What do they actually do
Multifactor provides an account vault and secure account‑sharing tool available as desktop, mobile, and browser extension clients. Users store passwords, passkeys, and 2FA tokens and can share access to any online account via "Checkpoint" links that grant specific, revocable permissions (e.g., view‑only) to a person or an AI agent. Access happens in an isolated session where raw credentials aren’t revealed, actions are recorded, and access can be revoked instantly without changing the underlying password or passkey (site, downloads, Checkpoint, blog).
The product is live with public downloads, docs, and a public demo that showcased a read‑only link to a corporate bank account, indicating the sharing and revocation model works end‑to‑end. Early adopters include individuals, advisors, and some enterprise pilots using agents in supply chains (PR/demo, site, downloads).
Who are their target customer(s)
- Individuals and households sharing accounts with family or personal assistants: Need to let someone see or do limited things in accounts without handing over passwords; want easy revocation and a clear activity record to avoid account takeovers or confusion.
- Financial advisors and virtual assistants managing client accounts: Require tight, per‑action permissions (e.g., view balances but not move money) and auditable trails to maintain client trust and reduce liability exposure.
- Small teams and manufacturing partners using agentic workflows: Must give tools or external partners access without exposing credentials; need instant revocation and forensic logs when incidents happen.
- Enterprise security and IT owners (CISOs, SRE/security teams): Worried about autonomous agents and contractors in corporate accounts; need SSO/RBAC, enforceable policies, and audit‑grade logs for compliance and incident response.
- Developers and platform teams building AI agents or integrations: Need programmatic, scoped, and revocable access for agents plus verifiable logs, so integrations don’t leak credentials or create untraceable actions.
How would they acquire their first 10, 50, and 100 customers
- First 10: Run hyper‑targeted concierge pilots with a handful of households and a few advisors/VAs from existing networks and YC intros, with white‑glove onboarding and rapid fixes to iterate on real workflows.
- First 50: Package a 4–6 week pilot (templates, onboarding, success metrics) and run parallel pilots across advisors, small manufacturing partners, and households via targeted outreach and referrals, producing one‑page case studies from each.
- First 100: Open a self‑serve consumer path (extension + templates) to drive referrals; add a small channel program (security consultancies/MSPs/developer partners) for enterprise pilots, plus monthly technical webinars and a low‑cost security‑pilot SLA for CISOs.
What is the rough total addressable market
Top-down context:
Multifactor straddles password management (≈$2.7–3.2B), enterprise Privileged Access Management (~$3.6B in 2024, high growth), and parts of IAM (~$18–22B near term) (password mgmt, Mordor, PAM, IAM).
Bottom-up calculation:
A conservative near‑term TAM is the sum of the password‑manager and PAM markets: roughly $6–7B, which matches Multifactor’s current combination of vault, scoped sharing, and PAM‑style controls. If they capture the relevant authorization and audit slices of IAM, the broader opportunity pushes into the $20–30B range (password mgmt, PAM, IAM).
Assumptions:
- Avoid double‑counting between PAM and broader IAM; password‑manager revenue overlaps only partially with PAM/IAM.
- Near‑term product fit targets consumer/SMB vaulting and PAM‑like controls; IAM contribution grows with enterprise features/integrations.
- Developer/platform spend is largely embedded within PAM/IAM rather than a separate market.
Who are some of their notable competitors
- 1Password: Consumer and business password manager with shared vaults and developer‑facing Secrets Automation; overlaps on vaulting/sharing but not built around agent‑scoped, revocable action links (Secrets Automation).
- Bitwarden: Open‑source, cross‑platform vault with organizations/collections and APIs; lower‑cost shared‑vault alternative but not focused on fine‑grained agent action controls or auditable agent sessions.
- HashiCorp Vault: Infrastructure secrets manager offering dynamic credentials, policies, and audit logs; strong for infra/DevOps use cases rather than end‑user vaults and browser‑mediated account access.
- CyberArk: Enterprise PAM with credential brokering, session isolation/recording, and rotation; competes in high‑risk enterprise accounts that need auditable privileged sessions.
- Okta: Enterprise IAM (SSO, RBAC, MFA, policies); overlaps at the control‑plane level. Multifactor may be used alongside Okta or compete for parts of authorization/audit workflows.