Onfido CEO Mike Tuchen shares his insights on the digital identity space, and the challenges businesses and consumers face. Tuchen discusses the need for a privacy-first approach, the growing demand for reusable digital identities, and the shift towards user control of personal information.
Cameron D'Ambrosi, Senior Principal at Liminal
Mike Tuchen, CEO
Cameron D’Ambrosi [00:00:03] Welcome to the State of Identity. I’m your host, Cameron Ambrosi. Joining me this week is Onfido CEO Mike Tuchen. Mike, welcome to the state of identity.
Mike Tuchen [00:00:12] Thanks for having me.
Cameron D’Ambrosi [00:00:14] So before we dive into, you know, what you’re building in Onfido and this reusable identity and digital identity space in general, which I think is white hot right now, a lot of global initiatives taking shape. And I think an area of intense interest for me personally, as well as our audience, you know, you’ve had, if you don’t mind me saying, rather long and illustrious career at the head of several different tech companies. What’s a little bit about your background and how did you make your way into this digital identity space?
Mike Tuchen [00:00:49] Well, thanks for the kind words. You know, I started out actually as a super techie geek designing computer chips at Sun Microsystems. So if you hear me kind of lapsed back into geek speak, that’s why. But more recently, to your point, I had a chance to be a CEO of Rapid7 and Boston Security Company then. And CEO of Talent is a data integration company out in the Bay Area. And of course, now most recently on video that we think has an opportunity to reshape the utility space.
Cameron D’Ambrosi [00:01:24] Fantastic. Well, you know, I would presume to some degree that our audience is somewhat familiar with Onfido, we’ve actually had the pleasure of having multiple folks from Onfido join us over the years. But on the off chance that they are not familiar with the platform, what’s a quick 15,000 foot overview of what Onfido does?
Mike Tuchen [00:01:47] The problem that we solve is helping companies connect with their customers digitally. And so many customers start out with physical relationships and they need to move them to digital. We can, of course, help them with that. And more recent digital native companies want to sign up a whole bunch of customers purely digitally. And so that’s what we help them do, where you need to confirm who you’re dealing with, not just dog lover at AOL dot com, but you know, you’re actually my toucan and here’s a confirmation that you’re a real human being and you’re actually physically present right now. We solve that problem with a complete end to end onboarding platform. And we think that gives our customers a really exciting, you know, springboard into the future of where digital identity is going.
Cameron D’Ambrosi [00:02:39] So, what are the market forces driving this opportunity in digital identity? I certainly have my own perspective that I have been shaping over the years I’ve been in this industry, but would love to hear your perspective on, you know, is it regulatory forces? Is it trust in safety? Is it something else that you see pushing more of your customers and potential customers into thinking about, you know, how they need to really understand who is behind these transactions and these accounts?
Mike Tuchen [00:03:11] You know, we’re seeing different forces in different areas. So, you know, some customers, certainly to your point in financial services, are driven by regulatory requirements. They have the know your customer KYC requirements. So therefore, they have to do something like what we do in order to prove that their customers are really. Other companies that don’t have those requirements wanting to manage risk. And they see this as the best way. Like, for example, a ridesharing company wants to make sure that these are real drivers and or that the a hotel company wants to make sure that this is actually a real person before they check into a room. And so for all of these companies that don’t have a regulatory requirement, their primary driver is managing risk. And across all of these companies want to onboard more customers and do it more efficiently and cheaper. So those are kind of the four major drivers that we’re seeing. But as I said, different drivers end up popping and being more prevalent based on who the customers and what’s important for them.
Cameron D’Ambrosi [00:04:25] So I think it’s safe to say that we are in the midst of a really interesting inflection point in the digital identity space, which is, you know, we’re beginning to transition into this realm of reusable digital identities finally. It’s a path that I think many of us in the industry have had our eyes on for a long time. And it’s been happening in fits and starts to some degree with limited progress. But it seems like globally, with initiatives coming out of the EU, with initiatives here in the U.S., that both kind of regulators, relying parties and consumers are finally coming to terms with how we might put digital identities that are reusable in the hands of people and begin building these ecosystems that are going to take some of the friction, pain and potentially, you know, excess cost out of the system. But the go to market, I think, has been the single biggest challenge we have seen folks face when it comes to getting these reusable identities in market. And I think we have seen, you know, platforms succeed. Some platforms maybe struggle a little bit. From your perspective, what are those keys to success when it comes to going to market with reusable digital identities?
Mike Tuchen [00:05:48] Well, first thing I want to do is just double down on, you know, some of what you talked about there. I’ll talk about go to market a second. But to me, the current state of digital IDs or of ID broadly online is completely broken. Right. Where you literally have to fish a piece of plastic out of your wallet or your passport, even worse and, you know, confirm who you are using that. And if you step back for a moment and say, what’s wrong with the picture? Well, thing number one that’s wrong is it’s awkward. It takes a lot of times, a lot of extra steps. You’ve got to worry about things like lighting, noise, etc. But the number two is you’re needing to do it over and over and over and over again for every account that you want to sign up for. And thing number three is it’s not nearly as it costs more and is higher risk than it should be. And so it’s it’s awkward for customers. It’s awkward for businesses that are using it. And so with the hope and promise of digital IDs is it just makes that dramatically easier, right? You can sign up for a digital ID once and then every other time someone wants to ask who you are, it’s just a couple of clicks out of your wallet that’s dramatically simpler, dramatically easier, dramatically, faster, cheaper, more secure. It’s a win win win in all different directions. So with that in mind, when you ask the question of how can you take it to market successfully? Companies like FIDO are uniquely well positioned because our customers are already asking us to identify people hundreds of thousands and millions of times a day. And so for us, being able to ask the question of. Would you like to store this to save time later. To the end user and then allow them to solve to take every further request and serve it out in the wallet. Dramatically simpler, faster. You get all of those benefits. So we’re uniquely positioned in the ecosystem where it fits directly into what we’re already doing. And then, of course, you can start solving secondary problems. If you step back and ask for a moment. You know, some companies need to verify not identity, but age. I don’t care who you are, I don’t care that you’re camera. I just to make sure that you’re over 18 or over 21 or whatever it is for that customer segment. Showing your I.D. your full I.D. for that is a whole lot of information, a whole lot of private information. And it’s something that end users oftentimes wouldn’t be comfortable sharing. And it’s something that companies oftentimes, certainly in light of increasing privacy regulations, don’t want to have access to and don’t want to have to store. And so I think that’s one of the solving that privacy dilemma and that information leakage, if you will, I think is one of the massive opportunities and benefits of these reusable I.D. schemes if done well.
Cameron D’Ambrosi [00:09:20] So, you know, I think that and to follow up on on all your points, I think you’re 200% right. I think consumers understand inherently that there are massive privacy advantages to getting reusable identity. Right. We’re only seeing more and more regulations come into effect around things like age restrictions, age verifications, what’s coming out of Utah, what they’ve already passed in Colorado, California, what they are set to pass in France. And I think from our perspective, we expect to see more and more markets coming online, whether that’s restrictions around adult content, restrictions on social media, restrictions on marketing or advertising to minors and or collecting their data. But, you know, you can’t it is not protecting a minor if in exchange for saying we’re not going to collect your data, you require that minor to surrender a whole bunch of data or even an adult to surrender a whole bunch of data. So I think consumers are fundamentally on board. Getting relying parties on board, I think has been one of those main challenges. And pivoting back to that question around go to market, do you think relying parties are ready to finally shake loose, having a mishmash of point solutions and are ready to embrace reusable digital identities at scale?
Mike Tuchen [00:10:45] For sure. The answer is we can say definitively the answer to that is yes. Here’s where some of the friction remains, though. Some of the regular regulations that some of our customers are subject to requires them to store information for a period of time. And so they would love not to do that. And so the question is, can they and they’re trying to work with their own internal compliance and in some case with the regulatory body to see if they could actually have the user’s private information stored and retained by the user and have them only confirm that it exists and really dramatically limit the scope and sensitivity of the data that they store on their website. And so enthusiastically, companies want to get out of that business. It’s it’s a really, really tricky business for them to manage. And so, assuming we can help them find that path through it, I think there’s a ton of excitement around that. And the you know, if you think about if you step back for a moment and say moving out of the sort of current state of the of play in the regulations and people’s internal compliance and say, what’s the trend line? Right. Where do we think this is going over the next few years? And, you know, you just went through a whole bunch of states in the US that are doing individual things. And now you step back and multiply that by all the different countries worldwide that are doing different things. The one observation that I would make is that every single one of those in every state and in every country is going in one direction, which is towards more and more user control of privacy. So in one direction, no one’s known backtracking on that. And once you step back and look at that, then it’s clear with anyone that’s, you know, thinking strategically about the market, whether it’s us or any of our customers getting in front of that trend and looking for a way to be compliant in every jurisdiction around the world, not just today, but tomorrow as well, means you have to start by focusing on. A privacy first approach with end users controlling their own information. If you start with that and stay true to that, then you’ll be compliant everywhere and you’ll be compliant not just today, but also tomorrow. And that’s a really comforting and exciting approach for our customers. And what you’ll see in the in the in the market right now is a minority of of companies have chosen that approach and those will be the ultimate winners. And other companies are still trying to maintain some sort of centralized model. And you know all the you know what I say, heavy lift and, you know, privacy leakage that comes with that. And I don’t think they’ll succeed very, very clearly.
Cameron D’Ambrosi [00:14:01] So to drill down on, I guess, what we think this future landscape is going to look like. I think intuitively speaking, we can all agree and I would echo all the comments you made around the shifting regulatory tide. You know, that tide is only coming up. Privacy is top of mind for regulators in every market. And I think, you know, pursuant to our previous comments, consumers even absent regulatory push are seeking to do business with platforms, browse the Web, whatever activities they’re conducting, they want to do so in a privacy preserving way. And, you know, as digital natives continue to account for a greater portion of economic activity as older generations, you know, not to be too mixed up about it, but shuffle off this mortal coil. I think you’re only going to see the consumer demand for these types of privacy. First, reusable identity solutions grow. But that still leaves, you know, the fundamental business model to be settled, which is, you know, we’ve been operating in a world where it’s every man for himself, every platform for themselves. They’re paying usually, you know, a per check basis to bring identities into their ecosystem. And that happens. You know, separately for your bank and for the social media platform you’re using for the credit card company you use for the ride sharing platform you use. What do you think this business model is going to look like, where you are going to start to see reusable identities in the hands of consumers? And, you know, how will that liability question be solved for relying parties that did not create a reusable identity? And you know, who who’s going to get paid and how, in your opinion?
Mike Tuchen [00:15:50] Yeah, that’s a great question. I think the simplest answer for that is what exist today. And, you know, can we use that as a model? If you look at where the in the classic quote, the future art exists today is just a little unevenly distributed. And so, you know, there’s digital ideas exist in kind of two states in two forms, let’s say. One form is digital ideas issued by countries. There’s some countries that have done a great job of issuing digital ideas that have almost universally universal usage. Estonia is a perfect example of that. In India, the Aadhaar, although the most common form factor, is a QR code on a printed piece of paper. It is still a fairly digital I.D. stored in the Digilocker. And so those exist in a couple of different places. The probably most successful and probably clearly the most successful existing analog for a privately owned digital ID is bank ID in the Nordics. Bank I.D. has universal usage across a broad swath of the economy. And, you know, their model is also a paper transaction of a different price. But it’s exactly that they, and they have a lot more different types of transactions that they do. So I think there’s a very clear, very successful use case at very high scale of a paper per transaction model still being the route forward. Now, now clearly, if you’re using it as many times you look at the use of stats for bank I.D., you know, no one’s going to pay the current rates of the I.D. verification market. They’re, you know, an order of magnitude different. That I think we have to accept because, you know, done well, the transaction volume should also go up by order of magnitude. So that’s be the game that we’re all shooting for.
Cameron D’Ambrosi [00:18:03] I love it. And on that liability front, you know, do you see there being a model that enables some liability shift or, you know, how do we how do we see squaring that circle? I think for regulated industries like financial services? You know, we’ve in the U.K., at least, I think, seen some promising signs that regulators are going to adapt the existing frameworks that really could not account for the notion of a reusable identity. But obviously here in the U.S., as it stands right now, you know, if I bank A, Bank B passes me reusable identity. If something happens where it turns out that person was like a sanctioned individual, you can’t point to, hey, my vendor or my partner proof this person. And that did not shake out. Okay. You know, do you see regulators coming around or do you think private industry is going to come up with a liability shift model that helps sand some of the rough edges off those concerns?
Mike Tuchen [00:19:04] Yeah, I think that has to be or at least solved by the industry, not by a regulatory approach. From my perspective, we already have a model in place for today’s ID market. For every customer arrangement we have, we agree on, you know, what the liability, who holds the liability, what the caps and how they think about it. And I think that model translates pretty cleanly. Another you know, and having a model that says just because the first person that sponsored an ID verification, do you think about that someone paid for the first conversion of a physical dot to a digital one and then everyone else is reusing that in some way just because of the first, let’s say, bank in that chain happened to be the first one, doesn’t mean that they hold some unique responsibility. That would be a completely crazy model for which not a single customer signed up. I think a better conceptual framework for that is to think about how the credit card business works. And so you have relying parties that are, you know, using the credit cards you have issuing banks and you have the card brand themselves and they have a clear framework of, you know, where the liabilities are and what the limits are. And I think you have to look to a model, an analog like that. So I think we have to existing at scale analogs that work are proven to work, but I don’t think we need to spend a lot of time trying to create a new one. But I think your example of should, you know, liability flow between relying parties, no, that be absolutely crazy and no one would ever sign up to that. So I, I wouldn’t say I would suggest the industry move in that direction.
Cameron D’Ambrosi [00:21:03] All right. Well, shifting gears slightly, you know, government I.D. initiatives, state level initiative, ID initiatives, I think have been making some waves in 2023. Obviously, you’ve had the European Commission continue to refine their approach for this use, you know, EU Digital identity wallet. And you’ve seen a number of U.S. states begin to launch digital credentials. Maybe we’ll take the U.S. first. You know, from our perspective, we see and for the foreseeable future, I think we’ll continue to see a pretty fragmented landscape where you’re going to have, you know, the Apples and the Googles trying to come in over the top with their wallet solutions. And then on a state by state level, a mishmash of private state wallets, big tech compatible IDs, and then other kind of one off initiatives led by maybe, you know, funky state legislatures that are trying to, you know, kick contracts to some in-house smaller players. What role do you see? You know, platforms like UNFI playing in easing some of these fragmentation challenges in the U.S. market in particular?
Mike Tuchen [00:22:15] Yeah, You’ve just described the you know, one of the core challenges that our customers have today, and I think we play the same role tomorrow as well, which is mess management. Right? You know, companies with a global footprint want to acquire customers globally right now. And, you know, it turns out there’s 6000 different physical IDs, roughly order of magnitude that they have to deal with if they really want to have global support. And, of course, no one can do that, which is why companies like us exist. And so, you know, we’ll see outside of Europe and we’ll see exactly how homogenous Europe ends up getting into, but we’ll see a similar fragmentation develop. And so now you have not just the universe of roughly 6000 physical blocks, but now add on a universe of. Thousands of digital docs as well, of all different flavors and or digital ideas, let’s say. And, you know. Hope folks like us will play the exact same role that we’re playing today in the digital world. So same problem, different technology, and some of the more forward leaning like us. We’ll also create a reusable set of confirmed ideas that, you know, end up becoming more and more high conviction and more and more lower and lower risk as we have more and more relying parties using them successfully. And so that’s a it’s a critical role that we can play in the ecosystem, just given that crazy fragmentation. And, you know, I think what we’re seeing right now is. You know, the European Union doing what it does best, which is trying to create standards top down and try to, you know, sort of cram on the market. They’ve stopped it. So a couple of times I think the current one is running a little bit late, but actually has pretty good odds of success. We’re also seeing private standards emerge like W3C, the PSI standard. And I think we’re now getting to the point where we have enough standardization that we can start getting interoperability, which is, I think, a critical step forward for the industry as well. But I you know, as you pointed out, it’ll be there’ll be a lot of fragmentation and there’ll be, you know, I think winners and losers. I think amongst that set that you mentioned, some are more likely to succeed than others. And, you know, it’ll be a really exciting market, we believe, over the next 5 to 10 years as this all plays out.
Cameron D’Ambrosi [00:24:59] Well, I certainly agree with you in that regard. Obviously, I’m I’m fond of calling myself a digital identity. HAMMER So to some degree, everything does look like a nail. But I think even a true outsider will be hard pressed to not get excited about these latest market rumblings, if you will, in the reusable identity space. So I will attempt to elegantly segway that to our closing question here, which is, you know, where does digital identity go from here? I always love to get my guests perspective, you know, fire up their crystal ball and make some predictions for the next couple years down the road. Do you think we will see major breakthroughs in adoption in the next couple of years or is it going to be a bit of a long slog and, you know, any other direction in which you want to take some of these prognostications? We’d love to hear your $0.02.
Mike Tuchen [00:25:48] So one prognostication I’ll make very simply is we expect the travel vertical to be a really exciting driver of change. And you’re seeing that in a couple of ways. You know, you saw the TSA approve or the TSA approved third parties like Airside to be able to do a mobile check in. Apple is trying to do something with RFID and they’ll hopefully get that approved sometime soon as well. But what’s exciting about travel is it’s it’s a very high security requirement. And you have both the online digital identity work that you do up front, but you also then have it confirmed by a human being as well in a, you know, really important high stakes use case. And it’s one that people do over and over and over again. So the need for streamlining that process goes way the heck up. And so that we see is a really exciting high volume entry point. And as a result of that, we’re excited, too, that we just recently announced the acquisition of Airside. And so that brings us into that world as an entry point to start to bootstrap this network of high confidence confirmed identities that can then be reused for other purposes over time. So I think, number one, you’ll see these kind of entry point use cases that will, you know, you’ll start seeing networks emerge and start to scale aggressively. And as I said, travel is a real obvious one. I think there will be others as well. I think you’ll see each device manufacturer making their own plays. Apple obviously has the Apple wallet. They’re now extending that into this travel use case as well. I think you’ll see Google not far behind Samsung’s. We’ll be having a play as well. So I think those players will be clearly will be at the table. And then I think there are a whole bunch of other ecosystem players that have the opportunity to either partner with folks like us or some of the other people I just mentioned or go with themselves that have a real high volume use cases with direct user interaction and, you know, an opportunity to build a network. And so I think that’s going to be a you’ll see that dynamic starting right now this year and you’ll see it playing out. I think, you know, within the next five years, you will already see who the winners and losers are. I think the race gets won or lost probably in the next three. So I think this will be a very dynamic space in the next several years.
Cameron D’Ambrosi [00:28:46] Well, congratulations on the close of of that acquisition. Obviously, we’ve been following that very closely and are big fans of the team over at Airside. So really exciting news there and you know strong cosign on on all of those predictions you laid down. I think you know this next three years is going to be crucial. And to your point around, you know, all of these hardware manufacturers and kind of consumer facing players looking to throw their hat in the ring, you know, to that earlier point you made around mess management, I think in some ways that’s only going to strengthen the market opportunity for the platforms that are going to be able to knit all of this together on behalf of those groups because, you know, it’s not going to get any easier. In fact, it’s going to get much more complicated in the short term. And, you know, an element that we didn’t touch on here because I suppose it is a little bit rearward looking, but, you know, physical identities and the need for physical document based identity verification is not going to go away anytime soon. You know, we’ve seen from a regulatory perspective, both the U.S. and EU codify that you are going to have a right as a consumer to opt out of digital identity completely if you do not wish to participate within these ecosystems. And I think you’re going to see a non-zero percentage of folks making that decision. So, you know, will there be for.
Mike Tuchen [00:30:08] Sure you have, you know, just the classic in technology adoption curve and with older segments of the population, you know, they have something works and you know, why change it? And so I think you’ll see these two coexist for many years to come. But I think the the the ratio will change it. All right. Now, the world is nearly 100% physical documents where people fish something out of their physical wallet, in their pants. And, five years from now, that won’t be the case. And ten years from now, it’ll be even further down the line. So I think that, you know, it will be a fairly rapid shift over the next five years and then a long, slow tail that might never go down to zero, but is clearly, you know, trending in that direction.
Cameron D’Ambrosi [00:30:55] Yeah, agreed, Agreed. But again, you know, from a ruling party perspective, you won’t be able to afford to write those folks off who want to use a physical document. It’s one thing if you’re, I don’t know, a fast fashion brand that’s only targeting millennial iPhone users. But, you know, if you’re any sort of bank or anyone with a remit to serve a wide swath of the population, you’re going to need to account for these edge cases for many years to come. And I think those who don’t think about that element are doing themselves a disservice. So to bring us to a close opportunity for what I like to call shameless plug, Mike, where should folks go if they’re excited about, you know, jumping into this reusable identity pool or maybe thinking about the mess that they have yet to manage as a relying party successfully, what’s the best place for them to learn more about on Fito or to reach out to you and your team?
Mike Tuchen [00:31:50] Yeah. If you’re excited about the concept of this digital identity future and want to work with a company with a clear roadmap and an offering that is in-market in the very near future, then please come to Onfido and click Contact us. We’d love to work with you
Cameron D’Ambrosi [00:32:16] Fantastic. Mike, thank you so much for your time. I greatly appreciate it. Enjoy your weekend coming up here and we will talk to you again soon.
Mike Tuchen [00:32:25] Thank you.
In the latest State of Identity podcast, hosted by Cameron D’Ambrosi, we’re joined by Laura Spiekerman, co-founder and president of Alloy, a global identity risk solution for financial services and a Liminal 2023 Company to Watch. We’ll discuss its pioneering role in the orchestration-centric approach to Digital Identity in Fintech. Spiekerman delves into the challenges Alloy addresses in the fintech space, where compliance and fraud often hinder innovation. Join us to explore the evolving landscape of digital identity in Fintech, trends in fraud prevention, and the critical intersection of customer experience and security.
In the latest episode of the State of Identity podcast series, we delve into the ever-evolving world of customer identity and access management (CIAM). Join host Cameron D’Ambrosi from Liminal as he sits down with Brian Pontarelli, the founder and CEO of FusionAuth, to explore the exciting developments and challenges in the realm of passwordless authentication, user data management, and the quest for seamless transitions in the digital landscape. Bryan shares his expertise and unique perspective, shedding light on the fascinating journey of FusionAuth and its pivotal role in this dynamic landscape. Tune in for a thought-provoking discussion that promises to expand your understanding of CIAM and its critical role in the modern enterprise.
Tune in to the latest episode of the State of Identity podcast series, where Data Security expert Shane Curran, Founder and CEO of Evervault, dives deep with host Cameron D’Ambrosi into the intricacies of data security. Discover why basic encryption methods aren’t enough, understand innovative data security strategies that ensure functionality, learn how encryption safeguards AI model training without compromising customer data, and grasp the significance of prioritizing current cybersecurity threats over quantum computing concerns.
In the latest episode of the State of Identity podcast, host Cameron D’Ambrosi is joined by Gadalia Montoya Weinberg O’Bryan, an ex-NSA crypto mathematician and the Founder and CEO of Dapple Security. Learn about Gadalia’s remarkable journey from the National Security Agency to the forefront of identity-focused cybersecurity. Learn about the limitations of current passwordless approaches, particularly in scenarios involving lost or stolen devices, and delve into the crucial distinction between authenticating the user behind the device rather than the device itself. Gadalia introduces Dapple Security’s unique solution, which involves generating an on-demand passkey using a user’s fingerprint—emphasizing the company’s commitment to user privacy by avoiding the storage of biometrics on the device or in the cloud—and how this approach is a key element in enhancing overall security posture.
In this episode of the State of Identity podcast, host Cameron D’Ambrosi talks with Eric Olden, the co-founder and CEO of Strata Identity. Join us as they discuss the challenges faced by today’s multi-vendor/multi-cloud enterprise technology landscape and how forward-looking executives view identity as an opportunity, not a cost center. They also delve into the importance of moving towards passwordless authentication and the role of identity orchestration in addressing these challenges.
In this episode of the State of Identity podcast, Liminal host Cameron D’Ambrosi and Justin McCarthy, the co-founder and CTO of StrongDM explore the dynamic landscape of digital identity and access management, addressing the challenges and trends that shape the industry. They talk about what it means to move towards a “credential-less” world and discuss the complexities of authentication, authorization, and the role of proxies in bridging old and new technologies. McCarthy highlights the imperative for convergence among various tools, including the essential role of AI, providing a unified approach to access control, governance, and policy enforcement.