Hi, this is Clément from HUB612👋
You may have noticed by now, each week I try to cast light on different topics related to Fintech & Insurtech through 1) Market Reviews 2) News of the week 3) Investment Memorandum.
I hope you find it useful. Do let me know your thoughts by replying to this email :)
Two weeks ago, I dug into the cybersecurity market and I was quite surprised to see how bad we are with passwords! The struggle is real. You want your password to be complicated enough not to be easily found, but you still want to remember it.
A “simple way” of penetrating a system is by guessing the users’ passwords, and from what I learned by reading and by doing, sometimes your password can be found in minutes.
That’s why today I’m sharing with you a memorandum about 1Password, a credential management service that was created 14 years ago and has grown organically since.
Disclaimer: I’m completely unaware of what’s happening from the inside, but this doesn’t stop me from having a point of view on their business ✌️
The Memorandum
1Password is a high-security password creation and management solution for individuals and enterprises. It provides a place for users to store passwords, files, and other sensitive information in multiple virtual vaults that are locked with a PBKDF2-guarded master password. The service works cross-platform and makes it easier and safer for everyone to share personal information.
___________________(👎: Problem | 👍: Awesome | 🤔: Question) __________________
Need
In 2005 the 1Password founders were running a web development consultancy when they decided to resolve a long-standing problem of logging into multiple websites, a particularly acute issue given their day jobs.
“We were developing many sites, and we were wasting time filling out forms to test them. We embarked on a month-long project in order to do our work faster.”
”We thought others might like to take advantage of it.”
Dave Teare - Co-founder 1Password
At first, 1Password was B2C-focused, perhaps ahead of its time in terms of time to market, even though identity management really took off in the early 1990s with the creation of the Lightweight Directory Access Protocol (LDAP). Many organizations began leveraging the LDAP protocol and its capacity to authenticate and authorize user access (with username and password information). But in fact, and for many years, identity management has been largely a sleeping industry.
Recently, the internet bubble could be seen as the starting point of a global reach of the internet and related services among individuals. Since then, identity management kept growing slowly and the recent massive adoption of the smartphone made everyone step in the digital world, or should I say the world of identification.
Passwords are simply secret words or phrases; they help in protecting online information such as emails, bank accounts, medical records, and more. They are critical information that can protect your life from an ill-intentioned person.
Yet, passwords can be compromised in many ways:
Users may write them down or share them, so the password is no longer a secret.
Passwords can be guessed, either by a person or a program designed to try many possibilities in rapid succession.
Passwords may be transmitted over a network either in plaintext or encoded in a way that can be readily converted back to plaintext.
Passwords may be stored on a workstation, server, or backup media in plaintext or encoded in a way that can be readily converted back to plaintext.
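An added example (not from the original newsletter, and not 1Password's code) contrasting the last point, a password stored in an encoding that is readily converted back to plaintext, with a salted one-way PBKDF2 derivation, the function named above for the master password. The record layout, iteration count and function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example, not a value from the page


def store_encoded(password: str) -> str:
    """Weak storage: Base64 is an encoding, so anyone holding the record can undo it."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_encoded(record: str) -> str:
    """What a reader of a leaked store does: a plain decode, no key and no guessing."""
    return base64.b64decode(record).decode("utf-8")


def store_pbkdf2(password: str, iterations: int = ITERATIONS) -> str:
    """One-way storage: random per-user salt plus an iterated PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def is_derived(record: str) -> bool:
    """True when a record has the constructed pbkdf2_sha256$iter$salt$digest layout."""
    parts = record.split("$")
    return len(parts) == 4 and parts[0] == "pbkdf2_sha256" and parts[1].isdigit()


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not is_derived(record):
        return False
    _, iterations, salt_hex, digest_hex = record.split("$")
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:  # malformed hex or a zero iteration count
        return False
    return hmac.compare_digest(candidate, expected)


def audit(store: dict) -> list:
    """Return the users whose records are not PBKDF2-derived and need re-hashing."""
    return sorted(user for user, record in store.items() if not is_derived(record))
```

Running `audit` over a credential table lists the accounts whose stored value could be read back directly if the table leaked.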
In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale.
That is scary. If you are interested in checking if you have an account that has been compromised in a data breach, check this website. The best time to modify a password was yesterday, the second-best time is now!
👍 : Also, how many times have you reset your password? This study claims you spend up to 11h / year on this time-consuming task. Shouldn’t we do something more efficient? It’s a pure waste of time..
With regard to companies, the increasing compliance, regulatory, and risk management environment has pushed them to look for a solution. Companies regularly have to manage, synchronize, and monitor passwords across their workforce. They also have to store them in an encrypted environment and add another layer to protect against data leaks/thefts.
Below, I summarized the use cases for a password manager and the value proposition offered by 1Password:
👍 : Due to cost and compatibility with legacy systems, the most popular form of user authentication continues to be a secret password
Market
The global identity and access management (IAM) market size was valued at $9.53 bn in 2018 and is projected to reach $24.76 bn by the end of 2026, exhibiting a CAGR of 13.2% during the forecast period.
A submarket, the Password Management market, has grown from $311 million in 2014 to $709.6 million by 2019, at an estimated CAGR of 17.9% from 2014 to 2019.
I mentioned earlier that for many years, identity management has been largely a sleeping industry. It was mostly a personal software industry.
Then, it started to spread out to SMEs, opening a new and lucrative revenue stream. And today I can see a few growth drivers creating market dynamics:
Substantial growth in data breaches, identity theft and hacking incidents among organizations
Enhanced prominence of compliance, regulatory, and risk management
Rising demand for mobility and remote workforce IAM
Increasing adoption of connected technology including IoT, cloud computing and BYOD (bring your own device)
Challenges related to employee on-boarding and off-boarding
On a bottom-up approach, everybody with internet access has a digital identity to protect. According to Statista, almost 4.57 billion people were active internet users as of April 2020, encompassing 59 percent of the global population. Among which 3.81 bn are active social media users, meaning they have a password and personal information to protect. Also, I’m not mentioning the growing interest of businesses in compliance management and cybersecurity. In fact, any company managing credentials for its employees, for its social media account, .. is a potential client.
👎 : The pitfalls and challenges I see in this market are the lack of knowledge about IAM solutions (after so many incidents!!) and the higher reliance on users to protect their ID and password (they need to be taught).
🤔 : Do people really care about their credentials? I can’t make up my mind on that. Some people shared frightening stories on the impact a password hack had on their life. But it's always complicated to do preventative work...
“Most people don’t think about security until it’s too late,”
Guemmy Kim, lead of account security initiatives at Google
👍 : The industry is in a growth phase. The players are consolidating and there’s still no market saturation. Notably, because IAM companies are moving toward B2B offers.
👍 : From a technical point of view, there is a lot of new stuff going on in the IAM market. More layers of technologies (such as biometrics or actual hard keys) are expected to be developed and adopted in the coming 5 years.
Product
1Password is a password manager that has one Master password which is your key to all of your documents and passwords for your accounts.
The product is available for all major platforms (Windows, OS X, iOS, Android), meaning you can use it on desktop and also on mobile. This is a much-needed feature because of the much larger use of the internet through your smartphone. On top of that, the product is available through browser extensions (for Chrome, Safari, Opera, and Firefox).
“You have secrets; we don’t, why our data format is public”
Jeffrey Goldberg | 1Password Chief Defender Against the Dark Arts
1Password is built on open-source software. The product security starts with AES 256-bit encryption and uses multiple techniques to protect your data at rest and in transit.
In detail: it has one Master Password, which is your key to all of your documents; a Secure Remote Password (SRP) mechanism that verifies the authenticity of the remote server before sending your information over TLS/SSL; and a Secret Key, which authenticates you with 1Password’s servers and also plays a direct role in encrypting your data.
👍 : “Go Ahead, forget your passwords” is such a great statement. No more sticky notes, passwords written in plain text, loss of memory, .. 1Password requires you to remember your Master Password and that is all! Trust is a fantastic defensible moat.
🤔 : The differences between them and competitors really depend on use cases. Do people want a free password manager with fewer features or something even larger than a password manager? Do people want to use two-factor authentication with a FIDO U2F Security Key (like Yubico)? It’s really hard to see what users are looking for.
The trust you put into a service like this is important when you decide to be a client. One breach, one leak, or even one technical issue can be deadly for a security company.
Thus 1Password’s hosted services have been reviewed periodically by multiple independent security firms, to ensure they remain a secure way for you to share all your secrets.
When it comes to clients, 1Password has created through 14 years of existence a constant base of individual customers, and more recently corporations.
👍 : The customer support is hyper-reactive, very precise, and really personalized. High-level support is something you expect when you put so much trust and value in the hands of a company.
👍 : The exchange of information becomes frictionless and fearless, whether it is for families or teams within a company.
Team
This is undeniable, there is a strong founder market fit built after 14 years of existence.
The founders, Dave Teare and Roustem Karimov, recruited Jeff Shiner in 2012 for his B2B background. The company then developed an offer for companies. This offer was launched in 2016 and increased its user base to 1 million people, of which 50,000 use the B2B offer. In 2019, the professional offer, which includes IBM, Slack, PagerDuty, Dropbox, and GitLab among its customers, had grown by 300% in three years. Impressive acceleration in the past 5 years!!
There were 20 employees in 2011; the company now has 174 employees (twice as many as 18 months ago). And their first non-founder hire is also still with the company 14 years later, as the Head of Design.
Mapping
During my research, I have identified a few mappings on this market. I thought it was an interesting exercise to make my own from scratch. Here is my first draft!
Password Manager
A password manager is a type of software or online service that allows a user to manage his passwords, either by centralizing all his identifiers and passwords in a database (portfolio), or by calculating them on demand.
Physical Key
A security key is a small physical device that looks like a USB thumb drive, and works in addition to your password on sites that support it. It provides a high-level two-factor authentication.
Biometric Key
A biometric key is a small physical device (that often looks like a USB thumb drive) that provides very high-level two-factor authentication based on who you are (fingerprint recognition, voice recognition, .. )
Mobile Authentication
Helping organizations check the security health of a user’s mobile phone and devices and block access to a network by devices that are identified as risky. It is also about managing all of the digital keys needed for users to appropriately access specific devices.
PAM | Privileged Access Management
Consists of the cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes, and systems across an IT environment. PAM helps organizations condense their organization’s attack surface, and prevent, or at least mitigate, the damage arising from external attacks as well as from insider malfeasance or negligence.
Identity verification
It can be about ensuring that users or customers provide information that is associated with the identity of a real person. The service may also verify the authenticity of physical identity documents such as a driver’s license or passport through documentary verification and even protect it from access.
Here are a few things I did not mention:
KYC & KYB, Fraud Prevention & Risk Management, Identity of Things, Customer Identity & Access Management, Identity Governance & Administration, User & Entity Behavior Analytics, Regulatory Compliance Transaction Monitoring, ..
Click for some cool other mappings!
“Not cool men, you forgot us😤”
Alright, my bad! Please comment on this post/email so that I fix this oversight :)
What is new about them?
# News 1 - They’ve raised $200M for their first round
1Password is a bootstrapped company that has been profitable from day one. That’s not something you hear from startups all that often.
And at the end of 2019, the company completed its first fundraising, and not the least: a $200 million Series A financing led by the Palo Alto-based venture capital firm Accel.
As mentioned by Forbes, this round indicates a tremendous shift in 1Password’s strategy - now focusing on aggressively expanding their enterprise base of 50,000 paying companies, including 25% of Fortune 100 companies - but several of their notable enterprise clients also joined the round (executives from current clients at Slack Fund and Atlassian).
# News 2 - They are recruiting!
They now have 200 million new reasons to watch what’s to come. And that includes the recruitment of new talents! Join the ride here :)
Did I miss something huge?
There is a lot happening out there in Banking, Fintech, Financings, Exits, M&A, ..
Is there something worth reading? Do let me know by replying to this email :)
See you next week 👋
If you enjoyed this, maybe I can tempt you with my Fintech newsletter. I write a weekly email full of market review, investment memorandum and news of the week :)
If you’ve enjoyed it please show some love to the thread on Twitter❤️
📧 I’m clement.parramon@hub612.com and @cparraam is my Twitter
Ps. If you like what I’m doing with Parram please feel free to share it on your social network of choice. Also, I’d appreciate it if you forwarded this newsletter to a friend you think might enjoy it ✌🏻