ID.me founder defends claims, growing use of its biometric verification by US gov
A media backlash against ID.me and the claims of its Co-founder and CEO Blake Hall has erupted in U.S. media over the past few days. Triggered by the almost simultaneous publishing of a blog post by the IRS requiring an ID.me account for online tax filing and checking by the Krebs on Security blog, and a long investigation feature into ID.me by Bloomberg Businessweek.
Hall has issued statements to defend his firm’s processes and his own previous claims. He names iProov and Paravision as the face biometrics and liveness detection providers, the latter of which was reported by Biometric Update in August.
While ID.me has been winning contracts across the U.S. at the State and Federal levels, an update from the IRS ahead of Thanksgiving in November 2021 has begun making waves. Biometric Update reported on the upcoming changes at the time:
The IRS has launched improved, mobile-friendly sign-in process and identity verification to allow more people to securely access the department’s online tools such as managing Child Tax Credit.
The update has been developed under the Secure Access Digital Identity initiative (SADI) and the verification service is provided by ID.me. Users will require an account with ID.me requiring biometric onboarding, and if they have already registered for one with a specific government service, they can use that.
Now that people are coming across these updates and ID.me is becoming more apparent in more people’s lives, U.S. media is picking up on it. Brian Krebs detailed his own personal experience of attempting to create a login for the IRS via ID.me for a post on his blog, Krebs on Security. Krebs, a security expert, did not find it frictionless or seamless.
Krebs raises concerns over ID.me’s abilities to keep user data safe, but concludes that ultimately, people may just need to register so that a bad actor does not do it in their name: “Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state.
“And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).”
The Bloomberg Businessweek investigation covers the people across America who have been unable to become verified in order to process their welfare payments, and challenges Hall’s claim that unemployment fraud during the pandemic reached US$400 billion, a figure first used in an interview with Axios last year.
It follows the rise and evolution of the company from a discount-eligibility verification service for veterans to winning ever larger government contracts. The article covers multiple case studies of individuals facing extreme difficulty and distress over not being able to get through verification and even turning to legal support to get through to ID.me’s video chat support with a ‘Trusted Referee’ to remedy their situations.
The firm has released a series of points about its operations to counter media coverage and growing concerns over ‘facial recognition’ and reports of people waiting multiple hours to reach technical support. A statement from the CEO Blake Hall says:
“We are committed to ensuring everyone can verify their identity online and use it to access essential services. ID.me combines best-in-breed 1:1 face match technology with video chat agents available as backup. We remain the only digital identity verification service certified against the National Institute of Standards and Technology (NIST) guidelines to offer three ways to verify your identity, including automated self-serve, live video chat, and in-person processes.
“Our 1:1 face match is comparable to taking a selfie to unlock a smartphone. ID.me does not use 1:many facial recognition, which is more complex and problematic. Further, privacy is core to our mission and we do not sell the personal information of our users.”
Hall has since clarified on LinkedIn that ID.me uses one-to-many facial recognition on account setup, and only one-to-one comparisons for subsequent authentications, eliciting further criticism.
The firm states that “approximately 90 percent of individuals who verify their identity with ID.me online do so in minutes via the self-service flow” and “for the 10 percent who need additional assistance, ID.me provides a video chat with an agent called a ‘Trusted Referee.’”
Six-hundred and fifty in-person centers are also available, such as in New Jersey, according to the the firm.
Ultimately, coverage hints at a growing realization of the possibilities of a private company being brought in to manage and verify people’s identities for accessing government services.
This post was updated at 10:33am Eastern on Thursday, January 27 to include the clarification of one-to-many biometrics use.