ID.me question

[IBMJunkman]

Had to create an account to access the IRS. Just got an email extolling the virtues of ID.me which mentions many of the sites I can use it with.

Which leads me to my question. Does this not fly in the face of the idea that you use unique passwords for each account? One password and the 2FA challenge gets me into IRS, SS, Veterans Affairs and various State agencies.

Does not seem that smart. Am I wrong?

 

[mindless1]

Well there is the 2FA...

Is ID.me Safe?

If you’ve tried to catch a plane lately or you’ve taken an anxious dive into IRS.gov in the hopes of finding good news, you’re probably aware of ID.me,

www.security.org

I started using it to get the Lowes and Home Depot, 10% military discount.

 

[Steltek]

Had to create an account to access the IRS. Just got an email extolling the virtues of ID.me which mentions many of the sites I can use it with.

Which leads me to my question. Does this not fly in the face of the idea that you use unique passwords for each account? One password and the 2FA challenge gets me into IRS, SS, Veterans Affairs and various State agencies.

Does not seem that smart. Am I wrong?

None of the available options seem to be either safe or smart anymore. We are only protected due to sheer numbers, so the chance is exceedingly small that you will be targeted by someone to hack.

BTW, you also have to upload a picture of your ID in order to establish the account with ID.me.

Something I'm just absolutely loath to give to a privately or publicly held corporation, given the complete lack of legal liability and accountability any corporations seem to have these days for the data they hold whenever they (inevitably) get hacked.

 

[Steltek]

Login.gov has now started requesting copies of IDs to access certain government websites, as I found while assisting my mother with her federal health insurance open season this year.

So, in the end, it won't matter whether you want to do it or not. The government is going to force the issue.

 

[mindless1]

None of the available options seem to be either safe or smart anymore. We are only protected due to sheer numbers, so the chance is exceedingly small that you will be targeted by someone to hack.

BTW, you also have to upload a picture of your ID in order to establish the account with ID.me.

Something I'm just absolutely loath to give to a privately or publicly held corporation, given the complete lack of legal liability and accountability any corporations seem to have these days for the data they hold whenever they (inevitably) get hacked.

Not sure that I agree. You upload a picture, but that could only be for verification purposes by a human, then that doesn't necessarily mean the pic persists. Maybe it does, I really don't know but I don't think that a pic of an ID card is enough for a compromise since even a car dealership can make a scan of your ID if you want to take a test drive.

Similar for other info, some more responsible sites don't store this info, just use it for initial verification, and even passwords are encrypted with hash that isn't backwards engineerable.

I do agree about lack of accountability, being unfair, but this is the modern life we live in. Personally, I am the reverse, that I am annoyed by 2FA and don't want to use phone/email/etc to do what I've always done in the past without that. I don't otherwise engage in dodgy connections so I'm forced to have this extra burden for those that do.

 

[Lost_in_the_HTTP]

I'm more concerned that FedGov ever let that information out to third parties to begin with.

 

[mindless1]

I'm more concerned that FedGov ever let that information out to third parties to begin with.

I look at it as, if you're signing up with them, you're giving your consent for them to receive your military status. If you go to test drive a car, and they want a photocopy of your driver's license, so you hand it to them, you're giving them consent to do that.

What advantage does a 3rd party have over me, knowing I'm a veteran? I suppose if dishonorably discharged, that would be a mark against me for employment purposes but if it were a legit requirement for employment then I'd consent to that, but otherwise what detriment is there?

I wouldn't want my DD 214 falling into the wrong hands because it has my SSN, DOB, signature, and if I lived at the same address as back then, the address, but no other info on that document seems particularly sensitive.

Plus,
Effective April 7, 2009, with the passage of Senate Bill 248, veteran’s discharge records are no longer considered public record. Therefore, only "authorized parties" are allowed to view or receive a copy of any DD214. Authorized party is defined as follows:

The person who is the subject of the record of discharge

A county veterans service officer, or attorney-in-fact, agent or other representative of the person who is the subject of the record of discharge, if authorized to inspect or copy the record of discharge by that person in a power of attorney or other document

A person authorized, for good cause shown, by a court of record to inspect or copy the record of discharge

If the person who is subject of the record of discharge is deceased, the executor or administrator, or an heir, legatee, or devisee, of the person’s estate or a funeral director who is to perform the funeral for the deceased person

If such person is not authorized, only redacted copies containing name, rank, date of birth, date of discharge and type of discharge will be provided
-------------------

However what is not clear to me, is what the statement IBMJunkman made, "Had to create an account to access the IRS.", means? Since the IRS services more non-veterans than veterans, why does "access" require military veteran status and verification of it?

If it's something about being a contractor or employee doing work for them, through this "account" and they want to disqualify people who have a dishonorable discharge, I can understand that. It could be the equivalent of barring employment because of a felony conviction, something the general public can look up.