Identity verification at the point of onboarding — the process of confirming that a new user is who they claim to be, before granting them access to a product or service — is a problem that looks solved but is not. National identity documents, facial comparison algorithms, liveness detection models, and government database lookups are all deployed in commercial KYC flows. But the verification chain has gaps that matter enormously in high-stakes contexts: financial account opening, healthcare record access, regulated service onboarding. When we made our seed investment in Ondato, the thesis was not that biometric identity verification needed to be invented — it needed to be rebuilt as infrastructure rather than integrated as a compliance checkbox.
The distinction between "compliance checkbox" identity verification and "infrastructure-grade" identity verification shows up most clearly in how the two approaches handle failure cases. A compliance checkbox implementation is optimised for the happy path: the user has a well-lit, undamaged, government-issued document; the selfie matches the document photo; the liveness check passes on the first attempt. The failure handling is typically a manual review queue that creates operational bottlenecks. An infrastructure-grade implementation is designed around the full distribution of users — including those with worn documents, atypical facial features that create false negative matches on shallow models trained on limited demographic data, accessibility needs that make certain liveness interaction patterns difficult, and regulatory environments that require specific document types not covered by a generic model library. These are not edge cases; they are the tail of a distribution that determines the real-world performance of an identity system.
Ondato's architecture addressed a specific part of this problem: making high-assurance identity verification accessible to developers without requiring months of compliance engineering. The verification flow was designed as an API-first product — a developer could integrate biometric document verification, liveness detection, and identity scoring into their onboarding flow in days rather than months, with compliance documentation and audit logging built into the platform response rather than requiring separate implementation. This matters because the companies that need identity verification most urgently are often those without the resources to build and maintain a compliance engineering team: fintech startups building regulated financial products, healthcare platforms handling sensitive records, marketplace operators with KYC obligations. The infrastructure abstraction lets these teams focus on their core product while relying on a continuously maintained verification platform for the identity layer.
We should be transparent about the regulatory complexity in this space. Biometric data is special category data under GDPR Article 9, subject to enhanced protection requirements and, in some EU member state implementations, additional restrictions beyond the base Regulation. The lawful basis for processing biometric data in an identity verification context — typically either explicit consent or necessity for entering into a contract — must be carefully established, and the data minimisation principle requires that biometric templates are not retained beyond the purpose for which they were collected. Building a biometric infrastructure product that operates across the EU requires not just technical quality but genuine regulatory competence. Our diligence on Ondato included a detailed review of their data processing architecture, retention policies, and legal basis documentation — because a biometric infrastructure product that creates GDPR liability for its customers is not a product we would back regardless of its technical quality.
The trajectory for biometric identity infrastructure through 2024 and into the EU Digital Identity Wallet rollout under the revised eIDAS 2.0 regulation creates an interesting architectural question: as national digital identity schemes become more prevalent and legally recognised, does the commercial identity verification market contract (because government-issued digital credentials displace commercial verification) or expand (because commercial platforms that can accept, verify, and integrate wallet credentials become necessary middleware)? We believe the latter is more likely in the near term. eIDAS 2.0 wallet-based identity assertions will cover specific use cases — particularly high-assurance scenarios like financial services and healthcare — but the long tail of digital identity use cases will continue to require commercial verification infrastructure for the foreseeable future. The infrastructure companies that invest now in wallet credential acceptance and integration will be better positioned than those that treat government identity schemes as competitive threats.