
Security, Privacy, and Compliance

Reliable and secure identity verification organizations can trust

ID.me provides secure identity proofing, authentication, and group affiliation verification for government and businesses across sectors.


Why Organizations Trust ID.me

Intelligent Credential Broker

ID.me is the only company that has an attribute exchange within its credential broker. This capability allows ID.me to dynamically meet custom relying party settings for authentication, identity proofing, and attribute verification involving multiple CSPs and entities.

Trusted Referee

ID.me is the only Identity Proofing vendor to provide a NIST 800-63-3 Compliant In-Person/Virtual In-Person Identity Proofing capability to ensure that there is no identity left behind.

Network Effects

Over 500 brands and agencies use ID.me to issue users the same portable login for use across ID.me’s network. The portability of a login determines its utility, so ID.me’s network effects drive unrivaled value for federal agencies.

Dedicated Security Team

ID.me has a dedicated, experienced security team with certifications in privacy and security program management that include: Certified Information Security Management (CISM), Certified Information System Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Penetration Tester (CPT), Certified Network Defense Architect (CNDA), and Security+.

Security Governance and Privacy Management

Federal Accreditations & Security Framework

ID.me is accredited by the US General Services Administration (GSA) FICAM to issue credentials in alignment with federal standards for the federal government at Levels of Assurance (LOA) 1, 2 and 3 per NIST 800-63-2 and Identity Assurance Level (IAL) 2 and Authentication Assurance Level (AAL) 2 per NIST 800-63-3.

ID.me conforms to the Privacy Trust Criteria set forth in the FICAM Trust Framework Provider Adoption Process.

Relying Parties may only request the minimum set of personal data that is reasonably required to deliver a defined benefit or service. Collection, storage, and release of any data is always performed with the consent of the user. Before ID.me transmits any data on behalf of a user, the user must always review the specific data fields that the relying party is requesting. Lastly, the user must provide authorization and consent for ID.me to release the data. ID.me's architecture and complete deference to user control is compatible with GDPR and all similar emerging privacy regimes that empower users to control their data.

ID.me uses a defense-in-depth strategy designed to secure Personally Identifiable Information (PII).

The NIST Risk Management Framework (including Kantara Initiative Identity management controls) structures our information security program. ID.me has implemented rigorous technical and policy controls to protect the privacy and security of users’ information in alignment with NSTIC principles, the Kantara Trust Framework, GSA FICAM, NIST 800-63-2, NIST 800-53 control family, National Strategy for Trusted Identities in Cyberspace (NSTIC) Privacy Principles, Fair Information Practice Principles, and NIST’s Cybersecurity Framework.

ID.me has earned SOC 2 Type 1 certification for the ID.me Identity Gateway (IDIG).

The SOC 2 Type 1 certification provides our customers with assurance that ID.me has integrated controls, policies, and procedures related to effectively protecting member information within the cloud-based software as a service (SaaS).

All Personally Identifiable Information (PII) is encrypted using a FIPS 140-2 approved Advanced Encryption Standard (AES) algorithm with 256-bit key sizes and dynamic key rotation.

ID.me is hosted within FedRAMP authorized AWS in an isolated Virtual Private Cloud (VPC) using independently-verified International Standardization Organization (ISO) 27001/27002, Statement on Standards for Attestation Engagements (SSAE)-16 / Payment Card Industry (PCI) / Service Organization Controls (SOC) 1 and SOC 2 Type II certified Tier-III data centers. The data centers’ physical and environmental security includes industry-leading network hardening and active monitoring, biometric access control, digital security video surveillance and 24/365 on-site security staff. The Kantara Initiative and FICAM accreditations require ID.me to pass ongoing annual on-site third-party security and data privacy audits for certification.

ID.me has been designed to comply with rigorous information security regulations including AICPA SOC 2, ISO 27001, FedRAMP, and multiple NIST 800 guidelines.

Multiple ID.me clients have completed extensive technical due diligence with regard to the processing environment. The customers that have completed this due diligence are: USAA, Veterans Affairs, IRS, SSA, and Allscripts. ID.me implements role-based access management, separation of duties, and multifactor authentication. Data at rest and in transit is encrypted using approved FIPS 140-2 algorithms. Personally Identifiable Information (PII) is encrypted using a rolling key and the AES-256-CBC algorithm.
