It was a landmark year for the identity industry in 2017. Driven by a series of high-profile news events, the importance of identity was catapulted to the forefront. The Equifax data breach illustrated the importance of data privacy, while the success of bitcoin, highlighted the excitement around decentralization. As such, consumers, regulators, and private industries alike have begun to realize there is tremendous value in understanding identity as a concept, the importance of identity, and how it can be leveraged to improve everything from an individual’s daily routine to corporate business strategies.
This shift in focus sparked an incredible amount of growth across the industry. Over the past year we have witnessed a bevy of new startups be created to help solve the challenges of identity of things (IDoT), regulatory concerns, personal fitness, and many others. Established legacy firms are also racing to understand how they can better protect the data of the consumers while also trying to realize new opportunities with the identity data they already have.
On the heels of this monumental shift in the identity space, OWI has created the second edition of its market defining Identity Industry Landscape. Last year’s inaugural landscape featured 230 companies across 13 industry verticals. A year later, our 2018 OWI Identity Industry Landscape contains 755 companies across 3 segments, 22 categories, and 46 sub-categories.
OWI’s 2018 identity landscape contains 755 companies across 3 segments, 22 categories, and 46 sub-categories.
Prompted by drastic changes in scope and scale, the second OWI Identity Industry Landscape reflects a quickly growing and evolving market segment. To reflect on the industry changing events of 2017, OWI offers its list of the top events affecting the development of the identity landscape over the past year:
The top identity moments of 2017
- Equifax and Alteryx data breaches: In 2017 over 270 million data points of personal information were exposed: 145.5 million people through Equifax and over 123 million American households through Alteryx. For many consumers, these events exposed the potential dangers of sharing personal data online.
- General Data Protection Regulation (GDPR) preparation: GDPR is essentially a massive overhaul to the data privacy laws in the European Union which places a great amount of onus on private companies to responsibly process and maintain the data of their consumers. This bill was passed on April 14, 2016 and is due to go into effect on May 25, 2018, making 2017 the year to prepare. This frantic sprawl to overhaul internal processes to stay compliant sparked many conversations regarding best practices over data privacy.
- U.S. presidential election and the power of social media: In review of the 2016 U.S. presidential election it became clear Russian entities purchased over 3,000 Facebook ads targeted at specific groups to drive further tension among racial issues in the United States. Facebook was able to collect data on its’ users, group them based on characteristics, and sell ads on their ability to target a specific market segment with incredible accuracy. Not only did Facebook’s business case for collecting its users’ data become clear but the potential dangers of grouping people based on similar identity characteristics was exposed.
- Bitcoin and decentralization: On January 16th 2017, the price of bitcoin, built on the blockchain, was on average $830.26. By December 16th, 2017 that price had soared to $19,343. In 2017, we saw an explosion in hype and excitement around blockchain and its potential to power aspects of a decentralized economy disparate from any centralized authority. Consumers are not only excited by bitcoin itself, but what its success means for other potential use cases such as IDoT and distributed ledgers around identity.
- Aadhaar and Estonia ID: State sponsored identity schemes have gained more traction over the past year. Long has India’s Aadhaar stood as the premier use case for a proven national identity schemes with over 99% of adults enrolled in the program. In 2017, Estonia launched a state sponsored e-identity program where anyone in the world could enroll online to become an Estonia citizen. This new program offers citizens an efficient mode of authentication for a variety of benefits and services across the economy. Moreover, on the heels of Brexit, Estonia’s eID program is a new vector for entities to continue leveraging the economic benefits of being a citizen of the EU.
- Identity of Things (IDoT): As IDoT continues to drastically expand, there still remains uncertainty around the viability of existing cybersecurity measures to protect the transfer of data from network nodes to central servers. With the explosive adoption of blockchain as a potential solution to this concern, many are expecting to see an even higher rate of adoption as companies such as Filament! begin to successfully leverage existing blockchain networks to securely verify and authenticate the identity and addresses of network nodes. As companies begin to solve this security concern, we will start to realize the true benefits of IDoT.
- Apple Face ID: This year Apple announced the release of the iPhone X which features Face ID – a new authentication paradigm which unlocks the phone with the user’s facial biometrics. This is not a new technology, but Apple’s endorsement drastically increases its visibility as a mainstream medium of authorization and makes fingerprint authentication appear antiquated.
- National Institute of Standards and Technology (NIST) 800-60-3: In June 2017, NIST 800-63, new authentication standards and recommendations, were published. These new standards created a clear delineation between Identity, Authentication, and Federation. In these categories companies have the option to select from varying options of authentication techniques depending on their needs and current business structure. It also asserted that SMS is no longer an officially recommended mechanism for multi-factor authentication. And lastly, companies are required to detail requirements for account recovery in case of theft from an authenticator. Overall the new standards embrace the complexity of the identity issues and empower federal agencies to be more flexible with their design and operation.
Clearly this was a busy year for identity and the increase of attention caused by national news coverage caused people to take notice. This new consumer perspective served as a catalyst for a great deal of change within the industry. During the creation of the landscape we noticed three major developmental trends in 2017:
- Silos beginning to break down
- The API-ification of everything
- Self-sovereign identity
Silos are breaking down.
Historically, identity has developed in silos across industries or even within individual companies. For example, customer leads are traditionally handled by the sales team. If the customer signs the contract then their data is passed over to the data management team who is responsible for cataloging the information and making it available for product managers, customer service, and technology support to make decisions to support the user. However, this process is slow, can cause poor data integrity, is expensive, and ultimately provides the consumer with a poor experience.
As a result, Customer Identity Access Management (CIAM), was created as a solution for companies to make real-time decisions off of their consumers’ data to offer a fully immersive and interactive experience. Companies such as Janrain, Forgerock, and LoginRadius have gained incredible traction in the space by showing the value of being able to know your customers identity, and leveraging that data to offer a tailored, consistent, and seamless experience across a variety of platforms. The success of this horizontal integration came to a climax when SAP bought GIGYA for $350 million USD in September, 2017.
In addition to silos being broken down horizontally, we are also seeing a great deal of vertical integration. Companies such as CrossVerify, Biocryptology, and Daon are authentication companies who have vertically integrated their stack and offer proprietary hardware or software, white label solutions, and consumer facing applications. These companies have acknowledged the growing demand for solutions at every step of the identity life cycle and are vertically integrating in response. As happy as we are for companies like those detailed above and many others, these industry developments made it hard to categorize them into segments.
The API-ification of everything.
Globally, banks possess large caches of personal data attributes which have been identified as an excellent source of record to authenticate consumers. As a result, there has been a global push for banks to open their APIs to allow other companies to prevent and reduce fraud risk of consumers with which they transact. To that end, there have been several successful examples of this being done. For example, the SecureKey concierge service in Canada illustrates how open bank APIs can be used to securely authenticate consumers without exposing their data. Even in Norway, Zignsec has used the open API laws to provide merchants with a way to verify consumers before transacting with them.
There has been a global push for banks to open their APIs to allow other companies to prevent and reduce fraud risk of consumers with which they transact.
Additionally, PSD2, the financial services reform act that is due to go in effect in December of this year will force banks in the United Kingdom to open their APIs to the public. With all these global success stories, and even laws being passed in the U.K. there is mounting pressure for banks to open their APIs in the United States. Either the banks move first to monetize on the data they currently own, or they can wait to see if the government forces them to open it for free.
Another major development over the past year was the rise of self-sovereign identity solutions as more people want to own their personal data. This demand is driven from concerns drawn from the Equifax news or even Facebook’s use of consumer data. As such, companies such as Yoti and uPort have developed applications that empower consumers to securely store their data, decide what data they would like to share with decentralized apps, and even digitally sign contracts. These solutions are part of a much larger push to restore control of a user’s data to the user without the need of a centralized authority. The development of new technologies, such as blockchain, have made these solutions possible.
After analyzing the industry, the growing amount of companies and what they are looking to accomplish, OWI expects even bigger things in 2018. First and foremost, we believe that identity silos will continue to be broken down, through both horizontal and vertical integration. Second, we believe that with a focus on endpoint security IDoT will continue to experience rapid growth, especially in respect to smart cities and resource management. And lastly, trust and safety will make its way to the fore. Consumers have seen the growing importance of data privacy and they must be able to trust and feel safe with the companies they are interacting with online to protect their data and use it only to the extent they agreed to.
As bright as the future appears to be, we believe it is important to take a moment and appreciate how far the identity industry has grown over the past year. An increase in national news coverage has caused consumers to care, and as such, both the market and government have responded to the concerns, ultimately driving identity into the mainstream.
For more, please see the 2018 OWI Industry Landscape.