How do you define frictionless identity verification? On this week’s State of Identity podcast, we are joined by Footprint’s founders, Eli Wachs, CEO, and Alex Grinman, CTO, for a discussion on leveraging AWS Nitro Enclaves to provide a secure computing environment with best-in-class encryption and access control.
Cameron D’Ambrosi, Managing Director at Liminal
Eli Wachs, Co-Founder and CEO at One Footprint
Alex Grinman, Co-Founder and CTO at One Footprint
Cameron D’Ambrosi [00:00:05] Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Got a great episode for you. Please welcome Eli Wachs, co-founder and CEO, and Alex Grinman, co-founder and CTO of One Footprint. Welcome, State of Identity, everyone.
Eli Wachs [00:00:20] Hey, Cameron, thanks so much for having us. Great to.
Alex Grinman [00:00:23] Be here.
Cameron D’Ambrosi [00:00:24] Yeah, it’s my pleasure. Really, really excited. You have kind of a mission statement for Footprint that you’re bringing trust back to the Internet. I think one much needed, but too, I think a really elegant way of kind of phrasing the problem statement that we are facing collectively, you know, both as a society but also as a digital identity industry. So really excited to unpack that with you, I guess is a fairly inelegant segue from a 15,000 foot level. Like how would you describe what you have built at Footprint beyond obviously that mission statement of bringing trust back to the Internet?
Eli Wachs [00:01:09] Yeah, it’s a great question. At the highest level, Footprint for consumers is the last identity form they fill out. We really think about Footprint over time is kind of like an Apple wallet for forms. Once you fill something up, we don’t want you to have to do it again. For companies, Footprint is five lines of code that handles both your onboarding, such as your account creation and your KYC, and it also offloads the cost and risk of securely storing data. So things like encryption, vaulting, access control, etc., Footprint’s able to take care of for companies.
Cameron D’Ambrosi [00:01:45] Amazing. And so at a more granular level, I suppose, I think we have folks tackling digital identity from all different facets and pieces of what we at Liminal, you know, refer to as the digital identity lifecycle, you know, starting with the creation of an identity, then moving into how those attributes are verified, how you authenticate yourself once you return back into an ecosystem, the kind of permissions or authorization you have within that system. And then finally, the federation of those various facets of your identity, you know that you have verified those underlying authorizations, all of that good stuff out to a new relying party, a new ecosystem, if you will. It sounds like you guys are taking a stab at kind of bringing several of these different areas of the lifecycle into your purview. Where are you focused in? I guess, you know, on a more exciting level to me, you know, how did you decide on where you want to kind of make an impact on this landscape where you set your sights and how did you come to that conclusion?
Eli Wachs [00:02:57] We really consider ourselves a security company, and we say that because we think a lot of KYC companies are really kind of doing incremental things. And as a result, they often come out with some pretty large claims about kind of very flashy, like selfie scans or cutting edge artificial intelligence to get more accurate identity verification. We think that you can throw as many people as you want at those things, but there’s actually not much to do to improve on the actress side from where people are currently at with those methods. We often think that what you can do is you can charge more by throwing a lot of edge cases at customers, but we don’t think that’s really the best thing to be aligned with what people actually need. We think that if you’re just trying to that you’re just trying to solve a small sliver of the problem because at the end of the day, once somebody creates an account, it shouldn’t. And you’re one monitoring of their identity. But as a company, your journey with them is just getting started because then you’re given this batch of PII things like Social Security numbers, a date of birth address that you have to figure out how to store. And not only is that storage not fun, but it’s pretty expensive and it’s pretty risky. I’ll let Alex jump in in a minute with how that’s currently done and how we do it. But our belief is that by solving the core security problem, which is every company has to source information. And we kind of took a step back and we said, well, it’s the same information that everybody’s accessing. So what if we can build the controls that we can kind of securely make it portable, but we can offload this we sell by solving that will make it so convenient for companies that we’ll be able to solve the friction aspect. 
Because once you sign up for a company once using footprint going forward, creating accounts is easy as one click and we do face ID on you by solving the friction, we think that’s how you solve accuracy. We think you solve accuracy by actually being the source of truth. It continuously. It’s getting these attestations of identity and linking the accounts. You know, people really talk about some of the best identity tools or things like how old is your email? And you know, how old is your. How long have you had a phone number for? It’s often times not the sexiest things if you don’t really talk about it because they’re trying to sell very, very fancy solutions for us. We’re trying to solve very accurate solution. But our limits really on security and I’m happy to, Alex, kind of jump in and talk about kind of this state of how storage and records maintenance happens today and how we’ve totally flipped that paradigm with footprint.
Alex Grinman [00:05:20] Yeah, absolutely. So, you know, companies collect a lot of data, especially if they’re doing KYC themselves and doing that identity verification. And there’s sort of three kind of buckets that companies fall into. And unfortunately, the first one is that they just don’t use encryption at all. And it sounds crazy in 2022, but it’s just the state of the reality. And this encryption is hard. It’s not clear how you have to do. It doesn’t come as part of a regular computer science education or software engineers don’t know this super well. And so a lot of software has been developed to try to fix this. And so the next kind of bucket is what we call encryption at rest. And this is kind of the baseline encryption that you would expect could defend against some hacker, not even a hacker, but some adversary running into a data center, yanking out a hard drive from a rack of computers and then running away with it. That’s what encryption at rest actually prevents sometimes. We like to say it’s like keys under a doormat. It’s like, imagine you’re walking into a house, right? And your job is to lock that house. That’s what the compliance checkboxes ask you to do is to make sure you’re using encryption. They don’t tell you how. And so the easiest thing is, you know, you put a lock in the front door of your house, but you still have to manage this key. And where do you keep this key? And so the easiest thing is just to put it under the doormat. And so that you’ve checked the box, the house is locked. But of course, anyone that breaks in, if they just look under the doormat, they’re going to get in. Everybody who works around the house, works in the house, knows that the key is there. And that’s sort of analogy to kind of the insiders of an organization, right? The engineers, the IT staff, customer support.
They all essentially have access to all of this data because it’s not really preventing internal kind of access control. And so then the third bucket is what we’re doing and what very few companies are building kind of in the advanced vaulting infrastructure encryption infrastructure space, which is separating the keys in a completely different location and building very kind of secure, tested, isolated compute environments that process. So we’re using a technology called Nitro Enclaves, very recent, runs on AWS, but we get this hardware level attestation that it’s running our signed code and this VM that’s isolated inside of the enclave is network gapped, it’s CPU gapped, it’s memory gapped. Even if we connect to this box where it’s running, we can inspect what it’s doing. And the analogy that is different than the kind of encryption at rest is that we’re using public key cryptography, asymmetric cryptography. So as soon as data enters our system, it’s encrypted to a public key. The corresponding private key is bound to one of these enclaves. And the only way to get into this enclave is to send it encrypted data for it to decrypt and process inside of its secure environment. And so you have this very clear entry way, exit way that’s over the secure connection to the enclave. And the nice thing is because there’s this very clear defined path, we actually can do very fine-grained audit, our audit logs of exactly what is being decrypted, who is requesting it, but more importantly, access control checks to make sure that whoever is requesting a specific data attribute to be decrypted actually knows, actually has access to that data. And that’s something that most systems do not support today. And that’s one of the main value props of using our kind of secure infrastructure love.
Cameron D’Ambrosi [00:08:51] I mean, I think that’s very cognizant of the fact that as we now know, you know, insider threats may be more pernicious than than outsider threats these days when it comes to concerns around PII platforms, storing PII and. Right. You know, balancing this this fundamental seesaw, if you will, that I think most, you know, CISOs and and enterprise risk folks are thinking about, which is what how much data can I store? What do I need to store? Right. And they’re dueling mandates often, you know, I mean, if you if you look up some of the guidance around like for banks, like what do they need to store? Like the mobile act tells them, well, you can collect someone’s driver’s license scan, but then you need to get rid of it. But then a lot of banks feel under the Bank Secrecy Act that they do need to keep that scan to show that they, you know, met their regulatory required KYC and CIP requirements. So. Figuring out how you can be allowing folks to to tick that box. But at the same time, not create these kind of external risks as well as the insider threat risks, I think, is really, really critical not to to pull us too much away from the technology. But I think, you know, where I find the different facets of how folks are tackling this problem to be perhaps most interesting is go to market strategy and and how folks are bringing their you know, better mousetrap, as it were, to market and breaking through some of that inertia that’s in place now. You know, to some degree at this this first mover problem of a lot of these enterprises are kind of not sure where to start. They see so many different potential path forward with regard to digital identity, different competitors, different standards, different, you know, in many ways fundamental approaches in there. They’re trying to figure out like how to make heads from tails, how is this competitive landscape going to shake out? And and where should I go? 
You know, how are you helping your customers kind of quantify these challenges and and wrap their heads around, like, you know, how do I pick someone to help me solve these challenges? And and how are you differentiating yourself from some of the other, you know, players out there in the space who are maybe taking a different technical approach, but but trying to solve that same fundamental pain point that folks have around identity currently.
Eli Wachs [00:11:12] Yeah, it’s interesting that when you look at this space or you read a website, a lot of companies really look the same. And we actually think we’re quite philosophically different from a lot of other companies out there. And we often think that it translates. We both sell things and we also are pretty transparent about what we’re not selling. I’m glad you brought up these different requirements. What’s interesting, you said driver’s licenses, for example, a lot of excitement in the minute about kind of technical and accuracy things around them. But, you know, if you’re a fintech or maybe you’re a gig marketplace, you maybe aren’t running a full KYC, what you’re really looking for is identity verification, and that may mean you don’t need a driver’s license. That said, every company in our space is going to sell your driver’s license because they make an extra dollar or the only one that actually won’t recommend it. Because we’ll say we actually think it’s not going to add accuracy. Not much. Not nearly as much as our face I.D. and it’s a waste of your money. So we’ll do things like that. Well, we’ll tell companies that, you know, we’re actually not going to kind of do this crazy lot of science that we spoke about earlier about AI. And what we really do is we lead with security. We say, look, everybody is making huge claims about accuracy and preventing bad actors from day one. What we know we can do is we know we’re going to give you probably an incrementally more accurate solution because of face ID, probably easier developer experience where five lines of code, we promise anybody listening. If we can integrate in an afternoon, we’ll give you a thousand verifications for free. We’re quite confident how easy it is to integrate, and part of that is because for us, KYC is not a choose your own adventure. 
Like, we definitely missed the memo on when this was supposed to be a fun multi week activity to integrate and do all of these custom flows without customization to a degree. But you know, we don’t think this should be like this isn’t a video game. Like we don’t think that that you should be you should have a lot of choices. We know what KYC should be done. We tried to be very intellectually honest about what levers you need, but we do all of that to package it in that our belief is that, you know, slightly more accurate is it over experience? But we’re also going to solve this really expensive problem. We’re actually working on a pricing calculator on our website, tough to quantify to companies how much they’re spending on the security. Here. We hear people who use vaulting tools can be six figures a year, really just like vault assassins. Then there’s also encryption. On top of that, there’s access, control. It’s all of these things on top of that. So what we say is we instead essentially charge end credits and it’s pretty transparent and it’s essentially a unit credit or so a year for kind of storage, which it’s our security product, it’s storage, encryption, vaulting, access management. Then we charge for the normal KYC and we charge about twice that for one click. And really that’s because one click, you know, people, we are on a low end. 50% of people will drop off due to a form we often hear higher. So people are often willing to pay more for that. What’s cool is that when we think about generating our network, in fact what we said to customers that for anybody who goes through a normal KYC with you, which isn’t bad, that’s a better experience like you can get today. But for us, it’s not because we think average everything should be frictionless, will essentially give you a credit back each time 21 clicks in the future, which means you will get the money back that you spent. 
So it’s nice for early users that not only are they getting the security and saving a lot of that, not only are they getting KYC from us, which is more accurate because it actually uses face ID, but they really take ownership in the network. In fact, they. KYC is really expensive companies and millions of dollars a year on it. And it’s nice to be able to not just get you know, we think there is we think there’s a reason why we’ll give you a free thousand verification. We can integrate because that’s on us. But there’s a reason, unlike other companies, we don’t just start off and give you 5000 of verification. We think there’s a real value signal actually charging for a product, but we’re willing to do things to incentivize a network effect. And also, I know it may be kind of controversial to come on a podcast like this and kind of say like maybe driver’s licenses should be scanned for everything. So we’ll let Alex jump in there and kind of speak about why our face is so good and why, frankly, the driver’s license that people are being sold in may be good for not telling. You may need it, but why? Maybe you shouldn’t be paying for it.
Alex Grinman [00:15:30] Yeah, there’s it’s an interesting problem and something I’m sure everyone listening to this has done probably many times, which is you’re signing up for a product. They ask you to scan your license, the front of the back of it, and then they ask you to take a selfie of yourself and sometimes move your head left or right. And what what kind of what we’re being sold in this is that, you know, they’re saying, okay, we need to verify your document. Kind of like when you go to the post office and they check your driver’s license. That’s step one. Step two is we need to make sure that the data that’s actually on the license matches what you’ve inputted onto the site or onto the product you’re signing up. And step three is this selfie check, which is actually doing two things kind of under the hood. One thing is they claim that they’re matching your face to your documents. Kind of get back to that in a second. And the second thing is they’re asking, you know, they’re detecting that you’re a real person, right? That you’re moving your head. It’s it’s not a just a still like photo frame that somebody is putting up. And and this is kind of there’s kind of a couple of problems here. The first is, you know, scanning the document that makes sense. I mean, it’s a fairly easy thing to do. It’s fairly commoditized, optical character recognition, to pull the information off the card. You can do it that way. You can also just scan a barcode in the back. That’s really easy. But the really invasive part of this process is getting the user to enable their camera to show their face. And this is all just a sign up to a bill to use like a stock trading app or any kind of financial product or a gig economy app. And so that that’s kind of where this falls apart. And the issue is that when this actual, you know, AI and machine learning that’s used to match your face, the driver’s license is very poor. 
I mean, people, you know, they wear hats, they have different glasses. They’re wearing headphones. Their driver’s license is many years old. They, you know, they get older, right? So these checks don’t really work. And so what they’re really getting out of this is the liveness. And so what our approach is, we’re utilizing some of the newest technology to actually get liveness in a way that’s not invasive, that doesn’t sort of breach this privacy threshold of asking you to turn on your camera and show your face. And we’re using Face ID to get this attestation from Apple or from Google, the equivalent biometrics on an Android device to really know that you’re using a non-jailbroken, non-tampered-with real device from one of these manufacturers that it’s running our signed code and this actually gives us that same liveness check that we actually get this attestation is cryptographic proof that somebody in somebody real was authenticating to that their device and triggered those biometric sensors to work without actually asking you to scan your face. And so we’re happy to kind of provide services along the lines of scanning driver’s license. That’s fairly simple to do. We’re even happy to do the selfie check if that’s something that is required. But what we do is we replace that with Face ID to actually make that a much more frictionless process for end users, much more privacy preserving and actually better results. Because we’re not pretending that, you know, that we’re matching your face to a document, which is kind of what happens when you’re asking someone to show their face and present a license.
Cameron D’Ambrosi [00:18:47] And, you know, I think the other part that’s left unsaid there, I think you you know, Eli, to some degree alluded to this was specifically the notion that, you know, bringing a driver’s license in will get you better results as a platform when, you know, we know 100% of fraudsters who are trying to perpetrate this type of theft like can usually access fraudulent documents. I mean, you can go there’s a few extremely sophisticated sites that I keep tabs on that for, call it 2 to €3. They will actually generate you all sorts of different angles and synthetic photos of an actual driver’s license template or passport template, as well as views as if it’s laying on a table and, you know, can be used directly for injection style attacks into these sorts of darkly flows and automated to the degree these guys have an API you can. I mean, it’s kind of incredible stuff. It’s like literally a fraud API. And what’s so pernicious about that in particular is the sense of scale that that can bring to these types of attacks. Right. And if you build your flows around these types of things and don’t have robust enough defenses, and once these guys figure out, you know what, my automated document I generated from one of these sites can get through, they spin up the API and they’re going to start pushing tens, thousands, hundreds of identities through your platform on a rapid basis. And, you know, one or two folks getting through. That’s a problem, not a fundamental threat to your business, like an automated threat vector that can be scaled basically only in limit with the amount of funding you have to dedicate to it is that’s a true existential threat, which, you know, I don’t think people are really talking about enough in that regard.
Eli Wachs [00:20:43] It completely agreed. And I think that goes to kind of how we view. This issue. You know, we say it may sound weird, but we say we’re much more interested in figuring out who good actors are and making it easier for them to create accounts going forward. And this is for a couple reasons. One is that company will lose a lot more money by good actors not getting in them. A bad actor is being kept out. And I think part of this is that it’s kind of this unspoken job because it’s tough to quantify, you know, how many the amount you lose by good people not getting in. It’s tougher to see than the amount that you see from the actual fraud that as a result, companies really focus on tools that they say will prevent fraud. Even if we know, as you just said, they’re probably not the best tools. And that’s why our approach really is to say, let’s actually just be very honest about the things that will make it tough and will delay the ability, make it logistically very difficult to create an account. But also, once you create an account, what’s the best bound identifier? And that’s really kind of like that face ID attestation going forward. You know, for us, it’s not about like we don’t want to sell complexity. We really want to sell just results. And I think part of that goes on it this acknowledgment that are really underlying zero trust principles that Alex is architecting, which is, look, things are going to happen. Like, there are these things that you can buy online. So let’s just make that very difficult. Let’s also if all the tools are served to prevent that, fraudsters are always going to be smart and sophisticated. We’re always going to be building tools, make it tough. But we think it’s interesting. Now, he’s actually spent the time to build the tools for the 99 plus percent of people who are good actors. 
Just make it much easier for them going forward, because if we do that one, that makes it easier for us to spend even more time on the people who haven’t proven that they’re good actors. But too, it just treats the problem as two separate problems, which is what it should be. And that’s how we think you can. One get better actors. In part, that really starts by acknowledging that you just said that was like, Hey, a lot of the tools that we use today are much more so like 80 yard signs that like we have a security system more than like anything preventative to that. Like it’s often just checking a box, which is fine, but here is going to check a box. You’re missing out a lot of opportunities that you can actually just do meaningfully good things for your business.
Cameron D’Ambrosi [00:22:52] So to kind of bring us on home here from the perspective of. Digital identity and verifiable credentials and models. And I’d like to point out in Europe, you know, this push from more, you know, issuing level of authorities to put verifiable credentials that can be kind of tied back to an issue or using some form of cryptography. You know, how do you see that playing into what you’ve built with footprint? You know, compatible replacement. Good, you know, threat like. Where do you see this broader push around mobile driver’s licenses and, you know, ID fitting into your approach for for your customers?
Eli Wachs [00:23:36] Yeah, we think mobile driver’s licenses are great. Like, we are big fans of Google and Apple and like think that it’s great that people are going to have that. Like, we’re huge fans of mobile phones as identifiers for verifiable credentials. Wisdom is a great opportunity. We’ve begun to explore some of it. We have a partnership in the web space to put a beneficial owner token and people’s kind of footprint wallet if they own a company. And then, you know, if you’re like me and you write very like philosophical investor updates and the board kicks me out in a couple of years as a result. Footprint will get back a token and they can give it to the next owner. Or kind of you can assign it. We also are working on similar credentials for education, for kind of employment history, for income, even for kind of, you know, people when you have a fintech account or let’s say you have stock issued on card or poli. We think that that should be a credential because that impacts kind of like your income as an individual. And that should go to things kind of such as can you qualify for deferred loans? So we think credentials are really interesting. That said, we think that the timeline for verifiable credentials will be much longer. Like we don’t think that as much as we’d love it. I don’t see people like it requires three parties essentially to be involved for the verifiable credential to really be issued. And also something is essentially the person who’s issuing it presumes accepting it, and then the person in the middle to request it both ways. And that is requires a lot of by and that, I think has a kind of higher level of activation than I think maybe we all take credit for. So for us, we try to be like, I have to make an analogy that we’re trying to build visa stamps over here because if you want to get in the flight from like New York to Tehran, like you probably have a good reason. 
You’re like you’re willing to go to an embassy and like sit for an hour and we’re much quicker. And that probably has that verifiable credentials at the start should be things that maybe are a bit tougher to get and things that you don’t want to go through again. Then kind of just any certification, like a badge from a course because we just don’t know if people do it. Alex I’m not sure you have anything to add there about though. How if we reached that point where kind of an as we get into our integrations, cards are easy for us to put that credential in the wallet.
Alex Grinman [00:25:46] Yeah. The nice thing is that, you know, the fundamentals of our system are based on public cryptography and the user maintains their own kind of private key. And as they add more credentials, more proofs, proofs of X, proofs of Y, those become associated with that credential. And so one of the you know, you kind of bring it back to an earlier point you made about driver’s licenses. We love that standard because we think ultimately it’ll be easier for users to onboard with these proofs of, proofs of identity. But you still need authentication. You still need to tie that back to a credential to continuously prove who that user is, no matter what application or real world situation they’re in. And so any kind of verifiable credential system must be based on strong cryptography. And really public key cryptography is a great way to solve that problem.
Cameron D’Ambrosi [00:26:40] Yeah. I think look, all of this is is really speaking my language. And I think what’s so exciting about the platform that you’re building in my eyes is the focus on the actual, you know, needs of platforms and consumers and not necessarily what folks think they need in terms of technology, but like turning that into usable features that actually address the true pain points, which is how can we move away from needing everyone to scan a driver’s license? How can we put usable tools and granular controls in the grasp of the platforms that help them, you know, understand what information they have and protect what what they have already collected. So, you know, hats off to you guys really, really excited to see what the future holds for you. You know, on that note, shameless plug time and an opportunity, I should say, you know, for folks who are listening, who are intrigued, like how do they get in touch with you? How do they, you know, kick the tires on the platform? How can they get involved? Like, what’s the best way for them to go? And who should they reach out to?
Eli Wachs [00:27:49] Yeah. First off, thanks so much for having us. This is great. And for us, we just announced a $6 seed round that was led by index, also with participation from founders of companies like Plaid Ramp and a bunch of other Moonbat and a bunch of the great companies. We’re launching our early access next month and we’re going commercially live at the end of October where we have a long waitlist, but we’re really excited to roll out the platform to as many people and customers as we can. Eli won for Broadcom. Alex is Alex at one footprint dot com. We’re friendly. Hit us up on Twitter too, but have it again in addition to anybody else I’ve done on the promise says hold. We’ll come to the office one afternoon and your KYC API storage needs, you know, done away with forever.
Cameron D’Ambrosi [00:28:39] Love it. Well, I will make sure to include those links in the show notes below. Eli Alex, thank you so, so much for your time. I really appreciate it. And yeah, wishing you the best in and I think it’s going to be hopefully a long and fruitful journey for you guys as you look to roll this out as probably is again.
Eli Wachs [00:28:59] Thanks so much.