by Marquis Cabrera

Could a digital identity network prevent the next Equifax-like breach?

Feature
Dec 08, 2017
Data and Information SecurityData BreachHacking

A military veteran equipped with a Harvard MBA launches digital identity startup to protect against future Equifax cyberattacks.

facial recognition - biometric security identification
Credit: Thinkstock

MC: What is ID.me? And, where did you get the idea from?

Blake Hall: ID.me is a digital identity network, which allows people to prove they are who they say they are. Essentially, once an individual has verified their legal identity or any other identity card — whether it’s healthcare providers data card or student status or military status — that credential is then tied to a single sign-on that is portable across different websites, where people can authorize information that has already been verified to be shared to multiple sites. We’re one of four companies in the United States certified by the federal government to issue a digital, legal identity that is recognized by government agencies.

Historically, the most broadly adopted identity networks are Visa and MasterCard. Your payment identity is effectively ubiquitous. We take it for granted, but, prior to the networks, many issuing banks had to issue a BankAmericard to their customers because merchants didn’t know if they could trust a card issued by a local or regional bank. Visa and MasterCard changed that status quo by decoupling trust and standardization and moving those qualities to the network level rather than the issuer level – allowing small banks to retain their branding. 

But it took nearly three decades, from 1958 to the 1980s, for Visa to become ubiquitous.

Today, the challenge is how do you create Visa for identity?

And, of course, it’s a classic chicken and egg problem: organizations want to see lots of users with trusted, portable credentials and users want to see lots of organizations where they can user their credentials. While social logins have solved this issue for low-risk transactions, there is a huge need for a trusted ecosystem of identity providers for government, healthcare, and financial services.

So, in our model on the strategy side, we asked: how did the biggest networks form? And if you look at Facebook, I doubt that Facebook thought in the beginning that they were going to have 2 billion users. They were a social network for Harvard, and then they were a social network for the Ivy League, and then they were a social network for students, and then they were a social network for the world.

So, we decided to focus on specific communities. Retailers tend to give special treatment to members of the military and students. And there happen to be two federal agencies, Veterans Affairs and Education, that are exclusively focused on serving those two populations. 

Many of those retailers, we observed, had not made their affinity programs available online — they didn’t have a way to check student ID card or military ID card – while government agencies suffered under the weight of an enormous amount of fragmentation i.e. multiple login systems and legacy technology.

So, we journey mapped the different ways student ID cards were used.  For instance: With a student ID, you can go to Chipotle and show it and get like 10% off your burrito, then you can get physical access to the dormitory, and then you can complete a payment at the bookstore or the cafeteria. These transactions happen at wildly different levels of risk.

The way that your dorm authenticates your student ID through a reader is much different from the Chipotle guy who is just glancing at your ID and the risk of granting access after each of those transactions is much different too.

Our insight was: If we could build a network, where email and password along with static identifiers (e.g. is this student enrolled in this university) and controls to ensure that only one unique identity in a group can be issued a card at one time, then that would be fine for e-commerce – it mimics the retail-context in terms of flashing a card (yep, that looks like it’s on the up and up). Whereas, if I go to the government and I want to access my tax returns or view medical information, a much more rigorous process of identification is required.

What is neat about our model is: If you only make the user enter their information and credential them once, then once their credentialed, that credential should be portable to other agencies. ID.me is essentially a digital DMV with hooks into authoritative data sources to verify other things about an individual once we know who they are in terms of their legal identity.

MC: As a former entrepreneur, I know, a lot of VCs and philanthropist will ask: What is the analogous company that you’re trying to be like? Are you trying to be the Facebook of this or the Uber of that? If you had to answer that question, what company would ID.me be analogous to?

BH: The most comparable brand to ID.me is American Express because it is both a bank and a network, and that’s exactly what we’ve built. Our Single Sign On is equivalent to an identity bank as a shared log-in service, but then we’re also a network that makes other login issuers available at the sites where we are integrated. And what’s cool is we can unbundle the network and let other identity providers ride our rails because we’re using our single sign-on to build our network.  Meaning we want other entities, like Chase, Citi, Capital One and Wells Fargo, to ride our rails to make their log-in portable, so that people can use very trusted log-ins across the web.  So, if you imagine a world where maybe American Express was the dominant network, instead of Visa or Mastercard, that is pretty much the strategy that we’ve taken.

MC: So, we talked about what to me is why you start to love the background you mentioned identity as it pertains to me in the industry as a whole. Can you walk me through ID.me’s digital identity security protocols?  For instance, how do you verify a person is who they say they are?

BH: First, I want to talk about how we do Identity Proofing, which is what some folks might call authentication because Identity has a bit of a language problem.  Next, I want to talk about how we can move the industry from a reactive standpoint, where consumers can monitor their identity and find out that they’re being ripped off, or they can freeze their identity, which causes its own set of problems. And finally, how we can fix that issue to put people back in charge of their data to prevent identity theft and fraud.

Identification: When we deal with knowledge, the process of identification is a lot different from the process of verification. Identification means whose identity are we talking about; your name, DOB, and SSN are highly valuable still even after they’re public because they uniquely describe you. If I go hey, we’re talking about John Smith; okay what’s John Smith’s DOB? There’s still maybe 10,000 Americans named John Smith that have the same DOB. How do I know I am talking about this specific John Smith versus the 99,999? This is where your SSN in combination with the other two fields resolves to one person. So, the process of identification will always need static information to make sure that we’re talking about one unique individual. It’s still highly valuable. In the developing world, there aren’t records, so most folks go to the face as a unique identifier. In the absence of a national ID, like SSN, your face then becomes your unique identifier. That’s just a cool tidbit.

Verification: So, verification is the process of saying: is the user who is claiming this one unique identity the legitimate owner of that identity or a criminal? And that is a very separate problem from the identification problem. Knowledge as a static identifier should never be used for verification. Proof of knowledge of an SSN broadly available establishes no trust that the user is, in fact, that person.

So, what we (my team and I at ID.me) do on the verification step is we access mobile network operator feeds. We use machine vision to verify government identity documents, like an image of a driver’s license or passport. We can also do a biometric of the individual’s face to the photo on the government documents; so, you can take a selfie with aliveness test and make sure it’s not that person wearing a mask; then match it to a driver’s license or passport that has passed the machine vision check for signs of fraud and manipulation. And, then finally, we use financial account information. If you can log into your bank account, we can look at the last 90 days of transaction history. And, I’ll briefly talk about how each one helps prevent fraud.

We now have a high level of confidence that you are you. And we dramatically reduce the risk of a remote, scalable attack.

MC: Thank you for explaining that process!  I love the use of a phone SIM cards, bank account transaction history, and real-time photo for digital identity verification.  To continue: Recently, Senator Elizabeth Warren has been promoting Freedom from Equifax Exploitation (FREE) Act to give control over credit and personal information back to consumers.  Talk to me about how your solution could have prevented the Equifax breach? And, what is your view on the credit freezes?

BH: ID.me’s goal is to replace static identifiers with devices and biometrics. To accomplish that, we still need name, DOB, and SSN to understand the identity that is claimed, but once that identity is enrolled, and the login builds a history of reputable use then the trust in the association of the identity to the login is greater as well. The problem in the market is that a lot of organizations are still using static identifiers as passwords; for example, you can call customer service still and reset password using name, DOB, and last four of SSN. In a post-Equifax world, that’s negligent at best because that data is public.

Credit freezes are problematic because they’re like a tourniquet. You prevent more damage at the expense of making your own access to online services harder. A better way is to use a registered login – a digital credential – that represents the static identity as a gate for high-risk transactions.

For example, if someone is filing your tax return, it would be pretty terrific for the IRS to ask your bank to send you a push notification to confirm that you are in fact taking that action. That notification network is something we’ve built at ID.me and we’re anxious to see it more broadly adopted.

MC: The distinct advantage is the multiple identity provider verification. If you had to advise a government agency on managing and improving identity theft for its citizens, what would it be?

BH: Governments should ask: Is our identity solution significantly better than what is available today? Perfect access and perfect security are never going to happen, especially with the demographic challenges associated with identity (i.e., homeless, millennials relying on their parents, seniors without smartphones, citizens without broadband access). There will always be a certain amount of fraud. But the goal is almost like the payments ecosystem system; yeah, there’s credit card fraud, yeah there are chargebacks, but it’s a cost of doing business because the overall model is working pretty well. Ultimately, have reasonable expectations and examine whether a solution can make you substantially better off than you are today, even if it’s not perfect. In almost all cases, government should buy versus build.

MC: That was a great example! Also, what would be your advice to a military veteran wanting to become an entrepreneur?

BH: My favorite piece of advice is from Peter Theil: “The number of startups that should be started is equivalent to the number of secrets that are in the market that nobody knows about.” And I love that quote because it means that fundamentally startups are about learning.

Every successful startup goes through two major pivots to their business model before they kind-of find what they were meant to do. So, my biggest advice is always to make sure that you’re  solving the core problem and not a symptom of the problem. And never quit digging and reassessing your validations and assumptions until you’re down to that core problem; then assess whether that core problem is something that you want to spend the next decade of your life fixing because that’s what it takes to go to a real company.