Digital ID & the Metaverse

Cameron D’Ambrosi [00:00:36] Welcome everyone to State of Identity. I’m your host, Cameron Ambrosi. Joining me this week is Erin Painter, CEO at Nametag. Erin, welcome to State of Identity.

Cameron D’Ambrosi [00:00:46] Cameron it’s a pleasure to be here.

Aaron Painter [00:00:48] Really excited for this episode. You guys are right at the intersectionality. I think of, you know, these burning hundred billion dollar questions that are at the heart of the digital identity space. So before we get into all of that, maybe just a quick hit on your bio, your background and how you came to lead the team over at Nametag for sure.

Cameron D’Ambrosi [00:01:09] I spent about 14 years at Microsoft. I started in Redmond in Seattle, where I now live. But after a couple of years, I moved outside the U.S. and spent most of my career there in different parts of the world. A couple of years in Brazil, seven years in France, four years in the UK. Then ultimately about five and a half years in China where I was building kind of the enterprise business from the ground up. I left, I wrote a book on the importance of customer and employee satisfaction and how often when an employee feels heard and listened to, they carry that same sentiment to engaging with with their customers. And it brought me a lot into this kind of customer experience through domain. And then I went to run a cloud computing consulting firm that was based in the UK, owned by a large private equity firm. We were eight of us largest partner at the time in Europe and it was just a crazy period of early cloud adoption and growth to expand a lot in Europe and North America to manage services and other things. I left that just at the end of 2019, just before the pandemic, and then came name tag.

Aaron Painter [00:02:09] Love it. And what is name tag? I think for consumers it might be a bit more obvious and in some ways than folks in industry, just because when you’re talking with a digital identity professional and you say, oh, you know, I’ve built a platform that’s kind of in the authentication and identity verification space. There’s so many things that that might mean and in so many different approaches fundamentally to the challenge of how can we help platforms, you know, establish a high level of trust with their users? And how can users onboard themselves in a trusted privacy preserving and low friction way? So a bit of a loaded question there. But, you know, how are you at nametag kind of tackling this very sticky wicket?

Cameron D’Ambrosi [00:02:57] We have several beliefs, I would say, that could be guided what we built. And for me, it started very practical. You know, at the start of the pandemic, I had several friends and family members who had their identity stolen and. All right, well, let’s you know, let’s jump on some customer support calls together. Let’s call and get things sorted out. And everyone we’d speak with had no other way to validate the identity of the person except essentially knowledge based questions, which we know are not really the best from a security perspective. But it’s what they had. And these hardworking customer support reps were asking questions that were either really simple, you know, what’s the last phone number you dialed once upon a time? Or, you know, what’s the name of your pet or something from a credit profile? You know, what street did you live on in Exeter? And they were either too hard or too easy to answer. And we both hang up the phone and we’d say, Gosh, no wonder my identity was stolen. Like, this is how my accounts were protected. And so all of these efforts we think about is as they really start to embrace and kind of take my experience in product and enterprise and security into this true kind of identity space as we might think of it. I said, Gosh, we’ve got this fundamental problem in cybersecurity where if you don’t trust the identity of a user on the phone or online, it is very difficult to keep an account or even an infrastructure protected. And in the online world, unfortunately, it’s not much better. You know, all these efforts of multifactor authentication, you know, to fail to set up an authenticator app. Those efforts have been great in improving the security of someone accessing an account, assuming you know who the person is. And I would argue today that all of the technology in the market looks at authenticating devices and not necessarily people. And then there’s other world that obviously you know so well and that we kind of live in today. This ID verification world are often one time efforts of Hey, we can in digital way today at someone for a trusted document like a government issued ID, we can ask them to take a selfie. We can match those two things up. But they’re typically done as a one time experience. And there’s not that sense of can we can we make sure that that is the same person each time returning to a website to log in or on the phone with that customer support agent? Because they’re cyclical. When you get locked out online or you need to reset your password or you’re provisioning the account or maybe you’re provisioning, you know, my voice is my password. That’s a wonderful if you provision to the right person. And typically it goes back in this loop to customer support to say, hey, I’m locked out. I lost my phone, my authenticator app didn’t work, I got confused. And we’re stuck with these silly knowledge based questions as the way to keep accounts protected. So the on the phone, the online experience in our minds are very linked.

Aaron Painter [00:05:38] Yeah. I mean, I think you are you’re really asking the fundamental question, which has been the challenge of our industry, which is how can I answer the question of who is behind this device and can I trust them? And more critically, is this the same person that had maybe opened the account previously? And, you know, the the big challenge there is it’s one thing if you are working for a startup that’s starting from scratch. And so every new account that comes in, you can just say, hey, we use name tag, sign up. That’s not the world we live in. Every consumer already has 100 plus accounts and many of the organizations coming to you as name tag trying to solve their identity problems. They maybe have, you know, in some cases 20, maybe 30, 40, depending on the, you know, age of the organization, 30 or 40 years of cruft of of legacy, technical debt, of earlier stage identity systems, you know, layered and taped together, stapled on top of one another. You know, how are you thinking about solving those challenges? And and what is the, I guess, fundamental difference in how you might approach working with a company that maybe already has an existing stack they’re trying to supplement or replace or someone who’s coming to you. With a clean sheet that you get to draw on.

Cameron D’Ambrosi [00:07:02] I think the biggest learning for me in this space so far has been how many companies are struggling with what they have implemented today. You know, they they had employees logging in with single sign and credentials and they say, oh, things are things are good. My network is protected. It was oh, that’s wonderful. What do you do when employees locked out? Oh, gosh. You know what? We just had that problem. Oh, did you hear about our recent data breach? Or did you hear about our I.T. person? Not sure that they were helping the right employee who called in and it was really a fake employee claiming to be locked out. It’s it’s these examples where in the employee context. In the customer context, obviously, we know the amount of fraud. These scenarios where what they’re using today has been so focused on device based protection or authenticating with the username and password, it hasn’t gone as deep as to know who the person is behind that screen. And that fundamental disconnect has created an enormous amount of security, vulnerability, risk and fraud. And I ground to your point, I ground in a process that I think works really well offline, which is all the technologies IT and methods that companies use today. The gold standard, sadly, is still why don’t you come into the, quote, branch or security office or headquarters or pick your place and show me your government issued ID and someone there is going to look at that ID and they’re going to look at you and they’re going to say, this ID looks this looks real and you look like the person on it. Great. Let’s get things set up for you. Let’s get them reconfigured. Let’s get things reset. And somehow that physical experience that we still rely on, it’s portable, it’s reusable for the end user. It’s grounded in kind of a route of trust of a third party government entity, meeting you, taking your photo, looking at a bunch of documents, that process that works offline. We have not been able to carry that into the digital realm, and I think it’s caused an enormous problem.

Aaron Painter [00:08:53] Well, in the you know, the other challenge around those legacy processes is that’s presuming that person in real life knows what they’re doing, knows what they’re looking at like is your I guess i t i t desk say that three times fast. Is your i.t desk guy or gal that is responsible for looking at the person’s face and looking at their id trained to do something like detect counterfeit california driver’s licenses or a fake passport. I would argue they are not. So, you know, even with those fallbacks that are not so vulnerable, like, you know, knowledge based authentication, as you alluded earlier, still subject to a bunch of different challenges and vulnerabilities. So pivoting slightly back to, you know, your approach at at nametag. You, it seems and correct me if I’m wrong here, but you are looking to build a network as an identity provider where when when someone comes in to onboard themselves for the first time with a company that’s leveraging name tag, they’re going to complete, you know what we would call it liminal and identity proofing session. You know, give me your driver’s license. Give me your face. Let’s bind those together securely with your device in some way and now give you a reusable identity token in the form, as I understand it, with a QR code that lets you then take that identity and federated out to any number of relying parties or platforms that want to use nametag. You know, how have you gone about the challenge of building that ecosystem up? I think it’s it’s a model that we know can be successful. But the challenge is always, you know, I’m looking to build a consortium of relying parties. And the first question those relying parties often ask is, well, how many consumers do you have on your platform? And it can be a bit of a, you know, what we refer to as a chicken egg problem, which is I can’t get users on my platform until I have a critical mass of applications and end use cases for them. And getting those and use cases requires those those critical mass of users. So how have you gone about kind of tackling that cold start challenge?

Cameron D’Ambrosi [00:11:08] You know, when we started building name tag, that was very much top of mind and we focused on how do we grow users as a way to bring that immediate value of someone sort of already in role to a company. And I think what was surprising for us and continues to be is how much the companies and scenarios that we engage with have said, I don’t care. They said, Yeah, sure. You know, it’d be really nice if you had a pre enrolled user and he was even faster for them. That’s great. But let me tell you about my challenge problem scenario and the range of scenarios that we encounter are so broad, but they are typically, you know, I don’t have a way to be able to trust even one time the person whose calls on the phone or the one time they log in, let’s say, online or sign up for an account. And even beyond that, I certainly don’t have a way to reach verify. It’s actually the same person if they come back multiple times. And so one of the earliest areas that we saw were actually a bunch of companies that said, I love this for my customers, but can I start with my employees? I have an issue with hiring. I have an issue with people coming to interviews. I don’t actually know who they are. I’m interviewing them, let’s say on Zoom or teams. I don’t know if they’re the same person. I’ve had issues where I’ve actually even offered someone a job. In the U.S. you have several days before you go through kind of an I-9 verification process. And we heard stories of companies hiring employees and then day one, them stealing IP and disappearing, or even more so them saying, hey, yeah, this person’s really qualified for the job. And that person has then outsourced their work to someone else or a friend or family member, or let’s say if they’re a customer support rep, maybe they’re not available that day and the friend or family member logs in with their username and credentials that day. There are all these scenarios where companies have said to us, You know, it’d be great if you brought me tens of millions of users. But gosh, the ability to make sure that the person I think I’m engaging with my employee or my customer is the one that I hope it is, gosh, that is incredibly valuable from day one. And so that culture problem for us hasn’t hasn’t been there in the way we might have initially envisioned it because of the value in just this reusable ID verification each time.

Aaron Painter [00:13:13] From that perspective of the relying parties in your network, you know, what are they telling you with regard to what their expectations and desires for an ID are? Obviously, you know, I have my thoughts as to from a consumer perspective what I want to see out of a platform. You know, what are the big questions that your platform customers are coming to you with? Like, are their concerns mostly around the friction side of things? Are there concerns around how much data they have to store? Like what are the the main questions they’re coming to with in terms of like, why should I implement this platform? And what are the biggest challenges that they’re hoping you can solve for them?

Cameron D’Ambrosi [00:13:54] And I think those are the right categories. And fortunately, we’ve been able to kind of check them off in a way one, one by one. You know, we built a data model from the beginning that was that was very advanced. We call it privacy masking. And it works two ways. It works for consumer. Back to your in-person example, one of my favorite is, you know, going into a bar and you see you need to be 21, right, to enter the bar to have a drink. It’s kind of creepy to give that person at the door often your whole ID, you know, particularly they need to know really where I live. Like we just need to know that I’m over 21. Don’t even need to know my name really. Right. So is there a way to limit, even though let’s say you’ve scanned your ID to limit what it is you’ve shared with that provider? The bar in that example might be another. Let’s say you’re logging into a website that needs to make sure you’re over 18. Maybe age verification alone is enough and so we can mask what you share in a very specific consent or in. Way and the other side is for the company. So we created from day one a platform where companies didn’t have to store any. I think if they want, they can not even store the name and literally just kind of encrypted personal ID. That then calls on us when they might need to know it in case something went wrong. Or let’s say they wanted to, you know, send out an email to an email address if it’s information that the consumer has authorized to share. The company doesn’t have to store it. They can call when they want the APIs. And so that helped us a lot in the privacy side. I think another big one to your point was sort of the user experience and it was how do I make this secure and just fast and how do I make it seem kind of slick? And when we got started, we built sort of a third party apps. You can think of them almost like identity authenticator apps because to the best of sort of multi-factor authentication with ID verification. And then once we go do once we’re able to store an encryption key in the secure enclave and make it reusable so that in the second go, a person doesn’t need to necessarily scan their government issued ID if it’s on the same phone, but they might be asked to use face ID or traditional selfie scan. And so it’s reusable in that sense. Got some really neat things on recovery if you lose your phone. But that’s a separate discussion. Once we had those apps in place, it was, All right, how do I get users enrolled in those apps? And we then had this really big breakthrough just earlier this calendar year where we were able to use this technology called app clips from Apple. And there’s a similar one called Instant Apps on Android. App clips for Apple came out at just before the pandemic, and I think they had a different plan for how to use them. And because of the pandemic, they just didn’t get the uptake in the developer ecosystem that was possible for us. It essentially is a full security functionality of a native app without the end user needing to go to the app store. So when you go to a website, let’s say, and you scan a QR code and say you want to log in instead of a username and password standard name tag flow. Or let’s say you get a text message link on a customer service rep on the phone, you click on the link. Either way, it launches on an Apple device, this thing called an app clip. It’s custom branded for the company you’re talking to. It looks like it’s just part of your phone look. Feels like it’s part of the OS. In fact, it’s a mini app, so to speak, that’s delivered over the air in a small package. It pops up, it asks you to scan your government, ID asks you to do a selfie. Any other information the company companies asked for you? Review the information you’re going to share. If you consent to share it, you click share or sign in and that information goes in your logged into the website or the customer support rep knows who you are, but it feels incredibly slick and modern. You didn’t download an app and the cool part is we get all the security properties of a native app. So unlike traditional I.D. that might say, Hey, hold up your ID to a webcam and things like that, we’re able to cut down a lot of threat vectors simply by using all the security properties inside that mobile device. You know, things like the G is the camera that it was taken on actually in the device app attestation, you know, 3D mapping, liveliness detection. We can analyze the advanced cameras on looking at the dimensions of the document and blur and things associated with it. And then even most importantly, we can use a secure enclave and leave that reusable sort of encryption key that allows you to the next time you come, not necessarily have to scan your government issued ID again. So that was a really big breakthrough that responded some early customer feedback on how do you make this as easy, fast and kind of slick as possible.

Aaron Painter [00:18:17] Document scanning piece, I think is the other really interesting area of flux right now in our ecosystem. Obviously with IDs 2.0 coming out of the EU, with mobile driver’s licenses in the U.S., with other initiatives, whether it’s bank ID or other kind of federated, large scale digital identity schemes that are either already out in market or coming to market soon. How do you see name tag interfacing with those programs? You know, I think from my perspective. Having outlets where, you know, if a platform has engage name tag, you can be the vessel that lets them connect to what could shape up to be five, ten, 15, 20 different and disparate ID schemes and allow a kind of a single access point for relying parties to authenticate and verify those identities. Seems like the path forward. How are you thinking about what this landscape is going to look like when you know, consumers have a mix of both physical and digital credentials at their fingertips?

Cameron D’Ambrosi [00:19:23] Yeah, I love the vision. I think it’s very aligned with how we view the world. We want to be something that you can use from a variety of vendors, from the security perspective to it, it allows us to help better protect the individual because really a company is asking us, Hey, at this moment. And I believe identity, by the way, is a real time topic at this moment. Is this person who they claim to be. And someone could be trying to impersonate that person. They might be a variety of factors. We want to be able to give a high competence amateur back to the company. And so the more an end user is using nametag, either with one company or multiple companies, it gives us more check points on that individual. And more recent time they might have taken a selfie for confirmation. Maybe we can check location changes, behavior patterns, things that are all in the spirit of protecting the end user. They’re fully in control of what they share, but it’s giving them a greater sense of their identities accurate. So in one part, I believe a lot of those data points alone can help us answer a real time question of someone’s identity. Not simply want to know, did I get a DMV or did I put that, you know, a credential at one point on the blockchain at a certain point in time? I don’t want to just make sure that was valid. I want to make sure that identity is a real time question can be answered in a really sincere way. To your other question, I believe a lot in a governments increasingly digitizing their document types. I personally, when we built nametag, we wanted to focus on the privacy preserving elements, companies not having to store data. They didn’t want to authenticating actual people and not devices. But I really didn’t want to have to get into this scan your ID and make sure it’s an accurate ID. And governments that have taken some slightly more advanced steps or the steps that are now in discussions and proposals I’m thrilled about if a government can give me a better way to say, Hey, we know that this ID is valid in a digital sense, I’d be thrilled to take those credentials and allow someone to sort of import those into nametag so they can then go use it in the recurring way and choose what they share and have a sense of history and the information they’ve given to others. I love that angle of it, so I’m very supportive of the increasing amount of efforts to say how do we validate the ID as it came from the government piece? Scanning it today kind of feels like the most basic something we want to be good at, but I’m excited that there’s a growing innovation in that space.

Aaron Painter [00:21:40] I think it’s look, it’s really set to be. And interesting in an in many cases, critical moment, I think, for the industry. And look, if we lived in a country that maybe had a. Chance, shall we say? I’m trying to pick my words somewhat delicately here, but let’s just say, given what I understand about our current political moment and kind of a long and checkered history that Americans have had with the notion of kind of a centralized federal identity, whether that’s a physical card or looking forward to a digital identity, I think, unfortunately, we as Americans are going to be stuck with kind of a 50 state patchwork. Of identity schemes when it comes to how credentials are put into the hands of individual users. And that’s going to put the onus on us as an industry to make that patchwork work, make that patchwork work. I guess I can say that to make this patchwork successful, right, for the industries that that need identity to function. And again, you know, I would argue every industry needs identity. If you’re not thinking about how digital identity is impacting your business, I would I would argue you’re not thinking hard enough. So towards that end, you know, the critical role that platforms like Nametag are going to play, I think in many cases is is outsized is magnified by this adoption of digital identity schemes because rather than than this being, you know, a panacea that’s going to solve our existing fragmentation, I think in some ways it’s going to accelerate fragmentation for the time being until we can kind of figure out what this future state really looks like.

Cameron D’Ambrosi [00:23:18] I’m 100% with you. What concerns me is that we have a problem today. And so a lot of the discussions on identity that feel very forward centric or next generation or we could even of talking about in more modern places like Web3 or in the metaverse where you might use your identity. I think we have a problem with today’s Internet. I don’t necessarily think that someone needs to always use their real name. I believe in pseudonyms. I believe enormously in privacy and selective disclosure. But I think, for example, social media platforms have a responsibility to know or have the ability to know who the person is behind a username. I think it’s critical in building trust in many scenarios and scenarios today that are already high trust, like the digital accounts that govern our lives, whether it’s, you know, government accounts or banking accounts or like goodness, if you’re, you know, your whole life comes from being a digital gamer or other things like, gosh, through accounts in our lives that really matter and need to be protected. We need to make sure that the right person has access to that account. And today we are not set up for that. So if I need to import the physical IDs that someone has and the piece of plastic or the laminated this that they got from their government, and I can get enough source to trust out of that and add the benefits of a kind of biometric face match and other things. I’ll take it because I think it can take us much farther than where we are today as a society, and then we’ll keep rolling with it as other additional innovations come out and governments step up even more there. But I, I think with what’s out there today, we can and frankly, we have built something that is secure, reusable, and I think can really help society for a lot of the challenges we’re facing.

Aaron Painter [00:24:55] Could not have said it better myself. I think we’re we’re very much simpatico when it comes to, you know, where we are in this current moment and. Again. I thought that was really elegant the way you framed it. Like this is a now problem. I think with digital identity, letting the perfect be the enemy of the good has always been a fundamental challenge. You know, when you start talking about adoption of solutions that we can deploy now, people want to say, well, it’s, you know, maybe not perfect for for X, Y and Z reasons, but you cannot compare what is being proposed and what’s on the table now with an idealized future state. You have to compare it with, well, what do we have now? You know, have we made things better for more people? Have we reduce risk? Have we, you know, reduced the amount of friction that people are needing to subject themselves to when creating an account? And is that going to get us closer to our target state, which is minimizing data breaches, minimizing the risk to platforms from fraudulent accounts, while at the same time making it that much easier and safer and more secure for the average person to transact. So I could not be more in agreement that, you know, getting folks really thinking about these questions from a different angle is really, really critical. And what’s the cliche I’m looking for, you know, the best time and apologies if I’m screwing this up everyone. But what’s like the best time to address your digital identity problems was yesterday. The second best time is now. Like there’s no excuse. And this is a critical, critical need and we need to act.

Cameron D’Ambrosi [00:26:31] I think it’s amazing the work you folks are doing in Liminal. It’s one things I’ve been very excited since. Seen some of your early research and reports. The fact that a firm like yours even exists is speaks to the need that’s out there on the market.

Aaron Painter [00:26:43] Awesome. Well, we will leave it there. But before we go, shameless plug time, Aaron, for folks listening who are intrigued by name tag, who want to learn more, who want to get involved, what’s the best place for them to go? Should they reach out to you? Should they reach out to someone else on your team? What are the best choices for them?

Cameron D’Ambrosi [00:27:01] Yeah, check out our Web site, get name tag, AECOM and LinkedIn, both me and Nametag. We produce a whole bunch of content. We love kind of ideas and having a discussion on the stuff that we’re really passionate about. So if you have an interest in this space to please come and engage, reach out. We we love we love the discussion.

Aaron Painter [00:27:19] Amazing. And we will make sure to include those links in the show notes below. Erin, thank you again for your time. Really, really appreciate it.

Cameron D’Ambrosi [00:27:25] True pleasure, Cameron. Thank you.