Documentation

Multi-Factor Authentication

To bind proofed identities to credentials for initial and subsequent authentication, ID.me offers a state of the art Multi-Factor Authentication (MFA) suite that is certified to NIST 800-63-3B Authenticator Assurance Level (AAL) 2. These authenticator options provide a high level of confidence (Assurance Level 2) that the same user who was proofed remains in control of their account and credential.

ID.me's MFA options play a crucial role in preventing fraud by adding a layer of security beyond just a username and password. ID.me offers several MFA options increasing accessibility for all demographics. For example, ID.me offers Call to Landline MFA for users without a cell phone and “unphishable” options such as a FIDO2 token the user carries with them on their keychain.

By doing so, ID.me's MFA options, as highlighted below, reduce the risk of fraudulent access even if one factor, such as a password, is compromised.

When to use this policy

Ideal for integrations with an existing login that leverage multi-factor authentication.

Who is eligible?

Anyone with an ID.me account.

Authentication flows and MFA options

Here you can find what the ID.me Multi-Factor Authentication user experience looks like today:


Native App Push Notification

ID.me provides native app push notification with ID.me’s Authenticator application. Users receive a push notification which prompts the user to authenticate via touch ID or PIN code. This application is available on iOS and Android via ID.me’s Authenticator App and is compliant with FIPS 140-2.

Watch demo

Native App Time-Based-One-Time-Passcode (TOTP)

ID.me’s Authenticator application also provides native TOTP that can function in an online and offline setting. ID.me’s Authenticator application is FIPS 140-2 compliant.

Watch demo

External Authenticator Application Support

ID.me supports external or third-party authenticator applications (e.g., Google Authenticator, Duo, etc.). These applications are also able to function in an offline setting.

Watch demo

Passkey via WebAuthn

Passkeys enable users to authenticate with client side authenticators on their device like TouchID and FaceID which streamlines MFA while being phishing resistant and enhancing user experience. Passkeys also provide resiliency against Account Recovery events as a laptop or desktop with a cryptographic association to the authenticator using WebAuthn APIs can serve as an MFA backup that can authenticate the account in the event a mobile phone is lost or unavailable or a phone number has changed.

Watch demo

FIDO USB Security Key

User is prompted to insert a USB/USB-C key into their computer and touch a button to complete secure authentication. ID.me’s Authenticator application is FIPS 140-2 compliant.

Watch demo

NFC Mobile Key

User is prompted to tap their NFC compatible key to their device to complete secure authentication.

Watch demo

Enhanced SMS

ID.me sends an SMS short link to the number provided. This approach uses browser based APIs to guarantee send and delivery to a defined phone number and device. This authentication method is not vulnerable to Signaling System No.7 (SS7) exploits, and there is no known technical method to defeat device verification (e.g. we can always see the actual device and phone number that clicks the link) using the short-link verification method.

Watch demo

Call to Landline/Voice with One-Time-Passcode (OTP)

While 97% of Americans own a cell phone, cell phone ownership percentages dip as age increases, income decreases, and rural populations are more proportionally represented. As a result, supporting landlines as an alternative method for MFA is very important to increase inclusion and participation in digital government for the aforementioned groups.

Watch demo

Backup Codes

ID.me presents a set of 12 randomly generated codes made up of 16 alphanumeric characters. The user can copy all 12 codes at once and add it to their device, or print out the list. Alternatively, the user can jot the codes down on paper. Each code can be used once during authentication, and upon usage of all 12 codes, the user will be presented with a new set of 12 codes. This method enables authentication without the possession of a phone and is an option for the In-person Verification flow.

Watch demo

Use cases

Here you can find example ID.me use cases:


Securing Account Access

Enhance account security by integrating ID.me's Adaptive Multi-Factor Authentication (MFA) capabilities with NIST 800-63-3 Authenticator Assurance Level 2, to protect your users from account takeover and your business from fraud and loss.