Welcome to ID.me for developers! If you are interested in integrating ID.me, you are in the right place. Here we will cover how to get started implementing ID.me.

Multi-Factor Authentication

ID.me offers comprehensive and easy-to-deploy progressive multi-factor authentication solutions to fit your business needs and risk tolerance.

Authentication Policies

SMS One-Time Password (OTP)
  • Enter a code sent to your MFA device.
  • Text message or phone call is the most convenient MFA option for users.
  • It is the least secure of the options, as it is vulnerable to security breaches.
  • This method is not available as an option for DEA EPCS authentication.
Code Generator Time-Based One-Time Password (TOTP)
  • This MFA option generates new 6-digit security codes every 30 seconds to verify a user is who they say they are.
  • Code generator security codes are always six digits long and expire after 30 seconds on the ID.me Authenticator app.
Push Notification via ID.me Authenticator App
  • A push notification is a message that pops up on a mobile device. Push notifications are similar to SMS text messages and mobile alerts, but they only reach users who have installed your app.
FIDO U2F Security Key
  • A FIDO U2F Security Key is a physical device (security key) that a user plugs into a USB port and taps when prompted to securely sign in.
NFC-Enabled Mobile Security Key
  • Mobile YubiKey is a physical device that you can scan using an NFC-enabled mobile device. NFC stands for Near Field Communication, which enables short-range communication between devices.


Identity industry standards are a set of open specifications and protocols that specify how to design an authentication and authorization system. They specify how you should manage identity, move personal data securely, and decide who can access applications and data. The identity industry standards that we use at ID.me are:

Open Authorization (OAuth) 2.0

An authorization standard that allows a user to grant limited access to their resources on one site to another site, without having to expose their credentials. You use this standard every time you log in to a site using your Google account and you are asked if you agree with sharing your email address and your contacts list with that site.

OpenID Connect (OIDC)

An identity layer that sits on top of OAuth 2.0 and allows for easy verification of the user's identity, as well as the ability to get basic profile information from the identity provider.

Security Assertion Markup Language (SAML)

An open-standard, XML-based data format that allows businesses to communicate user authentication and authorization information to partner companies and enterprise applications their employees may use.

Bearer Token Authentication

Bearer tokens are a much simpler way of making API requests, since they don’t require cryptographic signing of each request. All API requests must be made over an HTTPS connection, since the request contains a plaintext token that could be used by anyone if it were intercepted.
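
One way a client can enforce the HTTPS requirement described above, shown as an added example that is not ID.me's own code. The host `api.example.com`, the token value and all helper names are hypothetical placeholders.

```python
import urllib.request
from urllib.parse import urlsplit

class InsecureTransportError(ValueError):
    """A bearer token was about to be sent to a non-HTTPS URL."""

def _https_origin(url):
    # Return (host, port) for an https:// URL; anything else is rejected.
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise InsecureTransportError(f"refusing to send token to {url!r}")
    return parts.hostname.lower(), parts.port or 443

def same_https_origin(a, b):
    try:
        return _https_origin(a) == _https_origin(b)
    except ValueError:  # plain http, missing host, or malformed port
        return False

def bearer_request(url, token, method="GET"):
    """Build a request that carries the token, for https:// URLs only."""
    _https_origin(url)
    if not token or any(c in token for c in "\r\n"):
        raise ValueError("token is empty or contains a line break")
    req = urllib.request.Request(url, method=method)
    # "Unredirected" headers are not copied by urllib when it follows a
    # redirect, so the token is not forwarded to wherever a 3xx points.
    req.add_unredirected_header("Authorization", f"Bearer {token}")
    return req

class SameOriginBearerRedirect(urllib.request.HTTPRedirectHandler):
    """Re-attach the token after a redirect only for the same HTTPS origin."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new = super().redirect_request(req, fp, code, msg, headers, newurl)
        auth = req.get_header("Authorization")
        if new is not None and auth and same_https_origin(req.full_url, newurl):
            new.add_unredirected_header("Authorization", auth)
        return new

def build_opener():
    return urllib.request.build_opener(SameOriginBearerRedirect())

if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    req = bearer_request("https://api.example.com/v1/userinfo", "EXAMPLE_TOKEN")
    print(req.get_header("Authorization"))
    try:
        bearer_request("http://api.example.com/v1/userinfo", "EXAMPLE_TOKEN")
    except InsecureTransportError as exc:
        print("blocked:", exc)
```

Requests opened through `build_opener().open(req)` keep the token on redirects within the same HTTPS origin and drop it on a downgrade to `http://` or a redirect to another host.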