Amazon is ready to use digital identity, even though it's hard
Remote digital identity proofing is in the midst of a dramatic upheaval, but the change is not proceeding quickly. A panel of insiders explained the reasons why that is, some of them understandable and some more frustrating, at the FIDO Alliance’s Authenticate 2024 event this week.
Teresa Wu of Idemia moderated the discussion on “Private organization and government perspectives in navigating the technological landscape of remote digital identity proofing.” It featured insights from Paul Grassi of Amazon, Arun Vemury of DHS S&T and Bill Fisher of the U.S. National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE).
A multitude of moving targets
For Amazon customers, identity proofing is not a requirement. “We don’t know the underlying human,” Grassi says. “That’s not a bad thing.” He describes Amazon’s protections against account takeovers as “very stringent.”
In the case of vendors, or of consumers purchasing age-restricted goods, however, the company must verify their identity or age.
Vemury described S&T’s efforts to evaluate how well the different pieces of technology that go into remote identity proofing work. “The error rates are not trivial,” he observes, reaching as high as 10 percent even for legitimate users.
With the threat landscape shifting rapidly, he notes, finding the right balance between security and ease of access, which differs from one application and business to the next, is not getting any easier.
Fisher presented the challenge of remote digital identity proofing as “not really a problem to be solved, but a tension to be managed.”
NIST wants to help organizations “understand the implications” of the tradeoffs that come along with making use of the various inputs available to them, he says. Fisher also points out that while biometrics is one of the strongest signals, it is still probabilistic, rather than deterministic.
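The probabilistic nature of a biometric match, as Fisher describes it, comes down to overlapping score distributions: a similarity score from a genuine comparison and one from an impostor comparison can land in the same range, so the relying party has to pick a decision threshold and accept some rate of false rejects (friction for legitimate users) against some rate of false accepts (fraud). The block below is an added illustration, not code from the panel, from Amazon or from NIST; the score scale and the two sample sets are constructed for readability and do not represent any vendor's measured performance.

```python
"""Toy illustration of why a biometric match is a probabilistic signal.

Constructed example: genuine and impostor comparisons produce overlapping
similarity scores, so any accept threshold trades false rejects against
false accepts. The scores below are synthetic, not measured data.
"""
from typing import Iterable, Sequence

# Constructed similarity scores on an arbitrary 0-99 scale (assumption).
# Genuine (same-person) comparisons score 40..99; impostor comparisons 0..59.
# The 40..59 overlap is what makes the accept/reject decision probabilistic.
GENUINE_SCORES: Sequence[int] = tuple(range(40, 100))   # 60 synthetic samples
IMPOSTOR_SCORES: Sequence[int] = tuple(range(0, 60))    # 60 synthetic samples


def false_reject_rate(genuine: Sequence[int], threshold: int) -> float:
    """Fraction of genuine comparisons that score below the accept threshold
    (legitimate users who get turned away or pushed into a fallback flow)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: Sequence[int], threshold: int) -> float:
    """Fraction of impostor comparisons that score at or above the threshold
    (fraud attempts that pass the biometric check)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def sweep(genuine: Sequence[int], impostor: Sequence[int],
          thresholds: Iterable[int]) -> list[tuple[int, float, float]]:
    """Return (threshold, FRR, FAR) for each candidate threshold so the
    operator can see the whole tradeoff curve rather than a single point."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def equal_error_threshold(genuine: Sequence[int], impostor: Sequence[int],
                          thresholds: Iterable[int]) -> int:
    """Threshold at which FRR and FAR are closest (the equal error rate point,
    a common way to summarise a matcher with one number)."""
    return min(thresholds, key=lambda t: abs(false_reject_rate(genuine, t)
                                             - false_accept_rate(impostor, t)))


def has_zero_error_threshold(genuine: Sequence[int], impostor: Sequence[int],
                             thresholds: Iterable[int]) -> bool:
    """True only if some threshold rejects no genuine user and accepts no
    impostor. With overlapping distributions this is never the case."""
    return any(frr == 0.0 and far == 0.0
               for _, frr, far in sweep(genuine, impostor, thresholds))


if __name__ == "__main__":
    for t, frr, far in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(30, 71, 10)):
        print(f"threshold={t:3d}  FRR={frr:.1%}  FAR={far:.1%}")
    print("equal error threshold:",
          equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 100)))
    print("zero-error threshold exists:",
          has_zero_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 100)))
```

Raising the threshold from 40 to 60 drives the false accept rate on these synthetic scores from a third to zero, but at the cost of turning away a third of genuine users; no threshold clears both error rates, which is the tension the panel describes. A deterministic check such as a death-records lookup has no such curve, which is why the guidelines can add it without a usability cost.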
These considerations all influenced NIST’s updates to its Digital Identity Guidelines.
Some of the guidelines include measures relying parties are already using when performing remote identity proofing, Fisher says. A check of whether the applicant is deceased is one example: it provides a way to spot a fraud attempt without adding any friction to the user experience.
Chicken-and-egg killers
Amazon's current measures include “the simple demographic check” and ID document and selfie biometrics checks, “which we’re starting to hate as well from a usability perspective and a security perspective,” Grassi says. The ecommerce giant is planning to start accepting digital IDs like mobile driver’s licenses (mDLs) and European national IDs presented from mobile wallets in 2025, he revealed. Federated identity based on Aadhaar will also be added.
For ID and selfie biometrics checks, Amazon uses a multi-vendor approach, in part for redundancy, but in part to serve different regions. “But we are doubling down on digital credentials,” he says.
The panelists agreed that both document authenticity and digital ID checks are going to have to be supported for the foreseeable future.
While that remains the case, adding machine-verifiable capabilities to identity documents can help make the whole remote identity proofing process more secure and reliable.
Fisher is leading NCCoE’s mDL adoption initiative, along with Ryan Galluzzo, which will explore their effectiveness for online identity proofing, account recovery, and other uses.
The lack of current use cases is one of the reasons that adoption of mDLs is slow, Wu notes. Acceptance by Amazon may help motivate states to issue digital IDs and people to use them. Despite a classic chicken-and-egg problem between issuance and adoption, “we’re hoping to be one of those killer use cases,” Grassi states.
The fragmentation among digital wallets, between platform wallets from OEMs like Apple, Google and Samsung and wallets from providers like Idemia, SpruceID and Scytales (which is building European identity wallets), forces relying parties to decide how secure they believe each wallet's biometric binding, and its issuance process in general, to be, Fisher says.
Grassi says Amazon plans to apply lessons learned during the implementation of passkeys to mDLs.