The following report is by Biometric Update:
Remote digital identity proofing is in the midst of a dramatic upheaval, but the change is not proceeding quickly. A panel of insiders explained the reasons why that is, some of them understandable and some more frustrating, at the FIDO Alliance’s Authenticate 2024 event this week.
Teresa Wu of Idemia moderated the discussion on “Private organization and government perspectives in navigating the technological landscape of remote digital identity proofing.” It featured insights from Paul Grassi of Amazon, Arun Vemury of DHS S&T and Bill Fisher of the U.S. National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE).
For Amazon customers, identity proofing is not a requirement. “We don’t know the underlying human,” Grassi says. “That’s not a bad thing.” He describes Amazon’s protections against account takeovers as “very stringent.”
In the case of vendors, or consumers purchasing age-restricted goods, however, the company must verify their identity or age.
Vemury described S&T’s efforts to evaluate how well the different pieces of technology that go into remote identity proofing work. “The error rates are not trivial,” he observes, reaching as high as 10 percent even for legitimate users.
With the threat landscape shifting rapidly, he notes, the challenge of finding a balance between security and ease of access, which differs between applications and businesses, is not getting any easier.
Fisher presented the challenge of remote digital identity proofing as “not really a problem to be solved, but a tension to be managed.”
NIST wants to help organizations “understand the implications” of the tradeoffs that come along with making use of the various inputs available to them, he says. Fisher also points out that while biometrics is one of the strongest signals, it is still probabilistic, rather than deterministic.
These considerations all influenced NIST’s updates to its Digital Identity Guidelines.
Some of the guidelines include measures relying parties are already using when performing remote identity proofing, Fisher says. Checks if the applicant is deceased are an example, providing a way to spot a fraud attempt without adding any friction to the user experience.
Amazon currently uses “the simple demographic check” and ID document and selfie biometrics checks, “which we’re starting to hate as well from a usability perspective and a security perspective,” among its current measures, Grassi says. The ecommerce giant is planning to start accepting digital IDs like mobile driver’s licenses (mDLs) and European national IDs presented from mobile wallets in 2025, he revealed. Federated identity based on Aadhaar will also be added.
For ID and selfie biometrics checks, Amazon uses a multi-vendor approach, in part for redundancy, but in part to serve different regions. “But we are doubling down on digital credentials,” he says.
The panelists agreed that both document authenticity and digital ID checks are going to have to be supported for the foreseeable future.
While that remains the case, adding machine-verifiable capabilities to identity documents can help make the whole remote identity proofing process more secure and reliable.
Fisher is leading NCCoE’s mDL adoption initiative, along with Ryan Galluzzo, which will explore their effectiveness for online identity proofing, account recovery, and other uses.
The lack of current use cases is one of the reasons that adoption of mDLs is slow, Wu notes. Acceptance by Amazon may help motivate states to issue digital IDs and people to use them. Despite a classic chicken-and-egg problem between issuance and adoption, “we’re hoping to be one of those killer use cases,” Grassi states.
The fragmentation among digital wallets, between platform wallets from OEMs like Apple, Google and Samsung, and providers like Idemia, SpruceID, and Scytales, which is making European identity wallets, forces relying parties to decide how secure they believe the biometric binding and issuance process in general to be, Fisher says.
Grassi says Amazon plans to apply lessons learned during the implementation of passkeys to mDLs.
AUTHOR COMMENTARY
Adding on to this, Authenticate 2024 highlighted in a blog post Amazon’s vision for digital IDs. “The central thing that brings us together, and the foundation of our bond, is the desire to realize a better, safer internet,” Arynn Crow, Sr. Manager, AWS User Authentication Products, and Director of Governance and Transparency at the Digital Identity Advancement Foundation (DIAF), said.
Amazon will be one of the primary monopolies moving forward that will exact further dominance and control over the everyday lives of Americans and Westerners, and their leverage of digital IDs appears to be no different.
Proverbs 29:5 A man that flattereth his neighbour spreadeth a net for his feet.