Q: How secure is IDgo?
A: The IDgo service leverages WebAuthn, a core component of the FIDO Alliance’s FIDO2 specifications. The WebAuthn standard, a joint effort from the W3C, an international internet standards organization, and the FIDO Alliance, is for creating and accessing public key credentials on the web. This enables strong authentication of users. With IDgo, users can register and authenticate with web applications using devices such as phones, hardware security keys and laptops/desktops. A device can be used alongside other authentication factors to achieve multi-factor authentication (MFA), or in the case of devices with built-in biometrics or PIN entry mechanisms, can achieve MFA from a single gesture, increasing both security and ease-of-use. IDgo is designed to be phishing-resistant, as credentials are “scoped” to the website where they were created, and won’t work if users are tricked into authenticating on a phishing site. FIDO enables passwordless and multi-factor authentication that does not rely on secret credentials and is a strong defense against account takeover attacks. The IDgo service is designed to support two factors of security (something a user knows, something the user possesses, something the user is) at all times including during issuance of an IDgo credential, during usage of an IDgo credential and during IDgo account recovery. Security methods employed include use of device-based biometrics, passcodes, screen locks or the use of one-time passcodes during issuance, usage and account recovery.
Q: Are biometrics used by IDgo?
A: IDgo uses device resident biometrics, such as Apple’s TouchID and FaceID or Google’s Fingerprint in the authentication process. No user biometrics are collected or stored by the IDgo service; user biometrics never leave the end user’s device.
Q: What do you mean when you say IDgo is "app-less"?
A: By "app-less" we mean that the IDgo service does not require end users to download an application to use the service. End users interact with IDgo via SMS messages and the IDgo website.
Q: What do you mean when you say "omni-channel"?
A: By "omni-channel" we mean that the IDgo authentication service works exactly the same way for all channels, e.g., when authenticating via phone call, online or in person, making the user experience simple and consistent.
Q: What devices does IDgo authentication work with?
A: IDgo authentication works with internet connected devices including mobile phones, laptops, tablets and desktop computers. Users need a mobile device capable of receiving SMS messages to use the IDgo authentication service. It is recommended that devices have local biometrics capabilities, such as Touch ID / Fingerprint or Face ID.
Q: What end user data does IDgo collect and store?
A: IDgo collects and stores each end user’s mobile phone number. Relying parties have the option to require collection of additional end user information that will be stored as long as there is a business need.
Q: Does IDgo sell end user data collected by the IDgo service?
A: No, IDgo does not sell end user data collected by the IDgo service to any other organization.
Q: What is the IDgo privacy policy?
A: The IDgo privacy policy can be found here. IDgo takes privacy seriously and collects only the minimal amount of data needed about end users. End users control sharing their data with enterprises. IDgo does not share end user data with any other organization.
Q: Has IDgo achieved SOC certification?
A: Yes, IDgo has successfully completed and is maintaining SOC2 Type 2 certification.
Q: What happens with the IDgo authentication service when an end user switches cell phones and keeps the same phone number?
A: The next time the end user is prompted to authenticate themselves, the IDgo software will recognize the new phone has not yet been registered. The end user will be asked to complete an account recovery process to use the IDgo service again.
Q: What happens with the IDgo authentication service when an end user gets a different cell phone number than the one used to enroll in the IDgo service?
A: The end user will need to be re-invited by their service provider to complete the IDgo enrollment process again one-time to associate the new phone number with their IDgo account.
Q: Does IDgo comply with the Telephone Consumer Protection Act (TCPA)?
A: TCPA is aimed at restricting telephone solicitations, i.e., telemarketing, using pre-recorded voice messages, automatic dialing, SMS and fax. The requirements of TCPA do not apply to IDgo authentication SMS messages. In addition, IDgo does follow recommended guidelines when sending enrollment SMS messages and includes support for users to “Reply STOP” to opt out of receiving further enrollment SMS messages.