Is ID.me safe? Understanding the security and reliability of the verification service

What is ID.me?

ID.me is a service that allows users to verify their identity online. With approval from the US National Institute of Standards and Technology, it is being used by some state and federal government agencies as a way to authenticate users.

To use ID.me, you upload an identifying document, like a passport or driver’s license, to the platform. Then, when confirming your identity, you can just take a photo of yourself. The site scans both your ID and your photo with facial recognition software, matching your face with the image on your ID.

ID.me has been used as a verification system for the IRS (Internal Revenue Service), The Department of Veterans Affairs, and other federal agencies, although some (including the IRS) are now trying to move away from the increasingly unreliable service.

While identifying yourself with a simple facial scan might seem convenient, using ID.me is not without some risks.

What are the security risks of the ID.me service?

Using ID.me to confirm your legal identity could expose you to privacy and security risks.

• A centralized target for hackers. To function properly, ID.me gathers and stores large amounts of sensitive data about individuals. This information includes Social Security numbers, scans of government-issued IDs, and biometric data. Holding this much data makes ID.me a very tempting target for hackers. If the company suffers a data breach, a huge quantity of sensitive information could end up in the hands of cybercriminals. In the event of a breach, hackers could use stolen data to commit identity theft and phishing attacks. Don’t wait and act if you have become a victim of identity theft.
• Limited alternatives for verification. Because ID.me relies on the use of government-issued IDs — which not everyone has — some people may struggle to access essential services online. Certain minority communities in the US are less likely to possess official IDs, meaning that an overreliance on ID.me could cause them to be prevented from viewing tax records, claiming unemployment benefits, and other important activities.
• Unreliable facial recognition software. The problem with facial recognition software is that it isn’t always reliable. That can be annoying when you’re trying to unlock your phone with a facial scanner, but it’s a far bigger problem if you can’t access your unemployment benefits as a result. AI facial scanners have also been shown to be less effective when trying to recognize people of color, so this is another problem that could disproportionately impact minority communities in the US.
• Reliance on a third-party company. Making citizens rely on a corporation to access essential government services may not be a good idea. While it might make social security administration easier for government bodies, reliance on private businesses can be bad for users. Companies are not always held to the same standards of accountability as governments and will not necessarily be vigilant enough when protecting user data. Some private companies may also sell user data to advertisers and data brokers — another issue that is avoided when the IDing process is retained by public-sector organizations.

Past incidents associated with ID.me

ID.me does not have a great record for transparency and communication, and a number of worrying incidents involving the company have been reported in recent years.

In 2021, for example, the company’s AI systems were reported to be struggling to identify many users’ faces, blocking them from claiming unemployment benefits. Shortly afterwards, news broke that a user had been able to fraudulently claim benefits by wearing a wig to trick the facial recognition scanner, highlighting flaws in the platform’s image recognition software.

ID.me found itself mired in more bad press after its CEO, Blake Hall, claimed that $400 billion had gone missing from Covid relief funds in the US. After initially making headlines, this figure was called into question because data from individual states undermined the assertion. ID.me has failed to produce the methodology it used to reach this eye-watering sum, drawing criticism from US government officials.

Eventually, the IRS stopped using ID.me as its sole source of identification, presumably as a result of ID.me’s poor performance. In 2022, a report by two committees in the US House of Representatives stated that ID.me “inaccurately overstated its capacity to conduct identity verification services to the Internal Revenue Service (IRS) and made baseless claims about the amount of federal funds lost to pandemic fraud in an apparent attempt to increase demand for its identity verification services.”

On the whole, ID.me does not seem like a safe or reliable solution for identity verification — a fact that the US government is becoming increasingly aware of.