Recently, I interviewed Blake Hall, an Army Ranger, who is the Founder and CEO of ID.me, a digital identity network that empowers individuals to prove their identity and group affiliations while controlling how their information is shared online. Blake led a battalion reconnaissance platoon in Iraq for fifteen months during 2006 – 2007. He was awarded the Bronze Star with Valor for leading his men during a firefight against insurgents in an action senior commanders credited with saving twenty American lives. Blake has written for The Washington Post, The Wall Street Journal, Foreign Policy, Forbes, The Huffington Post and DC Magazine. Blake is a frequent contributor to programs hosted by Public Radio International and syndicated on NPR and the BBC.Thanks to The Economist, he is also the first Google result for the phrase “muscly entrepreneur.” Blake attained a Bachelor of Science magna cum laude from Vanderbilt University and an MBA from Harvard Business School. I met Blake because he was our (IBM) 1st place winner of the Citi T4I Challenge. Here’s our interview:
Marquis Cabrera: What is ID.me? And, where did you get the idea from?
Blake Hall: ID.me is a digital identity network, which allows people to prove they are who they say they are. Essentially, once an individual has verified their legal identity or any other identity card -- whether it's student status or military status -- that credential is then tied to a single sign-on that is portable across different websites, where people can authorize information that has already been verified to be shared to multiple sites.
In 2012 / 2013, the federal government through the National Institute of Technology (NIST), which is part of the Department of Commerce, said legal identity theft is reaching all-time highs. Fast forward, I think the recent Equifax breach shows why and how flawed our identity system is, and we want to make it easier for Americans to prove their legal identity when they're interacting with government, healthcare, and financial services.
Marquis Cabrera: In the UK, Kevin Cunnington of GDS is focused on Verify, which is a digital identity system at its core. Many other governments are trying to protect against identity theft. Can you talk about the flaws with digital identity and how ID.me provides a solution to the problem?
Blake Hall: The problem with digital identity at its root is that no trusted, portable credential represents identity. As we started to solve the problem for military veterans, we had organizations come back and say that this is an issue that's not specific to military & veterans, we face this issue with students, teachers, first responders, with employee benefit programs.
To use a simple example: Everybody who has been over to your house on your birthday knows all the static information that is printed on your driver's license -- right! They know your name; they know your address; they now know your birthday, if you said this is my 35th or 40th birthday. But why can't they claim your identity: It's because people can't walk into a bank with a piece of looseleaf paper that says, "I am Marquis." [Banks] need to see a credential that shows that there's been a trusted identity provider that has verified that you are, in fact, the identity that you're claiming to be. And that's why we all go to the DMV with our utility bills, birth certificates, and face gets minted onto a card. So what identity is missing are credential providers and, in a digital context, that means a single sign-on, where somebody can get credentials. Then the way that you trust that combination of the Name, Date of Birth, and Social Security Number is because they are a trusted credentialed, a single sign-on provider that is vouching you are you.
At a fundamental level, that's what we've built (at ID.me). For example, a lot of retailers want to give discounts to seniors in the military and students. Many of those retailers, we observed, had not made their programs available online -- and didn't have a way to check student ID card or military ID card -- and then a lot of government agencies, like the V.A. and Department of Education, are just set up to serve these populations. So, we journey mapped the different ways student ID cards were used. For instance: With a student ID, you can go to Chipotle and show it and get like 10% off of your burrito. Then, you can get physical access to the dormitory, and you can also complete a payment at the bookstore or the cafeteria. All of these things happen at wildly different levels of risk. The way that your dorm authenticates your student ID through a reader is much different from the Chipotle guy who is just glancing at your ID. And when I was in the military, I would go to Home Depot and flash my military ID card at the cashier. She probably wasn't even looking at the picture of my face but thought it looks like a valid DoD credential, and, as a result, I got 10% off my order. But then I use the very same credential to show to a gate guard to get on base, where he's taking it from me and looking at my face and simultaneously at the card. The guard might even scan it against a DoD network to make sure that the credential it's valid because he's giving me physical access to a military installation. Then I go to my workstation and put my ID into the reader, and now I am using PKI and cryptography to log into my e-mail. So a much more rigorous authentication is used in the latter situation, but it is the same credential. In some ways, what we are doing is very simple by making a digital identity portable across different sectors of the economy the say way that we use our physical ID cards. The hard part is actually getting large organizations to trust that ID.me is the network they should bet on to enable that functionality for consumers.
Our insight was: If we could build a network, where email and password (and static identifiers) is fine for a retail-context in terms of flashing a card (yep, that looks like it's on the up and up); whereas, if I go to the government and I want to access my tax returns or view medical information, a much more rigorous process of identification is required.
What is neat about our model is: If you only make the user enter their information and credential them once, then once they are credentialed, that credential should be portable to other agencies.
By creating an identity network for service members and veterans to use when buying with retailers, we now have hundreds of retailers -- from Major League Baseball to Cedar Fair -- and many brands that are using our technology; you get credentialed in any one of them, and it is easy to authorize a subsequent retailer. We're also minimizing the data that is shared. For example, a veteran only has to share that she or he is in the military. And, then a veteran can go over to Veterans Affairs, to Vets.gov, and go through an identification process that meets very rigorous Federal standards and protect your account with two-factor authentication. Now, you've got a "digital driver's license" that is a federally recognized credential. And we have had a lot of success with some of our early Federal agency partners; we now have six additional federal agencies, other than the V.A., which have integrated us. And one of the largest States in the country is integrating us, as well. And that was our strategy to start a network, which was to focus on veterans, students, and seniors. And, just in June, AARP announced that we are their identity platform for their 38 million members at their Cloud Identity Summit in Chicago. And that relationship is going live in December and January. I actually wrote down that partnering with AARP would be a critical milestone for ID.me when we were first starting up and now four years later it’s a reality.
ID Founder and CEO Blake Hall (center), IBM Vice President Rizwan Khaliq (right), and me (left)
Marquis Cabrera: Can you give me a use case of ID.me?
Blake Hall: One of our products, Medical ID, is for healthcare providers. A lot of times, healthcare organizations need to work with different doctors who write notes to somebody's electronic health care system. And, normally, if doctors want to get privileges to another hospital documentation system, they have to bring in a bunch of identity documents. My wife is a physician, so she must bring in her driver's license, her medical license for the state, her organizational I.D. card, her NPI number, her transcripts, etc.
In our model, when we deal with the electronic prescription of controlled substances, we administer the legal identity proofing that we been federally certified to perform. [It is important to note: We're one of only four companies in the United States federally certified to do legal identity proofing.]
For example: If a user (i.e., a Doctor) is trying to access health care provider portal, we ask the individual for the National Provider Identifier, which is the number their assigned, and then we actually query Health and Human Services (HHS) -- to say hey, HHS is this identity that we've also verified the identity of a health care provider? Are they a physician? A Nurse practitioner? And if they are, then all these identity documents -- transcript, medical license, etc. -- come back to us in digital form; organization affiliation is John Hopkins; the state that their license in is in Maryland; their specialty is Oncology, etc.
All of the doctor's medical documentation aggregated in one place in milliseconds; then we can send that over to the healthcare provider portal. And, ultimately, say you can trust that this user is who they are claiming to be; here are all of their medical credentials; go ahead and give them the appropriate privileges within your application. So if you're an application developer for electronic health records, or you're a hospital system that needs to work with doctors at another hospital systems, instead of making your doctors go through this painful process, you can just set a policy through ID.me. If you're getting credentialed the first time, it takes about four to five minutes; and your subsequent log-in is just two-factor authentication and a consent screen if you're interacting with a new medical system. I think that's a great example of how legal identity plus something else, like student or military status, shows the endless number of use cases (criminal background checks, notarized documents) for ID.me.
Marquis: How has your military background enabled you to be a better startup CEO?
Blake Hall: I love this question; I think the military is where I first learned entrepreneurship!
One time: My unit in Iraq was thrown, or I guess assigned (hah!), it felt like we were thrown, a mission that we hadn't trained for at all. We were scout snipers and all of sudden we were told to do a high-value target mission. We were given brand new equipment that we never trained on just a few days before we went into combat. And the first few months, we sucked! The theater's success rate on high-value target missions was in like mid-40 percentile. And, my team was in the 20s. But we kept getting a little bit better every day. By the third month, we were average; and when we finished our tour (around the 13th month, by some metrics), we were the highest performing high-value platoon in the Iraqi theatre. That experience just really taught me the power of getting a little bit better every day; the power of working as a team to learn. I learned: If you constantly learn and you've got a mission that's worthy, you can make an enormous difference in people's lives around the world. Without my combat experience and my military training, I would not be an entrepreneur today.
Marquis Cabrera: That is incredible! My dad was in the Air Force. I was cadet battalion commander of our Junior Reserve Officer Training Corps in Middletown. Most of my high schools best friends went into the military. So I love understanding how military training is fungible to other career paths. Thank you for your service, Blake!