What is ID.me and What Does it Mean for Personal Data Security?
If you’ve left your house, booked an appointment, or attended an event in the last two years, you may have encountered ID.me. This service/company represents a new approach to identity verification. ID.me focuses not on passwords and security questions, but on biometric data to confirm that you are who you say you are – especially when signing up or logging in. Once you set up your account, services that use ID.me will ask you to snap a photo of yourself at key moments that will be matched to your ID.me identity profile.
Not just a trend, ID.me has become increasingly popular with (aka: required by) government offices including Veterans Affairs and the Social Security Administration. Major venues including hotels, stadiums, and concert halls have begun requiring ID.me to book and confirm guests. Online services like investment apps, cryptocurrency wallets, and banking platforms have also begun using ID.me to create and log into your accounts.
But what, exactly, is ID.me? Is it safe to use ID.me to manage your identity and will ID.me ever lose or sell your data? We’re diving into the details of this new identification database that is taking the nation by storm.
What is ID.me?
ID.me is a database identification service. It creates profile records of each person with an account – associated with your legal identity. It then uses these profiles to confirm your identity when you sign up or log in to online services. ID.me makes use of biometric data, primarily your facial data, to determine your specific traits and facial ratios. This data is then used to match your face in future photos to confirm that you are the same person each time.
ID.me typically uses your driver’s license, passport, or another official photo ID to create the profile. Services that use ID.me will then ask you to take a photo of yourself in that moment which will be compared to your ID.me profile. If your face matches the key data markers, then your identity will be confirmed and you can continue to use the service.
Your Biometric Data
ID.me makes use of biometric data. This is data created by your body – unique signatures that are difficult to nearly impossible to duplicate on the fly. Biometric data includes your facial scan, fingerprints, and voice scan among other details that are less precise like your heart rate, breathing pattern, or chemical markers.
ID.me stores facial data and voiceprints, primarily using facial data to track and confirm your identity.
Based on the documents you upload like your driver’s license and passport, ID.me also stores something it calls your “inferred citizenship”. To infer is to draw a conclusion from incomplete data. In context, a teacher may imply the answer to a question by hinting. The student infers the answer by catching the hint. So inferred citizenship means that ID.me has a rough guess of which country you are a citizen of based on your issued paperwork.
Why You Need ID.me
- Social Security
- Veterans Affairs
- Hotels and Convention Centers
- Stadiums and Theaters
- Claim Rebates
- Banking and Financial Apps
So why is ID.me so important now? As we stated, if you’ve used a banking app or booked an event lately, you have likely been asked to sign up and use the service. Not so much asked, as required. ID.me is quickly becoming a mandatory service that we all must join in order to do things like access social security, veterans services, cryptocurrency investing, claim rebates, and sports game attendance. Yes, that’s a wide spread including a vast number of government offices, mobile apps, and public venues.
Why? Because companies and governments want to know who you are, and they want to be sure. Your hotel wants you to ID.me so they know who is responsible for the room. Your social security office wants a face scan to reduce instances of identity theft fraud. Your sports arena wants to know every ticket-holder’s real identity in case there is an incident in the crowd. Your banking app wants you to snap a picture of yourself to reduce the “holding my phone” account thefts.
When looked at from this perspective, knowing the real, legal identity of your guests, clients, and benefits claimants is a great security move. But is it a good idea for ID.me to have and use this data in the first place?
Will ID.me Sell Your Identity Data?
ID.me has said that it will only provide the information necessary to verify your identity, and only to parties that you personally authorize them to verify with. In other words, they don’t export database information or sell your identity data to third parties. But companies and offices that require ID.me identification may be in possession of your facial data during and possibly after the ID event.
You can also have all your personal data fully deleted by managing your ID.me account.
How ID.me Profile Data is Secured
ID.me handles its data with the highest level of cybersecurity available. They make use of bank-grade encryption to ensure your stored identity information is secure even in the event of a data breach.
ID.me protects all sensitive data using AES 256-bit encryption when the data is at rest and RSA 2048-bit encryption when the data is at higher risk in transit. ID.me servers are hosted on SSAE 16 validated data centers. The centers are protected by armed guards, surveillance equipment, and state-of-the-art access control.
Sensitive data on ID.me servers is tokenized and stored separately with an air-lock system so that breaking into the general ID.me network does not grant access to customer information. They use a FIPS 140-2 validated system with AES 256 data encryption using the same methods used by many financial institutions.
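To make the tokenization idea concrete, here is an added sketch (not ID.me's code, and not taken from the original article) of a token vault that keeps real values apart from the general application database and releases them only to a relying party the user has authorized. The class, the function names, the "benefits-portal" party and the sample document number are all assumptions made for illustration; encrypting the vault contents at rest is left out because Python's standard library has no AES.

```python
import hmac
import secrets


class TokenVault:
    """Isolated store; the only place real values live (constructed example)."""

    def __init__(self, service_key: bytes):
        self._service_key = service_key   # credential kept off the general network
        self._values = {}                 # token -> sensitive value
        self._consent = {}                # token -> relying parties the user approved

    def tokenize(self, value: str) -> str:
        # Random token: reveals nothing about the value and cannot be reversed.
        token = "tok_" + secrets.token_urlsafe(16)
        self._values[token] = value
        self._consent[token] = set()
        return token

    def authorize(self, token: str, relying_party: str) -> None:
        self._consent[token].add(relying_party)

    def detokenize(self, token: str, relying_party: str, key: bytes) -> str:
        if not hmac.compare_digest(key, self._service_key):
            raise PermissionError("caller lacks the vault credential")
        if relying_party not in self._consent.get(token, set()):
            raise PermissionError("user has not authorized this relying party")
        return self._values[token]


def leaked_values(app_db):
    """Everything an intruder reads after dumping the general application database."""
    return [value for record in app_db for value in record.values()]


def demo():
    key = secrets.token_bytes(32)
    vault = TokenVault(key)
    doc_number = "X0000000"  # constructed sample, not a real document number
    token = vault.tokenize(doc_number)
    app_db = [{"display_name": "Sample User", "document_number": token}]
    vault.authorize(token, "benefits-portal")  # hypothetical relying party name
    return {
        "leak_exposes_value": doc_number in leaked_values(app_db),
        "authorized_release": vault.detokenize(token, "benefits-portal", key),
    }


if __name__ == "__main__":
    print(demo())
```

The application database holds only the token, so a dump of it contains no document number; the value leaves the vault only when both the vault credential and the user's consent for that relying party are present.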
How Do You Set Up an ID.me Profile?
To set up an ID.me profile and begin using the identification service, you will need an official photo ID like a driver’s license or passport. You will take a picture of the identification and a very careful picture of your own face to create the initial biometric data and identity profile. It may take several tries to snap the right face photo.
Once the profile creation is complete, you will be able to sign up or log into secured services by taking an additional photo of yourself to be verified through the encrypted ID.me database. It’s a surprisingly easy system to use and most concerns are related to data privacy rather than the performance of the identification network.
Should You Worry About ID.me?
The one lingering question about ID.me is: Is it a good thing? Should we worry about a database that keeps everyone’s legal identity and facial data? There are two ways to look at this, but from either perspective, it’s the inexorable march of progress.
On the one hand, we may be taking one step closer to Skynet, with liquid metal terminators identifying citizens through an evolution of the ID.me program. On the other hand, our data is already out there. Our faces, names, and identities are one Facebook scrape away, and ID.me is just compiling it all into an official, and really quite useful, service that adds a new layer of security where you are less likely to be identity-stolen without stealing your face as well.