Let’s talk about digital identity with Aaron Painter, CEO at Nametag.

In episode 69, Oscar and Aaron discuss identity in the metaverse – including Aaron’s vision for how both people and organisations can prove their identity in the metaverse, and what virtual platforms can do to make their communities safer/more trustworthy.

[Transcript below]

“I’m deeply optimistic that we can create this metaverse environment, or the next generation of the internet or Web 3.0, with a greater sense of authenticity behind people to create safer and more trusted spaces.”

Aaron PainterAaron Painter is the CEO of Nametag Inc, the company who invented “Sign in with ID” as a more secure alternative to passwords. He is the former Vice President and General Manager of Microsoft China, Hong Kong, and Brazil as well as best-selling author of LOYAL, where he describes his key to leadership: fostering a culture of listening.

Find Aaron on LinkedIn.

Nametag is the fast, safe, everywhere ID with a mission to bring authenticity to the internet and enable people to build more trusted relationships. Through sophisticated, proprietary AI-technology, Nametag verifies people, not passwords, creating the next generation of digital security. The app uses multi-factor authentication, government ID verification, and biometric recognition to ensure only users have access to their own data. Nametag never stores, sells, or mines a user’s data. By putting privacy first, Nametag gives the consumer control over sharing your personal information, and the power to choose when it’s shared, where it’s shared, and for how long.

Find out more about Nametag at www.getnametag.com.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

­Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello. And today, our guest is a very special guest – it’s Aaron Painter, and he is the CEO of Nametag, the company who invented “Sign in with ID” as a more secure alternative to passwords. He is the former Vice President and General Manager of Microsoft China, Hong Kong, and Brazil as well as best-selling author of LOYAL, where he describes his key to leadership: fostering a culture of listening.

Hello, Aaron.

Aaron Painter: Hello, Oscar.

Oscar: Welcome. It’s a pleasure talking with you.

Aaron: Thank you. It’s an honour to be here. I love the show. I learn so much from each episode so it’s really a privilege to be on.

Oscar: Fantastic. Definitely, super interesting, the conversation we’re going to have actually about a topic we have not talked before in this show is the metaverse. So, let’s get started. Let’s talk about digital identity. And of course, we first want to hear about our guest, so what was your journey to come to this world of identity?

Aaron: My journey was really growing up in technology. I spent about 14 years at Microsoft, started in Redmond near Seattle. And then the rest of my career was outside the US. I spent four years in France, two-and-a-half years in Brazil, five-and-a-half years in China, mostly doing international development, working with large customers of Microsoft’s, partnerships, helping Microsoft expand into new geographies. I loved it. I got to experience so many different people and cultures around the world.

I left and then went to run a cloud computing consultancy firm based in the UK called Cloudreach for a couple of years. And I left in December of 2019, just before the pandemic. That’s where it all started.

Oscar: Since when you started in identity, already in your work in Microsoft, you start entering, immersing yourself in this world of identity, or it came much, much more recently?

Aaron: Identity came to me much more recently. And it was because so many customers that I was working with at Microsoft and later at Cloudreach were fascinated with security. Increasingly, everyone had a question of how do I help protect my infrastructure? How do I make sure I’m speaking to the right customers, that I’m speaking to the right employees, that I’m hiring people, and the people that I hire are the ones accessing the network and accessing my services? But for me, the real start of it was much more personal.

And at the start of the pandemic, I had several friends and family members, mainly in the US at that point, who had their identity stolen. And I tried to help them recover. And I said, “Alright, let’s do this together. Let’s, you know, let’s call customer support. Let’s try and have some conversations and figure out how we can get things back on track for you.” And everyone we spoke with, to me felt like sort of the Dark Ages. It was the opposite of what I had learned and experienced in China where you could do almost anything from your mobile phone.

But in the context of – particularly in the US at that point – validating who you were when you’re on the phone with someone in customer support or trying to log into an account, people had no idea. They were using antiquated methods to try and validate a person. And almost every conversation resulted in “Well, why don’t you come see me in person? Or why don’t you come into the branch?” But it was the pandemic, everything was closed. There was no branch to go to. There was no office to go to. And that’s when I realised that this problem of identity was paramount in what we’re trying to solve in the world of cybersecurity.

Oscar: Yeah, that makes sense – I heard some stories like the one you just said that. Personally, or someone very close, got compromised, lost their identity, how to recover was one of these realisations that yeah, this is a big problem, it is a big problem. So fantastic, knowing you are working now in the world of authentication, identity verification.

And I know because you just have a quick chat before this conversation that your services you are offering to companies who are entering into this, I don’t know how new we could say but a new, sounds exciting world of the metaverse. The metaverse, I guess we’ll have several metaverses, right, in the future. If you can start telling us what is the metaverse?

Aaron: Yeah. The metaverse has certainly grown in popularity in the last couple of years, probably most notably with Facebook rebranding their overall corporate brand as Meta has sort of a commitment from that organization that the metaverse really stands for the future. You know, other organisations like Microsoft have been very vocal and feeling like they’re able to create kind of a metaverse or a virtual community in the business world or in the enterprise.

And ideally, over time, it’ll be a place where people can interact in a virtual way, which oddly sounds similar to some of what we do today, right? We interact often, you might think of video game platforms as metaverse-like environments today where people spend their time, they interact, they make new friends, they play, they speak, they chat, and they build relationships with other people.

The metaverse ideally will provide more and more compute power, richer experiences and ways for people to build those relationships in new ways. And even richer technologies, perhaps things like holographic, 3D, augmented reality, wearing glasses, a whole bunch of richer ways to make those interactions seem more real life or more human.

For me, though, one of the scariest things about the metaverse is that we are inheriting a problem that we haven’t really solved in today’s world. And that’s this concept of how you trust someone online or over the phone or in a virtual or digital context. The history of identity to me gets really fascinating, because when you think about it in a physical world, you know, governments have mostly gotten pretty good at identifying their citizens.

I’d like to say, more so in developed markets, and… but you go to examples like India, or China and India with Aadhaar, and their digital identity programme to bring so many citizens into that realm of being recognised and identified. There’s been radical progress. But it wasn’t always that way. And if you go back hundreds of years, even in Europe, somebody would go somewhere new into a new territory, and they weren’t recognised. First, people would give them a letter or an attestation, saying, “Yes, this person is… I vouch for them.”

Eventually– maybe that was a king or some kind of leader. Eventually, that became a passport as we think of it in the modern form. So that when someone went somewhere new in the physical space, you could say this person can be trusted, because they have been identified, someone has gone through a process to make sure that they are who they claim to be.

And in the digital world, and then particularly in the metaverse, as you take that to the next level, we haven’t found a way to carry that over. In today’s online world, the closest thing we have to a passport is really a password. And a password is just not the same thing. You know, in the early days of computing, it was a smaller group. It was a more trusted community when networked computers started coming together, and you sort of knew who someone was based on the way they identified themselves, maybe it was an email address identified to an academic or a government institution, a password protected that account. But it wasn’t the same as a passport.

And as the ecosystem of the online world has gotten so big and encompasses so many people now, I would argue we have not as a society or as an industry come up with a solution yet that allows someone to be recognised and to keep their account protected. When you take that into the metaverse, it gets even worse.

Oscar: Yeah, indeed, indeed, it’s a problem that yeah, your company, my company, many, many people are working on that. It’s a problem still being solved as you said. And how do you envision when people are already on the metaverse? So, what will be, I don’t know if the ideal or how do you think… Today there’s already some metaverse, right? But it’s based mostly on a Discord account or, yeah, whatever we have today, right? How do you think it’s going to be when the metaverse has become more popular, more people inside, how – yeah, how do you envision?

Aaron: What I’ve realised as I’ve dug so much into this space is that we often fall back on kind of the least secure method, particularly when things go wrong. So, if you take a parallel world and Web 3.0, separate from Metaverse slightly, but you think of NFTs, for example, you go and buy an NFT because it’s someone’s digital work of art, which is a wonderful thing. And it’s a great way to give creators the ability to express themselves through new means and to protect the ownership of what they create. But the creator in that sense is often identified by a Twitter handle, right? So, this person is selling me this NFT they created and you might go look them up on Twitter and see if their handle is the same on Twitter as it is as how they identify themselves in the NFT. And if they have a profile, and they posted some things, you say, “Oh, that must be the creator.”

And unfortunately, that doesn’t work. The least common denominator in that case is Twitter. And as we know in recent discussions alone, we don’t really know who people are on Twitter. Some celebrities or certain government officials might have a verified badge and maybe we trust that, but the vast majority of folks on Twitter, we don’t actually know who they are. Yet when you take that as the underlying framework of identifying someone and carry it into things like NFTs the problem gets even more challenging.

Oscar: Yeah, absolutely. That illustrates what you say, that the problem from the Web 2.0 is coming to the metaverse. And what do you think could be a solution for that? Have you heard from standards that will – or the same standards that are now in the Web 2.0 will come to the metaverse, what do you think is going to happen?

Aaron: Well, most of what we’re seeing in the metaverse today is identifying people based on their crypto wallet. You know, our wallet address, you can have as many wallets as you want. You can have them with different providers. And your wallet in a Web 3.0 or crypto-based environment is often like an email address, meaning just like a Gmail account, you can go spin up a new one and be identified by that. That’s how people typically identify themselves in this kind of Web 3.0 environment.

Other Metaverse communities, depending on who’s kind of running them will default back on whatever their method of authentication is. So, if you think of it in Microsoft context, let’s say, it might be your Xbox gamertag, and you take your Xbox gamertag and carry that in, or your username or handle on Roblox, or similar on kind of a gaming platform. All these concepts are sort of pseudonyms, the ability to operate by a username of some kind that recognises who you are.

My premise, though, is that safe communities know their members. It’s OK to operate by a pseudonym, or to have an alias when you’re in one of these environments. But I think that the platforms have a responsibility to know the authentic identity of the person behind it. Because when they do, it creates a deterrent for people to misbehave, to conduct themselves poorly, or, frankly, to be able to disappear and come back under yet another account.

I believe that platforms need to know the real identity of their users. A lot like, let’s say, you go to an event, and you walk into the room and there’s someone checking you before you walk in and they say, “OK, can I see your government-issued ID maybe? Can I see the invitation that you’ve got?” If so, they give you, coincidentally, a nametag that you might wear and you walk into that room, and then you know that the people in that room have all sort of been vetted. And they are who they say they are and the nametag that they’re wearing is accurate.

Similarly, when you board an airplane, they don’t ask you for your email address, they don’t ask you for your wallet address from your crypto account. They ask you for a government-issued ID. And with that, they allow you to come inside. And in theory, the area inside that airport is kind of a secure and a safe zone.

In the digital world, it’s the same thing. Platforms have a responsibility, in my opinion, to know the identity of the people that enter so that they can create a safe community where people can operate by pseudonyms or aliases or other things.

Oscar: So, it’s going to be, clearly, it’s going to be the platform is the one that run the metaverse’s big responsibility, as you are explaining pretty well, to have some sort of vetting or verification of the identity of people who are inside.

And another thing is, there will be several metaverses, right? You mentioned, I think you mentioned Microsoft as well, Facebook, there will be let’s say Disney, yeah, the gaming companies, so that there will be ultimately several metaverses who are somehow isolated, the same way Twitter is isolated from Facebook, for instance. And there might be of course a benefit that one person could go from one metaverse to another. So, what do you think– how do you envision that? Will it be possible that if I have one account in one metaverse, should I be able to come to the other one with my assets? And how do you think this could happen?

Aaron: Again I think is sort of a situation we haven’t fully solved well in Web 2.0, in the current environment. You can use your email address and go from place to place. And you might have a different username or an alias, let’s say on Twitter versus Reddit versus, you know, maybe even a dating platform, each of them have their own way of creating a sense of community, allowing you maybe to have a slightly different username or profile.

But again, the challenge we have in today’s world is that you don’t necessarily know who’s underlying that. You don’t know the real identity of the person who’s actually underneath that pseudonym, or that alias. I feel like there’s a solution from what we see in the real world and the physical world, the offline world, which is that of using someone’s government-issued ID. And some of the things as you know, we’ve talked about or you’ve spoken with others on this podcast, allow people to take their government-issued ID and put it into a digital context.

The most basic might be a, you know, scan your government ID, do a selfie, do we match these two things? More advanced might be new methods of using blockchain technologies to understand the raw certificate and where someone’s identity was issued, or from whom. All those things matter but I would argue there is a way to take something that’s consistent like your government-issued ID and make it pervasive so that you can use it across different platforms.

Oscar: Yeah, so you think that the government-issued identities, like passports, should be part of this identity solution for the metaverse?

Aaron: Yes, but what’s fascinating to me is today that’s where things often break down. Again, going to kind of the lowest common denominator, because the closest that people do with that today is sort of one-time ID verification. And typically it happens in financial services, typically with some sort of financial regulatory requirement like KYC, Know Your Customer, right? Where you might say, in order to open this bank account, I need you to scan your ID so that the bank can validate that you are the person maybe that you come from a certain nationality that allows with anti-money laundering laws or other things. The bank might check the box, OK, they’ve done that.

But then every other time you interact with the bank, they don’t use that anymore. They default to then asking you a password or PIN code or security questions. Maybe they’ve added things like multi-factor authentication to make your PIN code more secure, your password more secure, so they send you an SMS, or they asked you to set up an authenticator app. But those processes become disconnected.

And what typically happens then is when someone is not able to get into their account, because let’s say they lost their phone, they were locked out, their account password was compromised, they don’t remember the complicated answer to a credit check security question. Then they’re back on the phone with customer support, trying to get back into their account. And we fall to the lowest common denominator of that poor customer service agent who was trying their best to essentially be an identity detective and ask the person all these different questions, the best they can to guess, is this person who they say they are in order to reset access to their account?

And that becomes the weakest line of defence. That’s where typically in today’s world, accounts get penetrated. It’s where account takeovers happen. It’s where accounts are compromised. And as we all know, if somebody can be you, if they can impersonate you, they essentially can take over access to your digital assets.

Oscar: Often when we talk about identity, we think of identity of people, most of them. Most of the use cases go in that direction. But of course, there’s also identity of companies, organisations, more broadly speaking. So, with someone who is on the metaverse, there will be of course company, there will be business, you can buy something, or you could be able to buy even well-known brands should be– I guess they will be in the metaverse, so you can buy a property, right, real estate. How do you deal with these businesses, how they would prove their identity in the metaverse?

Aaron: We’re seeing growth and you’re absolutely right, different metaverse communities, Decentraland probably being a popular example, where brands are putting up shops. They are purchasing real estate, so to speak. And they’re putting up virtual storefronts as a way to make their brand known in new environments. And that’s an exciting development, that makes a lot of sense. It’s great for brand outreach for people that are engaging in those platforms to be able to see those brands.

Unfortunately, though, we run into the same kind of know your business, or the business-to-business same identity challenges that again, you talked about with so many on this podcast, where it’s difficult to know the authenticity of the of the brand, partly because we don’t know the identity of the individuals behind the brand. And so, if we haven’t solved the way to know who people are, when they’re interacting with platforms, or in a digital way or over the internet, it makes it even harder to link those individuals to brands to be able to trust that those brands are authentic.

And so, I think one of the first steps in solving for business is solving for the individual. If we can identify individuals in a consistent and secure way, we can then link those identities to business entities. And we can have a greater sense of confidence, is this business the one that we think is who they’re purporting to be on a platform?

Oscar: Yeah, proving the identity of the individuals first, the ones who are behind the… yeah, those businesses that we could see on the metaverse. So, have you been yourself exploring them, some metaverses already?

Aaron: We have. You know, they’re so interesting right now, because we have a lot of new companies that are starting up trying to build metaverses as kind of the next generation of really building online communities. And a lot of them were fascinated with this concept of building trust. In fact, some of the newer upstarts that we’ve been working with that are kind of all getting ready to launch are very focused on building trust in their community in a way that hasn’t been done in a Web 2.0 context. And they see this identity as a solution to that.

Now, I’ll give you one of the worst examples I think today, unfortunately, is dating. You know, the dating industry online today is kind of scary. You know, you sign up with a username. Sometimes it’s linked to a social account. I don’t personally do a lot on the dating app scene, but it is a very big area where we engage on the business side from Nametag today. Because someone shows up on a dating app, you’re starting to get to know that person, you’re going to go meet in person offline, which requires an enormous amount of trust.

But unfortunately, we hear these stories. You’ve seen the Netflix show on catfishing. And, you know, The Tinder Swindler, and all these sorts of activities, because we don’t authentically know, the dating platforms don’t authentically know the identity of the people that are on there. And so, it’s difficult to build trust with someone that you’re about to meet online, if you don’t really know or the platform doesn’t know who they are.

So in the metaverse, companies that are trying to think about building next generation experiences, have either been kind of in two camps, I would say. One, they’re extreme on anonymity. And unfortunately, their early environments have seen high cases of harassment and in many different forms and places where people don’t feel comfortable or welcome. And then we’ve seen, I think, a newer generation that we’ll see emerge more even in the coming months, where they’re putting a greater priority on knowing the identity of the people to create a safe space.

Oscar: Well, definitely, it’s interesting hearing from your experience already talking with companies who are building the metaverse that there is interest in having proper identification of people. So that’s definitely great to hear.

Aaron: Identity is everywhere. It’s why this podcast is such an exciting topic for all of your listeners. It’s such a pervasive concept that we see, you know, so many of you talking about it in opening bank accounts and financial services, but it’s so much more. And when you start to think a bit in environments where people want to build trust, particularly social environments, which is what the metaverse really represents, places where people can be social, over time, be professional, but grounded in knowing who that person is, as opposed to just kind of making virtual friends that might be real. They might be human. They might be who they claim to be, or they might not be. I’m deeply optimistic that we can create this metaverse environment or the next generation of the internet or Web 3.0 with a greater sense of authenticity behind people to create safer and more trusted spaces.

Oscar: Yeah, absolutely. I think we will do that. Well, very interesting conversation about the Metaverse and with your special view from working on Nametag. Finally, one question we asked all our guests is that for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?

Aaron: I’m very focused on this concept of kind of the weakest link. And I would encourage everyone listening to understand how their organisation responds when a customer, an employee, a user is locked out of their account and in need of support. All too often, the methods of getting them back in are the weakest link in their security posture. And I think we can improve that weakest link. We can make enormous strides in using identity to improve cybersecurity more broadly, both in the current Web 2.0 world and certainly as we move forward into the metaverse.

Oscar: OK, thank you very much, Aaron. It was fantastic having this conversation with you. So, for people who would like to continue this conversation on the metaverse or anything identity, what are the best ways to get in touch with you?

Aaron: Check out our website at getnametag.com or feel free to visit me on LinkedIn. We post a bunch of content and love engaging in discussion with people who are passionate on these topics.

Oscar: Excellent. Thanks a lot. Again, thanks for this conversation, Aaron. And all the best!

Aaron: Thank you, Oscar.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]