Stytch: Kill the Password

Announcing the Newest API-First Unicorn Saving the Internet

Nov 18

Welcome to the 1,309 newly Not Boring people who have joined us since last Monday! Join 87,317 smart, curious folks by subscribing here:

Today’s Not Boring is brought to you by… Masterworks

If you told me five years I’d be channeling my inner Nic Cage and try to acquire the Constitution with thousands of other people, I would have called you a liar.

ConsitutionDAO is electric. The DAO lets everyday people contribute to the purchase of a previously untouchable asset worth tens of millions. But this concept isn’t new. In fact, this isn’t even my first time doing it.

I literally bought shares in a Picasso masterpiece last night. I just went to Masterworks.io, and added shares to my portfolio, plain and simple. This Picasso was my 10th investment with Masterworks and won’t be my last.

Art as an investment is picking up steam like never before. With some blue-chip works selling for 15 times their asking price at auction, it’s no wonder the WSJ said “art is among the hottest markets on Earth.” Beyond the short-term hype, the asset class has performed well:

Contemporary art prices appreciate 14% annually on average (1995-2020)
Near 0 correlation to public equities according to Citi.
The global value of art expected to grow by $1 trillion in under five years

And Masterworks is how regular people like us can access it. They’ve got roughly $300M AUM, 260k+ members (many are Not Boring readers), and recently hit unicorn status.

If you want to join me on the platform, use my Not Boring link to get priority access*

Hi friends 👋,

Happy Thursday!

We are going to buy the Constitution! Since Sunday, ConstitutionDAO has raised over $40 million to go buy a rare copy of the US Constitution when it goes up for auction this evening at Sotheby’s. Follow the ConstitutionDAO twitter for real-time info.

Let’s get to it.

Stytch: Kill The Password

The crowds are wise.

Sometimes, when I syndicate a deal to the Not Boring Syndicate on AngelList, it takes a week or so to fill the allocation. Often, it takes a couple of days. Stytch filled in 64 minutes.

That was February 17th of this year. We invested in the Series A at a $230 million valuation, which honestly seemed high given that the company was six months old, but Stytch had all of the early markers:

Co-founders. Reed McGinley-Stempel and Julianna Lamb are the perfect people to build this, having worked together on bank account authentication at Plaid. Julianna went to Very Good Security as a PM after Plaid and worked on authentication there as well.
Team. A software business is only as good as the people it hires, and in its first six months, it brought in engineers and designers from Plaid, Coinbase, Workday, Udemy, Intuit, Zillow, Quizlet, Carta, and Stitch Fix.
Investors. Stytch is backed by the best. At the time of our investment, Stytch was backed by Thrive, Benchmark, and Index, plus Elad Gil, Lenny Rachitsky, and the founders of Plaid, Very Good Security, and Figma. That’s a gold-plated cap table.
API-First. Reed and Julianna set out to build the Stripe for Authentication with an API-first approach that’s more flexible and composable than the incumbents.

Speaking of incumbents, two weeks after our investment, Okta set a strong comp by purchasing 8-year-old authentication provider Auth0 for $6.5 billion on March 3rd, a 3.4x increase from its last private round at $1.9 billion in July 2020.

Stytch has a better, more flexible product. It’s building “user infrastructure for modern applications” in the form of APIs and SDKs that developers can plug in to create customized authentication experiences, like login and checkout.

And Stytch is on a trajectory towards besting Auth0’s benchmark. Today, Stytch is proving the wisdom of the crowds by becoming a unicorn itself: Coatue is leading a $90 million Series B at a $1 billion valuation, with participation from existing investors Thrive, Benchmark, and Index.

But as founders are trained to say, raising money is a means, not an end. The funding just means Stytch will be around longer, can move (even) faster, and can build more products. To that end, Stytch is also announcing the launch of its first biometrics product, WebAuthn, and its first acquisition, of YC-backed competitor Cotter, a no-code passwordless login product.

All of this is in service of one goal: kill the password.

Now normally, when I write these deep dives, I don’t like to speak ill of competitors. Real people work for competitors, and every company has strengths and weaknesses. But passwords? No one works for passwords. Passwords cause pain and agony, or even worse, a persistent, nagging, low-grade annoyance. Fuck passwords.

Stytch is an armory in the war against passwords from which its customers can select the weapons they need to eliminate passwords. In peacetime, it serves as a creative foundry on top of which customers can create new, seamless authentication experiences. In either case, Stytch makes digital products more secure while increasing conversion and revenue. It built API-first because it knows that its customers know more about their customers than Stytch can, and because it knows that the collective creativity will lead to emergent behaviors it couldn’t predict itself.

All of it feeds into Stytch’s larger mission: to eliminate friction from the internet.

That’s bigger than authentication. Stytch’s opportunity spans login to checkout, web2 to web3, inbox to face, and may be much larger than the $6.5 billion that Auth0 sold for.

To understand Stytch’s opportunity, we’ll cover:

Why Passwords Suck
The Founders’ Journey to Stytch
Meet Stytch: A Friction-Reduction Company
The Race to Replace the Password
API-First as a Competitive Advantage
Why Stytch Wins
The Big Vision

First, let’s take down passwords.

Why Passwords Suck

When I spoke to Gaurav Ahuja, the Thrive partner who led Stytch’s Series A and introduced me to the company, I asked him to lay out his investment thesis. He told me there were five points to his thesis, starting with the enemy:

First, the future should be passwordless. Actually, back up, first: passwords suck. And they suck in three ways:

They’re a terrible user experience.
They hurt user engagement, conversion, and revenue.
They’re a burden on IT support.

Gaurav’s a really nice guy. That’s the meanest thing I’ve ever heard him say. But passwords deserve it.

If humanity were designing authentication from scratch today with no preconceived notions, we would never come up with a system in which everyone has to memorize dozens of word/number/character combos and type them in to do anything online. We use passwords today because we’ve always used passwords. They’ve been around for millennia. Chances are, when you were a kid, and you wanted to get into your friend’s pillow fort, they asked you for the secret password.

But passwords are a relic. In a July blog post, Stytch walked through the history of the online password to explain why they no longer make sense. Each decade introduced its own authentication paradigm:

In the 1990s, as the internet went mainstream, passwords were the dominant form of authentication.

In the 2000s, as users opened more and more accounts, password managers—which encrypt and store online login information—were introduced to help them handle this increasingly complex landscape.

In the 2010s, as online technologies advanced, alternative auth methods—often referred to as “two-factor authentication”—embedded low-friction, secure hardware (like biometrics and YubiKey) and software (like APIs for programmatic text and email) into the user experience.

Today, we’re stuck with a weird compromise: enter a password and then do the thing that’s actually secure, like scanning a face, entering a texted passcode, or clicking a magic link in an email or text. The second factor hasn’t eliminated the first. In fact, thanks to the COVID-induced mass online migration, all of us are juggling 25% more passwords now than we were in 2019…

… and we forget them, a lot. In 2016, Intel Security found that 37% of people forgot at least one password every week. That’s undoubtedly gone up as the number of passwords we need to remember has more than doubled. A more recent 2019 study by HYPR found all sorts of damning things about passwords, including:

78% of respondents required a password reset in their personal life within the last 90 days
57% of respondents required a password reset in their work life within the last 90 days
35% Of people keep all their passwords in notebooks, Excel files, sticky notes, etc... (Password managers like 1Password are great, but they’ve struggled to gain mass adoption and usage)
72% of individuals reuse passwords in their personal life while nearly half (49%) of employees simply change or add a digit or character to their password when updating their company password every 90 days.

The result is a situation that’s incredibly annoying for users…

Jeff Atwood @codinghorror

If we don't solve the password problem for users in my lifetime I am gonna haunt you from beyond the grave as a ghost

...and terrible for security. Many of the major headline-grabbing hacks of the past year have been due to the vulnerabilities that passwords create. The Solar Winds and Colonial Pipeline hacks earlier this year both involved password weaknesses, and 81% of all internet breaches can be traced back to weak or stolen passwords.

Beyond hacks, though, passwords are bad for business. According to Stytch, 75% of people who click “forgot password” abandon whatever they were trying to do. Reed told me:

Passwords are an extremely high-friction hoop that we make users jump through, and this friction creates drop-off in both user sign-up and login flows, directly hitting companies key metrics like customer acquisition cost (CAC) and user life-time value (LTV).

It’s no wonder. This diagram that Reed and Julianna shared with me shows the process that people typically need to go through to reset their password:

To be fair, that’s exactly what someone trying to kill the password would say and exactly the diagram they would share. To which I’d respond: I bet you a dollar that you’ve gone through that exact flow at least once in the past month. I have a terrible memory and am very disorganized. I go through it once a day.

Plus, Reed and Julianna had great jobs. They didn’t have to do this. They’re not filling in anti-password facts post hoc; they started Stytch because they lived password pains every day.

The Founders’ Journey to Stytch

Julianna and Reed seem almost lab-designed to be the perfect Stytch founders.

Julianna grew up in Sun Valley, Idaho, home to, among other things, Allen & Co’s annual tech conference, dubbed “Billionaire Summer Camp.” After a year of high school in Paris and freshman year at Georgetown, she transferred to Stanford, a small engineering school in Palo Alto, California.

Reed was raised in Las Vegas, and there, he must have studied just a little bit harder than Julianna, because he ended up attending the nation’s greatest institution of higher education: Duke University.

(Story pause: after I wrote that last sentence, I went to pick up tickets for a Nets game on SeatGeek, and wouldn’t you know it… I forgot my password.)

Anyway, where was I? Sorry, that was distracting, lost my train of thought.

Oh yeah. So Julianna was at Stanford and Reed was at Duke. After school, Reed did a Fulbright in Germany and a stint at Bain & Company while Julianna got a job as a software engineer at Strava.

(Fun coincidence: on Tuesday, Max, an engineer at Stytch, made Strava art with the Stytch logo by running a path that spelled out the company’s name.)

In May 2017, Julianna made the move over to Plaid as a software engineer and three months later, Reed joined Plaid on the growth team. While at Plaid, both Reed and Julianna ended up working on a low-key critically important piece of Plaid’s product: bank account authentication, Julianna as an engineer and Reed as a product manager.

For those who haven’t been reading Not Boring closely when we’ve discussed Plaid in the past, it lets developers connect their apps to users’ bank accounts. If you’ve used Venmo or Robinhood or Coinbase, you’ve used Plaid. You click a button to connect your bank account, choose your bank, and fill in your credentials, and Plaid connects the accounts.

The problem is, if you’re like me, you’ve also failed at using Plaid because you forgot your bank account password because you just have it auto-fill in your browser or turned on FaceID in the app. So you enter your best guess, watch as the screen loads, and then moan as it tells you you got it wrong and asks you to do it again.

Sometimes you do it again. Sometimes you reset your password. Sometimes you say nevermind.

Authentication is such a crucial challenge for Plaid because its customers rely on Plaid’s APIs to connect with their user’s most sensitive information, their bank account details, which also happens to be mission critical to how Plaid’s customers make money. No bank account connection, no funded accounts, no transactions, no revenue. That means that Reed, Julianna, and their teams had to optimize both for security and for user experience. They couldn’t let hackers in, but they also couldn’t keep people from connecting their bank accounts. As Reed explained it:

As Julianna and I worked on an array of projects focused on improving both the security and conversion in bank account authentication, we realized that our biggest security and user experience headaches all stemmed from the same technological relic: the password.
And anytime we had to build anything related to authentication, we found ourselves building the authentication features out internally because none of the incumbent solutions had a flexible enough product to enable what we wanted to do.

When Julianna left to go to Very Good Security as a Product Manager in 2019, she found the same challenges awaiting her. “I ran into many of the exact same authentication headaches,” she said, “as we migrated away from a large incumbent vendor (Auth0) to an in-house authentication solution due to the inflexibility of Auth0’s product.”

That’s not necessarily a criticism of Auth0. The product does what it was designed to do. It’s a widget that’s really easy to plug in. It is, however, a criticism of our nemesis: the password. Because Auth0 is built for a world of password-based authentication, it’s actually wise to push customers to use widgets hosted by Auth0 so that the customer never has to tough or store sensitive credentials. The challenge for Auth0 is that we’re moving to a passwordless world.

Get rid of the password, and you get rid of the concern around storing sensitive user data. In the passwordless world, you can design flexible, developer-friendly products and let developers figure out where and how they want to authenticate users in a way that fits their specific product.

That’s the world that Julianna and Reed decided to explore. After Julianna left Plaid, the two kept in touch and met up for coffee every month or so. In December 2019, over one such coffee, they shared their ongoing frustration with passwords and the lack of a “Stripe for Authentication,” a simple, flexible product that developers love and that improves the end user’s experiences on the internet.

They spent the next six months researching. They talked to dozens of their friends at other tech companies in the Bay Area, and none of them knew of any good solutions, but many of them had the same frustrations. They were wasting sprint cycles and valuable engineering resources building their own authentication flows in-house.

So in June 2020, they quit their great jobs and founded Stytch. I’d encourage you to listen to the fireside chat that Gaurav and I had with Reed and Julianna to hear the story of the 0 to 1 founders’ journey in their own words: