IDEMIA is one of the biggest digital identity and security companies in the world, and has established itself as a leader across a diverse range of technologies and sectors. The company has consistently outperformed rivals in third party testing conducted by the National Institute of Standards and Technology (NIST) and the DHS; it’s helping to pioneer the emerging concept of biometric payment cards; and it counts even INTERPOL among its high-profile clients in the law enforcement sector. But IDEMIA is poised to accrue even more distinction through its trailblazing efforts in the area of mobile ID, with a biometric identity solution that is already getting serious attention from multiple state governments.
That Mobile ID solution is the focus in a new interview with three of the company’s top executives – Identity Solutions SVP Matt Thompson, joined by Chief Technologist Tim Brown, and Product Market Strategy & Partnerships head Dan Dabrowski. Speaking to FindBiometrics Founder Peter O’Neill, the executives explain how the COVID crisis helped to accelerate adoption of Mobile ID, lay out IDEMIA’s extensive work with DMV agencies, and detail the real advantages that their solution brings to bear for such agencies and end users alike. They also delve into the groundbreaking design philosophy that underpins IDEMIA’s Mobile ID solution – “Identity on the Edge”…
Peter O’Neill, Founder, FindBiometrics: How did the accelerated digital transformation caused by the pandemic affect the ongoing rollout of IDEMIA’s Mobile Identification?
Matt Thompson, SVP Identity Solutions, Identity & Security, N.A., IDEMIA: I think what we saw was that states that already had it in place were well-positioned to take advantage of the benefits of issuing their citizens a trusted digital ID. And where a state already had this program in place for their citizens, they were able to add on additional services and start leveraging the benefits of having digital ID in their state much more rapidly. Where we’d been in discussions with states for years on the benefits and working with them to launch their programs but hadn’t launched them, we really saw a slowdown in the rollout on the execution side, but we definitely saw an accelerated understanding of the benefits.
To say that more succinctly, while COVID slowed down their rollout of digital ID, it accelerated their thinking quite a bit because they were experiencing firsthand the gaps that they had in the state when they had to rapidly shift to digital service delivery and they were poorly positioned to support that transition.
Peter O’Neill: One fascinating example of your solution at work in the new normal is in Oklahoma, where your identity proofing and verification services are used for unemployment services. What challenges did IDEMIA solve for the unemployment office? And how does your identity proofing and verification services improve the unemployment application process for the consumers?
Matt Thompson: I’d say we had a national crisis that happened in terms of delivering benefits during the pandemic and the exposure of unemployment benefits that went to fraudsters is estimated by many in the tens of billions. The most recent article I saw had it at 60 plus billion dollars of benefits that were paid out to fraudsters. The challenge was you had all of these states receiving large dollars from federal assistance to go to unemployed residents in their state and all of their models of delivery were set up around brick and mortar and paper-based processes. And when these legacy service models couldn’t be used during COVID, they defaulted to these online application processes that were almost completely open, ungated and exposed to fraud. The fraudsters jumped right in and took advantage of those weaknesses in the way that identities were being vetted during unemployment applications.
So, we worked quickly and closely with Oklahoma to gate the unemployment application process so that only people who prove their identity upfront, and I’ll have Tim go through the actual process by which they prove their identity in Oklahoma, but what we did was we put a gating function at the front-end, or as the first step of the application process using the state’s identity bureau, which is really the DMV in Oklahoma to verify against, in order to make sure that it was a person that had a rightful claim to file in Oklahoma, as well as was the legitimate person for the unemployment benefit itself. Tim, do you want to speak more to that in terms of the process?
Tim Brown, Senior Director of Technology and Chief Technologist North America, Digital Identity at IDEMIA: So, we really leveraged our identity-proofing platform, ID&V which basically guides a user through the process of onboarding and sharing their identity attributes. We support the ability to collect physical credentials such as driver’s licenses and do that along with a selfie and provide a level of assurance attached to that. But I think where the big benefit is realized by states is in the use of a reusable credential, like a Mobile ID. Because the user has already gone through the proofing process, they already established this strong credential on their device, they can then share that through a consistent consent mechanism to help release that data to the agency. And then, on top of that, it can be reaffirmed without the user having to log back in. They can push confirmation or request for additional information back out to the individual for the Mobile ID infrastructure that we support.
Peter O’Neill: That ties nicely into this next question, and that is about IDEMIA’s long history of working with vehicle registries and the DMVs. How have those relationships influenced the development and deployment of IDEMIA’s Mobile ID? And just as an aside question, how do you expect Mobile ID to change the relationship between users and the DMV?
Matt Thompson: IDEMIA’s history in identity credentials in America goes all the way back to issuing the first photo driver’s license in the US in 1958. And again, it wasn’t named IDEMIA at that time, in fact, we’ve had over a dozen names if you go back and map the lineage back to 1958. But effectively, IDEMIA and the parts of IDEMIA that go back that far have effectively led every evolution in identity issuance and credentialing in the US. And we’re super focused right now, Peter, on the vision for the industry in the physical to the digital identity transition and we think that this is the most major evolutionary step in identity since going back to that photo driver’s license in the late fifties. And while it wasn’t issued as an identity credential then, it was purely recognized for the right of driving.
Nowadays, it’s become the most commonly used method of proving identity. We think this transition from physical to digital is the most significant step-change innovation that’s happened in this industry and it really changes everything in terms of the relationship that motor vehicle agencies have, which is really evolving from being about driver and vehicle services, to be more essentially focused on identity issuance and management, and the value that they create more broadly in terms of the credential that they’re now issuing in a Mobile ID form.
Mobile ID can be used across a broader range of use cases and for broader benefit to the end-user, as well as to the broader ecosystem as well as the protections that it has from a security and privacy standpoint that far exceed anything that you can do with a piece of plastic.
We’re excited about this transition. We are the incumbents in the space issuing about seventy-five percent of all the physical identity documents in America and we’re expecting to be the market leader in helping the industry make this transition. Dan, can you please add to my comments on this question.
Dan Dabrowski, Senior Director, Product Market Strategy & Partnerships — Civil Identity at IDEMIA: The one thing that I would add about the approach that we’re taking here that is fundamentally different from what’s being done, is we’re actually disintermediating the identity process. So, when we look at the types of federated credentials and identity verification capabilities that are being used widely today, they’re really about creating centralized repositories of identity data. What we’re driving towards here, is to take that away and put privacy back in the hands of the individual, putting that power and consent and control back in the hands of the individual, ensuring that the extent of the relationship between the individual, the relying party and the state government vouching for them is simply about a high assurance attestation and nothing else.
So, I think that that is fundamentally different from the way most digital experiences have come about today and that’s really the level of change that we need in order to build trust into this ecosystem and create long-term adoption.
Peter O’Neill: I’m going to ask you, Dan, to dive a little deeper into that particular topic, because given the current public perception around identity technologies in the wake of the horrendous data breaches, privacy and data security is a major concern when it comes to the handling of PII and biometrics on the scale that we’re talking about. I understand IDEMIA’s practices can be described as by design philosophy “identity on the edge.” What does “identity on the edge” mean in terms of protecting user data?
Dan: It means when that identity is proofed and that information is validated, it is only stored securely, encrypted on the secure element of the user’s device and at the DMV, or on one edge or the other. So, it’s not stored in the cloud where it’s IDEMIA’S identity database. So that is identity information that signed for by the state as matching the identity information that was created when that person actually went in-person and went through a strong proofing process to get their driver’s license issued. We are not keeping it in the middle. And we believe that this is important because when you look at the way that identity proofing is typically done today in the market, we’re looking at a whole bunch of different proxies, really tracing breadcrumbs around the internet, which inevitably becomes more intrusive as we look at people’s behaviors, their buying patterns, their IP addresses, their device fingerprints, their geolocations and everything that they’re doing across the web.
That, to me, is too much like surveillance capitalism. It’s too much of a threat to my ability to trust that that data is not going to be otherwise used in a way that I’ve never consented or was never aware of. It’s the reason why prior to the pandemic, my mother would never do online banking, she’d always go into the bank. She simply does not trust giving over all that information with little control. So with that said, there are a number of very intrusive techniques that have to be typically done in order to get the identity right when doing standard identity proofing in an online setting. And as a result, it’s very costly, which is probably driving a lot of the fundraising we’re seeing in the digital identity space today.
And that costly process not only includes integrating vast amounts of data sources, but it also includes a lot of manual intervention and a lot of human operational expense just to get through that identity process, subsequently creating an asset that on the backend is under constant pressure to be further monetized, which is not IDEMIA’s strategy at all. So, we are solely giving that identity information back to the individual, we don’t hold it. The individual has the right to release it to whomever they want, in whatever format and whatever capacity that they want, as needed. But it’s not us operating as this central figure.
Tim: And I would add there, Peter, to what Dan was just saying at the end there, and I think a keyword is transparency for the end-user as well. They’re consenting to the release of data from their device out to relying parties, but the relying party is requesting it and the user knows this. They’re presented with user experience that says, “Hey, relying party X is asking for your data. This is specifically what they’re asking. Do you consent to release that?” I think that level of transparency is sort of far above these data aggregators that are out there just collecting data on your behalf and kind of chewing through it and to establish your identity.
Matt Thompson: And again, we don’t want to replicate these honeypots especially some of these ones that, through recent fundraising, massive fundraising rounds, are going to be pushed to the edge in terms of what they do with all the data that they’re collecting on individuals today.
We’re deliberately taking the very opposite approach because we think that a relatively pristine digital identity record exists at least for 220 million Americans that have a driver’s license and who went through a powerful in-person identity vetting process at the motor vehicle agency and that identity record is bound with a face image that can be biometrically verified against in the form of the identity records that exist in every state at the driver’s license agency.
And again, our goal in all this is to put infrastructure in place that allows the state to issue their residents, their citizens, a more modern identity credential, and to keep that data safe and protected, but respond to a request to have it verified when the citizen is the one or the individual whose identity is associated with it is the one that is making the request. We just think that’s a really impactful role for states to play and really increases the level of trust that we can expect related to digital commerce or digital citizen delivery.
Peter O’Neill: It seems apparent that interoperability is key for any sort of mobile ID technology tasks with replacing or augmenting state-issued identity documents, especially in America where the driver’s license is about the closest thing we have to a national ID program, as you were sort of mentioning. How is IDEMIA ensuring Mobile ID can be as versatile as it needs to be?
Matt Thompson: Well, again, as the US leader for issuing physical driver’s license, which are governed by standards and need to be interoperable because those driver’s licenses are used outside of the US as well, not just within the US among states, and need to be verified not only when I cross state lines, but also when I travel internationally. And there are international standards that govern the issuance of physical documents. As such, we’ve been on a… I think it’s six-plus-year journey now of developing and working to support the broader industry globally on the development of international standards for the issuance and acceptance or verification of mobile driver’s license, ISO 18013-5 is the mobile driver’s license standard. IDEMIA has been investing heavily in the standards’ development during that entire period, as well as building our Mobile ID solutions to comply with that standard.
As recently as the first part of 2021, we announced a successful conformity assessment that was conducted by UL, Underwriters Laboratory, against what was the draft version of the ISO standard, just to show our commitment to the importance of the standards’ development, the need for interoperability. And we’re working on a ton of major, what we call trust use cases, Peter, that are places that we’re building the verification capabilities to accept mobile driver’s licenses and replace the use of physical driver’s licenses today.
Peter O’Neill: As you were talking there, Matt, I couldn’t help but think back to the early days of the biometric industry, when standards and interoperability were the chief challenges. And now that the industry is moving into these new areas, it’s absolutely critical that companies such as yours take a leadership position to make sure that those are all being dealt with upfront, so congratulations on that. It’s absolutely critical to see the growth in this particular part of the industry.
Matt Thompson: The one thing I would add, though, is as we’ve been helping states issue digital IDs, and while we’ve been working on the mobile driver’s license standard, as you’re aware, Peter, the standards in digital identity are much broader than just mobile driver’s license, or as we like to call them mobile IDs. So, we’ve been working with numerous different organizations to bring the standards’ development and other areas of digital identity to the state-issuing authorities, the DMVs, and educate them on the need for things like alignment with FIDO, alignment with Kantara, where I serve on the board as the president, which is heavily aligned with NIST 80063, the federal digital identity guidelines here in the US, as well as others abroad. We’ve been working across multiple standards organizations because when you get to digital identity, it’s much broader than just the MDL piece.
Dan: The key role we’re serving with our DMV customers is to bring the ecosystem to them, because this is a very complex ecosystem. There are a lot of players and a lot of initiatives and a lot of different approaches to identity being piloted and discussed. So, it’s really been our strategy to get ourselves in the middle of everything so that we can have a full understanding of what’s going on across different standards, across different industry influencer working groups, across different major technology and financial institution providers to truly understand what the best and most scalable model going forward will be, all while maintaining that foundation of giving trust and transparency back to the individual.
Peter O’Neill: Digital transformation is showing no signs of slowing down. How will Mobile ID fit into the identity ecosystem of the near future?
Matt Thompson: Well, I think it’s the bullseye or the centerpiece for it. I mean, if digital transformation accelerates and outpaces the development and the use of trusted identity services to support that growth, then you’re going to have a lack of trust, a lack of transparency, and you’ll never reach full potential or maximum impact. And I think you’ll get to a point where digital transformation may accelerate, but the value associated with it will start to erode if you outpace the growth and trusted identity.
Tim: I was going to say it’s absolutely foundational. It’s not just at the center. It’s the key to success. I mean, I think we see it across many different verticals. You’re establishing it as we move away from sort of in-person interaction into these more online use cases and doing business at a distance. Having this strongly-proofed identity credential that’s on your device is absolutely foundational, and it will springboard other interactions, other technology, I think it’s just going to be the big driver.
Matt Thompson: I would just really argue that digital transformation has struggled to take off until COVID due to the lack of trust. And what we are enabling here is digital trust.
Dan: Well, I do have a comment to piggyback off of the last question and the last comment. Matt, this is what we were discussing this morning about digital identity, truly being critical infrastructure for a variety of purposes. And just one of the things that I personally saw with COVID, living where I live here in South Boston. Tons of small businesses suddenly were no longer viable as they’re getting shut down. They had to rapidly adopt new digital capabilities, whether it’s QR code menus, take-out orders, clever ways of keeping themselves in business. The state and local city government changing licensing laws to allow for more outdoor dining, stuff to just keep folks in business. Things that should have happened probably a long time ago but simply didn’t happen.
And I just really feel that in order to fully open up this future world where every single business, whether it’s a small local or giant conglomerate, has to have an underpinning of a trusted digital identity in order to even have a chance. If we don’t have it, we’ll just continue to create breaches of trust, and those breaches of trust aren’t just in terms of data breaches and hacks, but it’s customer service experiences. It’s things like being flagged for first-party fraud because an Uber Eats driver never delivered your order. And then you claim that it never showed up. And the next time you go to order, you get flagged, and you don’t get the order.
So these things that occur in the digital world have all sorts of trickle-down effects because of just the sheer number of decision points that are being made with the absence of a true digital identity infrastructure and a true way of validating and verifying truth in the digital realm. And I just think that this is a critical turning point for us to really grow out of our digital adolescence and really mature as a nation and society.
Peter O’Neill: Dan, you raise a very interesting point in that the pandemic has really forced forward, a lot of trends that we’ve seen in our industry. And the one that comes to mind for me is in healthcare. We’ve been doing a lot of work in healthcare in identity over the past several years. But, oh my, talk about an industry that was behind and now has faced significant challenges trying to ramp up as quickly as possible. Matt, you and I have chatted about this in the past. Beyond the government there are so many industries that need this type of solution. Are you seeing growth there as well?
Matt Thompson: We’re seeing growth in identity and the need for it grow exponentially. I mean, it is everywhere. I would say where it’s not as prominent as it is in the top-tier financial institutions who had been investing in identity for quite some time because they recognized the need and the importance of it for their digital transformation. I think they’re further ahead than certainly state and federal government, certainly than healthcare when it comes to their digital transformation. But again, I think it’s really outside of that group where we’re seeing the biggest need and the need being in a lack of existing solutions and understanding, quite frankly.
Peter O’Neill: Well, thank you all for your time today. It is certainly an exciting time. And Matt, Tim, Dan, always a pleasure speaking with experts in our industry that have the wealth of experience you have. I look forward to our future discussions.
Matt Thompson: Thanks so much, Peter. And on top of the industry knowledge, I’d just say our group here, Tim and Dan, certainly, I’ll speak about them. I mean, I’ve never met as committed people, as passionate of people, to solving the identity challenges that we have, as these guys that are joining me here. And I think broadly as we look across our colleagues at IDEMIA, you’ve got a lot of very committed people to helping solve these challenges. We’re excited to do it and happy to be partnered with you.
Follow Us