At ID.me, your security is our top priority. If ID.me detects your password in a known data breach, you’ll receive a security alert when you sign in, create a new account, or change your password.
Data breaches occur when unauthorized individuals access and expose private information from other companies or websites—not ID.me. This article explains what to do after a data breach.
What to do after receiving a security alert
The steps you need to take depend on what you’re trying to do:
- Sign in: Check your email for a message from ID.me and complete the sign-in process using your current multi-factor authentication (MFA) method. Next, secure your account by updating your password. If you’re unable to complete MFA, visit How to reset your multi-factor authentication method.
- Create a new account or change your password: Follow the prompts and use a strong password.
Secure your account
Follow our best practices to ensure your account remains secure:
1. Use a strong password
Ensure your password is strong to reduce the risk of your account being compromised. Strong passwords safeguard your identity and personal information from cybercriminals. To create a strong password:
- Avoid reusing passwords: Make sure your ID.me password is unique and different from any passwords you use for other services.
- Use a passphrase: Combine random words to make a strong but easy-to-remember password. For example, "Sunset$Giraffe!Window92."
- Mix characters: Use a mix of letters, numbers, and symbols. For example, instead of "Basketball74," use "B@sk3tB@ll#74."
- Avoid predictable patterns: Don’t use patterns like "1234" or "abcd," or common sequences like "qwerty."
- Consider a password manager: A password manager can create and remember strong passwords for you.
For step-by-step instructions to change your password, visit How to reset your ID.me password.
2. Add passkey MFA to your account
Passkey MFA is the safest MFA method available, making it the best way to protect your account. A passkey:
- Lets you use your smartphone or computer to sign in. For example, you’ll use facial recognition, a fingerprint, or a pattern unique to your device.
- Helps prevent phishing attacks because someone would need your device to sign in.
- Makes signing in to your account even faster.
To learn how to enable passkey MFA, visit Setting up passkey multi-factor authentication (MFA).
3. Protect your 6-digit MFA code
Some multi-factor authentication methods, like text message/phone call and code generator MFA, use a 6-digit code to complete sign in. If someone asks for your 6-digit code, STOP—it’s a scam. Never share your 6-digit code with anyone. ID.me will never contact you for this code. You’ll only be prompted to enter it at login.
When to contact Support
If you suspect that someone tried to create an ID.me account or verify using your information, or if you believe someone else signed in to your account, report it to ID.me immediately. Learn how to report fraud to ID.me Support.