> Is the plan that a single entity offering this centralized product will control not just which users are allowed to have identities, but which companies are allowed to access users' IDs? Presumably there is a somewhat costly process to vetting companies and their requirements, so would companies pay a fixed amount to cover this vetting process, or pay more based on the level of personal information they hoped to receive from users?
That's the plan, yes. The current pricing structure is to let companies pay a monthly price per active user. They would not be able to pay more to get access to more data. As this is early stages, I'm not sure what the vetting process will look like yet. It's mostly there to ensure that the data the companies request are actually needed for their core business and will not be used for tracking. For example, a company can only request the legal name of a user if the law requires them to know it. This might be true for a bank but not for a dating app.
> What type of verification do you imagine being necessary or available for user identities?
The verification we will be performing is at the level required by some laws, for example Know Your Customer (KYC) and Anti-Money Laundering (AML) laws. Our goal is to make Pass suitable for fintech companies which have quite stringent requirements. I can also see lighter forms of verification being good enough for other applications, like the Web of Trust model used by PGP.
> Are there any technologies specific to phones that mean this couldn't run as a web app instead?
Yes. Many modern phones have a built-in Hardware Security Module (HSM) which can be used to store and use asymmetric keys securely. Browser storage can't offer the same level of security currently but there have been some interesting developments which might change this, for example WebAuthn.
> So if you can install multiple copies of the app on your (Android) phone, you could have multiple identities on the same device?
I can't really answer this right now as I'm not sure which way we'll go. It will depend on what regulations require and what we can achieve in terms of verification.