display | more...

I can't see my VA patients any more once their present authorizations run out. The VA, in its infinite wisdom, now requires everyone in my office to put their identity on id.me. Id.me requires a scanned copy of their driver's license plus their social security number plus a phone so that in order to log on we'll have to get a call and have to punch a button every time. And other information. Having skimmed their privacy policy and their Terms of Service, they pretty much can give out our information.

Id.me explains why I need to sign up with them and at the same time, makes their case for why I am refusing. id.me on digital identity security post equifax breach

In an interview with PYMNTS’ Karen Webster, ID.me CEO Blake Hall said that “secrets are useful when you are establishing trust. But once the secrets are public knowledge, you clearly cannot trust that information anymore — by definition, it is no longer a secret.”

No one, of course, can get a new Social Security number or date of birth. Those things are immutable and true facts and identifiers. With the Equifax data breach, he said, “the toothpaste is out of the tube.” Individuals’ most sensitive info is out there, publicly available, and the latest event should give food for thought to CEOs and other organizational leaders to think about identities in two different ways.

The first step to establishing trust with identities, said Hall, is to make sure that a digital identity has been established and, at the same time, that it is unique — namely, is the proffered information true about a real person? In satisfying that first step, Hall said, names, dates of birth and Social Security numbers still prove useful.

But that aforementioned data is no longer useful for making sure that the user who is claiming that identity is, in fact, the owner of that identity — and it is not actually a criminal working with that data for their own aims.


The future, then, lies in what the executive called “next generation techniques” and methods that rely on possession of devices and identity documents (like driver’s licenses) biometrics, all combined to work in sync to give additional layers of security.

The faster companies move to those relatively advanced techniques, said Blake Hall, the lower the risk of being the victim of fraud and breaches — and the risk to businesses.

In other words, we gave big companies our information. Social security number, date of birth. They were breached and lost the information. So now they want MORE information, and even a selfie, so that we can prove who we are. And once they lose the driver's license and the photograph, hello, then what? Let's just continue this vicious cycle of more proof of identity and more identity theft.

In a recent movie, someone holds up a dead hand to use the fingerprints to get through a "secure" door. Or was it the head, to use the iris of the person's eye?

More from Id.me: Against that backdrop, ID.me seeks to help businesses assess whether a person who lays claim to an identity is, in fact, that individual. Matching the image of a user’s face to the image on a driver’s license can be a powerful tool, said Hall. If someone steals an identity but their face looks different than what is presented on the document, that is a control that stops further illicit use of that identity.

Other lines of defense include using mobile network operator data, said Hall. According to the executive, thieves are lazy, even though they are professionals. Thus, some behaviors can offer clues on bad actors working behind the scenes. By way of example, consider a SIM card that hasn’t been switched in a year, Hall noted. This is a piece of insight paired with “true” consumer history (such as timely bill payments and a lengthy tenure with Verizon or another mobile operator) that would make it just too hard for a criminal to mimic, at least profitably.

Oh, great. I just want to see my VA patients and meanwhile Id.me is searching my bill payments and how long I've used T-mobile? Am I down with that? Over my dead body.

The VA used to fax us the authorizations. They did fax us a letter that says that the authorization has been approved. But they didn't fax the authorization itself, and I can't see my patient without it. My receptionist called them and is told that it can only be obtained on line, that they no longer will fax it, and was referred to the id.me site. We've looked it over and have both said no thanks. I've already scanned my driver's license in order to be able to take the Family Practice Board Exam and I was not at all happy about it.

According to one of my Veterans, multiple providers are throwing up their hands and giving up. As an employer, requiring an employee to scan both sides of their driver's license into a website that says that it can give our information out just seems like pure unadulterated insanity. I already have to do the two step verification to use the local hospital version of their EPIC electronic medical record. That means that any time I log on, it calls the office phone and we have to hit a key to get in. Sometimes it times out. Sometimes it won't work at all. They suggested I use my cell phone, but I don't take my cell in to the room with patients. I'd like patients to turn off their phones too, because it's distracting and annoying when they ring or ping.

I suppose if enough of us refuse, they will think up something else. Meanwhile my Veterans are out of luck.