No Identity Left Behind: An American Approach to Increased Access to Online Services
Most people are not aware that almost all government agencies rely upon data brokers to verify their users’ identities online. For communities that don’t have a presence in records, this arrangement completely excludes them from online access to their government. This status quo is unacceptable.
To solve this problem, ID.me committed to a mission of “No Identity Left Behind.” The approach involves two simple steps. First, expand access to identity verification so communities that lack online access (i.e international users, recent immigrants, people who’ve changed their name) can verify online through a video chat process. Second, make the verified login portable so people can seamlessly prove who they are at different websites with a single credential; the same way a Visa card streamlines payments.
Over the last year, challenges with distributing unemployment benefits to eligible applicants have spotlighted the need to improve digital identity in America. Fundamentally, identity is about access and security. The pandemic highlighted the operational challenges with trying to verify a significant portion of the American population while organized crime pummeled agencies with stolen identities.
This challenge need not be permanent. In a consumer-centric model for identity, individuals can pre-verify their identity at any government site they visit. If a crisis arises, then individuals can use those pre-verified digital identities to rapidly prove their identity to workforce agencies. This is essentially how driver’s licenses work. You verify your identity once to drive but the ID itself is useful at many places.
We have been working towards this goal for over ten years. Fortunately, the federal government also recognized the same problem and announced the National Strategy for Trusted Identities in Cyberspace (NSTIC) in 2011. We were fortunate enough to win two grant awards from NIST in 2013 and 2015, and we provided feedback to improve the federal standards for verification, NIST 800–63–3, to establish a more inclusive and equitable ecosystem for online access to government benefits.
The most notable achievement from this collaboration is a process known as Virtual-In Person proofing (video chat). For individuals who do not have a presence in records or who live overseas, this capability offers them the opportunity to prove their identity online for the first time ever in this country. When we debuted the technology at VA in 2018, many of the conversations were emotional. An 81-year-old Veteran who lives in Japan and cares for his wife wept openly when we restored access to his benefits.
Unfortunately, that same Veteran was unable to access other government websites until ID.me’s login moved to those sites because those government websites use data brokers that do not offer coverage for international users and other communities. Today, with over five federal agencies, 26 states, and tens of healthcare organizations using ID.me, we are meaningfully expanding access for all communities.
In the NSTIC model, all of the verified individuals from unemployment agencies can rapidly prove their identity across multiple federal and state agencies. At agencies that previously used data brokers, historically disadvantaged communities now have higher rates of access relative to affluent users because they only need to log in to prove their identity.
How identity verification works — and what you need to know about facial recognition
In the NSTIC and ID.me model, individuals only need to verify their identity once. After an identity is verified — whether online (or soon in-person) — each user simply needs to log in to prove their identity to a second, third, fourth, etc, site. Our goal is to maximize first-time identity verification rates and then make the login as widely accepted as possible so it is “everywhere you want to be” to borrow a line from Visa.
About 90% of people never have to use live video chat. They verify their identity through an automated process in about five minutes. That process requires a photo government ID, a phone, and a selfie. It can be completed with a smartphone or a webcam. The 1:1 Face Match step is similar to how Apple uses FaceID to unlock phones or how a TSA agent would compare your face to your photo ID at an airport.
The software is highly accurate (99.9%), but it’s not always perfect due to image quality and lighting issues. If you’ve ever held up your iPhone or Android at an angle where your phone doesn’t recognize you and asks you to try again, then you’re familiar with this technology. And, if your phone doesn’t recognize you again, it prompts you to use your PIN. ID.me does the same thing. We prompt users to try again, and if they fail three times, we offer them a live video chat session — similar to a Zoom call — with a live agent so they can finish the verification process that way. No one is blocked by this step.
Face Match has been vastly misunderstood in the press. The facts are:
- NIST clearly distinguishes between 1:1 Face Match and 1:N (1 to Many) Facial Recognition.
- It is grossly irresponsible to conflate 1:1 Face Match with 1:N Facial Recognition. The 1:1 Face Match step is what tens of millions of Americans do every day to unlock their smartphone. The 1:N process is tied to a wholly different set of issues — surveillance, law enforcement, etc.
- ID.me performs 1:1 Face Match to verify an individual’s identity.
- The automated 1:1 Face Match is not associated with denying or blocking benefits. There is always a path forward for a user who fails any automated step in ID.me’s process.
- There is no racial bias tied to 1:1 Face Match in the ID.me verification process. We performed a regression analysis and a chi-squared test against the Fitzpatrick skin tone scale from a random sample and found no correlation between skin tone and failure rate.
- ID.me uses 1:N solely to prevent identity theft. 8 of 10,000 selfies are flagged for human review by this step. Six of the eight are highly likely to be serial identity thieves based on multiple fraudulent indicators. Two are verified with high-quality service through video chat without waiting.
- Any use of 1:N is internal to ID.me and does not involve any external or government database.
- ID.me uses best of breed component vendors. We don’t OEM our own technology. You can view the success rates for 1:1 Face Match as validated by NIST here.
Preventing identity theft and protecting Americans’ privacy
The most damaging event to someone’s privacy is identity theft. In a government benefits context, the harm is measured in dollars and time wasted remedying the situation, all while legitimate claimants are forced to wait for support. In some cases, criminals filed for unemployment with stolen identities before the actual eligible recipient, resulting in reduced rates of access and months without benefits due to inadequate security measures.
For example, CBS 6 News Albany reported that Ryan Pooler of New York was blocked from getting benefits after his identity was stolen and someone applied in his name before he did.
To put this problem in perspective, consider these figures. The FTC reported that identity theft related to government benefits increased by 2,920% year over year. The Identity Theft Resource Center, a non-profit in San Diego that helps less affluent victims, reported a 4,800% increase in identity theft related to unemployment benefits specifically year over year. This tsunami of fraud must be checked.
Using pre-pandemic fraud rates, DOL estimates that the lowest possible level of improper payments for unemployment benefits represents $87.3b in loss to taxpayers. Our own data, supported by public figures from the states, shows the fraud rate increased substantially during the pandemic and likely exceeds $400b. Previous reporting from earlier in the pandemic also pointed to significantly higher fraud rates relative to historical levels due to the relaxation of existing controls along with the introduction of new programs. The FTC figures certainly indicate fraud skyrocketed during the pandemic.
ID.me defeats 2 to 2.5% of all identity verification attempts at state workforce agencies where the attacker is wearing a mask and/or holding up an image or video of the intended victim. Russian attackers, either organized crime or nation-state, have unsuccessfully attempted to bypass the selfie check by replaying the response sent after a successful check. Keep in mind that each one of these images is tied to an innocent person’s stolen personal data, and this control is preventing harm to them.
Identity Theft Attempts Defeated by ID.me’s Selfie Verification Technology
The selfie to government ID match step is a critical control to prevent identity theft. In a healthcare setting, if this control is not present, the same attacker could gain access to someone’s medical records. Given the vast amounts of sensitive personal data that has been breached, and the proficiency of social engineers, criminals who harvest government ID images by posing as romantic interests or employers, this 1:1 selfie to photo ID check is often the last line of defense to prevent harm to an innocent victim.
Giving everyone access with video chat and in-person verification
Our primary goal is to get every legitimate claimant verified. We are working around the clock, and we’ve added thousands of employees to better serve legitimate claimants. Many of them are Trusted Referees, live video chat agents, who stand ready to assist those who need help verifying.
If an individual uploads a blurry image of their face, or submits a photo of a government ID that is cut off, then these agents provide concierge assistance to help legitimate applicants through. Given the unprecedented demand for our services to increase access for previously excluded users, we have hired thousands of people to make the verification process as smooth as possible.
In the coming weeks, we will also offer in-person verification options to help people who don’t have a reliable internet connection at home. Or to keep video chat wait times down in the event a government agency sends us millions of people for verification in a single day. We are committed to increasing access further through additional support for English as a Second Language (ESL) communities.
There is always more work to be done. At the same time, relative to the status quo, we have already advanced online access rates far beyond where they were prior to our introduction.
Once and done, with lasting benefits
Once an individual is verified, they can use the ID.me login to prove their verified status to other government agencies, federal and local. We are committed to permanently increasing equity so that once a user is verified for, say, unemployment, they can use the same ID.me login to prove their identity for services like Medicaid/Medicare, SNAP, Rental Assistance, etc. This is the vision that we have strived to realize over the last decade — an America where all people have equitable access to their government.
1 Federal Trade Commission. Consumer Sentinel Network Data Book 2020, 6. Washington, DC: Federal Trade Commission. Retrieved from https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf
2 COVID Unemployment Sees 4,800% Spike in Fraud, Identity Theft, CEO Says. Accessed June 21, 2021. https://www.msn.com/en-us/news/crime/covid-unemployment-sees-4800percent-spike-in-fraud-identity-theft-ceo-says/ar-BB1gCsiI.