A lot of people have asked me what I think about recent announcements by larger companies jumping into portable identity. The two big examples here are Plaid Layer and the Clear Partnership with Public. I thought it best to publish one post to keep my thoughts succinct. But before that, I want to congratulate both the Plaid/Cognito and Clear/Sora ID teams on their respective announcements. The demos are slick, and portable identity remains a very exciting topic near to our hearts.
Now, onto my thoughts.
Part I: We Expected This
I wrote an update last June titled “Tomorrow, Tomorrow, and Tomorrow”. It’s about a book. And Plaid. I thought I’d share some quotes from it, and re-visit them today.
- “The first one-click does not matter without the first verification. We’ve long spoken about our goal to remove the toggle between fraud and friction. That cannot just be done by solely removing friction. In fact, we’ve seen what happens when you just remove friction: rampant fraud. It’s essential that the fidelity of any verification before an identity is made portable is done to the highest degree of accuracy.”
- This continues to be our core belief at Footprint. This quote stated if the initial verification was not done to a high degree of confidence, future verifications/one-clicks would not be valuable because of their susceptibility to fraud. This is why we invest so much in the fidelity of each verification, having built out our fraud suite to include behavioral, location, phone, and synthetic signals.
- “Footprint’s product is not trivial. From day one our goal has been one-click, which has meant building an incredibly sophisticated architecture to do just that. Not only that, but we built a security company first so that user data would be stored on behalf of our customers inside our vaults”
- And it got even more complex over the last year. Alex to this day says the most unexpected engineering difficulty of Footprint was the portability architecture. Even though we were purpose-built from day one to make identity portable, our architecture has undergone seven different versions since the start!
- “I still suspect Stripe to make a play in this space. My gut is they care more about unleashing Link to build a moat in ACH pay to (brilliantly) protect their card processing business in case bank pay really takes off. Their identity team should eventually be a part of it, just like their financial connections team with their product competitive to Plaid.”
- I still do! These products, at least in theory, make sense together. Plaid and Stripe had a fun little public dance when Stripe released Financial Connections. I don’t know the numbers, but my guess is they haven’t eaten Plaid’s breakfast there, more so grown ACVs a bit for some accounts. We see it everywhere across tech: building outside of your initial core competency is difficult to get right. I also expect Clear to continue to try to grow market share in the space.
Part II: So What is Portable Identity?
Let me say what portability is not: results. As I always explain, you still need to re-run KYC even if you have PII. Information may have changed (i.e., someone moved to a new address), companies have different risk appetites, and partner institutions have different CIPs (Customer Identification Programs). To explain the jargon there, Banks/BDs (Broker-Dealers) each make their own CIPs which customers need to properly comply with when they do KYC. Even with different risk appetites, Footprint prioritizes the fidelity of a verification above anything else. We try to minimize friction, but our belief is portability is only possible if you have high conviction in the initial verification.
A lot of the power of our one-click is our SDK being smart enough to adapt to each situation, and prompt the front-end to collect net new information. For example, if you got a credit card and then went to open an investment account elsewhere, we’d need to collect information about your income and employment. If you went to rent an apartment or car, we’d likely have to collect your Driver’s License. Conversely, let’s say you apply to one investment platform which uses Apex, and then another on Alpaca. Same industry, ergo same result? Nope. Those two BDs have different CIPs around address match requirements—one is more likely to need a Driver’s License (or SSN card). The same holds true for fintechs working with different partner banks. A lot of our power lies in understanding these nuances and building a dynamic frontend for each instance. This lets us improve conversion even while we focus on the fidelity of the verification.
You’ll see different flavors of portability. The one others are focused on is centered around a quick retrieval of information to boost conversion—also known as pre-fill. The numbers they state are impressive—15-20% quicker onboarding is a big deal! As they describe, there are a few flavors of how they do this. One of the primary ones is comparing the phone number a user enters to their database of ACH accounts, seeing if there is a match, and then pulling the PII to run a KYC. To me, this is closer to pre-fill, most popularly seen today with vendors who use a database of linked PII info from phone numbers that TelCo carriers possess. Friction and drop-off are huge drivers of CAC, and reducing them can be a big win for companies. Put succinctly, pre-fill is when you take some live info, look up what the rest of it could be, and then pre-fill in the rest of the application. Footprint focuses on re-fill: we already collected the information, so we can use strong-auth to re-fill it.
How does this work? Because Footprint lives on the frontend, we collect user data as they enter it with our first customer. We run both behavioral tools and KYC to verify that the identity matches in a database and that we believe the person entering it is the person who should possess the identity. We then vault the data in secure Nitro Enclaves, and bind a strong biometric (passkeys) to the information. The next time we see a user, we have them re-authenticate (with the passkey), and then re-fill the information they’ve previously entered in Footprint for identity verification. In this scenario, there is the conversion gain you get in the re-fill scenario, but more importantly, a large fraud reduction angle. The initial verification had more fraud tools—we are triple binding identity around device biometrics and ensuring there is no more than one identity on the device. Strong-auth ensures there has not been a SIM swap or other method to gain access to a portable identity. Without these elements, you open up the possibility of one-click fraud. Get through the system once, and open accounts with ease.
Pre-fill solutions have taken a great first step towards solving a difficult problem. But, they have also created a new vector of risk and fraud. This is why we have built around identity, security, and auth from day one. And why Footprint is the sole re-fill solution in the market.
Part III: How Footprint was Built to Help Customers Use Portable Identity
Other onboarding tools leave much to be desired. There is a bucket of ones that solely live on the backend, unable to analyze user behavior and conduct dynamic step-ups. And then there is a bucket of tools with rigid UX on their hosted flows, often rendering them to be backend tools like in bucket one. Often, KYC tools are point solutions which must be combined with others, or a heavy orchestration layer which gives you the privilege of connecting together a bunch of APIs. These tools become check boxes at the moment of onboarding.
Footprint is a single SDK to handle KYC, Document, Fraud, Security, and Auth. We don’t just verify the user when they create an account, but also when they sign back in. And our initial check is far from a simple database check. This is why we haven’t lost a customer to a pre-fill solution (or, any other solution) to date. I think our KYC—today—is better. If you would not purchase someone’s KYC today due to fraud, I can’t imagine you’d want their network of previous users.
This is why Footprint re-fill is so different from pre-fill solutions. These are not users we look up from partial information in a database. Rather, they are users for whom we have conducted a high-fidelity verification for account creation and sign-in. We understand their device and context around their actions from a risk perspective. We are creating a new space in identity built around the largest network of de-duped authenticated portable identities.
I mean it when I say I have a tremendous deal of respect for the Plaid + Cognito and Clear + Sora teams. And I really congratulate them on the launch of Layer. As weird as it sounds, I even root for them. The portable identity market is still very nascent--there is real education and technology still required to grow it. And, you have to be crazy to try to build big ideas. And I have a ton of respect for the folks working the hours to make that possible. They have a really nice product. I just think ours is better. And as we’ve said from the start, there is no shortcut to tomorrow. You need to build with portable identity in mind from day one.