What is ID.me? Is it safe?

You’ll quickly should show your id to a Virginia-based safety firm known as ID.me to be able to file a return, verify tax information, or make funds on the Inside Income Service (IRS) web site. Your previous username and password credentials—in the event that they nonetheless work—will cease working in the summertime of 2022.

After I tried to log into my very own IRS.gov account right now, I used to be met with this advisory:

“If in case you have an current IRS username, please create a brand new ID.me account as quickly as doable. We’re bringing you an improved sign-in expertise. You received’t be capable to log in along with your current IRS username and password beginning in summer time 2022.”


ID.me compares your selfie along with your driver’s license or passport picture to confirm you’re who you say you’re. It may additionally ask for different documentation akin to a duplicate of a latest invoice. If the system nonetheless isn’t glad, it could even ask you to leap on a video name with a human consultant. ID.me says this is one thing just like the digital equal of going to an IRS workplace and reviewing id paperwork with a consultant. The corporate says it’s additionally devised methods for abroad, under-documented, or homeless individuals to confirm their identities.

The conversion to ID.me’s system marks the primary time the IRS will depend on private biometric knowledge to confirm accounts. However it received’t be the primary federal company to make use of it. ID.me says a complete of ten federal businesses use its system, together with the Division of Veterans Affairs and the Social Safety Administration.

What is ID.me?

ID.me, which has been round since 2010, was initially utilized by e-commerce websites (and nonetheless is) to confirm the id of retail clients. State governments then started adopting the ID.me system as a means of stopping individuals from defrauding their unemployment claims methods. Reuters reported in July that 27 states had been then utilizing the ID.me system.

The IRS, in fact, is an enormous company that offers straight with many thousands and thousands of people and companies. ID.me will change into liable for an enormous quantity of personally identifiable info—at a time when cyberattacks on authorities networks have change into frequent. Recall the 2015 cyberattack on the US Workplace of Personnel Administration (OPM), during which cybercriminals gained entry to 22.1 million authorities personnel information, together with these of presidency staff and their households, and individuals who had undergone background checks.

Requested if ID.me is working straight with the Division of Homeland Safety on methods to safe all of the personally identifiable knowledge the corporate holds, an organization consultant advised Quick Firm that ID.me obtained a FedRAMP Moderate ATO (authority to function) from the Basic Providers Administration. This was granted after the corporate proved compliance with federal requirements developed by NIST (Nationwide Institute of Requirements and Know-how) that govern authenticating people to authorities businesses.

And ID.me can retailer tax filers’ private knowledge for as much as seven and a half years, the consultant tells me in an e-mail. The corporate, nevertheless, says it will adjust to person requests to delete their private info at any time.

Within the occasion of an information leak, nevertheless, your choices for redress are considerably restricted. On the very prime of the ID.me phrases of service you’ll discover an all-caps assertion saying that by utilizing ID.me you comply with binding arbitration within the occasion of a dispute, and wave your proper to affix a class-action towards the corporate.


The IRS’s imminent change over to ID.me was first noted by safety researcher Brian Krebs at Krebs on Safety.