Stytch’s API-First Approach to Passwordless Authentication
Managing passwords has been a nightmare for years, decades really, but during the pandemic more people were ordering dinner delivery and buying everything online, from mole repellent to dog food.
That only increased awareness of the pain involved for users in remembering passwords for all their different accounts, and for companies dealing with security and customer conversion woes.
That’s added impetus to the drive to create alternate solutions to password-based authentication.
One such startup, San Francisco-based Stytch aims to help developers more easily and securely add authentication to their applications with an API-first approach.
Founders Reed McGinley-Stempel and Julianna Lamb came from Plaid, which created technology for users of sites like Venmo, Robinhood or Coinbase to connect their accounts with their banks. There they found passwords to be their biggest security threat and the most likely reason for potential customers to bail.
“Those are some of the things that got us really excited about the idea of what if you could build a developer experience company that just made it easy for every engineer to embed passwordless authentication from the get-go when they’re building an application or website?” CEO McGinley-Stempel said.
Gartner has predicted that by 2022, 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases. That’s not necessarily reality, though. Microsoft recently reported that only 22% of customers using its cloud identity solution, Microsoft Azure Active Directory (Azure AD), are using strong identity authentication protection.
“We offer basically APIs and SDKs for developers to embed passwordless authentication into their apps. So we have a platform of different products that you can pick and choose from and stitch together in the way that makes sense for your users, your use case,” said Lamb, Stytch CTO.
The offerings include email, magic links, SMS, WhatsApp links and timed one-time passcodes, as well as authenticator apps like Google Authenticator, sign-in with Google, Facebook and OAuth integrations.
The company recently announced its first biometrics product using WebAuthn, which allows users to log in with either built-in device biometrics such as TouchID or FaceID or hardware keys such as YubiKey. One of the features it’s exploring is biometric login to websites, McGinley-Stempel said.
The company also made its first acquisition, Y Combinator-backed Cotter, a no-code passwordless competitor.
Client Libraries and SDKs
Its authentication API is organized around REST principles and has resource-oriented URLs, returns JSON-encoded responses, and uses standard HTTP response codes.
You can integrate it into any backend language of choice.
“The API gives you just so much flexibility and ownership over the end-user experience that you’re building. So you can integrate our authentication into your product, and then build your entire sort of frontend and UX yourself so that you don’t have to compromise any of your branding, design and UX elements,” Lamb said.
“Having a really clean API abstracts away all the complicated pieces of authentication, but gives developers sort of maximum control over what their user experience looks like.”
It also gives you the flexibility to integrate authentication at the point in time that it makes sense for your app, she explained.
“So one thing we talk a lot about is route-based authentication, which basically means doing a step up from within a logged-in session. So you might do one authentication factor to get read access to an account. And then if you go to do a more risky or sensitive action, like updating a shipping address or viewing billing information, etc., you can do another authentication event then to increase the security of that action.”
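The step-up pattern Lamb describes can be expressed as a small authorization policy: a session records which factors were completed and when, low-risk routes need only the primary factor, and sensitive routes require a second, distinct factor that was completed recently. The following is an added illustration written for this article, not Stytch's own code or API; the route table, the freshness windows and the factor names ("magic_link", "totp") are constructed assumptions.

```python
"""Route-based (step-up) authentication policy, as a stand-alone demo.

Added example, not Stytch code. A Session stores completed factors with
timestamps; authorize() decides, per route, whether the caller may proceed,
must log in, or must complete a second factor first.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed policy values (assumptions for this example).
SENSITIVE_ROUTES = {"/billing", "/shipping-address"}
STEP_UP_MAX_AGE = 300          # seconds a second factor stays "fresh"
SESSION_MAX_AGE = 8 * 3600     # seconds before the whole session expires


@dataclass
class Session:
    user_id: str
    # factor name (e.g. "magic_link", "totp", "webauthn") -> completion time
    factors: Dict[str, float] = field(default_factory=dict)

    def record_factor(self, factor: str, now: Optional[float] = None) -> None:
        """Mark a factor as completed. Repeating the same factor only
        refreshes its timestamp; it never counts as a second factor."""
        self.factors[factor] = time.time() if now is None else now


def authorize(session: Optional[Session], route: str,
              now: Optional[float] = None) -> str:
    """Return "allow", "login" (no valid session) or "step_up"
    (sensitive route without a fresh second factor)."""
    now = time.time() if now is None else now

    # Primary factor: the session must exist and not be older than its lifetime.
    if session is None or not session.factors:
        return "login"
    first_completed = min(session.factors.values())
    if now - first_completed > SESSION_MAX_AGE:
        return "login"

    # Read-level routes are satisfied by the primary factor alone.
    if route not in SENSITIVE_ROUTES:
        return "allow"

    # Sensitive routes: some factor other than the primary one must have been
    # completed within STEP_UP_MAX_AGE. The earliest factor is the primary.
    primary = min(session.factors, key=session.factors.get)
    for factor, completed_at in session.factors.items():
        if factor != primary and now - completed_at <= STEP_UP_MAX_AGE:
            return "allow"
    return "step_up"


if __name__ == "__main__":
    # Constructed walk-through: log in with a magic link, read orders,
    # then get challenged when touching billing until a TOTP is completed.
    s = Session("user-123")
    s.record_factor("magic_link", now=1000.0)
    print(authorize(s, "/orders", now=1010.0))    # allow
    print(authorize(s, "/billing", now=1010.0))   # step_up
    s.record_factor("totp", now=1030.0)
    print(authorize(s, "/billing", now=1031.0))   # allow
    print(authorize(s, "/billing", now=1331.0))   # step_up (TOTP is stale)
```

The design point is that freshness is tracked per factor, not per session: a second factor completed hours ago should not keep unlocking billing changes, and re-running the same factor (another magic link) is not a step-up because it proves nothing the attacker who holds the mailbox does not already control.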
McGinley-Stempel cited Auth0 and Okta as its closest competitors, though Okta bought out Auth0 last year in a $6.5 billion deal. There is also a rash of other rivals, including HYPR, Magic, 1Kosmos, Authentiq and more.
He points to Stytch’s API-first approach as a major differentiator.
“A lot of the complaints that we hear about the incumbents today are that they’re really inflexible, and so it’s hard for engineers to do what they want with them. It’s also very difficult for them to own the UX and the UI and design,” he said.
“And if you’re, you know, a company that’s using a third-party for signup and login, you have to give them a lot of trust to take over that core part of user experience during user onboarding. A lot of companies that have best-in-class design, and frontend engineering teams want to own that experience, which is not something you can really do with the incumbents.”
One of the reasons they’re less flexible is that they built their entire architecture around passwords as a service, he explained.
“If you’re building third party for passwords as a service, it makes sense for you to be inflexible, because you want to make sure that you never allow those developers to touch the password, because then that becomes a risk to other applications. If the developer could store passwords for a user and say that user uses that same password at 10 different sites, that’s actually a security liability, if you’re providing that flexibility.”
The nice thing about passwordless authentication is the ability to deliver a better user experience, but also to provide developers more flexibility, because they’re not dealing with a credential that can be used to exploit other accounts, he said.
Stytch is an armory in the war against passwords from which its customers can select the weapons they need to eliminate passwords. In peacetime, it serves as a creative foundry on top of which customers can create new, seamless authentication experiences. In either case, Stytch makes digital products more secure while increasing conversion and revenue. It built API-first because it knows that its customers know more about their customers than Stytch can, and because it knows that the collective creativity will lead to emergent behaviors it couldn’t predict itself.
Creative Use Cases
The team is often surprised at the ways customers use its tools, McGinley-Stempel said.
“There’s a popular example that we’ve been using where it’s a Shopify for cannabis platform that wants to create a user account for you at checkout. So once you’ve already added your credit card information, they want to enroll you in loyalty rewards.
“If we just gave you a widget that said, ‘Here’s your signup and login widget,’ we probably wouldn’t have imagined people at payment checkout flows were going to want to create user accounts, and then authenticate them when they come back to merchant B, C, D, in the future.
“And so there are a lot of scenarios like that where … we’re going to come up with far fewer creative use cases than you can imagine yourself as an engineer, when you have a problem to solve.”
A year ago January, Stytch announced a $6.25 million seed round, followed by a $30 million Series A in July and a $90 million Series B in November. Its headcount has grown from six a little over a year ago to 37, and it expects to roughly triple that number over the next year, McGinley-Stempel said.
It has brought in engineers and designers from Plaid, Coinbase, Intuit, Zillow, Quizlet, Carta and Stitch Fix.
It’s not the only one raking in investment to fix the password problem. Last June, Boston-based Transmit Security raised a massive $543 million Series A round. San Francisco-based Magic followed a month later with a $27 million Series A.
Insight Partners, which owns The New Stack, invested in Transmit Security, as well as password manager 1Password’s $620 million Series C round, announced last month.