The Modern Identity Stack: Startup Opportunities in the $80B Identity Market

I’ve spent more than a decade building infrastructure for managing digital identity. Before I became a Partner at Mayfield investing in early stage enterprise software companies, I was the CEO at Gigya, which created the Customer Identity & Access Management category starting back in 2011, powering login & registration as a service for 700 customers and becoming Gartner & Forrester leaders in the space. Now as an investor at Mayfield, we’ve continued spending time on the Identity Stack, investing in Berbix (Instant Identity Verification), OwnID (Distributed Customer Identity Platform), and Vector Flow (Physical Identity & Access Management Platform).

Why so much focus on the Identity Stack? First, it’s critical enabling technology for digital transformation. Without being able to verify “we are who we say we are” and “what we can access”, nothing online really works. Second, the Identity category has produced meaningful companies with more to come, including Okta’s $16B market cap and Auth0’s $6.5B acquisition. But despite this, Identity is still very broken - I would even argue that identity is going through a renaissance of sorts, driven by megatrends including customer experience, frictionless security, & privacy. New enabling technologies like no code / low code, cross platform networks, and specialization are changing the way the markets work. The end result is massive opportunities for entrepreneurs.

In this post, I provide a primer on what the identity stack is, discuss the trends causing disruption and evolution, and share a viewpoint on where opportunities exist to build companies in the modern Identity Stack.

Identity Stack Primer

The identity stack is historically made up of 4 categories - Authentication, Authorization, Directory, and Identity Governance & Administration. Here’s what these categories mean in plain English:

●     Authentication (e.g., Login & Registration) -> Who are you?

●     Authorization (e.g., Permissions) -> Are you allowed to do that?

●     Directory (e.g., User Database) -> System of record of user data

●     Governance & Administration (e.g., New users & access permissions) -> Management of User

Identity Evolution

As employee and consumer expectations around customer experience, security, and privacy change, Identity is going through an evolution that is redefining the identity stack. Further, enabling technologies, including no code / low code, frictionless authentication like FaceID and FIDO2, and advanced security techniques are changing the landscape. Finally, there is specialization occurring in various use cases including B2E vs B2C vs B2B vs B2B2C.

Modern Identity Stack Opportunities

Altogether, these changes are resulting in an evolving modern identity stack, where solutions are being redefined to keep end users - particularly developers, customers and employees - in mind. Further, these solutions are moving beyond just thinking about security requirements, to considering customer experience, privacy and security. To put this in context, I think about major categories of the identity stack moving up an evolutionary curve along 2 axes: 1) User Focus (e.g., IT vs Customers, Employees) and 2) Feature Focus (e.g., Security vs Customer Experience, 1st Party Data, & Privacy).

Examples of opportunities within this modern identity stack could include:

Passwordless Authentication -> Many large companies have been built around the concept of services for authentication, including Okta ($20B+), Auth0 ($6B), ForgeRock ($2B), and Ping Identity ($2B), but these companies were primarily architected around the concept of a password. The password is the bane of the internet. It’s insecure and provides a broken experience for users. Good news! Passwords can now go away thanks to new enabling technologies like FaceID and FIDO2, enabling a much better customer experience compared to previous attempts that require physical keys (e.g., YubiKey), separate mobile applications, or magic links. Next generation companies range from those looking to replace the entire identity stack to be passwordless, like Stytch or Transmit Security, to those looking to distribute identity management into the hands of consumers, like OwnID (Mayfield portfolio company). Both approaches have their merits, and it’s likely that there will be numerous billion dollar next generation companies built in the passwordless authentication space.

Crypto Wallet Login -> In the last decade, the big innovation enabling easy “single sign on” into websites and applications was leveraging Social Login providers like Facebook and Google to easily sign in and register to any website or application. While still very valuable and ubiquitous, there is now a movement to take advantage of decentralization on the blockchain versus centralization on the big tech platforms. The big unlock here is the broader availability of crypto wallets like MetaMask, which can serve to authenticate users into websites and applications. As we saw with Social Login, new companies like Dynamic are emerging to provide crypto wallet login-as-a-service, aggregating the many crypto wallet providers and providing a single authentication API.

Self Service Admin Panel -> Identity Governance and Administration, or the onboarding and management of users, is a category of identity technology that has again produced large companies such as SailPoint ($5B). Legacy vendors were primarily architected for employee oriented, low volume and high touch use cases. In today’s world of consumer scale digital experiences and consumer grade expectations, previous approaches that required a manual touch to onboard individual users no longer work. New approaches will allow for complete self service by employees, customers, and the administrators that manage their accounts. Next generation companies working in this area are beginning to emerge, including companies like WorkOS and FrontEgg.

Instant ID Verification -> Identity Verification, or the process of knowing someone is who they say they are, becomes a lynchpin enabling technology for moving previously offline transactions online, whether it’s banking, telehealth, or e-learning. Big companies have been built here, including numerous unicorns like Jumio and Veriff. For almost a decade, first-generation digital identity verification technology companies have offered basic online services that confirm customers’ identities by having them upload a selfie that a human screener, usually in a low-cost labor market, could compare to the passport or driver's license photo on file. But this can take minutes, is quite expensive, and people make mistakes. New IDV services leverage machine learning and automation to provide instant verifications without human involvement, dramatically improving customer experience and overall costs and enabling a whole set of new use cases to be possible. This is also replacing some of the traditional identity proofing mechanisms like the Knowledge Based Authentication (KBA) or Database Checks, that can be inconvenient and inaccurate. Next generation companies in this area include Berbix (Mayfield portfolio company).

Customer Onboarding & Management -> In the identity world the concept of the “Directory”, or the system of record for user data, was brought about when IAM was primarily an employee oriented, IT concept. Microsoft Active Directory is the most commonly used legacy software in this category, with nearly all Fortune 1000 companies as customers. Active Directory and other similar legacy approaches work great when use cases are focused on employee name, employee role, etc., but don’t work in today’s modern customer oriented world where 1st party data, privacy & security are ultimate concerns, with a need to give users transparency & control over their data. Looking forward, the concept of a directory will be redefined, with a few principles in mind: 1) Enable the streamlined onboarding of 1st party customer data with no code / low code hosted UX forms that would maximize data collection while obtaining the necessary identity, data purpose, missions, permissions, etc. securely; 2) Securely store & manage the customer 1st party data in the cloud, encrypting the data and ensuring the requisite data residency & privacy laws are met; 3) Integrate & orchestrate the data into requisite relying systems such as CRM, Marketing, Advertising & Loyalty solutions. There are some early next generation companies starting to emerge here including User Flow, Heyflow, and Arengu.

Summary 

Identity is a critical enabler to digital transformation and deserves the time and attention it’s receiving from entrepreneurs and investors. Although Identity is made up of many long established categories - Authentication, Authorization, Directory, Governance & Administration - it’s going through an evolution, driven by megatrends like customer experience, frictionless security, & privacy and enabling technologies like no code / low code and cross platform networks. The end result of these changing dynamics is a redefined modern identity stack, creating massive opportunities for entrepreneurs and the investors that back them.

I've laid out a few of the opportunities here, but there are always more to come from innovative entrepreneurs, and I would love to hear from anyone building in this space.

Note: A version of this article was originally posted on Forbes.com, where I am a contributor.

I remember being one of Gigya’s earliest customers, way before the pivot to identity mgmt.

This is (SOT) "So On Target". In your summary you tell the renaissance of the Identity space. I do have one question regarding Orchestration. How important is Orchestration as it relates to The Modern Identity Stack?

Vijay Zharotia

Talks about #medicaldevices #iot #connectedcare #interoperability #digitalhealthcare #architechture #graphs #ai, #ml #computervision #digitalidentity #dataprivacy #digitaltrust

1y

Great Article!! We at SelfyID are working towards a passwordless world with a seamless onboarding experience for customers.

Matt Caulfield

VP of Product, Identity @ Cisco

1y

The Internet just wasn't built for identity or security and we are still feeling the effects of this architectural decision 50 years later. Until that is fixed, fundamentally and holistically, this will remain an area of opportunity and innovation. I really love seeing the incremental improvements to parts of the identity stack but at the same time, I am still holding out hope for a game-changer someday to truly disrupt the status quo. Great article Patrick Salyer!

Neha Prabhu Salgaonkar

CISSP | IAM Specialist | IGA | IAM | PAM

1y

Great article!
