Q: How secure is IDgo?
A: The IDgo service leverages WebAuthn, a core component of the FIDO Alliance’s FIDO2 specifications. The WebAuthn standard, a joint effort from the W3C, an international internet standards organization, and the FIDO Alliance, is for creating and accessing public key credentials on the web. This enables strong authentication of users. With IDgo, users can register and authenticate with web applications using devices such as phones, hardware security keys and laptops/desktops. A device can be used alongside other authentication factors to achieve multi-factor authentication (MFA), or in the case of devices with built-in biometrics or PIN entry mechanisms, can achieve MFA from a single gesture, increasing both security and ease-of-use. IDgo is designed to be phishing-resistant, as credentials are “scoped” to the website where they were created, and won’t work if users are tricked into authenticating on a phishing site. FIDO enables passwordless and multi-factor authentication that does not rely on secret credentials and is a strong defense against account takeover attacks. The IDgo service is designed to support two factors of security (something a user knows, something the user possesses, something the user is) at all times including during issuance of an IDgo passkey, during usage of an IDgo passkey and during IDgo account recovery.
Q: What fraud attacks does IDgo protect against?
A: IDgo protects against many common fraud attacks including: Credential Stuffing, Phishing / Smishing, Social Engineering, Person in the Middle Attacks, Malware, Brute Force Attack, Spoofing, and SIM Swap. To learn more, click here to read about how IDgo protects against attacks.
Q: Are biometrics used by IDgo?
A: IDgo uses device resident biometrics, such as TouchID and FaceID or Fingerprint in the authentication process. No user biometrics are collected or stored by the IDgo service; user biometrics never leave the end user’s device.
Q: What do you mean when you say IDgo is "app-less"?
A: By "app-less" we mean that the IDgo service does not require end users to download an application to use the service. End users interact with IDgo via a browser application on their device.
Q: What do you mean when you say "omni-channel"?
A: By "omni-channel" we mean that the IDgo authentication service works the same way for all user engagement channels, e.g., when authenticating via phone call, online or in person, making the user experience simple and consistent.
Q: What devices does IDgo authentication work with?
A: IDgo authentication works with >98% of internet connected devices including mobile phones, laptops, tablets and desktop computers.
Q: What end user data does IDgo collect and store?
A: IDgo collects and stores each end user’s mobile phone number. Enterprises have the option to require collection of additional end user information that will be stored as long as there is a business need.
Q: Does IDgo sell end user data collected by the IDgo service?
A: No, IDgo does not sell end user data collected by the IDgo service to any other organization.
Q: What is the IDgo privacy policy?
A: The IDgo privacy policy can be found here. IDgo takes privacy seriously and collects only the minimal amount of data needed about end users. End users control sharing their data with enterprises. IDgo does not share end user data with any other organization.
Q: Has IDgo achieved SOC certification?
A: Yes, IDgo has successfully completed and is maintaining SOC2 Type 2 certification.
Q: What happens with the IDgo authentication service when an end user switches cell phones and keeps the same phone number?
A: The next time the end user is prompted to authenticate themselves, the IDgo software will recognize the new device does not have an IDgo passkey if it is an Android device, while Apple devices will work fine as the passkey is stored in iCloud. For Android devices, the end user will be asked to complete an account recovery process to use the IDgo service and given the opportunity to create an IDgo passkey.
Q: What happens with the IDgo authentication service when an end user gets a different cell phone number than the one used to enroll in the IDgo service?
A: The end user will need to be re-invited by their service provider to complete the IDgo enrollment process again one-time to associate the new phone number with their IDgo account.
Q: Does IDgo comply with the Telephone Consumer Protection Act (TCPA)?
A: TCPA is aimed at restricting telephone solicitations, i.e., telemarketing, using pre-recorded voice messages, automatic dialing, SMS and fax. The requirements of TCPA do not apply to IDgo authentication SMS messages. In addition, IDgo does follow recommended guidelines when sending enrollment SMS messages and includes support for users to “Reply STOP” to opt out of receiving further enrollment SMS messages.