FB pixel

Amazon is ready to use digital identity, even though its hard

Authenticate 2024 panel considers remote identity proofing challenges
Amazon is ready to use digital identity, even though its hard
 

Remote digital identity proofing is in the midst of a dramatic upheaval, but the change is not proceeding quickly. A panel of insiders explained the reasons why that is, some of them understandable and some more frustrating, at the FIDO Alliance’s Authenticate 2024 event this week.

Teresa Wu of Idemia moderated the discussion on “Private organization and government perspectives in navigating the technological landscape of remote digital identity proofing.” It featured insights from Paul Grassi of Amazon, Arun Vemury of DHS S&T and Bill Fisher of the U.S. National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE).

A multitude of moving targets

For Amazon customers, identity proofing is not a requirement. “We don’t know the underlying human,” Grassi says. “That’s not a bad thing.” He describes Amazon’s protections against account takeovers as “very stringent.”

In the case of vendors, or consumers purchasing age restricted goods, however, the company must verify their identity or age.

Vemury described S&T’s efforts to evaluate how well the different pieces of technology that go into remote identity proofing work. “The error rates are not trivial,” he observes, reaching as high as 10 percent even for legitimate users.

With the threat landscape shifting rapidly, he notes, the challenge of finding a balance between security and ease of access, which differs between applications and businesses, is not getting any easier.

Fisher presented the challenge of remote digital identity proofing as “not really a problem to be solved, but a tension to be managed.”

NIST wants to help organizations “understand the implications” of the tradeoffs that come along with making use of the various inputs available to them, he says. Fisher also points out that while biometrics is one of the strongest signals, it is still probabilistic, rather than deterministic.

These considerations all influenced NIST’s updates to its Digital Identity Guidelines.

Some of the guidelines include measures relying parties are already using when performing remote identity proofing, Fisher says. Checks if the applicant is deceased are an example, providing a way to spot a fraud attempt without adding any friction to the user experience.

Chicken-and-egg killers

Amazon currently uses “the simple demographic check” and ID document and selfie biometrics checks, “which we’re starting to hate as well from a usability perspective and a security perspective,” among its current measures, Grassi says. The ecommerce giant is planning to start accepting digital IDs like mobile driver’s licenses (mDLs) and European national IDs presented from mobile wallets in 2025, he revealed. Federated identity based on Aadhaar will also be added.

For ID and selfie biometrics checks, Amazon uses a multi-vendor approach, in part for redundancy, but in part to serve different regions. “But we are doubling down on digital credentials,” he says.

The panelists agreed that both document authenticity and digital ID checks are going to have to be supported for the foreseeable future.

While that remains the case, adding machine-verifiable capabilities to identity documents can help make the while remote identity proofing process more secure and reliable.

Fisher is leading NCCoE’s mDL adoption initiative, along with Ryan Galluzzo, which will explore their effectiveness for online identity proofing, account recovery, and other uses.

The lack of current use cases is one of the reasons that adoption of mDLs is slow, Wu notes. Acceptance by Amazon may help motivate states to issue digital IDs and people to use them. Despite a classic chicken-and-egg problem between issuance and adoption, “we’re hoping to be one of those killer use cases,” Grassi states.

The fragmentation among digital wallets, between platform wallets from OEMs like Apple, Google and Samsung, and providers like Idemia, SpruceID, and Scytales, which is making European identity wallets, forces relying parties to decide how secure they believe the biometric binding and issuance process in general to be, Fisher says.

Grassi says Amazon plans to apply lessons learned during the implementation of passkeys to mDLs.

Related Posts

Article Topics

 |   |   |   |   |   |   |   |   |   | 

Latest Biometrics News

 

IntelliVision censured for misleading biometric accuracy and bias claims by FTC

The U.S. Federal Trade Commission has slapped IntelliVision with a consent order to halt claims about the accuracy of its…

 

Atos and partners blamed for EES delays

Atos and its consortium partners bear a major share of responsibility for delays in deploying the European Union’s delayed biometric…

 

CFIT pushes efforts on digital company ID to tackle economic crime in the UK

The UK’s Centre for Finance, Innovation and Technology (CFIT) has unveiled progress by its coalition of financial institutions, regulators, and…

 

iProov, iiDENTIFii help Standard Bank create network of trust

It’s one thing to know your customer, and another thing to know your customer is real. As GenAI becomes a…

 

World to spend $26B on IDV checks by 2029: Juniper

By 2029, the total global spend for digital identity verification checks will spike by 74 percent to reach $26 billion,…

 

Regula to replace SumSub as face biometrics provider for Maldives

Regula Forensics has been granted the contract to provide face recognition for the Maldives’ national digital identity, eFaas, after the…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events