Stytch is building a developer platform for companies to implement frictionless authentication methods. For developers building out authentication flows, Stytch eliminates much of the time-intensive maintenance required via passwordless options, effectively removing application security burdens. Stytch’s authentication flows can help users avoid password overload and reduce the risks of password breaches from diverse attack vectors levied by malicious actors.

Founding Date

Jan 1, 2020

Headquarters

San Francisco, California

Total Funding

$ 126M

Stage

series b

Employees

11-50

Careers at Stytch

Memo

Updated

January 25, 2024

Reading Time

26 min

Thesis

User authentication is the process of identifying verified users who are trying to gain access to a system. Most commonly, this is asking a user for a username or email along with a password. Password hacking has become increasingly prevalent, with over 24 billion passwords exposed in 2022 and a 65% increase in compromised passwords from 2020 to 2022. Of confirmed breaches, 80% are due to stolen, weak, or reused passwords.

Password managers, which emerged to allow users to encrypt and store login information, are likewise susceptible to security breaches regardless of any zero-knowledge models in place. In August of 2022, LastPass’s cloud-based development environment was compromised by an external threat actor who employed stolen source code to exfiltrate approximately 200 repositories, gaining access to cleartext embedded credentials and digital certificates for development infrastructure.

As such, increased layers of security such as single sign-on (SSO), multi-factor authentication (MFA), and social sign-on (or OAuth) have become more prevalent, with the MFA market projected to have a compound annual growth rate of 18% from 2023 to 2028. Beyond its importance for security, user authentication is a key step in user sign-up and onboarding. A streamlined user onboarding experience can increase conversion and bolster retention.

Embedding additional layers of security, however, forces consumers to undergo superfluous actions within the registration and log-in flows. Users notoriously despise MFA as a mechanism for warding off security threats, citing cumbersome processes for enterprise log-ins and friction within the registration process. Friction at login, including password resets, could lead to user churn or abandoned carts, and minimizing conversion hurdles remains key for businesses looking to ensure repeat user visits.

Stytch* is building a developer platform for companies to implement frictionless authentication methods. The company’s APIs and SDKs streamline user onboarding and bolster retention by eliminating passwords and replacing them with secure, lower-friction authentication options such as email magic links, single sign-on (SSO), OAuth, and more. Stytch aims to provide a developer-friendly approach to passwordless authentication. For developers building out authentication flows, Stytch eliminates much of the time-intensive maintenance required via passwordless options, effectively removing application security burdens. Stytch’s authentication flows can help users avoid password overload and reduce the risks of password breaches from diverse attack vectors levied by malicious actors.

Weekly Newsletter

Subscribe to the Research Rundown

Founding Story

Stytch was founded in 2020 by Reed McGinley-Stempel (CEO) and Julianna Lamb (CTO). McGinley-Stempel and Lamb met at payments infrastructure provider Plaid while developing bank account authentication, where the duo quickly recognized that building authentication workflows remained cumbersome for developers.

Prior to Plaid, McGinley-Stempel spent over a year at Bain & Co. as a consultant. Realizing that there was a disconnect between his work spinning decks and feeding analysis back to the C-suite, he moved out to the Bay Area after a Plaid recruiter reached out to him regarding a growth role at the startup. For the first half of his stint at Plaid, McGinley-Stempel worked on the go-to-market team before moving to the product side, where he was responsible for deploying features relating to adaptive authentication.

Before Lamb joined Plaid, she spent a year as a full-stack web engineer at Strava, an exercise tracking application. McGinley-Stempel met Lamb on Plaid’s adaptive authentication team, who was working as a software engineer responsible for building client solutions via the Plaid API. At Plaid, the pair realized that users often struggled to recall their username-password combinations, leading to friction within the authentication process, and by extension, Plaid’s ability to integrate consumer-facing applications with user bank accounts.

As they grappled with potential tradeoffs between security and user conversion within the bank authentication experience, they realized that incumbent solutions were often inflexible, forcing companies to build out authentication features in-house. Although Lamb later left Plaid for Very Good Security, the two continued to meet regularly, exchanging frustrations around the lack of a flexible, accessible authentication solution geared towards developers. In June 2020, McGinley-Stempel and Lamb founded Stytch.

Product

Stytch allows its customers to offer secure user authentication, intending to drive higher conversion rates at onboarding and during the login process. Stytch’s developer-first approach has enabled the company’s passwordless solution to drive traction among engineers tasked with figuring out how to integrate log-in functionality into their applications.

Stytch aims to build solutions to reimagine user infrastructure via either out-of-the-box or customizable passwordless authentication solutions. The platform supports B2C and B2B companies’ core authentication needs when building sign-up and login flows via passwordless authentication.

The authentication solutions it offers are intended to be modular and flexible, ranging from one-time passcodes to magic links and biometrics. It has also built a full suite of authentication/authorization products to obviate the need to develop identity or access management systems in-house. Stytch’s SDKs provide the flexibility to use pre-built UI components, enabling developers to customize the user authentication experience.

Consumer Authentication

Source: Stytch

Passkeys

Passkeys, developed by Fast Identity Online (FIDO), provide a biometrics-based, phishing-resistant password alternative. When users are prompted to sign into applications, the user may opt to sign in with the same biometric used to unlock the device (e.g. FaceID, TouchID), and the application can then use this mechanism in favor of insecure traditional username and password logins. Passkeys, based on FIDO authentication, are proven to be resistant to phishing threats, credential attacks, and other common remote attacks.

While the public key is registered with the application, the private key is stored locally on the device or client originally used for biometric verification. When users send login requests, the application’s server will submit a challenge decryptable only with the private key. Once the user has verified their identity via biometrics, the private key can be used to resolve the challenge and the device sends a signed response back server-side, verifying the response and admitting users to the application.

Passwords, which are susceptible to phishing and credential stuffing attacks, remain insecure methods of authentication. Even second-factor authentication — notably, one-time passwords (OTPs) and external mobile approvals — pose issues relating to user accessibility and can be vulnerable to phishing as well. Stytch’s Passkeys offer a complete replacement for passwords as a more secure, user-friendly approach to verifying user credentials by combining the security of web authentication (WebAuthn) with biometric authentication.

OAuth / Social Login

OAuth / Social Login options like Google, Facebook, Apple, and Microsoft enable users to easily sign up and log into applications without creating new credentials. Google One Tap, which detects the user’s existing logged-in Chrome or Gmail sessions, provides the option to continue with a recognized account. If the user opts to use an existing account and is already logged into the account on their device, sign-up becomes a one-click process. As of January 2024, Stytch’s B2B SaaS Authentication API supports Google and Microsoft.

One-Time Passcodes

Stytch’s one-time passcodes (OTP) enable users to log in using temporary-use passcodes which are delivered via SMS, WhatsApp, or email, and can be used to prevent seamless cross-device logins and account takeover attacks. Authentication flows can be built with Stytch’s APIs and SDKs, with a single screen to accept a phone number or email, and a secondary screen to confirm the one-time passcode. By default, OTPs expire within two minutes, but developers can adjust the expiration time to their preferred duration. After clicking on the link, users are verified and authenticated instantaneously, and developers can choose to include additional verification at any point within the user session.

Web3 Logins

Stytch’s web3 logins allow companies to add support for crypto wallets by employing the company’s APIs or SDKs to onboard or authenticate users via Ethereum (such as Metamask, or MyEtherWallet) or Solana wallets (such as Phantom or Glow Wallet). Stytch-supported Vessel enables users to explore the web sans passwords or seed phrases. Users can opt to manage their digital identity and crypto assets from one centralized, encrypted browser extension. Vessel obviates private keys or seed phrases, meaning that users can make transactions (sending, swapping, or holding digital assets) while ensuring ease of access to their wallets across devices.

Session Management

Stytch’s session management tools provide granular session management controls over the validation and revocation of sessions. Stytch user sessions are identified by a session token or session JSON web token (JWT) stored client-side (interoperable, both returned on every API response) and authenticated on each request. Stytch’s JSON Web Tokens (JWTs) provide a means of locally verifying user sessions without needing to contact Stytch’s servers on every request, which proves particularly useful for developers looking to lighten server load and bolster latency.

B2B SaaS Authentication

Source: Stytch

Organization Authentication Settings

Stytch’s organization authentication settings product allows organizations to manage multi-tenant requirements related to memberships, self-serve or enterprise onboarding, and organization-wide settings.

Organizations, which refers to groups of end users (e.g. businesses and their constituent employees), are designated as top-level tenants in Stytch’s B2B offering and have configurable settings for access control along with regulation of authentication and member provisioning. Organization controls encompass specification of approved authentication methods, restrictions around email domains members can sign up with, disabling or enabling invites to join the organization, management of SSO connections, and storing of application or business-specific attributes.

Members, or end users who belong to the organization, can be identified via email address. Stytch supports the following mechanisms for creating members: invites (Magic Link-powered email invitation), just-in-time (JIT) provisioning (organizations can specify trusted sources like identity providers or verified email domains), and manual provisioning (direct API calls).

Single Sign On

Single Sign On (SSO) allows users to access multiple applications based on authenticated identity on another application (i.e. users can sign into a different application that will then vouch for the user’s identity when they attempt to login to another application). SSO involves both the service provider (SP), the application the user is trying to access, and the identity provider (IdP), or the application responsible for authenticating the user. If the user opts for SSO, the service provider redirects the user’s browser to the IdP, where they’re prompted to enter their credentials to the IdP (unless already authenticated), and the IdP may then redirect the user’s browser back to the service provider.

On the developer end, SSO helps prevent security vulnerabilities by storing fewer user identities or passwords that could become avenues for credential stuffing. Stytch is compatible with major identity providers (e.g. Okta, Azure, Google Ping, Auth0, Cloudflare) and supports both Security Markup Language (SAML) and OpenId Connect (OIDC).

Email Magic Links

Stytch’s email magic links enable end users to sign up or log into organizations via a single click of a tokenized URL. Users enter their email address at sign-in. If there’s a matching email address, they will receive a unique URL in their inbox. By clicking the link in their inbox, the users establish that they're the owner of the email address and are brought to an authenticated session.

Embeddable Magic Links

Stytch’s embeddable magic links create one-time, one-click mechanisms to authenticate users, eliminating reset password flows or external password managers. While email magic links are constrained to inboxes, embeddable magic links can be included within any outbound messaging of choice. By embedding tokens into CTAs within email, SMS, or other marketing channels, users can access applications without re-authenticating.

From Stytch’s embeddable magic link endpoint, developers can generate tokens to include in preferred communication channels before sending the magic link to customers. By clicking on the link, users are instantly authenticated and can begin sessions. Developers are given the optionality to include additional authentication at any point within the user journey.

Multi-Factor Authentication

Stytch offers phishing-resistant multi-factor authentication solutions for maximum flexibility and security, along with a suite of standard MFA methods (SMS one-time passcodes, email verification, and authenticator application-based authentication). Phishing-resistant MFA, built upon WebAuthn, employs device-based biometrics or hardware keys (e.g. YubiKey) to derail hackers looking to launch remote attacks. Unlike passwords, user biometrics are not stored or transferred over the internet. Biometric authentication in tandem with security key-based authentication leverages physical interaction to access relevant resources.

Fraud & Risk Prevention

The modern threat landscape continues to evolve, with malicious actors permeating applications via identity theft, business email compromise (BEC), phishing, AI bot attacks, and other forms of fraudulent activity. Stytch adopts a multifaceted approach to addressing this, equipping users with the ability to identify malicious application traffic with built-in controls for responding to bots, web scrapers, and bad actors.

Device Fingerprinting

Source: Stytch

Stytch’s device fingerprinting (DFP) product identifies unique devices based on aggregated information (e.g. browser type or version, operating system, IP address, and installed fonts), enabling organizations to differentiate between authentic users and potential bad actors. While DFP provides unique identifiers used to detect and block fraudulent actors, many existing solutions can be reverse-engineered by malicious attackers.

Stytch’s DFP approach obfuscates fingerprinting methodologies and maintains encryption at rest and in transit, effectively thwarting potential reverse engineering attacks. DFP identifiers function across incognito browsing, WebViews, VPNs, IP addresses, and other masking tools employed by such individuals. Stytch’s front-end authentication SDKs integrate directly with DFP, ensuring that developers can obviate tasks relating to authentication flows while ensuring additional layers of security afforded by DFP.

Device fingerprinting can be employed in stopping bot activity, enforcing paywalls (detection of unique users and tracking of articles seen), personalizations for returning or anonymous users, and prevention of account takeover (detection of whether bad actors are attempting to credential stuff endpoints). Based on fingerprint review, suggested actions are categorized into allow (verified device profiles that align with the characteristics of known groupings), block (known bad or malicious device profile that should be restricted from completing actions), and challenge (potentially malicious devices that should undergo 2FA or other extended user verification).

Strong CAPTCHA

While traditional CAPTCHAs are employed as a basic bot protection measure, they remain susceptible to CAPTCHA farms, where bad actors exploit public key architecture to generate scalable attack vectors for bots. Stytch’s strong CAPTCHA insulates users from bots by eliminating the public key components from client-side browser environments, eliminating bot attacks that may lead to account takeover fraud.

CAPTCHAs can be added to existing signup, checkout, or login flows, integrating with Stytch’s authentication solutions. Users are prompted to respond to simple questions before being granted full access to services. Online education platform Gather notes that Stytch creates tokens and appends them to user sessions, enabling users to go from their inboxes to Gather’s applications fully authenticated.

One 2023 report found just over half of all web traffic is human-generated, with bots forming a significant volume of traffic while stealing credit card numbers, sensitive logins, and personally identifiable information (PII). Sites looking to distinguish between humans and bots have traditionally employed CAPTCHAs, but modern CAPTCHA systems often expose their public key, enabling bots to scrape and submit public keys to CAPTCHA-solving services where individuals can then manually resolve tests for bots.

Stytch’s Strong CAPTCHA removes the public key site from CAPTCHA architecture, eliminating the possibility of bots scraping or mass attacking applications. McGinley-Stempel notes that users of ecommerce sites are “inundated with stimuli and friction . . . they’re asked to accept these cookies, create an account with multiple fields required, and remember yet another password,” and Stytch may be positioned to provide quality commercial experiences while obstructing bots’ ability to distort user interactions.

Breach-Resistant Passwords

Stytch’s breach-resistant passwords enable members to sign up for or log into organizations via email addresses and passwords, with the optionality to add more granular restrictions around password length, character types, and password strength enforcement during the authentication process. zxcvb and Lowercase Uppercase Digits Special Characters (LUDS) form part of Stytch’s password strength assessment, with the former flagging the presence of common patterns or usage of dictionary words, and the latter checking for the presence of lowercase or uppercase letters, digits, and special characters.

Breach detection, powered by HaveIBeenPwned, works in tandem with password strength enforcement to restrict unauthorized access to sensitive information by tracking compromised credentials and triggering password resets. Stytch supports an array of password hashing algorithms for migrations (e.g. bcrypt, scrypt, argon2i, argon2id, md_5, and sha_1), along with account deduplication for stronger fraud protection to mitigate password breaches and any compromise of user information.

Market

Customer

Stytch offers authentication solutions across SaaS, ecommerce, fintech, web3, consumer tech, and healthcare companies. Instead of spending developer cycles building bespoke user authentication flows, enterprise or B2B customers employ Stytch in building out SSO or MFA.

As of January 2024, notable customers of Stytch include Zapier, Clearbit, Hex, Replit, and Tome.

Source: Stytch

Other notable customers include automated financial collaboration platform Standard Metrics, gene sequencing company 10X Genomics, and employee background screening solution Checkr. Stytch’s customers report more than a 20% increase in sign-ups relative to Google One Tap and approximately a 62% increase in conversion after transitioning to passwordless authentication.

Usage-based pricing startup Orb offers SSO had previously evaluated Auth0, but came to the conclusion that Auth0 would be incapable of handling session management. Many other SSO providers evaluated necessitated additional coding, extensive customization, and branching paths for auth customers. With Stytch, Orb was able to abstract away complexity from the authentication process, ensuring that the platform could manage diverse auth SSO requirements with minimal lift.

Irish fintech company, Unbanx, which allows consumers to sell aggregated anonymized data to ethical buyers, employs Stytch’s passwordless SMS passcodes to optimize its sign-up flow. With Stytch, users can complete Unbanx’s three-step onboarding flow quickly, and verification takes place via text instead of the lengthier process demanded by Amazon Cognito.

Real estate lender Flatiron Realty Capital similarly needed a full-service authentication solution to aggregate relevant documents within the umbrella of a single user account. Within a week, Flatiron was able to implement Stytch’s sign-up and login flows, with the optionality to tack on SMS OTPs or TOTP authenticator applications downstream in the user journey.

Bitcoin.com opted to implement Stytch’s EML solutions instead of an in-house build to resolve support tickets from users losing their keys. While developers had already built sign-up and login flows, they quickly realized that their approach necessitated overwhelming maintenance at scale, especially with the addition of new use cases, features, and product suites. The company’s partnership with Stytch has eliminated much of the authentication maintenance previously required, especially given Bitcoin.com’s cross-platform presence across web, mobile, and external partners.

Market Size

The global passwordless authentication market size is expected to reach nearly $55.7 billion by 2030, with the rise of ecommerce and mobile banking contributing to the need for robust mechanisms for consumer authentication.

The need for multi-modal security across the cloud has accelerated demand for customer identity and access management (IAM) solutions, with the global IAM market projected to expand from $15.7 billion in 2023 to $32.6 billion in 2028. Enterprise identity providers have moved beyond enterprise offerings to include customer identity management (e.g. Okta’s Auth0 acquisition), with leading authentication/authorization platform Okta expected to generate a sizable chunk of its revenue from customer IAM.

With over 66% of smartphone users expected to use device-native biometrics by 2024, passkeys have begun to built the foundation for a passwordless future. Authentication protocols (notably, FIDO2 and WebAuthn) have set the stage for developers to add passwordless authentication methods (in tandem with OTPs, magic links, and other forms of authentication) to their applications.

Competition

Auth0 (Okta): Founded in 2013, Auth0 raised over $330 million before Okta acquired the company for $6.5 billion in an all-stock deal in March 2021. The acquisition, an approximate 3.5x jump in Auth0’s valuation from the previous year, expands Okta’s workforce identity management coverage to include customer identity.

Auth0 was expected to generate over $200 million in annual recurring revenue (ARR) in 2022. While Auth0 might prove sufficient for developers looking for boiler-plate authentication with limited customizability, Stytch supports a broader range of biometric logins (native biometrics on Apple devices via an iOS SDK), along with web3 logins (built-in support for Ethereum and Solana logins).

Developers commonly implement Auth0 via universal login, a modal hosted by the platform that provides login methods out-of-the-box. Because universal login is Auth0-hosted, users are redirected away from log-in or sign-up pages, forcing them to authenticate via Auth0 or another custom domain before redirecting them back to the original page or application. By opting to use Stytch, developers fully own the UI/UX, eliminating redirection and bolstering user conversion rates — Lighthouse notably claimed that it improved conversion by 62% after switching from Auth0 to Stytch.

Fingerprint: Fingerprint, a Javascript-based client-side browser fingerprinting library, queries browser attributes and computes a hashed visitor identifier. The commercial version of Fingerprint enables developers to implement fingerprinting in non-production environments, with over 6K companies using Fingerprint’s real-time device intelligence to ascertain user intentions as of January 2024. Fingerprint provides a wholesale view of users across web and mobile applications, with up to 99.5% accuracy in identification accuracy by employing fingerprinting, fuzzy matching, and server-side techniques.

While Fingerprint performs some transport layer security (TLS) fingerprinting, such fingerprinting returns identifiers client-side where they are then vulnerable to tampering. Stytch offers priority TLS and network fingerprinting, both performed entirely server-side, along with encryption on-wire and at rest.

WorkOS: WorkOS was founded in 2019. It offers a suite of enterprise-ready solutions for identity and access management (IAM). Its product lineup includes tools and APIs that enable developers to integrate crucial features into their applications. In June 2022, WorkOS raised an $80 million Series B round at an undisclosed valuation led by Greenoaks, with participation from Lachy Groom, Lightspeed Ventures, and Abstract Ventures. As of January 2024, WorkOS has raised $95 million in total funding.

Amazon Cognito: Amazon Cognito enables developers to add user sign-up and sign-in features via a scalable identity store with support for both social and enterprise identity federation. Processing over 100 billion authentications each month as of January 2024, Cognito helps users implement customer identity and access management (CIAM) into both web and mobile applications. Notable customers include NHS Digital, Trend Micro, and Neiman Marcus.

Amazon Cognito may prove sufficient for simple authentication flows built around passwords and social OAuth logins or companies already using AWS but may prove constricting in terms of advanced authentication features and backend stack flexibility. While Cognito’s advanced security features only support multi-factor authentication (MFA) via SMS and TOTP, Stytch’s API-first approach enables developers to construct more nuanced, bespoke application logic. Apart from authentication, Stytch also provides flexible fraud tools including device fingerprinting, which provides more granular logic around addressing or triaging traffic according to risk level.

Apart from the competitors described above, other relevant startups in the IAM space include Descope, which provides drag-and-drop authentication and identity management for consumer-facing businesses and Ory, a web-scale API for identity and access control.

Business Model

Source: Stytch

Stytch’s B2B SaaS offering offers tiered subscription pricing, with Starter, Pro, Scale, and Enterprise tiers.

The Starter tier is geared towards prototyping allowing developers to begin for free with authentication and authorization features (multi-session management, multi-tenancy, role-based access control), along with complete APIs and SDKs, pre-built UI components available out-of-the-box, and multi-factor authentication (SMS, email, auth apps, and WebAuthn).

The Pro plan ($249/month), designed for production applications seeking full branding control, provides all of the features included in the Starter plan, along with three enterprise SSO connections, multiple SSO connections per organization, just-in-time provisioning controls by SSO connection, and the ability to remove Stytch-specific branding and fully customize email domain designs.

Stytch’s Scale plan ($799/month), includes all of the features included within the Pro plan, with an added 100 free external active organizations, 5K free external active users (members), and eight enterprise SSO connections.

Stytch’s Enterprise plan ensures a very high percentage uptime SLA, along with a dedicated Slack channel, enterprise support, and volume discounts based on the quantity of external active organizations and users. The plan (bespoke pricing) also encompasses unlimited SSO connections, along with bot detection and prevention, device fingerprinting, and strong CAPTCHA.

Traction

In November 2021, 3.5K developers were using Stytch’s platform, up from just 350 in July 2021. Stytch has also ventured into the web3 space. The platform helps power over 70 million ETH addresses with positive account addresses and 2 million phantom wallet monthly active users as of January 2024. Most organizations lack a standard “buyer” for authentication products, so Stytch’s directed approach to introducing solutions at developer-centric conferences was a critical aspect of the company’s product-led growth (PLG) strategy.

Stytch’s change log indicates that the company has continually released features, product improvements, and broader bug resolutions. In December 2023, the company announced the availability of role-based access control (RBAC), along with passkeys for consumer applications. Just the previous month, RBAC and SCIM solutions were made available to users requesting early access, along with OAuth custom parameters and device fingerprinting-protected authentication just a few weeks prior.

Valuation

In November 2021, Stytch secured $90 million in Series B funding in a round that valued the company at over $1 billion and brought the company’s total funding to $126.3 million. The round, led by Coatue Management, included participation from Contrary and existing investors, notably Benchmark, Thrive Capital, and Index Ventures. Stytch’s Series B came just four months after the company’s $30 million Series A, which valued the company at approximately $200 million. Prior to this, Stytch raised a $6 million seed round led by Benchmark in the summer of 2020.

Key Opportunities

Strategic Acquisitions

Following the company’s Series B, Stytch acquired passwordless authentication startup Cotter at the time of its Series B in 2021. Cotter simplified logins via mobile app prompts, OTPs, magic links, and WebAuthn-based biometric authentication. In line with other acquisitions by relevant competitors in the space, such as Bitwarden’s acquisition of Swedish passwordless startup Passwordless.dev, Stytch may expand existing offerings to help modernize applications that presently rely on passwords for authentication. In a similar vein to Cotter, Passwordless.dev provides APIs built atop WebAuthn, simplifying the process for developers to bring WebAuthn to software via just a few lines of code.

End-to-End Identity Management

Stytch has positioned itself as an end-to-end identity platform for developers. Announcements around the general availability (GA) of passkeys in December 2023 signaled increasing interest in expanding cross-platform authentication methods and facilitating the migration to more secure, passwordless alternatives.

Stytch intends to become Stripe for passkeys by handling the building and implementation of passkeys from scratch. McGinley-Stempel noted in December 2023 that he remains bullish on passkeys being the largest accelerant towards passwordless adoption, with major players adopting passkeys as their preferred mode of authentication. Existing passkey solutions often constrain developers’ ability to customize application logic and UIs, creating disjointed user experiences and widening attack surfaces for security vulnerabilities.

As a broader provider of IAM solutions, Stytch may be well-positioned to become the platform of choice for companies looking to deliver enterprise-grade authentication alongside frictionless user experiences. By enabling businesses to centralize efforts around building core features instead of in-house authentication, Stytch can help reduce the engineering overhead required to build and manage authentication for applications. Stytch may become the authentication platform of choice for companies as they scale by providing the flexibility to support both status quo and future authentication needs.

Key Risks

IAM Incumbents & Emerging Players

Apart from Okta’s Auth0, startups operating in the identity and authentication space have developed customizable solutions around biometric onboarding and passkeys, along with KYC capabilities. Footprint, for example, vaults identity, payment card, and customer key-value data; identity data originating from user onboarding flows is verified via the decisioning platform and then secured.

Beyond authentication, Footprint bridges the gap between onboarding, authentication, and identity access management, providing an end-to-end approach that eliminates tradeoffs between fraud and friction. Footprint also links security to fraud and KYC, ensuring that individuals with verified identities can create accounts within the given ecosystem once cleared.

Within the identity access management realm, startups like Opal Security provide consolidated views and more granular employee access control to internal tooling, company applications, and environments. Other vendors including SailPoint and Veza are among a myriad of solutions operating in the enterprise identity security space.

Boston-based Transmit Security, meanwhile, offers biometric-based authentication capable of handling over 9K authentication requests per second. The company counts UBS, Lowe’s, and SunLife Financial among its enterprise customers, but also services a broad range of non-profits, fintechs, retailers, and other health systems via the company’s suite of customer identity solutions.

Stytch aims to differentiate itself from other identity and access management (IAM) solutions via a developer-friendly, API-first approach. in contrast to other players that require developers to utilize widgets, Stytch provides flexibility in terms of owning both the design and core workflows that can be built around the company’s APIs and SDKs. In a similar manner to how Stripe has streamlined payments, Stytch aims to abstract away nitty-gritty details around authentication so that developers have more control over user flows.

Deployment Hurdles

Beyond optimizing the developer experience of constructing authentication flows, Stytch grapples with reshaping traditional reliance on passwords. Organizations considering a transition to passwordless authentication might require compatibility between passwordless solutions and existing systems. Enterprise adoption requires full verification of application compatibility, with planning required to ensure that all applications and company-sponsored devices can support passwordless solutions.

For legacy solutions incompatible with passwordless authentication, identifying outliers in use cases might require alternative authentication remediation paths. Organizations capable of easily adopting emerging solutions (such as Stytch) may avoid needing to replace legacy infrastructure and embrace passwordless forms of authentication. But passwordless deployment typically requires a phased approach, with deployment occurring first via a VPN or remote access portal. Microsoft notes that the process of transitioning to passwordless mechanisms may take a considerable amount of time, and organizations looking for passwordless options should be willing to commit resources and time to the development of password replacement offerings.

In addition, IAM leaders are often uncertain of what passwordless authentication might entail, and the lack of universal solutions can prove difficult for both enterprises and their customers. Even if larger enterprises are seeking ways to eliminate security risks associated with weak passwords, workers might be also resistant to biometric authentication, especially in the face of possible privacy concerns.

Weekly Newsletter

Subscribe to the Research Rundown

Summary

Standard username-password login mechanisms have become untenable as modes of authentication. According to a 2021 LastPass survey, the average employee utilizes over 190 different logins, with employees typing out their login credentials approximately 150 times on a monthly basis. To mitigate friction affiliated with consumer log-in flows, along with security vulnerabilities arising from password-based logins, companies are increasingly seeking passwordless systems for authentication.

Stytch is striving to become the preferred solution for developers across enterprises. In service of the company’s mission to kill the password, Stytch has developed a suite of tooling across consumer and B2B authentication mechanisms, including device fingerprinting, MFA, SSO, email magic links, OTPs, etc. Stytch has developed an identity platform specifically geared towards developers, ensuring that companies are able to build end-to-end authentication flows regardless of tech stacks are already in place.

Specifically, Stytch provides an IAM infrastructure for developers transitioning or implementing frictionless authentication alternatives into their applications. With Stytch’s APIs and SDKs, companies can bolster user retention by eliminating passwords from applications altogether, replacing existing log-in mechanisms with more secure, lower-friction authentication alternatives.

*Contrary is an investor in Stytch through one or more affiliates.

Disclosure: Nothing presented within this article is intended to constitute legal, business, investment or tax advice, and under no circumstances should any information provided herein be used or considered as an offer to sell or a solicitation of an offer to buy an interest in any investment fund managed by Contrary LLC (“Contrary”) nor does such information constitute an offer to provide investment advisory services. Information provided reflects Contrary’s views as of a time, whereby such views are subject to change at any point and Contrary shall not be obligated to provide notice of any change. Companies mentioned in this article may be a representative sample of portfolio companies in which Contrary has invested in which the author believes such companies fit the objective criteria stated in commentary, which do not reflect all investments made by Contrary. No assumptions should be made that investments listed above were or will be profitable. Due to various risks and uncertainties, actual events, results or the actual experience may differ materially from those reflected or contemplated in these statements. Nothing contained in this article may be relied upon as a guarantee or assurance as to the future success of any particular company. Past performance is not indicative of future results. A list of investments made by Contrary (excluding investments for which the issuer has not provided permission for Contrary to disclose publicly, Fund of Fund investments and investments in which total invested capital is no more than $50,000) is available at www.contrary.com/investments.

Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by Contrary. While taken from sources believed to be reliable, Contrary has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Please see www.contrary.com/legal for additional important information.

Authors

Jen Yang-Wong

VP of Product

See articles

Catherine Zhao

Fellow

See articles

© 2024 Contrary Research · All rights reserved

Privacy Policy