Compromised passwords are responsible for some 80% of all data breaches, according to some estimations, leading to a mass industry-wide push to replace passwords with more secure authentication methods. Microsoft, for example, recently brought passwordless logins to all Microsoft accounts within its Edge browser, enabling users to sign in using biometric authentication, FIDO2-compatible keys, or Microsoft’s own Authenticator app.
The problem, ultimately, is that unique passwords are incredibly difficult to remember, meaning that people often reuse the same passwords across personal and work accounts. Password management tools such as 1Password certainly help with this, but there is a clear and growing demand for doing away with passwords altogether — a trend that Stytch is betting on by building a slew of tools to help developers bring “passwordless” into their own applications and websites.
To help, Stytch today announced it has raised $90 million in a series B round of funding, valuing the San Francisco-based company at a cool $1 billion. That’s quite an achievement, considering Stytch was only founded last year and launched out of beta in July — but such is the scale of the problem Stytch is setting out to solve, investors are keen to get in early on the action.
Stytch is the brainchild of former Plaid employees Reed McGinley-Stempel (CEO) and Julianna Lamb (CTO), who experienced first-hand the inherent shortcomings of password-based authentication — not just from a security perspective, but from a usability standpoint too. With more and more passwords to remember, be it consumers accessing their myriad online accounts or employees trying to get into dozens of enterprise SaaS apps, people tend to follow the path of least resistance to make their online lives easier.
“As the number of online accounts each individual maintains has grown, both the security and user experience shortcomings of password-based authentication have become untenable,” Lamb told VentureBeat. “From a security perspective, people reuse passwords across many of their different accounts. When a breach happens and passwords are compromised, that leaves every account that a user has used that password for wide open.”
By way of example, a single compromised password was behind the massive Colonial Pipeline ransomware attack this past summer, which resulted in major disruption to the oil pipeline’s operations and a $4.4 million ransom payment (some of which was later recovered).
“From a user experience perspective, it becomes challenging to manage hundreds of different passwords, leading people to reuse them or abandon accounts because they can’t remember the password, which creates significant costs for businesses in terms of lost revenue,” Lamb added.
Stytch offers passwordless infrastructure via application programming interfaces (APIs) and software development kits (SDKs). Among its products are so-called “magic links” that users click on in a message sent to their email address, SMS passcodes, WhatsApp passcodes, OAuth logins, and more. The company is also in the midst of developing additional authentication mechanisms that work out of the box, including mobile biometrics that make it easier for developers to harness native fingerprint or facial recognition authentication features on iOS and Android.
Alongside its funding announcement today, Stytch also officially launched its WebAuthn product, which helps developers leverage built-in device biometrics (such as FaceID) or hardware keys as part of the user sign-up and login flows through web browsers.
The API economy
Stytch fits into a broader trend that has seen businesses embrace microservices over monolithic software architecture, resulting in applications built from smaller function-based components that connect together via APIs. So rather than building every component themselves from scratch, developers can simply plug into the expertise and infrastructure of third-party providers and focus on their own core competences instead. It’s all about saving time and resources — and not reinventing the wheel at every turn.
“Building user authentication can be a challenging, multi-month process,” Lamb said. “We enable developers to get integrated and up and running in less than a day. In addition to handling the security aspects for companies to help them avoid introducing vulnerabilities in their apps, we also help enterprises design high-converting sign-up and login flows.”
There are countless other companies working on the same problem as Stytch is, including identity and access management (IAM) giant Okta, which recently acquired Auth0 for $6.5 billion. Other fledgling players include Hypr, which raised $35 million earlier this year; Magic, which secured $27 million; Beyond Identity, which raised $75 million; and Transmit Security, which attracted $543 million at a chunky $2.3 billion valuation.
So where, exactly, is Stytch differentiated? According to Lamb, its API-first approach is one area where it wants to stand out, in contrast to some other players in the space that require developers to use a widget “which significantly limits companies’ ability to own the design and the types of workflows they can build.”
“Similar to what Stripe has done for payments, by abstracting away the complicated pieces and giving developers a high quality API to build on, we’re enabling everyone to build authentication using passwordless methods,” Lamb said. “Companies can outsource all of the nitty-gritty authentication details to us, but still own the entire UX and design in their onboarding and login flows.”
Stytch had previously raised around $36 million, and with another $90 million in the bank the company is well-financed to prosper in the increasingly competitive password authentication space. The company is already putting its capital to good use, as it announced today that it has acquired Cotter, a no-code passwordless login platform for websites — Stytch plans to combine the two companies’ respective technologies to make it easier for all companies to go passwordless.
Stytch’s series B round was led by Coatue Management, with participation from Index Ventures, Benchmark Capital, and Thrive Capital.