Killing the password: for real this time?
Zally wants to make truly friction-free logins a reality
PreSeed Now brings you an in-depth profile of a different B2B or deep tech startup every Tuesday and Thursday.
Another edition of PreSeed Now, another interesting startup.
Plenty of startups have promised to kill the password for good over the years.
So what does Zally have to offer to make the dream come true? And does it have a place in a world where initiatives like passkeys are increasingly popular?
Scroll down to find out.
Zally wants to make truly friction-free logins a reality
It sometimes seems like killing the password is an endless quest for researchers and startups alike.
But in recent times, it has felt like we might almost be at a point where we can truly say goodbye to clunky and easy-to-forget passwords and move to something more sophisticated.
One startup that wants to be part of that future is Zally. Its tech replaces the usual password login flow on websites and in apps. Instead, it uses the sensors in your device to determine whether it really is you trying to log in.
In practice, this means that on a mobile device, Zally looks at the vast array of sensors modern smartphones contain to measure things like how you’re holding and moving the device and how you interact with the screen.
On a desktop or laptop computer, it looks at things like mouse movements and how you use the keyboard.
This data is then used to build up a profile of your interactions that Zally says can tell you apart from anyone else. With that data, it can log you in instantly and without any friction.
But aren’t passwords already nearly dead?
You’ve probably come across websites and apps in recent times where you enter your email address and you then get sent a one-time ‘magic link’ email to log in.
This is convenient, but if someone else is trying to access your account and already has access to your email inbox or device, then it’s suddenly much less secure than a password.
Meanwhile, passkeys are increasingly popular as a way of using on-device authentication methods–like your phone’s face recognition or laptop’s fingerprint scanner–instead of a password.
But in situations where you’re being physically forced to log into your internet bank by an attacker, for example, passkeys are less than ideal.
Zally says it can detect situations where you’re trying to log in under duress… and it promises to be more frictionless than having to use a biometric sensor every time you log in.
Zally founder Patrick Smith says there’s enough difference between the way different users use a device to tell a ‘Martin’ from a ‘Patrick’ (or anyone else) anywhere and anytime.
“We are able to then personalise user journeys online, remove fraud, and you no longer need to reset passwords, so you can remove all that friction you have with passwords.”
It’s a concept that has been around for a while. For example, BehavioSec was founded in Sweden in 2008 and acquired by LexisNexis last year.
But while its basic principle of using a biometric signature from your use of a device is the same as with Zally, BehavioSec focuses more on use cases like fraud detection, rather than end-user convenience in contexts like ecommerce, which is the market Zally is tackling first.
How Zally works
Once a website or app has integrated Zally’s SDK, users will simply have to enter their phone number, which sends a device-specific token to the phone via SMS. On laptops, a similar process takes place, using the phone as authentication.
Zally then builds a profile of your behaviour, on a per-device basis, which is stored on your device.
Because the SDK tracks a user’s interactions from before they try to sign in, it already has data about them when they create the token to start storing that behaviour.
If Zally needs more data, it might prompt a user to complete a simple, game-like action.
All of this means that next time you access that website, you don’t need to enter any login details. It just knows it’s you.
And once a device is set up for Zally, any other Zally-powered logins for other websites or apps can draw on the data from the token which is already on the device.
“We’re trying to get that down to as quick as possible to make this journey frictionless and seamless, both from a user’s experience but also on the merchant side,” says Smith.
So how can Zally be confident that the ‘digital DNA’ they build up about each user is enough to tell them apart from any other potential user with a strong enough degree of confidence?
Smith says while it still needs to be tested on a global scale, they have done “a lot” of testing (he declines to give exact numbers) and he’s confident of the tech and its ability to tell people apart.
If all else fails and the tech won’t let you in, you can reauthenticate on the device, but the existing data will be used to make sure that it’s actually you. Oh, and in case you were wondering, Smith says Zally’s approach can support multiple users on the same device.
The story so far
Smith began his career as a software developer and DJ in Norway, before founding a digital agency in London and then becoming a freelance consultant.
It was then, while working with ecommerce brands, that he says he first noticed the degree of friction caused by account creation and passwords. If a user had forgotten their password, they would more than likely abandon their activity on the site.
“I set out on a journey looking into behavioural biometrics as a way to authenticate users online. I invested some money into doing a study with 70 users in six different countries. At the end of this journey, I understood that passwords are a massive problem,” says Smith.
“I started to look at how we can create a technology that allows us to know who's behind the phone, then by knowing who is the right individual behind the phone, we’ll give them access. For that reason, we could kill passwords.”
Zally was founded last year and is now an 11-person team headquartered in Manchester.
“We have moved from doing a lot of the things outsourced, to doing everything in house. Everything that we produce now, which is data science and software engineering, is produced here in Manchester.”
Smith very much flies the flag for launching a startup in Manchester, citing the local tech community’s collaborative nature.
“Every time you go and ask somebody to help you out in London, they always ask you the question ‘what's in it for me?’ London can't compete with the community and the culture of helping each other we have now in Manchester.”