🥷 Deep-Dive on B2B Identity Software
Hi, it’s Alexandre from Eurazeo (ex-Idinvest). I’m investing in seed & series A consumer and consumer-enabler startups all over Europe. Overlooked is a weekly newsletter about venture capital and underrated consumer trends. Today, I’m sharing personal learnings from the deep-dive done by my teammates on B2B identity software.
My colleagues Nicolas, Clément and Louisiane spent the past couple of months digging into the B2B identity software space. They did outstanding work that you can check here. If you are building a company around identity, you should definitely reach out to them!
Today, I want to share some personal learnings from their work and the numerous conversations we had about this space. It's not a summary but rather an invitation to dig further into their work.
We define the B2B identity software space as "products that are used to identify, authenticate and authorize people and businesses to access services or conduct online transactions".
We break down the identity software landscape into 3 segments:
Authentication & authorization (Okta, Auth0): solutions for businesses to securely manage the logins and accounts of their employees or customers.
Identity verification (Onfido, Checkr): solutions to verify the identity of a person or a business before creating an account or processing a transaction.
Web3 authentication (MetaMask, Phantom): solutions using blockchain technologies to authorize and authenticate users.
For each segment, we used a classic breakdown between protocols (open-source projects setting the identity standard for Web2 and Web3), developer tools (toolboxes to enable developers to build their own customised identity verification, authentication and verification processes) and applications (turn-key solutions).
Below are my 5 main learnings from their deep-dive:
Identity management is a tricky balance between convenience and security
Passwords must die because they are neither convenient nor secure
Identity verification is now mainstream and not only used by financial services
Orchestration platforms are everywhere and identity is not an exception
Web3 is a new paradigm in which you must reinvent all the infrastructure layers including identity
Learning n°1 - Identity management is a tricky balance between convenience and security
Identity software providers are in a never-ending race with hackers to build stronger identity verification and authentication processes. At the same time, any time you increase the level of security in a process, you automatically add friction to the experience.
For instance, two-factor authentication forces you to authenticate twice from two different sources (e.g. a password and a confirmation code received by SMS), which is painful if you are in a rush or if you don't have access to both sources at the same time.
I'm convinced that we're still very far from the perfect user experience when it comes to identity management for both consumers and businesses. Any drop in user experience can have meaningful impacts on key business metrics like conversion or retention.
Learning n°2 - Passwords must die because they are neither convenient nor secure
I discovered that passwords were the worst identity authentication solution because they provide a poor user experience and are easy to target for cyberattacks. Most people use the same simple password for all of their services. When it's not the case, they tend to forget them from one service to the other.
We are moving toward a passwordless authentication paradigm in which passwords are being replaced by alternative authentication methods that are both more convenient and more secure, like magic links and single sign-on (e.g. login with Google).
Learning n°3 - Identity verification is now mainstream and not only used by financial services
"Historically, many of the identity verification providers were built for financial services. Whether it’s a bank or other payment providers, the majority of financial services require an id proof before you can conduct a financial transaction in order to avoid theft and other money laundering problems."
Identity verification is becoming mainstream for several reasons: (i) increasing regulatory pressure, (ii) financialization of our economy (many service providers process transactions), and (iii) the rise of entrepreneurship and independent work.
As a result, old-school providers are not always adapted to new use cases, which opens opportunities for newcomers that can be divided into two categories: verticalised identity verification solutions and developer tools to build more customised identity verification processes.
Learning n°4 - Orchestration platforms are everywhere and identity is not an exception
With Clément and Nicolas, we've become obsessed in the past couple of months with verticalised orchestration platforms. We're seeing them popping up everywhere in our dealflow, with some companies having an impressive growth/funding trajectory (e.g. Primer in the payment category valued at $425m and backed by investors like Iconiq, Balderton, Accel, Speedinvest and RTP).
Orchestration products enable companies to quickly build flows in a drag-and-drop interface by tapping into existing services. They make sense when a vertical becomes increasingly complex with many specialised providers.
In the identity space, we need orchestration platforms for several reasons:
The number of authentication methods has dramatically increased: password, OAuth logins (Facebook/Apple/Google/Microsoft Connect), email magic links and SMS/WhatsApp/email passwords. Same for identity verification (ID documents, biometric data, video, selfies, background checks).
For both identification and authentication, you want to have fallback options depending on the user's preferences or if a method is not working.
Depending on local regulations and sectors, you don't have the same constraints to identify and authenticate users.
Learning n°5 - Web3 is a new paradigm in which you must reinvent all the infrastructure layers including identity
Web3 is a new paradigm. It implies a new infrastructure with elementary bricks like developer tools, storage management or identity management. These bricks are being rebuilt from first principles to be compatible with blockchain technology and the crypto philosophy (decentralisation, transparency, security).
Web2 identity solutions are centralised. You give your identity data to third-party providers. As a result, there is a security and privacy risk. With Web3, you would be the single owner of your identity data. Your credentials would be stored on-chain and validated once by credential verifiers. Third-party services that want to verify your identity will just have to make an API call to the blockchain.
Thanks to Julia for the feedback! 🦒 Thanks to Nico, Clément & Louisiane for their amazing work! Thanks for reading! See you next week for another issue! 👋