Best Practices

In order to enable a successful deployment and ensure that ID.me meets your requirements, please follow these best practices before going live.

Quality Assurance Testing

Testing your ID.me integration in a lower environment is an important step in any successful deployment. You should test to not only validate that you're able to access the requested resource, but to ensure that the greater application is functioning properly. Depending on your use case, test to ensure that you’re able to:

  • Launching ID.me verification screen - Full redirect or Pop-Up
  • Verification Screens Co-Branded with your logo Enabling your Terms of Service & Privacy Policy links on consent screen
  • Testing of redirect URI upon workflow completion
  • Testing authorization code successfully generated and captured
  • Testing access token successfully generated and captured
  • If applicable, refresh token successfully generated and captured
  • Successfully decrypt payload
  • User data object captured in your database
  • Appropriately utilizing that data to achieve a greater business outcome (e.g. triggering a discount based on a customer affiliation)

Validate with Test Credentials

Community Affiliation

As a part of the deployment process for credential validation, ID.me will provide you with pre-verified test credentials. Using these test credentials, you’ll be able to log into ID.me, provide consent and redirect back to your resource. Test credentials should be used to test the end-to-end user experience.

Identity Verification

ID.me’s sandbox for identity verification enables you to create unlimited test accounts through the ‘Create an ID.me account’ option.

Create Account Screen

ID.me’s sandbox environment will accept real or fake emails for account creation. Once your account is established, you may enter in fake test data to complete verification, provide consent and generate a mocked response. For subsequent logins, you’ll be able to leverage that same sandbox account to test the end-to-end experience in a pre-verified manner.

Data

Data Expectations

A primary benefit of deploying ID.me is the verified data we consensually collect and share on behalf of users. The data we’re able to collect will vary across all of our policies and verification sources. For that reason, it’ll be important to work with your ID.me account team to understand which data attributes we can pass in all verification scenarios, and those we’ll only pass with certain specific verification sources.

For instance, if you’re verifying a person’s identity with a driver's license, we’ll be able to pass their verified address because all standard US driver’s licenses include an address field. However, if verification is done with a passport, that same information won’t be available. For this reason, you should build your application with an expectation that the address field may be a null value and will require you to dynamically collect this information on your own. With this understanding, you’ll be able to build resilient applications that won’t break in any testing scenarios.

Data Minimization

ID.me has a philosophy of data minimization that’s meant to reduce your security and privacy risk profile. Please work in collaboration with your dedicated ID.me team to ensure that we’re only sending a payload of relevant data points and nothing more. Relevant data can vary from partner to partner and is largely dependent on your respective use case. By being deliberate about the kind of data we’re including, we can minimize the risk around sending and storing data that may be useless for your purposes.