The proliferation of data breaches based on leaked passwords, and the rising tide of regulation that puts a hard stop on just how much user information can be collected, stored and used by companies have laid bare the holes in simple password and memorable-information-based verification systems.
Today a startup called Persona, which has built a platform to make it easier for organisations to implement more watertight methods based on third-party documentation, real-time evaluation, and AI to verify users, is announcing a funding round, speaking to the shift in the market and subsequent demand for new alternatives to the old way of doing things.
The startup has raised $17.5 million in a Series A from a list of impressive investors that includes Coatue and First Round Capital, money that it plans to use to double down on its core product: a platform that businesses and organisations can access by way of an API, which lets them use a variety of documents, from government-issued IDs through to biometrics, to verify that customers are who they say they are.
Current customers include Rippling, Petal, UrbanSitter, Branch, Brex, Postmates, Outdoorsy, Rently, SimpleHealth and Hipcamp, among others. Persona’s target user today is any company involved in any kind of online financial transaction that needs to verify users for regulatory compliance, fraud prevention, and trust and safety.
The startup is young and is not disclosing valuation. Previously, Persona had raised an undisclosed amount of funding from Kleiner Perkins and First Round, according to data from PitchBook. Angels in the company have included Zach Perret and William Hockey (co-founders of Plaid), Dylan Field (founded Figma), Scott Belsky (Behance) and Tony Xu (DoorDash).
Founded by Rick Song and Charles Yeh, respectively former engineers from Square and Dropbox (companies that have had their own concerns with identity verification and breaches), Persona’s main premise is that most companies are not security companies and therefore lack the people, skills, time and money to build strong authentication and verification services — much less to keep up with the latest developments on what is best practice.
And on top of that, there have been too many breaches that have underscored the problem with companies holding too much information on users, collected for identification purposes but then sitting there waiting to be hacked. While a number of services have arisen to help protect identity for repeat users of products — for example Duo and Okta on the enterprise front, or authenticators for online applications as a more secure alternative to two-factor authentication using text messaging — these don’t really fill the use case of verification for the kinds of companies that are typical Persona customers.
The name of the game for Persona is to provide services that are easy to use and as wide as possible in their applicability. Customers who can’t or don’t access the code of their apps or websites for registration flows can even verify users by way of email-based links.
“Digital identity is one of the most important things to get right, but there is no silver bullet,” Song, who is the CEO, said in an interview. “I believe longer term we’ll see that it’s not a one-size-fits-all approach.” Not least because malicious hackers have an ever-increasing array of tools to get around every system that gets put into place. (The latest is the rise of deep-fakes to mimic people, putting into question how to get around that in, say, a video verification system.)
At Persona, the company currently gives customers the option to ask for social security numbers, biometric verification such as fingerprints or pictures, or government ID uploads and phone lookups, some of which (like biometrics) is built by Persona itself and some of which is accessed via third-party partnerships. Added to that are other tools like quizzes and video-based interactions. Song said the list is expanding, and the company is looking at ways of using the AI engine that it’s building — which actually performs the matching — to also potentially suggest the best tools for each and every transaction.
The key point is that in every case, information is accessed from other databases, not kept by the customer itself.
This is a moving target, and one that is becoming increasingly hard to focus on, given not just the rise in malicious hacking, but also regulation that limits how and when data can be accessed and used by online businesses. Persona notes a McKinsey forecast that the personal identity and verification market will be worth some $20 billion by 2022, which is not a surprising figure when you consider the nearly $9 billion that Google has been fined so far for GDPR violations, or the $700 million Equifax paid out, or the $50 million Yahoo (a sister company now) paid out for its own user-data breach.