes that leverage in-person verification has resulted in delays and dysfunction across a large number of critical processes and, in some cases, has resulted in increased fraud. Finally, digital identity is a key enabler of the move towards cashless societies, accelerated by the pandemic given the need to quickly and accurately distribute funds and the desire to avoid physical currency.
What are the Components of Digital Identity?
There are many aspects to one’s identity. The World Economic Forum breaks down the technical identity stack into the above layers. The layers are discussed in more detail below, somewhat proportional to the level of startup activity in each.
Standards such as SAML, WebAuthn, OpenID Connect, and OAuth have been, and will remain, critical to the development of the digital identity ecosystem (strictly, OAuth is an authorization framework; OpenID Connect is the identity layer built on top of it). New digital identity protocols and standards, many for decentralized architectures, are also being developed. Solid, an open source project led by Sir Tim Berners-Lee; Sovrin; Blockstack; and Microsoft’s ION (Identity Overlay Network, built on the Bitcoin protocol in conjunction with the Decentralized Identity Foundation) are examples. Protocols tend to be open source and are often viewed as public utilities. While value can accrue to these “public utilities” (e.g. Ethereum), they could require a longer investment horizon as they must effectively incentivize developers to build services and products on top of a new network.
Attribute Collection involves the processes by which characteristic data is collected and stored and encompasses personal data stores. 3Box and Blockstack are startups building decentralized solutions in this layer.
Authentication is perhaps the most crowded space within the digital identity stack. Authentication answers the questions “how do I prove who I am?” and “how do I prevent others from pretending to be me?” It also encompasses identity-related fraud reduction and security solutions such as Sift Science (leveraging machine learning to reduce fraud) and SentiLink (combating synthetic identity fraud).
- Comprehensive ID: Completeness is one of the key challenges of DID. GlobaliD is working on this challenge by operating a sort of “DNS for identity”, in which identity verifications are attached to a name located in GlobaliD’s public namespace. Users can have more than one name (which can also be privacy-preserving), but GlobaliD enables traceability in a way that creates a complete view of a user. GlobaliD acts as a sort of identity backbone, connecting to identity verifiers across silos, including self-sovereign identities. Unum ID is a startup that is working to create a decentralized, federated ID so that users have one digital identity that they can use to access all services.
- Reusable ID: Reusable know your customer (KYC) verifications aim to reduce duplication and redundancy in the authentication process. Civic and Trusted Key (acquired by Workday) are blockchain-based startups working with enterprises to facilitate reusable KYC. Once an entity has verified a user, other enterprises can leverage this KYC, provided they trust the authenticating entity. Authenticating entities are compensated for their verifications.
- Passwordless ID: In 1995, Bill Gates claimed that passwords were dead², a claim that has been repeated over the decades. However, advances in both hardware and software, combined with government efforts on foundational identities (you need something against which to match biometrics), may finally have created a conducive backdrop for passwordless solutions to succeed. Beyond Identity, Secret Double Octopus, and HYPR are all working on passwordless authentication. Companies like Smile Identity and Element are combining biometrics with mobile phones to enable authentication in developing economies in Africa and Southeast Asia. Callsign is similarly leveraging biometrics, and other advanced techniques, to enable mobile authentication globally.
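WebAuthn, named among the standards above, is what most of the passwordless products in this list build on. The following is an added example, not code from the article or from any of the companies named: it implements the relying-party checks that a server must run on a WebAuthn authentication assertion before verifying the signature (ceremony type, challenge freshness, origin, rpIdHash, user-presence and user-verification flags, and the signature counter that exposes cloned authenticators). Signature verification over the returned signed_data needs the credential’s stored public key and an ECDSA/RSA library, so it is deliberately left out. The challenge bytes, origin and RP ID are constructed, and make_sample_assertion builds the clientDataJSON and authenticatorData that a browser would normally return from navigator.credentials.get().

```python
import base64
import hashlib
import json
import struct
from typing import Dict, Tuple

FLAG_UP = 0x01  # authenticatorData flag: user present (touch)
FLAG_UV = 0x04  # authenticatorData flag: user verified (PIN or biometric)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, expected_origin: str,
                             rp_id: str, stored_sign_count: int,
                             require_user_verification: bool = True) -> Dict[str, object]:
    """Relying-party checks that precede signature verification in a WebAuthn login.

    Returns the bytes the credential's signature must cover and the counter to
    persist. Raises ValueError on any failed check.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        raise ValueError("challenge mismatch (replay or stale session)")
    if client_data.get("origin") != expected_origin:
        # The browser fills in the real origin, so a phishing page cannot forge it.
        raise ValueError(f"origin mismatch: {client_data.get('origin')!r}")

    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        raise ValueError("rpIdHash mismatch: credential is scoped to another RP")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_user_verification and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # Spec rule: when either counter is non-zero, the new value must strictly increase.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")

    signed_data = authenticator_data + hashlib.sha256(client_data_json).digest()
    return {"signed_data": signed_data, "new_sign_count": sign_count}


def make_sample_assertion(challenge: bytes, origin: str, rp_id: str, sign_count: int,
                          flags: int = FLAG_UP | FLAG_UV) -> Tuple[bytes, bytes]:
    """Constructed stand-in for what navigator.credentials.get() returns (demo only)."""
    client_data_json = json.dumps({"type": "webauthn.get",
                                   "challenge": b64url_encode(challenge),
                                   "origin": origin}).encode("utf-8")
    authenticator_data = (hashlib.sha256(rp_id.encode("utf-8")).digest()
                          + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, authenticator_data


if __name__ == "__main__":
    challenge = b"constructed-32-byte-random-challenge!"  # normally os.urandom(32), stored per session
    cdj, ad = make_sample_assertion(challenge, "https://login.example", "login.example", sign_count=5)
    result = verify_assertion_context(cdj, ad, challenge, "https://login.example",
                                      "login.example", stored_sign_count=4)
    print("accepted, persist counter", result["new_sign_count"])

    # A look-alike phishing origin is rejected even with a valid challenge.
    phish_cdj, _ = make_sample_assertion(challenge, "https://login-example.evil", "login.example", 5)
    try:
        verify_assertion_context(phish_cdj, ad, challenge, "https://login.example", "login.example", 4)
    except ValueError as exc:
        print("rejected:", exc)
```

The origin and rpIdHash checks are what make WebAuthn phishing-resistant: the authenticator signs over the RP ID and the browser-supplied origin, so credentials created for one site cannot be replayed to another, which is the property password-based logins lack.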
Attribute Exchange involves how data is exchanged between entities and encompasses privacy-preserving methods for data exchange. Data encapsulation is one approach: the raw record stays private with its holder, while a protocol provides a common source of truth (typically an issuer’s signature over the attributes) that a relying party can check. These systems can then leverage selective disclosure, whereby third parties verify individual attributes without accessing the entirety of the underlying data (e.g. that a person is over 18, or that a passport matches the one on file) and rely on the issuer’s signature rather than inspecting the source document. uPort and Oasis Labs are two companies building decentralized protocols for attribute exchange.
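The reusable KYC flow described under Reusable ID and the selective disclosure described here rest on the same mechanism: an issuer signs commitments to attributes, the holder reveals a chosen subset, and a verifier that trusts the issuer checks the subset against the signed commitments. The following is an added example, not code from the article or from any of the named companies: it implements the salted-hash disclosure scheme used by SD-JWT (an IETF draft) in the standard library. A DMV-style issuer commits to name, birthdate, passport number and a precomputed age_over_18 claim; the holder shows a bar only age_over_18; the verifier learns that and nothing else, and rejects any disclosure the issuer did not sign. The issuer identifier and key are constructed, and an HMAC stands in for the asymmetric signature a real issuer would use (so verifiers would only need its public key).

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable, List, Tuple

# Constructed issuer key for the demo. A real issuer signs with an asymmetric key
# (e.g. Ed25519 or ES256); HMAC is used here only to stay within the standard library.
ISSUER_KEY = b"constructed-issuer-key-for-demo-only"
ISSUER_ID = "https://dmv.example"  # constructed issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _digest(disclosure: str) -> str:
    return _b64url(hashlib.sha256(disclosure.encode("utf-8")).digest())


def _sign(payload: dict, key: bytes) -> str:
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_credential(claims: Dict[str, object], key: bytes = ISSUER_KEY) -> Tuple[dict, List[str]]:
    """Issuer: commit to each claim with a salted hash and sign only the digests.

    A disclosure is the JSON array [salt, name, value]. The credential carries the
    digests sorted, so their order reveals nothing about which claim is which.
    """
    disclosures = []
    for name, value in claims.items():
        salt = secrets.token_urlsafe(16)  # 128-bit salt defeats dictionary attacks on low-entropy values
        disclosures.append(json.dumps([salt, name, value], separators=(",", ":")))
    payload = {"iss": ISSUER_ID, "_sd": sorted(_digest(d) for d in disclosures)}
    return {"payload": payload, "sig": _sign(payload, key)}, disclosures


def present(credential: dict, disclosures: Iterable[str], reveal: Iterable[str]) -> dict:
    """Holder: forward the signed credential plus only the disclosures being revealed."""
    wanted = set(reveal)
    return {"credential": credential,
            "disclosures": [d for d in disclosures if json.loads(d)[1] in wanted]}


def verify_presentation(presentation: dict, key: bytes = ISSUER_KEY) -> Dict[str, object]:
    """Verifier: check the issuer signature, then accept only disclosures whose digest
    the issuer signed. Returns the revealed claims and nothing else."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["sig"], _sign(cred["payload"], key)):
        raise ValueError("issuer signature invalid")
    signed_digests = set(cred["payload"]["_sd"])
    revealed: Dict[str, object] = {}
    for disclosure in presentation["disclosures"]:
        if _digest(disclosure) not in signed_digests:
            raise ValueError("disclosure not covered by the issuer's signature")
        _salt, name, value = json.loads(disclosure)
        if name in revealed:
            raise ValueError(f"duplicate claim {name!r}")
        revealed[name] = value
    return revealed


if __name__ == "__main__":
    cred, discs = issue_credential({"name": "A. Holder", "birthdate": "1990-05-17",
                                    "age_over_18": True, "passport_no": "X1234567"})
    bar_check = present(cred, discs, reveal=["age_over_18"])
    print(verify_presentation(bar_check))  # {'age_over_18': True}
```

Two caveats a practitioner would add: the verifier still needs a trust list of acceptable issuers (the KYC reuse question of whether to trust the authenticating entity), and because the same credential and disclosures are replayed to every verifier, the signed digests act as a correlating identifier unless the issuer hands out batches of single-use credentials.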
Authorization involves permissioning and access management. It answers questions like “is this person allowed to enter?” or “is this person allowed to access this file?” Companies such as Proxy enable authorization via mobile access (turning a user’s mobile phone into an accepted ID). Since more US adults own a cellphone than a driver’s license, access is improved while overcoming the challenging economics of non-smartphone, hardware-based access approaches. OpenPath is another startup enabling mobile access. In practice, authorization relies on authentication, and therefore startups that operate in the authorization layer also authenticate users.
Service Delivery encompasses identity-as-a-service providers and password managers. This is the layer in which the biggest valuations, and public companies, reside. Identity-as-a-service providers abstract the complexity of authentication workflows and enable many different authentication approaches. Okta is a public, cloud-based, enterprise identity management solution with over 100M users, and Auth0, recently valued at $1.9B, is an identity-as-a-service provider for developers that abstracts the complexity of identity management. ForgeRock and OneLogin are later-stage startups that operate identity and access management platforms. Persona is an early-stage startup that has built developer tools that essentially create an API for identity, which is needed by companies that lack the expertise to build strong authentication and verification services in-house. Veriff is another startup that has built developer tools that aim to provide the fastest and most thorough log-in experience for users by collecting the most information about users in the fewest steps. Password managers are also important players in this layer, including Dashlane, 1Password, and LastPass. All of these services reduce the complexity of identity flows.
Is Digital Identity “Investable?”
It’s hard to define what constitutes an identity company. For starters, identity is a hard sell as an application in and of itself, but many times identity is actually at the core of a business. For example, Fast enables one-click authentication and check-out, which improves the e-commerce experience for both shoppers and merchants, but is also a very powerful combination for taxes, investing, job or mortgage applications, and even checking in at the doctor’s office. There are many such companies, that upon closer inspection, are actually identity plays.
While identity is not a sector, it is relevant in very large sectors including communications, financial services, and healthcare. Even the gig/passion economy is highly dependent on identity as a means to create trusted marketplaces (see Passbase.)
Even so, the direct identity opportunity set remains limited to 300–500 startups and it’s difficult to make the case that there are deep exit opportunities, as the list of potential buyers is limited. Identity solutions face very high minimum scale requirements and, therefore, identity startups must create or connect to a platform of some sort to generate real utility (e.g. Okta has over 6,500 integrations). Thus, IPO opportunities for standalone entities also seem limited.
Identity startups face real barriers to entry (regulatory, compliance, and trust challenges on par with FinTech). They also have to compete with platforms like Microsoft/Salesforce, which may ultimately become the dominant purveyor(s) of digital identity. Partnering with consortia may be a way for startups to “bootstrap” scale and compete against these established platforms, and some are employing this strategy. For example, a consortium of banks has been partnering with SecureKey as an authentication provider, and PayID is a consortium of blockchain-based payments companies hoping to establish a universal payment identifier.
Whether you view identity as an “investable” opportunity will depend on whether you take a narrow or broad view of identity, whether you’re thinking of foundational or functional identity, whether you view it as a technology or a service, and whether you’re more interested in access or security.
Foundational identity efforts are better suited to grant or impact funding. The Omidyar Network, the Gates Foundation, and the Mozilla Foundation all invest in foundational DID. Functional identity isn’t viewed as a category of its own, so it’s hard to find venture investors that focus specifically on identity. Funds that invest in identity range from dedicated funds such as PTB VC, to strategic investors such as Okta Ventures and Samsung NEXT, to generalist funds like First Round Capital (Persona), Kleiner Perkins (Proxy, Dust ID), NEA (Beyond Identity), and Andreessen Horowitz (SentiLink).
The best identity solutions are privacy-first, nearly invisible, and improve convenience and/or security for customers. The most compelling opportunities are in authentication and service delivery and have go-to-markets that target enterprises or developers rather than end consumers. Consumers don’t want to take on the onus of identity management and customers are not interested in the underlying architecture of DIDs. The best identity solutions are intelligent, secure, simple, and convenient.
Successful startups enter the market with a narrowly scoped initial use case (e.g. mobile access or compliance with new regulations) and then gradually expand, adding products and features as they move closer to an identity platform over time.
What is the Future of Digital Identity?
The centrality of digital identity in our increasingly online lives means DID will only grow in importance. Below, I’ll outline just a few future opportunities.
- Identity infrastructure for Web 3.0 is still nascent. Magic has created tools that abstract the onerous key management process required for authentication in Web 3.0, enabling end-users to log in to dApps without the use of third-party software.
- As new browsers without cookies gain traction (Brave, Opera, Puma), identity providers will either have to figure out how to work with privacy-preserving browsers or a tokenized identity system will need to be integrated into browsers, potentially replacing the current constant monitoring system.
- As bad actors increasingly take advantage of siloed identity systems, shared or pooled intelligence between organizations will be required to effectively combat fraud (remember the completeness challenge?)
- Peer-to-peer authentication could enable peers to verify each other’s identities, which could allow a user to verify they’ve been picked up by the correct ride-sharing driver or to leverage and “lend” their reputation to a friend.