Is ID.me a Scam? 

If you’re thinking of using ID.me, you need to know if it’s safe. Is ID.me a scam? 

Below, we explain whether ID.me is a scam and discuss some steps you can take to improve your safety when using this company. 

What Is ID.me?

ID.me is an online identity verification and authentication service that people can use to prove that they are who they say they are.

It is often used by government agencies to verify someone’s identity before giving them access to services or benefits. 

Users create an ID.me account and verify their identity, which typically involves uploading documents, such as a driver’s license, taking a selfie, and sometimes a video call with a verification agent. 

Once verified, people can use their ID.me account to log into various services without having to go through the identity verification process again.

ID.me is a private company based in the US that was founded in 2010. 

Is ID.me a Scam?

No, ID.me is not a scam. It’s a legitimate digital identity verification service. 

User reviews of ID.me are mostly positive:

• 2.6 out of 5.0 stars (from 3,847 reviews) on Trustpilot.
• 4.2 out of 5.0 stars (from 28 reviews) on Capterra.
• 4.7 out of 5.0 stars (from 54 reviews) on G2.
• 4.1 out of 5.0 stars (from 30,661 reviews) on Sitejabber.  
• 4.0 out of 5.0 stars (from 8,825 reviews) on Better Business Bureau.

On online forums like Reddit, people generally say they trust ID.me. 

For example, in response to the Reddit question “Is ID.me safe,” one person said: “Yes I’ve had my account for over 10 years. No issues. Although I did have to verify at one point.”

On the other hand, another person said that even though they had an ID.me account for 10 years, someone still managed to create a second (duplicate) account using their Social Security number. 

That fake account was then linked to their state’s unemployment system, which blocked or delayed their benefits. As a result, they missed 4 months of unemployment payments and are still waiting for the money to be issued.

On a subreddit dedicated to privacy, people’s feelings about ID.me are mixed but lean skeptical or negative. 

In particular, many do not like the fact that a private company is storing citizens’ biometric data for the government. Concerns over data breaches are also common, with multiple users referencing past major hacks and assuming that ID.me will eventually be breached, too.

ID.me is Better Business Bureau (BBB) accredited and has a “B” rating. ID.me has received 1,445 total complaints on the BBB website in the last three years, with 506 complaints closed in the past 12 months. (See our review of whether the BBB is a scam).

ID.me facial recognition backlash 

ID.me’s deployment of facial recognition for identity verification, especially for accessing IRS and government benefits, sparked concerns about privacy, accuracy, and racial bias. 

The company initially minimized the extent of its use of “1:many” facial recognition (which can be more error-prone) but later admitted to using it, which increased criticism and fueled calls for alternatives.

ID.me Security

In its privacy policy, ID.me says it employs “technical, administrative, and physical security procedures” to protect your information. 

It then provides examples of the procedures and controls it has in place, including access control and physical and environmental procedures. 

For certain sensitive information, like biometric information, it uses security measures such as encryption, firewalls, and intrusion detection and prevention systems. 

On its ‘security’ page, ID.me says it has a dedicated security team with certifications in privacy, security program management, ethical hacking, penetration testing, and network defense (including CISM, CISSP, CEH, CPT, CNDA, and Security+). 

It also says that its controls are built to meet U.S. federal standards. 

The company follows strict privacy rules, requiring explicit user consent for any data sharing and limiting collection to what’s necessary.

ID.me’s “defense-in-depth” security program uses the NIST Risk Management Framework, NIST 800-53 controls, and Kantara Trust Framework standards. 

Protections include SOC 2 Type 1 certification, AES-256 (FIPS 140-2) encryption with dynamic key rotation, and hosting in FedRAMP-authorized AWS environments with Tier III data centers, biometric access control, and 24/7 monitoring.

ID.me performs annual third-party audits, uses role-based access, multi-factor authentication, and encrypts data in transit and at rest. 

ID.me Privacy

ID.me explains the kind of data it collects, for what purposes, and with whom it shares it in its privacy policy. It also has a biometric-specific privacy policy. 

It collects the following personal information:

• Verification data (name, DOB, SSN, government IDs, photos, biometric data).
• Community affiliations (military, student, veteran status).
• Contact information and correspondence.
• Automatic data (cookies, location, and device information).
• Information from partners and social media.

The company uses this information for identity verification and account management, reporting to government agencies (with consent), contract fulfillment, customer support, marketing (with opt-out options and restrictions for government users), service improvement, security, and biometric verification for high-security partners like the IRS. 

ID.me may share your data with third parties for identity verification (with your consent), service providers who help operate the platform, government entities when legally required, for fraud prevention, and partners during corporate transactions.

It also collects, uses, and discloses aggregated/de-identified data that doesn’t “reasonably identify you or your device, and is not considered Personal Information.” 

The company makes it clear that it does not “sell, rent, or trade your Personal Information.” 

Most personal data is kept up to 3 years after account closure (shorter if the law requires).

Biometric data retention depends on the verification partner and can be as short as 24 hours. ID.me will not retain biometric information for longer than 36 months (unless there’s a subpoena, warrant, or another legally compelling reason). 

You can close your ID.me account at any point, though ID.me will retain certain information about you for up to three years. 

You can also delete your selfie image and biometric information. Deletion of this information may take up to seven days. 

Additionally, you can opt out of receiving marketing emails from ID.me and change or update the information you shared with the company. 

There’s a section in the ID.me privacy policy dedicated to ID.me Rx, where it is noted that the service collects health-related information (not covered by HIPAA) and shares your ID.me Rx card details with pharmacies at your discretion. You can close ID.me Rx without closing your main ID.me account.

So, Should You Use ID.me?

If the service you need offers no alternative, you may have little choice but to use ID.me. 

In that case, use the most privacy-conscious settings possible. Provide only required data, opt out of marketing, and consider deleting biometric data after verification.

If there is an alternative, that may be preferable if you want to reduce the risk of your biometric data being stored by a private company.

How to Use ID.me Safely and Privately 

• Check for alternatives first. Before signing up, see if the agency or service accepts another method of identity verification.
• Limit the information you provide. Only submit documents and personal information required for the specific verification you’re doing. Skip optional fields like secondary phone numbers, extra email addresses, or social media links.
• Manage biometric data carefully. If facial recognition is required, complete verification and then request deletion of your selfie and biometric template through your ID.me account settings. Make sure to follow up. Deletion can take up to 7 days, but keep confirmation for your records.
• Use strong account security. Use a unique, strong password and turn on multi-factor authentication (MFA). Avoid logging in on public Wi-Fi or shared devices.
• Control sharing and marketing. In your account settings, opt out of marketing emails. Review every data-sharing request. ID.me shows you which fields an agency or partner is asking for. Approve only what’s necessary.
• Don’t enable ID.me Shop or discount programs. They expand your data footprint.
• Periodically review your account. Check your account activity log for any unfamiliar logins or connections. Disconnect services you no longer use.
• Update contact information only if required. Stale data is better than fresh data in some contexts.
• Know the retention rules. Most personal data is kept up to 3 years after account closure. Biometric data is deleted sooner if you request it. Plan to close your account if you no longer need it, then confirm all data deletion requests.