ID.me trust framework extends military ID authentication
- By Stephanie Kanowitz
- Jul 25, 2014
Veterans, service members and their families looking to take advantage of government and commercial sector programs for the military community have a new tool that will help them securely interact with retailers and eventually, government offices: a digital ID card that doesn’t expose their personally identifiable information (PII).
Armed with Troop ID from ID.me, a Northern Virginia startup run by two ex-Army Rangers, more than 200,000 military clients are using a single sign-on technique to verify their military affiliation at a number of the company’s retail partners – and soon they will be able to interact with government agencies, too.
The company expects to complete certification this month at Assurance Level 3 as a General Services Administration Trust Framework Provider.
To support e-government, the Federal Identity Credential and Access Management (FICAM) Trust Framework Solutions aims to leverage industry-based credentials that citizens already have for other purposes.
The GSA certification is part of a two-year, $2.8 million grant ID.me won last year from the National Institute of Standards and Technology. ID.me was also one of five companies to participate in the President’s Strategy for Trusted Identity in Cyberspace.
“Consumers, especially veterans, need a digital ID card to prove who they are,” said Blake Hall, co-founder and chief executive officer of ID.me. “It just doesn’t make sense for a veteran to show a Social Security number to a clerk at Home Depot to get 10 percent off.”
To enroll, consumers apply through the ID.me’s website. They submit some PII – name, ZIP code and military affiliation – and fill in a secret field that varies by organization and benefit value. In the military context, it could be a full or partial Social Security number, said Hall, who served in Iraq for 15 months.
Through its back-end platform, ID.me compares the applicant’s information with that in authoritative databases, such as a bank, university or military department. The company charges organizations that use the technology to prevent fraud up to $1 for the verification response.
Validation occurs in real time, but is not necessarily lasting, Hall said. “There are some attributes like my veteran status that are permanent, but an attribute like active-duty military service or your current student status could literally change today,” he said. “So for those communities, you have to do fairly frequent – every few months or so – checks to make sure that attribute is still true for that individual.”
Once the person is verified, the digital ID is created.
When ID.me members visit a partner retailer, they click a widget that the company has embedded in its site. That connects them to ID.me’s servers. Users log in and once verified, ID.me sends a token back to the partner confirming the shopper’s identification.
“It’s pretty simple for us,” Hall said. “We’re essentially just sending back to one of our relying parties that this individual is a veteran or is not a veteran and then it’s up to their app to take that information and grant them access to a certain part of their website or a promotion.”
For instance, to apply for one of 2,000 year-long memberships to TechShop, a membership-based workshop for inventors and entrepreneurs being offered by the Veterans Affairs Department’s Center for Innovation, ID.me users go to the center’s website and log in with their ID.me account.
“We are acting as an intermediary,” Hall said. “So instead of the veteran having to show his or her DD214 [military service record] that has their Social Security number and all kinds of other PII on it, they verify their service through us. We then assert that attribute digitally to TechShop and eliminate the need for the DD214.”
ID.me uses the Security Assertion Markup Language protocol to return a response from government agencies. To secure the sensitive information it manages, it uses RSA 2048 encryption for data in transit, AES 256-bit encryption for data at rest and an encryption solution that has fully integrated key management.
When users want to close their ID.me accounts, their PII is wiped, Hall added.
The government has been supporting adoption of third-party verifiers for some time. For example, Section 12.4 of the Federal Identity, Credential and Access Management Roadmap and Implementation Guidance Version 2.0 issued by a subcommittee of the Federal Chief Information Officers Council in December 2011, describes steps to using third-party credentials.
Similarly, an Office of Management and Budget memo from 2011 details requirements for accepting externally issued identity credentials.
Matthew Thompson, ID.me’s chief operating officer, is part of the Identity Ecosystem Steering Group,. The group was stood up by the National Strategy for Trusted Identities in Cyberspace’s National Program Office to “promote secure, user-friendly ways to give individuals and organizations confidence in their online interactions,” according to its mission.
“As e-gov initiatives continue to take hold across more agencies, instead of each agencies creating their own siloed solution, they should be adopting third-party credentials,” Thompson said. “It’s a credential that citizens are using in their everyday life.”