IRS requires user's camera to do “liveness detection” to create an account (twitter.com/crobertsbmw)
36 points by hacky_engineer on Sept 21, 2021 | 12 comments


Use a desktop and maybe it won't prompt you since it can't detect a camera?

Hold up a photo of Jan-Michael Vincent?

Invest in that Guy Fawkes mask you always wanted?

[1] https://ksassets.timeincuk.net/wp/uploads/sites/55/2019/03/G...

[2] https://www.walmart.com/ip/V-for-Vendetta-Mask-Guy-Fawkes-An...


It says that "Liveness detection will commence using a series of colorful flashing lights" - presumably that's designed to catch folks holding up photos.


"There are FOUR lights!"


I always liked "it's lunch time somewhere" from Babylon 5, same vibe as that TNG episode.

[1] https://babylon5.fandom.com/wiki/Intersections_in_Real_Time

[2] https://en.m.wikipedia.org/wiki/Chain_of_Command_(Star_Trek:...


Seems ironic that this technology starts to get used right at the moment where it's basically become obsolete as a reliable form of identification.


AFAI-can-tell, it's actually "properly clever" with the mention of flashing colorful lights.

1) Video Feed + face detection

2) Blink white/red/white, blue/white/blue, etc, but in a particular timing for that unique verification session (ie: md5($date) => RGB => emit + recover)

3) Validate that the face is consistent throughout the validation video, validate that the color-shift (difference of pixels) occurs "at the right time" or "at the right rate" (accounting for lag).

Clever?!
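
The per-session flash check sketched in the comment above, as an added example that is not part of the original thread and not the code of any real identity provider. The function names, palette, slot length and lag thresholds are assumptions; HMAC-SHA256 over a random session nonce is used in place of the comment's `md5($date)` so the sequence cannot be predicted from the clock, and the observed color shifts are assumed to have been recovered from the face region of the video upstream.

```python
import hashlib
import hmac
import secrets

COLORS = ["red", "green", "blue", "white"]  # assumed palette


def make_challenge(server_key, session_id, steps=6, slot_ms=400):
    """Derive this session's flash schedule as [(start_ms, color), ...]."""
    digest = hmac.new(server_key, session_id, hashlib.sha256).digest()
    schedule, prev = [], None
    for i in range(steps):
        # Never repeat the previous color, so every slot is a visible shift.
        choices = [c for c in COLORS if c != prev]
        prev = choices[digest[i] % len(choices)]
        schedule.append((i * slot_ms, prev))
    return schedule


def verify(schedule, observed, max_lag_ms=250, jitter_ms=80):
    """Check color shifts recovered from the face region against the schedule.

    observed: [(timestamp_ms, color), ...], assumed to be extracted upstream.
    """
    if not schedule or len(observed) != len(schedule):
        return False  # e.g. a printed photo reflects no shifts at all
    lags = []
    for (t_exp, c_exp), (t_obs, c_obs) in zip(schedule, observed):
        if c_obs != c_exp:
            return False  # wrong sequence: recording from another session
        lags.append(t_obs - t_exp)
    # A reflection cannot precede its flash; camera/network lag is bounded
    # and roughly constant across one session.
    return (min(lags) >= 0 and max(lags) <= max_lag_ms
            and max(lags) - min(lags) <= jitter_ms)


if __name__ == "__main__":
    key, session = secrets.token_bytes(32), secrets.token_bytes(16)
    sched = make_challenge(key, session)
    live = [(t + 120, c) for t, c in sched]    # constructed: steady 120 ms lag
    early = [(t - 50, c) for t, c in sched]    # constructed: shift before flash
    print(verify(sched, live), verify(sched, []), verify(sched, early))
```
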


Clever and scary. But is that all? No facial recognition? What happens if you just wear a Nixon mask or a horse head?


Won't match the photograph on your government ID, which has strict rules for how you're photographed to ensure that pre-AI matching algorithms have a fair chance.

This also suggests that if you wear a pasta strainer in your DMV photo, you need to wear it when working through this verification, and be advised that their algorithm may get upset with you.


Such is often the case with bureaucracy, isn't it?


That's not a fair criticism. Government is not where you can move fast and break things. You must move carefully and fix things [1].

Just this weekend, Login.gov was made the primary identity provider for the Social Security Administration [2]. This is a big deal! They get 22 million visitors a month. The IRS was in a bind years ago because of identity fraud around refunds (disclosure: I interviewed with the team who is working to solve this), and ID.me appears to have been selected at the time to meet this need. Login.gov, to my knowledge, does not require liveness detection when submitting a state ID for proofing purposes (at least, it did not when I signed up for Social Security Administration access with my Login.gov account; only my state driver's license was required).

As of a year ago, Login.gov supported roughly ~90 agency websites/applications as an identity provider. As of a month ago, it's ~210. Despite the bureaucratic challenges, progress is being made, and considering that the CEO of ID.me wants to become a private corporation gatekeeper to digital identity services [3] [4], there's a lot of incentive to help government succeed based on the idea that this is infrastructure as a public good.

The question now is: when is IRS going to move to Login.gov as their identity provider and if they don't, why aren't they?

[1] https://billhunt.dev/move-carefully/

[2] https://secure.ssa.gov/RIL/SicaView.action

[3] https://www.forbes.com/sites/taxnotes/2021/07/12/the-emergin...

[4] https://insights.id.me/press-releases/id-me-raises-100-milli...

> Its target market appears to have been modified over the years, and ID.me’s founder and CEO described his aspirations for the company recently as similar to Visa Inc.’s electronic funds transfer business, but for personal identities.

> The CEO explained the business as a way to reduce friction in logins: “If we already know that you are you, or if we already have other credentials — like you’re a medical provider — here’s all the applications that accept ID.me for login. And you can just open up those applications without being challenged for your password or for identity verification because you’ve already done that. And when you do that, you can save people so much time and money.”

> ID.me hasn’t reached the same level of market saturation that Visa has in the United States, so many taxpayers who claim the child tax credit probably don’t already use the company’s services. In late March, ID.me said it had 39 million users, with more than 70,000 new users signing up each day.

(no affiliation with the federal gov, USDS, GSA, thoughts and opinions are always my own)


I tried to use ID.me, and learned that they only support Chrome and completely broke their MFA implementation[1]. I found their support page and submitted a message in June. I received messages in July and August saying it was still in the queue. No response since.

When I reported a compatibility issue with login.gov and Mobile Safari’s restrictions on WebAuthn which had shipped a few weeks earlier, I got a quick reply and they shipped the update within a month.

[1] MFA using SMS returns an error code and a link to a support page which does not exist, FIDO (it gives an error immediately rather than triggering the standard dialog like every other site), and TOTP has the option to copy the secret disabled in the HTML.


I had a couple week period earlier this year where I would have been eligible for unemployment, but they couldn't make the standard verification work and I got stuck trying to use ID.me and failing over and over. Never occurred to me to download Chrome and try that.



