How Nametag is providing reusable identity verification without apps or browsers
“Apple is very excited about what we’ve built on App Clips. There are very few companies using it,” says Aaron Painter, CEO of Seattle-based Nametag. His firm uses what is called App Clips on iOS and Google Play Instant (formerly Instant Apps) on Android to let customers conduct biometric identification against a user’s government-issued ID credential – without an app download or web browser.
The firm’s approach is to exploit the processing power of smartphones and locate a verified identity on the handsets’ secure enclaves, without web browsers or app downloads. Painter claims this is “just fundamentally different than any other product in the market.”
Lightweight but heavy duty
Digital identity apps are readily available. But the downloading of such apps and going through registration is still a barrier, “even if it’s a high value scenario,” says Painter in a video call.
“And so then we had this really big breakthrough and built something using these little clips which came out from Apple in 2019 and a similar version called Instant Apps. And it’s rarely used.”
The team developed a product called Sign in with ID, initially intended as a password replacement for secure logins for website accounts. A QR code is generated on the site or a link is sent by SMS or email. This launches an App Clip or Google Play Instant sequence.
Users scan their government-issued physical credential (Nametag’s software recognizes more than ten thousand varieties worldwide). A selfie with liveness detection carries out a biometric match with the credential.
The process makes use of the phone’s hardware, such as depth of field sensing, on-device processing power and the secure enclave, paired with cloud-based AI, to run anti-fraud checks and to store the verified identity check. A cloud account is also created.
“[It] lets us create this native app-like experience that feels great, that’s slick, it’s fast. It’s also incredibly secure. It allows us to do things in a totally different way to prevent fully digital manipulation. And as you take that off the table, then you can focus in on physical manipulation.”
Secure enclaves for Selfie Chaining
“We’re able to leave an encryption key in the secure enclave of the device, which makes it reusable. So in the second use, when someone is using Nametag with that company or any company on the second use, they don’t necessarily have to scan their ID again, they can simply go through with a FaceID or maybe another face scan to verify themselves.”
They have dubbed this use of the secure enclave or its Android equivalent for secure reverification “Selfie Chaining.” (Apple introduced a secure, isolated area in its system-on-chip for saving facial biometric data, which was then replicated by Android handset makers.)
The encryption key remains in the secure area unless there is a major change to the device or the person gets a new handset. At that point, they still have an account in the cloud. They can resume its use by rescanning the ID to “create a new trust with that device.”
Using the secure enclave also prevents the use of smartphone emulators on desktop computers in fraud attempts, a growing security threat for IDV and eKYC conducted via mobile web.
Don’t mention the App Clips – rules for dating, and accounting
Nametag shies away from telling companies and people about how their product works, instead emphasizing the security features introduced by the phone “as most people haven’t even heard of App Clips.”
“We feel like it’s almost our role to do what Apple could have done and educate the market,” says Painter.
Nametag is seeing particular interest from customer service and business service providers, particularly for “high-risk moments” such as changes to an account, recovering access and authorizing payments. Customers are in financial services, HR tools, accounting platforms, pension providers and even within large companies.
“IT helpdesks struggle the same way that customer support help desks,” says Painter, as so many people work remotely.
One of their most recent customers is one of the world’s largest domain name registrars. “And as it turns out, they get hundreds of calls, people trying to challenge ‘No, I’m actually the owner of blah blah dot com’ and they have no idea over the phone.”
There is no tech integration needed for developers to incorporate Nametag, says the CEO. The hope is that this will let the ID verification be added to ever more services.
“Most of the top names were all fascinated,” said Painter, referring to online dating applications. A particularly big name is apparently involved. “I would argue that that entire industry is going to have to move towards some sense of verifying who the user is.”
Facial age estimation and age verification
“And then all of a sudden came the age verification requirements out of the UK,” says Painter, referring to the upcoming Online Safety Bill and child appropriate design requirements.
But Nametag has also built a facial analysis model for facial age estimation, akin to that of Yoti in the UK. By using the App Clips approach with the secure enclave, though, they offer a reusable product without the friction of an app.
To develop the facial age estimation, Painter says they “merged our own in-house and some third parties into some sort of a common or consistent experience. But one of the unique things is because our product revolves around ID verifications, we’re actually able to train our AI models in really unique ways because when someone completes the full flow, we know what was correct. And so, it can be converted to train our AI models.”
The model is trained on the faces of users of Nametag’s ID product. “Nametag’s age estimation is powered by government-issued IDs users consent to share with a given site or company,” wrote Painter in a follow-up email.
“Opt-in consent is core to the experience so that users know exactly what they are sharing and with whom.”
We use limited biometrics to verify your identity by comparing your government photo ID with a scanned photo of your face. (The comparison provides a % match of the two or more photos.) We do not retain or share this underlying biometric information or use it for any other purpose. Where required under applicable law, we will request your prior consent to use biometrics in this manner.
On age verification regulation: “In California, in the UK [it has] been clear what needs to happen, but not clear on how it needs to happen. All these companies are scrambling to figure out, hey, what technology or platform could I do to help me do this and then what policies to implement around it.”
Even how frequently age estimation may need to be reassessed is not clear and can come down to company policy while regulation is still being developed.
“That’s a question that companies are trying to make policies around because they didn’t necessarily get clarity yet on how to interpret or how to kind of roll out the program.” He does, however, see the UK as playing a leading role in shaping policy.
Whatever happens, the time is up for SMS as a way of checking someone’s ID. Data breaches, such as from telco T-Mobile, are making that clear to Painter.
“And if they [telcos] can’t protect your phone number, then how can others rely on it? And so I think we’re just at this crisis stage. And frankly, I think the infrastructure of everything that we rely on that use this mass verification today is at risk.”
To conclude, Painter is particularly bleak about text messages: “And we’re opening ourselves up to probably more fraud and impersonation than we’ve ever seen before. So I think we’re on a collision course today with SMS verification.”