Is ID.me Safe?

If you’ve tried to catch a plane lately or you’ve taken an anxious dive into IRS.gov in the hopes of finding good news, you’re probably aware of ID.me, the American online identity network company. ID.me digital credentials can be used in multiple contexts. You can access government services, complete healthcare logins, or receive discounts from retailers using ID.me. The company is based in Virginia and was launched in 2010.

Of course, when it comes to a service that literally is used to identify people, you’ll want to know that your identity is safe and secure. We know that you come to us for a complete appraisal of the safety and security of the world’s largest online platforms. And when it comes to ID.me, there will be a couple of things that come up during this review.

Rest assured that by the end of this article, you’ll have a better sense of what kinds of data ID.me gathers from you, the service’s digital security practices, what kinds of risks you can expect, and how you can keep your identity safe if you decide to use the platform. Let’s get to it!

>> Also See: Best Identity Theft Protection Services

Is ID.me Safe?

Let’s not, as an editor of a newspaper might say, bury the lede. Here’s the bottom line: ID.me is largely a safe service. When you use ID.me, your personal details are encrypted and stored securely. ID.me also uses security protocols to protect your data and prevent online breaches. The platform also promises to never share your information or sell it to third parties. ID.me touts itself as a veteran-owned platform, with well-known entities like Dell, Verizon, and the Social Security Administration using the platform.

Here are a few other aspects of ID.me’s safety and security that stood out to us in our research:

• Top-tier encryption: ID.me protects all personally identifiable information (PII) with AES 256-bit encryption. This is higher than the standard 128-bit encryption that some other platforms use.
• Regular audits: ID.me is accredited by the Kantara Initiative and FICAM, which requires the platform to pass annual on-site third-party security and data privacy audits.
• Restricted employee access: Only ID.me employees with a legitimate business need can access your personal information, and such access is monitored. You can be assured that ID.me also runs background checks on all employees and requires security training.
• Full-service security team: ID.me touts a dedicated and experienced security team with certifications in privacy and security program management, including certified information security management (CISM).
• Finite data retention: ID.me stores personal information only as long as is necessary to fulfill the purposes outlined in its privacy policy. ID.me securely deletes data it no longer needs.

What to Know About the ID.me Investigation

More than a year ago, CEO Blake Hall and ID.me had to answer to the House Oversight Committee, which began an investigation into ID.me, including that its facial recognition technology could potentially be used to discriminate against certain groups. This comes on the heels of chatter about privacy concerns over ID.me’s identity technology software and a deal with the IRS.1

Ultimately, a report by the House concluded that ID.me mischaracterized its wait times and overstated the $400 billion in false unemployment claims Hall estimated were made during the height of the pandemic — which inflated the valuation of the platform. ID.me, however, has stood resolutely by its $400 billion estimate.2

In the wake of the controversy, ID.me has worked hard to clarify information about how it works, emphasizing that it neither sells data nor sends biometric information to its government partners, except in specific situations involving fraud or identity theft. These days, Hall seems keen on moving forward after these events and continuing to grow the company.

How to Stay Safe While Using ID.me

When dealing with an online identity network like ID.me, it’s important to establish best practices that we always hammer home when talking about identity theft. These include signing up for an identity theft protection service that monitors your credit and identity. Other services to consider include:

• Identity recovery services: These services help users regain control of their finances and PII, generally with the help of case managers or other trained experts.
• Identity theft insurance: Another part of identity protection services is identity theft insurance. Most policies offer reimbursements for up to $1 million, keeping you at ease should something go awry.

Our identity theft protection guide goes into more details about the ins and outs of identity theft protection. And you can read all about one of the best identity theft protection providers in our Aura review.

In addition to identity theft protection, when navigating ID.me, here are some other ways to keep safe:

• Pick a secure password. As always, keep your passwords to yourself and never share them with anyone else. In addition, make sure you are creating a strong password and one that only you can figure out. Remember, this is your identity we’re talking about!
• A VPN is a must. Think of a VPN as extra insurance as you’re navigating the internet. A VPN keeps your browsing session secure by encrypting your online activity and assigning your device an anonymous IP address. This keeps you free and clear of trackers.
• Don’t forget antivirus software. We hammer this home often, but it bears repeating: Make sure you not only buy and install antivirus software, but also check to see if the software is updated so that it can take on the latest malware.

ID.me’s Privacy Policy

Before you go booting up your computer or your cell phone to sign up for ID.me, let’s take a quick look at ID.me’s privacy policy. This policy is pretty far-reaching and covers a lot of things, including use of the platform by minors and the many ways ID.me might use your information.

As security experts, we were quite impressed by how thorough this rundown was. Here are the highlights of this policy:

1. ID.me collects data when you use its services. Like many other platforms, ID.me collects PII as well as non-PII.
2. ID.me collects data when you contact the platform. ID.me also might gather information from any email or other correspondence you have directly with ID.me.
3. ID.me might share this information with the public sector. ID.me frequently works with governmental agencies and might share a limited set of PII to these governmental customers to better serve its users.
4. ID.me has protections for minors. ID.me will not knowingly collect information from minors and people under 18 years of age are not allowed to use ID.me.
5. ID.me might use your biometric information. The platform might use such information (fingerprints, facial features, etc), to verify your identity for partners, including the IRS. However, it will never sell, rent, or trade your biometric information.

Should You Use ID.me?

ID.me has seen its popularity and user base increase rapidly in recent years, with more than 50 million users verified at NIST IAL2, a type of identity proofing, at the start of the year.

While we’ve found ID.me to be mostly safe, due to the platform’s extensive privacy policy and robust AES 256-bit encryption, the interplay between ID.me and government agencies is something that some users might not be comfortable with.

Still, it’s worth emphasizing that ID.me and the government are completely separate entities and that ID.me shares only a limited amount of PII with the public sector as needed. So, after all of our research, we do feel it is safe to use ID.me.