The rising number of data breaches based on leaked passwords have revealed the holes in simple password and memorable-information-based verification systems. Today a startup called Persona, which has built a platform to make it easier for organisations to implement more watertight methods based on third-party documentation and more to verify users, is announcing a round, speaking to the shift in the market.
The startup has raised $17.5 million in a Series A round of funding from a list of investors that include Coatue and First Round Capital, money that plans to use to double down on its core product: a platform that businesses and organisations can access by way of an API, which lets them use a variety of documents, from government-issued IDs through to biometrics, to verify that customers are who they say they are.
Current customers include Rippling, Petal, UrbanSitter, Branch, Brex, Postmates, Outdoorsy, Rently, SimpleHealth and Hipcamp, and the list extends to any company involved in any kind of online financial transaction to verify for regulatory compliance, fraud prevention and for trust and safety.
(The company is young and is not disclosing valuation. Previously, the company had raised an undisclosed amount of funding from Kleiner Perkins and FirstRound, according to data from PitchBook. Angels in the company have included Zach Perret and William Hockey (co-founders of Plaid), Dylan Field (founded Figma), Scott Belsky (Behance) and Tony Xu (DoorDash).)
Founded by Rick Song and Charles Yeh, respectively former engineers from Square and Dropbox (companies that will have had their own struggles and concerns with identity verification), Persona’s main premise is that most companies are not security companies and therefore lack the people, skills, time and money to build strong authentication and verification services, much less to keep up with the latest developments on what is best practice.
And on top of that, there have been too many breaches that have laid bare the problem with companies holding too much information on users, collected for identification purposes but then sitting there waiting to be hacked.
The name of the game for Persona is to provide services that are easy to use for customers — for those who can’t or don’t access the code of their apps or websites for registration flows, they can even verify users by way of email-based links.
“Digital identity is one of the most important things to get right, but there is no silver bullet,” Song, who is the CEO, said in an interview. “I believe longer term we’ll see that it’s not a one-size-fits-all approach.” Not least because malicious hackers have an ever-increasing array of tools to get around every system that gets put into place. (The latest is the rise of deep-fakes to mimic people, putting into question how to get around that in, say, a video verification system.)
At Persona, the company currently gives customers the option to ask for social security numbers, biometric verification such as fingerprints or pictures, or government ID uploads and phone lookups, some of which (like biometrics) is built by Persona itself and some of which is accessed via third-party partnerships. Added to that are other tools like quizzes and video-based interactions. Song said the list is expanding, and the company is looking at ways of using the AI engine that it’s building — which actually performs the matching — to also potentially suggest the best tools for each and every transaction.
The key point is that in every case, information is accessed from other databases, not kept by the customer itself.
This is a moving target, and one that is becoming increasingly harder to focus on, given not just the rise in malicious hacking, but also regulation that limits how and when data can be accessed and used by online businesses. Persona notes a McKinsey forecast that the personal identify and verification market will be worth some $20 billion by 2022, which is not a surprising figure when you consider the nearly $9 billion that Google has been fined so far for GDPR violations, or the $700 million Equifax paid out, or the $50 million Yahoo (a sister company now) paid out for its own user-data breach.