Identity verification is the process by which Login.gov confirms that a user is who they say they are. Some partner agencies require identity verification due to the sensitivity of the data or services users are accessing. This article covers remote unattended and in-person verification, accepted documents, facial matching, proofing rates, reproofing, and common partner questions.
Service Levels
Login.gov offers three service levels:
- Authentication only — Email, password, and MFA. No identity verification. Meets NIST 800-63-3 AAL1 or AAL2 (depending on configuration).
- Basic identity verification — Identity verification without facial matching. Does not meet NIST 800-63-3 IAL2.
- Enhanced identity verification (IAL2) — NIST 800-63-3 IAL2-compliant identity verification with facial matching (biometrics). Third-party assessed by Kantara Initiative.
For more on service levels and which one is right for your application, see Login.gov’s determining your service level page.
Basic vs. Enhanced: Key Differences
| Feature | Basic Identity Verification | Enhanced Identity Verification (IAL2) |
|---|---|---|
| IAL2 compliant | No | Yes (Kantara assessed) |
| Selfie required (remote) | No | Yes |
| Address verification by mail (remote) | Available if phone verification fails | Not available – phone verification required |
| Phone verification | Required for the in-person option, otherwise optional when verifying address by mail | Required |
Pricing
There is no price difference between Enhanced (IAL2) and Basic IdV services. Login.gov provides competitive pricing for both basic and enhanced identity verification. Contact us for a full breakdown.
Remote Identity Verification
Login.gov’s default identity verification path is remote and unattended — users complete the process from their computer and phone without interacting with a human.
Process Overview
- Document capture: User captures their state-issued ID or U.S. passport book using their device’s camera. Photo capture is required; manual upload of scanned images is not permitted.
- Document authentication: Login.gov validates the document’s security features, layout, and data against issuing-source databases.
- Identity resolution: User-submitted attributes (name, date of birth, address, SSN) are verified against authoritative records.
- Phone or address confirmation: User provides a phone number associated with their identity and receives a verification code. If phone verification is unavailable, users in the non-IAL2 flow can verify by mail (5–10 business days).
- Facial matching (IAL2 only): User takes a selfie, which is compared against the photo on their ID.
- Consent and redirect: Upon successful verification, the user consents to share their information with the partner agency and is redirected to the partner application.
For a visual walkthrough, see How to verify your identity on the Login.gov help center.
Desktop to Mobile Handoff
When a user starts identity verification on a desktop, Login.gov texts a link to the user’s mobile device; clicking the link starts document capture. Once the capture is completed, the user can resume the process on their computer. Mobile capture produces higher success rates because the experience provides real-time feedback on photo quality.
Step-Up Flows
Step-up flows are processes where a user upgrades from an authentication-only account to an identity-verified account. Partners can use step-up flows to conditionally enforce identity verification for only a subset of users:
- Default to authentication-only requests for all users.
- After the user is redirected back to your app, determine whether they need verification (based on their role, the information they are accessing, or other criteria).
- If verification is needed, make a second authentication request to Login.gov, this time requiring identity verification.
- Login.gov checks whether the user meets the requested level. If so, they are redirected back immediately. If not, they are prompted to complete verification.
For detailed implementation examples, see Login.gov’s Alternative IdV Playbook (Examples A and B), available from your Partner Success Manager.
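The partner-side decision in the step-up flow above, as an added sketch that is not taken from this article or from the Alternative IdV Playbook. It assumes an OIDC integration: the endpoint is a placeholder, the `acr_values` strings are assumed from Login.gov's OIDC developer documentation, the role names are hypothetical, and the ID token's `acr` claim is assumed to carry the level the user actually met.

```python
import secrets
from urllib.parse import urlencode

# Assumptions, not from this article: AUTHORIZE_URL is a placeholder, and the
# acr_values strings are taken from Login.gov's OIDC developer documentation.
AUTHORIZE_URL = "https://idp.example.gov/openid_connect/authorize"
ACR_AUTH_ONLY = "urn:acr.login.gov:auth-only"
ACR_VERIFIED = "urn:acr.login.gov:verified"

# Hypothetical partner policy: roles that must be identity-verified.
ROLES_REQUIRING_IDV = {"benefits_claimant", "records_requester"}


def build_authorize_url(acr, client_id, redirect_uri, session):
    """Build an authorization request and bind fresh state/nonce to the session."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    params = {
        "acr_values": acr,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def next_step(claims, role, client_id, redirect_uri, session):
    """Decide, after the redirect back, whether to grant access or step up.

    `claims` are ID-token claims whose signature, issuer and audience the
    caller has already validated.
    """
    expected = session.get("nonce")
    received = str(claims.get("nonce", ""))
    if not expected or not secrets.compare_digest(received, expected):
        raise ValueError("nonce mismatch: response is not bound to this session")
    if role not in ROLES_REQUIRING_IDV:
        return ("grant", None)
    # Decide on the level the token asserts, never on the level that was requested.
    if claims.get("acr") == ACR_VERIFIED:
        return ("grant", None)
    url = build_authorize_url(ACR_VERIFIED, client_id, redirect_uri, session)
    return ("step_up", url)
```

Each step-up request issues a new state and nonce, so a token from the earlier authentication-only sign-in cannot be replayed to satisfy the verified check.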
In-Person Identity Verification
For users unable to verify remotely — whether due to technical issues or personal preference — Login.gov offers a hybrid online/in-person verification process.
How It Works
- Online portion: The user begins the process online and enters their information (name, ID information, address, SSN, phone number). They can either attempt remote verification first or opt in to in-person verification up front.
- Barcode generation: If online validation of user-provided information succeeds, Login.gov generates an enrollment barcode with a 7-day expiration.
- Post Office visit: The user brings their ID and barcode to a participating U.S. Post Office. The user does not need to visit the location they initially selected – any participating Post Office will work. They stand in the regular line, and when it is their turn, they present their barcode to the retail associate. The associate scans the barcode or manually types in the enrollment code (which pulls up the user’s record in the USPS system), scans the user’s ID, checks that the ID information matches what was entered online (ID type, expiration date, address), physically examines the ID for signs of tampering, and verifies that the user’s face matches the photo on the ID. The associate tells the user they are done but does not disclose the outcome of the cross-check. Accepted forms of ID can be found here.
- Result notification: Login.gov emails the user within 24 hours (most users receive the email within 1 to 2 hours) with the outcome. If successful, the email contains a sign-in button. The user then signs in, consents to share their information with the partner agency, and is redirected to the partner application.
Important: If a user did not complete the online portion and does not have a barcode, the Post Office cannot help them. The barcode is required to initiate the in-person verification.
Key Details
- Approximately 18,000 USPS locations participate. Users should always use the Post Office search tool to confirm participation. This search feature uses the USPS API for real-time participating location data and is the single source of truth.
- Login.gov shares only the user’s name, ID type/number/expiration, and address with USPS. Email addresses are not shared.
- In-person proofing currently accepts specific identity documents listed here.
- In-person proofing is included in identity verification pricing and available to all users — partners do not need to do anything additional to enable it.
- The in-person proofing flow received IAL2 certification.
- Any user going through identity verification can choose to verify in person — either by opting in at the start or by falling back after a failed remote attempt.
Fully In-Person Option
Login.gov does not offer a fully in-person verification option where no online steps are required. The current offering is a hybrid online/in-person service.
Online vs. In-Person: Key Differences
In the fully online flow, a user takes a photo of their ID (and a selfie for IAL2). The information on the ID is automatically extracted from the photo. In the in-person flow, these steps are replaced by the user manually entering all of their information exactly as it appears on their ID.
After the information is submitted, the verification steps are the same in both flows – Login.gov checks the data against authoritative records and verifies the phone number. The in-person option provides an alternative path for users who are unable to or prefer not to submit images of their ID and face online. Additionally, the in-person flow always requires phone verification (no verify-by-mail option).
Falling Back to In-Person Proofing
If a user has trouble taking photos of their ID during the remote flow, Login.gov presents options to switch to in-person verification:
Option 1: If the photo capture fails, the user sees an error screen with a “Cancel” link at the bottom. Clicking it leads to a “Cancel verifying your identity?” screen. On that screen, clicking the “Start over” button takes the user back to the initial IdV screen, where they can choose the in-person flow.
Option 2: If the submitted ID is not recognized or accepted, the user sees a “We couldn’t verify your ID” screen with a “Try in person” button.
In both cases, the user then enters their information manually and proceeds through the online verification checks. If those checks pass, they receive a barcode to take to a participating USPS location.