Security, Privacy, and Compliance

Reliable and secure identity verification organizations can trust

ID.me provides secure identity proofing, authentication, and group affiliation verification for government and businesses across sectors.


Why Organizations Trust ID.me


Intelligent Credential Broker

ID.me is the only company that has an attribute exchange within our credential broker. This capability allows ID.me to dynamically meet custom relying party settings for authentication, identity proofing, and attribute verification involving multiple CSPs and entities.


Trusted Referee

ID.me is the only Identity Proofing vendor to provide a NIST 800-63-3 Compliant In-Person/Virtual In-Person Identity Proofing capability to ensure that there is no identity left behind.


Network Effects

Over 350 brands and agencies use ID.me to issue users the same portable login for use across ID.me’s network. The portability of a login determines its utility, so ID.me’s network effects drive unrivaled value for federal agencies.


Dedicated Security Team

ID.me has a dedicated, experienced security team with certifications in privacy and security program management that include: Certified Information Security Management (CISM), Certified Information System Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Penetration Tester (CPT), Certified Network Defense Architect (CNDA), and Security+.

Security Governance and Privacy Management
Federal Accreditations & Security Framework

ID.me is accredited by the US General Services Administration (GSA) FICAM to issue credentials in alignment with federal standards for the federal government at Levels of Assurance (LOA) 1, 2 and 3 per NIST 800-63-2 and Identity Assurance Level (IAL) 2 and Authentication Assurance Level (AAL) 2 per NIST 800-63-3.

ID.me conforms to the Privacy Trust Criteria set forth in the FICAM Trust Framework Provider Adoption Process.

Relying Parties may only request the minimum set of personal data that is reasonably required to deliver a defined benefit or service. Collection, storage, and release of any data is always performed with the express consent of the user. Before ID.me transmits any data on behalf of a user, the user must always review the specific data fields that the relying party is requesting. Lastly, the user must provide explicit authorization and consent for ID.me to release the data. ID.me's architecture and complete deference to user control is compatible with GDPR and all similar emerging privacy regimes that empower users to control their data.

ID.me uses a defense-in-depth strategy designed to secure Personally Identifiable Information (PII).

The NIST Risk Management Framework (including Kantara Initiative Identity management controls) structures our information security program. ID.me has implemented rigorous technical and policy controls to protect the privacy and security of users’ information in alignment with NSTIC principles, the Kantara Trust Framework, GSA FICAM, NIST 800-63-2, NIST 800-53 control family, National Strategy for Trusted Identities in Cyberspace (NSTIC) Privacy Principles, Fair Information Practice Principles, and NIST’s Cybersecurity Framework.

All Personally Identifiable Information (PII) is encrypted using a FIPS 140-2 approved Advanced Encryption Standard (AES) algorithm with 256-bit key sizes and dynamic key rotation.

ID.me is hosted within FedRAMP certified AWS in an isolated Virtual Private Cloud (VPC) using independently-verified International Standardization Organization (ISO) 27001/27002, Statement on Standards for Attestation Engagements (SSAE)-16 / Payment Card Industry (PCI) / Service Organization Controls (SOC) 1 and SOC2 Type II certified Tier-III data centers. The data center’s physical and environmental security includes industry-leading network hardening and active monitoring, biometric access control, digital security video surveillance and 24/365 on-site security staff. The Kantara Initiative and FICAM accreditations require ID.me to pass ongoing annual on-site third-party security and data privacy audits for certification.

ID.me has been assessed externally at the FedRAMP Ready level to demonstrate compliance with NIST 800-53 controls.

Multiple ID.me clients have completed extensive technical due diligence with regard to the processing environment. The customers that have completed this due diligence are: USAA, Fidelity Investments, Veterans Affairs, IRS, SSA, and Allscripts. ID.me implements role-based access management, separation of duties, and multifactor authentication. Data at rest and in transit is encrypted using approved FIPS 140-2 algorithms. Personally Identifiable Information (PII) is encrypted using a rolling key and the AES-256-CBC algorithm.

Need Help?

If you have reviewed our FAQs and still have questions, please contact us. We're happy to help!