A 9‑Digit Number Can Get You Hired—So Why Are States Expanding E‑Verify in 2026 When It Still Can’t Prove You’re You?
E‑Verify’s green light can feel like certainty, but watchdogs say it mainly matches records—not the person in front of the employer. That gap is where borrowed identities keep working.
By TheMurrow Editorial
April 13, 2026
Key Points
- 1Recognize the limits: E‑Verify confirms work authorization via record matching, but it often cannot prove the applicant’s identity.
- 2Understand the loophole: accurate borrowed or stolen SSNs can still return “Employment Authorized,” as GAO warns about persistent identity-theft vulnerability.
- 3Follow the rules: TNCs aren’t final, and DOJ says employers can’t punish workers while they contest and resolve mismatches.
A nine-digit number can open doors.
In American hiring, that number is often a Social Security number, typed into an online portal that promises employers certainty: E‑Verify. The system’s result—“Employment Authorized”—lands with the weight of a green light. Managers exhale. Payroll proceeds. A job begins.
Yet the clean finality of that phrase masks a quieter truth that federal watchdogs have been repeating for years. E‑Verify is not built to answer the question most people assume it answers. It is designed to verify employment authorization, not to prove identity. When those two ideas get blurred—especially in a labor market that runs on speed—identity fraud can slip through.
E‑Verify can be a strong check on paperwork—and a weak shield against borrowed identities.
— — TheMurrow Editorial
The paradox matters beyond politics. It shapes how employers manage risk, how authorized workers get protected, and how unauthorized work persists through the oldest trick in the hiring book: using someone else’s information that matches government records.
What E‑Verify Actually Verifies—and What It Doesn’t
E‑Verify is a federal electronic system run by the Department of Homeland Security (DHS), through USCIS, in partnership with the Social Security Administration (SSA). Its purpose is straightforward: confirm whether the information a new hire provides on the Form I‑9 matches records held by DHS and SSA. In other words, E‑Verify is an employment-eligibility verification tool, not a comprehensive identity-proofing system. USCIS describes E‑Verify as a check on the Form I‑9 process, not a replacement for it. (Source: e-verify.gov)
That distinction sounds technical until you translate it into everyday hiring reality. E‑Verify asks: do the identifiers entered—name, date of birth, Social Security number, document data—match a record for a person who is authorized to work? The system is not fundamentally designed to answer: is the person standing in front of the employer the rightful owner of those identifiers?
That gap is not merely theoretical. The Government Accountability Office (GAO) has warned that E‑Verify remains vulnerable to identity theft, meaning someone can present valid-looking information that matches government records without being the person those records describe. GAO framed identity fraud as a “significant challenge” for the program and noted E‑Verify often cannot detect it. (Source: GAO‑11‑146)
That distinction sounds technical until you translate it into everyday hiring reality. E‑Verify asks: do the identifiers entered—name, date of birth, Social Security number, document data—match a record for a person who is authorized to work? The system is not fundamentally designed to answer: is the person standing in front of the employer the rightful owner of those identifiers?
That gap is not merely theoretical. The Government Accountability Office (GAO) has warned that E‑Verify remains vulnerable to identity theft, meaning someone can present valid-looking information that matches government records without being the person those records describe. GAO framed identity fraud as a “significant challenge” for the program and noted E‑Verify often cannot detect it. (Source: GAO‑11‑146)
The “Employment Authorized” Result Can Be Misleading
“Employment Authorized” does not always mean “identity confirmed.” It means the data entered aligns with a record that indicates work authorization. If the data belongs to someone else—and it is entered accurately—E‑Verify can still return approval.
The practical implication is uncomfortable: a system widely perceived as a lock functions, in some circumstances, more like a keypad that accepts any correct code—regardless of who typed it.
The practical implication is uncomfortable: a system widely perceived as a lock functions, in some circumstances, more like a keypad that accepts any correct code—regardless of who typed it.
E‑Verify answers whether the identifiers match. It does not always answer whether the person matches.
— — TheMurrow Editorial
The Core Trade-Off: Scale Versus Certainty
E‑Verify operates at national scale, across employers with varying training and compliance cultures. Tightening identity proofing—especially with biometric certainty—would be a different program entirely, with different legal, privacy, and logistical costs. Critics argue the identity gap undermines the promise of enforcement; defenders counter that E‑Verify was never designed to be a national ID system in disguise.
Both sides are arguing about the same thing: whether the United States wants employment verification to double as identity verification. Right now, it largely does not.
Both sides are arguing about the same thing: whether the United States wants employment verification to double as identity verification. Right now, it largely does not.
The Hiring Workflow: Where E‑Verify Fits (and Where It Doesn’t)
E‑Verify begins with something older and more analog: the Form I‑9. Employers must complete the I‑9 for new hires, reviewing documents that show identity and employment authorization. E‑Verify is an additional step used by participating or mandated employers, not the first step and not a substitute. USCIS treats it as a supplement with “special rules” for E‑Verify users. (Source: uscis.gov)
That sequencing matters. Employers often experience E‑Verify as the decisive moment, but the system only checks what the employer enters based on what the employee presented. If the source documents are borrowed, counterfeit, or mismatched in subtle ways, E‑Verify may not catch it unless the mismatch is visible to SSA/DHS databases.
That sequencing matters. Employers often experience E‑Verify as the decisive moment, but the system only checks what the employer enters based on what the employee presented. If the source documents are borrowed, counterfeit, or mismatched in subtle ways, E‑Verify may not catch it unless the mismatch is visible to SSA/DHS databases.
What Employers Actually Do
In practice, the workflow looks like this:
Typical E‑Verify workflow
- ✓The employee completes Section 1 of the Form I‑9.
- ✓The employer reviews documents and completes Section 2.
- ✓If the employer uses E‑Verify, they enter the employee’s information into the system.
- ✓E‑Verify returns a result such as “Employment Authorized” or a mismatch that triggers a formal process.
This is a process built around record matching and employer data entry. It is not a live identity check administered by the government.
A Case Study in the Ordinary
Consider a common scenario: an employee presents documentation that appears valid and supplies a Social Security number that belongs to a work-authorized person. The employer enters the data; the data matches government records; E‑Verify returns “Employment Authorized.” If the employer has no reason—and no tool—to know the identity is borrowed, the hire proceeds.
Oversight reports have pointed directly at this vulnerability. GAO has repeatedly emphasized identity theft as a gap that E‑Verify cannot reliably close. (Source: GAO‑11‑146)
Oversight reports have pointed directly at this vulnerability. GAO has repeatedly emphasized identity theft as a gap that E‑Verify cannot reliably close. (Source: GAO‑11‑146)
A system built for eligibility can’t automatically become a system built for identity.
— — TheMurrow Editorial
“Tentative Nonconfirmation”: The System’s Friction—and Workers’ Rights
When E‑Verify cannot match the information entered to SSA or DHS records, it returns a Tentative Nonconfirmation (TNC). E‑Verify distinguishes between SSA mismatches and DHS mismatches, and some cases require manual review, producing statuses such as “Needs More Time.” (Source: e-verify.gov)
A TNC is not a final finding of unauthorized work. It is a signal that something in the record match failed—sometimes for benign reasons: name changes, data entry mistakes, or unupdated agency records. For employees, the TNC is where the system’s promise of certainty collides with the messiness of real life.
A TNC is not a final finding of unauthorized work. It is a signal that something in the record match failed—sometimes for benign reasons: name changes, data entry mistakes, or unupdated agency records. For employees, the TNC is where the system’s promise of certainty collides with the messiness of real life.
The Legal Guardrails Employers Must Follow
The Department of Justice’s Immigrant and Employee Rights Section (IER) is explicit about one crucial safeguard: employers may not take adverse action—such as firing, suspending, delaying training, or cutting hours—against an employee because of a TNC while the employee is resolving it. (Source: justice.gov, IER FAQs)
That safeguard is easy to state and hard to enforce in a busy workplace. Employers worry about compliance risk; workers worry about retaliation or stigma. The system tries to balance both.
That safeguard is easy to state and hard to enforce in a busy workplace. Employers worry about compliance risk; workers worry about retaliation or stigma. The system tries to balance both.
Why TNCs Don’t Solve the Identity-Fraud Problem
A TNC can catch errors and mismatches, and it can block some unauthorized hires. Yet the identity-fraud problem often runs in the opposite direction: the information matches too well. When a borrowed identity is entered correctly, the system has less reason to throw friction into the process.
That is why watchdogs emphasize the difference between catching mismatches and confirming identity. The former is what E‑Verify does reliably; the latter is what the program struggles to do at scale.
That is why watchdogs emphasize the difference between catching mismatches and confirming identity. The former is what E‑Verify does reliably; the latter is what the program struggles to do at scale.
The Nine Digits Problem: How Borrowed Identities Slip Through
The most common misunderstanding about E‑Verify is that it “checks the person.” Most of the time, it checks whether the data lines up with government records. When someone uses a Social Security number that belongs to a work-authorized individual and pairs it with matching biographical data, E‑Verify can return approval.
GAO has described identity theft as a persistent vulnerability in E‑Verify, one that the system often cannot detect. (Source: GAO‑11‑146) That assessment has shown up repeatedly in policy debates for a reason: it maps onto the real-world incentives that drive identity borrowing.
GAO has described identity theft as a persistent vulnerability in E‑Verify, one that the system often cannot detect. (Source: GAO‑11‑146) That assessment has shown up repeatedly in policy debates for a reason: it maps onto the real-world incentives that drive identity borrowing.
Why the System Can Be Fooled by Accurate Fraud
E‑Verify’s strength—rapid electronic matching—is also a weakness in identity theft scenarios. A database match is indifferent to who is typing.
To detect identity fraud, you typically need something more than matching:
- A stronger document security check
- A higher-confidence identity proofing step
- Or a biometric comparison
E‑Verify, as designed, is not a biometric system. It is a confirmation of records, mediated by employer inputs.
To detect identity fraud, you typically need something more than matching:
- A stronger document security check
- A higher-confidence identity proofing step
- Or a biometric comparison
E‑Verify, as designed, is not a biometric system. It is a confirmation of records, mediated by employer inputs.
What This Means for Authorized Workers
Identity theft in employment is not a victimless technicality. When someone uses another person’s Social Security number, the rightful holder can face wage-reporting complications, tax confusion, and bureaucratic stress untangling their record. The research here emphasizes the verification gap rather than downstream harms, but the implication is clear: a system that cannot reliably detect identity fraud does not only affect immigration enforcement debates; it can also affect the integrity of individual records.
9
The nine digits of a Social Security number can unlock hiring systems—yet E‑Verify can’t always confirm the person behind them.
Photo Matching: A Helpful Feature That Isn’t Identity Proof
E‑Verify includes Photo Matching, a feature that displays a government-held photo associated with certain documents so the employer can compare it to the photo on the document the employee presented. E‑Verify describes this as a tool for employers to reduce document fraud. (Source: e-verify.gov)
Photo Matching sounds like a direct answer to the identity problem. The catch is in the mechanics—and in how limited the feature is.
Photo Matching sounds like a direct answer to the identity problem. The catch is in the mechanics—and in how limited the feature is.
Why Photo Matching Has Limits
The DHS Office of Inspector General (OIG) reviewed E‑Verify and concluded USCIS needed to improve the program’s electronic employment eligibility verification process. OIG highlighted that identity confirmation is limited in part because photo matching is not fully automated and depends on employers manually reviewing photos. (Source: OIG‑21‑56, Aug. 2021)
Manual comparison introduces variability. Some employers train staff carefully; others rush. Some workforces rely on high-volume onboarding; others hire rarely. The tool is only as consistent as the human being clicking the buttons.
Manual comparison introduces variability. Some employers train staff carefully; others rush. Some workforces rely on high-volume onboarding; others hire rarely. The tool is only as consistent as the human being clicking the buttons.
Photo Matching Still Isn’t Biometric Proof
Even when photo matching applies, it is not the same as biometric identity verification. It is a visual comparison between two photos, conducted by an employer representative, under the pressures of a hiring process.
Photo matching can reduce certain kinds of document fraud. It does not eliminate the fundamental issue GAO has identified: E‑Verify can be vulnerable to identity theft, particularly when the presented data and documentation align with existing records.
Photo matching can reduce certain kinds of document fraud. It does not eliminate the fundamental issue GAO has identified: E‑Verify can be vulnerable to identity theft, particularly when the presented data and documentation align with existing records.
2021
DHS OIG’s 2021 report (OIG‑21‑56) flagged process weaknesses, including identity limits and manual photo-matching reliance.
What the Watchdogs Say: GAO and DHS OIG on the Identity Gap
It is tempting to treat E‑Verify’s limitations as partisan talking points. Federal oversight bodies have been more specific—and more persistent—than that.
GAO: Identity Theft Is a “Significant Challenge”
GAO has repeatedly warned that E‑Verify remains vulnerable to identity theft and employer fraud, and that it cannot detect identity fraud in many cases. The relevant report often cited in these debates is GAO‑11‑146. (Source: gao.gov)
That is not a marginal critique. It goes to the center of the program’s credibility, particularly when E‑Verify is marketed—formally or informally—as a definitive answer to unauthorized work.
That is not a marginal critique. It goes to the center of the program’s credibility, particularly when E‑Verify is marketed—formally or informally—as a definitive answer to unauthorized work.
DHS OIG (2021): Process Improvements and Manual Weak Points
The DHS Inspector General’s 2021 report (OIG‑21‑56) concluded USCIS needed to improve E‑Verify’s process, pointing to deficiencies that include the limits of identity confirmation and the manual nature of photo matching. (Source: oig.dhs.gov)
In plain terms: the government’s own watchdog sees E‑Verify as a useful system with operational vulnerabilities that matter, especially where identity is concerned.
In plain terms: the government’s own watchdog sees E‑Verify as a useful system with operational vulnerabilities that matter, especially where identity is concerned.
Older Evaluations Still Shape Today’s Debate
Policy discussions also reference earlier evaluations—often associated with Westat-era studies and summarized by the Congressional Research Service (CRS)—that describe identity and document fraud as major drivers of erroneous “employment authorized” outcomes. The point for readers in 2026 is not to memorize dated numbers, but to recognize how durable the underlying problem has been: the labor market creates incentives to find valid-looking credentials, and electronic matching tools struggle when the credentials are real but misused. (Source: CRS summary via everycrsreport.com)
GAO‑11‑146
A frequently cited GAO report warning that identity theft is a significant challenge for E‑Verify and often goes undetected.
Key Insight
E‑Verify’s core value is fast eligibility record-matching. Its core weakness is the same: accurate stolen identifiers can still pass.
So What Should Employers—and Workers—Do With This Reality?
E‑Verify is not useless. It can deter some unauthorized hiring and catch many mismatches quickly. The more honest question is what E‑Verify can realistically deliver, and what employers should do to avoid turning a compliance tool into a false sense of certainty.
Practical Takeaways for Employers
Employers using E‑Verify should treat the system as one layer in a compliance program, not the entire program.
Key implications from the research:
- Train hiring staff on TNC rules. DOJ’s IER guidance is clear: no adverse action while a worker resolves a TNC. (Source: justice.gov)
- Prioritize accurate data entry. Many mismatches can stem from simple errors; accuracy reduces unnecessary TNCs and disruptions.
- Use Photo Matching carefully where it applies. OIG’s critique highlights the employer-dependent nature of manual review; consistency matters. (Source: OIG‑21‑56)
- Understand the identity-theft limitation. GAO has made the point bluntly: E‑Verify cannot reliably detect identity fraud in many cases. (Source: GAO‑11‑146)
Key implications from the research:
- Train hiring staff on TNC rules. DOJ’s IER guidance is clear: no adverse action while a worker resolves a TNC. (Source: justice.gov)
- Prioritize accurate data entry. Many mismatches can stem from simple errors; accuracy reduces unnecessary TNCs and disruptions.
- Use Photo Matching carefully where it applies. OIG’s critique highlights the employer-dependent nature of manual review; consistency matters. (Source: OIG‑21‑56)
- Understand the identity-theft limitation. GAO has made the point bluntly: E‑Verify cannot reliably detect identity fraud in many cases. (Source: GAO‑11‑146)
Practical Takeaways for Workers
Workers caught in a TNC should know two things the system can obscure:
- A TNC is not a final denial of authorization.
- The law restricts employers from punishing workers for contesting and resolving a mismatch. (Source: DOJ IER FAQs)
Workers also benefit from maintaining consistent records—especially around name changes—and ensuring SSA and DHS records reflect updates where required. E‑Verify is a matching system; mismatches often arise when databases lag behind life events.
- A TNC is not a final denial of authorization.
- The law restricts employers from punishing workers for contesting and resolving a mismatch. (Source: DOJ IER FAQs)
Workers also benefit from maintaining consistent records—especially around name changes—and ensuring SSA and DHS records reflect updates where required. E‑Verify is a matching system; mismatches often arise when databases lag behind life events.
The Policy Choice Hiding in Plain Sight
E‑Verify debates often pretend the question is binary: mandate it everywhere or scrap it. The real question is more pointed: should the United States continue using a large-scale eligibility check that remains vulnerable to identity theft, or should it build something closer to true identity verification—with all the civil liberties and infrastructure implications that would entail?
E‑Verify’s current design reflects a compromise. The results reflect it too.
E‑Verify’s current design reflects a compromise. The results reflect it too.
Editor’s Note
“Employment Authorized” is best understood as a database match to authorization records—not a definitive identity verdict.
Conclusion: The Verdict E‑Verify Can’t Deliver
“Employment Authorized” is a powerful phrase, but it is not a declaration of identity.
E‑Verify is built to match records, and it often does that quickly. Federal oversight—GAO on identity theft, DHS OIG on process weaknesses and manual photo review—shows why the system can still be gamed by a person holding the right data but the wrong identity. The system’s critics are right about the gap; the system’s defenders are right that it was never meant to be a national identity proofing regime.
The danger lies in pretending the gap does not exist. Employers deserve an honest understanding of what E‑Verify does on their behalf, and workers deserve a process that does not punish them for database mismatches. Policy makers, meanwhile, should stop selling E‑Verify as a moral verdict. It is a compliance tool—effective in some lanes, porous in others—and the nine-digit number problem sits squarely in the porous part.
E‑Verify is built to match records, and it often does that quickly. Federal oversight—GAO on identity theft, DHS OIG on process weaknesses and manual photo review—shows why the system can still be gamed by a person holding the right data but the wrong identity. The system’s critics are right about the gap; the system’s defenders are right that it was never meant to be a national identity proofing regime.
The danger lies in pretending the gap does not exist. Employers deserve an honest understanding of what E‑Verify does on their behalf, and workers deserve a process that does not punish them for database mismatches. Policy makers, meanwhile, should stop selling E‑Verify as a moral verdict. It is a compliance tool—effective in some lanes, porous in others—and the nine-digit number problem sits squarely in the porous part.
1) Does E‑Verify confirm someone’s identity?
E‑Verify primarily confirms whether the information provided on Form I‑9 matches SSA/DHS records indicating work authorization. It is not a full identity-proofing system. GAO has warned the program remains vulnerable to identity theft and often cannot detect identity fraud when accurate stolen or borrowed information is used. (Source: GAO‑11‑146; e-verify.gov)
2) Why can E‑Verify return “Employment Authorized” for someone using a stolen SSN?
Because E‑Verify checks whether entered identifiers match government records. If a worker uses an SSN and biographical data that correctly match a record for a work-authorized person, the system can return “Employment Authorized” even if the person presenting the information is not the rightful holder. GAO has described identity theft as a significant challenge for E‑Verify. (Source: GAO‑11‑146)
3) What is a Tentative Nonconfirmation (TNC)?
A TNC occurs when the information an employer submits to E‑Verify does not match SSA or DHS records. E‑Verify distinguishes between SSA mismatches and DHS mismatches, and some cases require additional time or manual review (“Needs More Time”). A TNC is not a final finding of ineligibility. (Source: e-verify.gov)
4) Can an employer fire someone because of a TNC?
Not while the employee is resolving it. The DOJ’s Immigrant and Employee Rights Section (IER) states employers may not take adverse action against an employee because of a TNC if the employee chooses to contest and resolve the mismatch. Employers must follow the required process. (Source: justice.gov, IER FAQs)
5) What is Photo Matching in E‑Verify?
Photo Matching is a feature where E‑Verify displays a photo associated with certain documents, and the employer compares it to the photo on the employee’s document. It can help reduce some document fraud, but it relies on employer review and is not a biometric identity verification system. (Source: e-verify.gov)
6) What did the DHS Inspector General find about E‑Verify?
In a 2021 report, the DHS Office of Inspector General concluded USCIS needed to improve E‑Verify’s employment eligibility verification process. The report highlighted limits in confirming identity, including that photo matching is not fully automated and depends on employers to manually review photos. (Source: OIG‑21‑56, Aug. 2021)
7) If E‑Verify has gaps, why do employers use it?
Many employers use E‑Verify because it can quickly confirm many hires, catch common mismatches, and support compliance obligations for participating or mandated workplaces. The system’s limitations—especially around identity theft—do not negate its usefulness as a records-matching tool. They do, however, require employers and policymakers to be realistic about what “Employment Authorized” can and cannot mean. (Source: e-verify.gov; GAO‑11‑146)
T
About the Author
TheMurrow Editorial is a writer for TheMurrow covering explainers.
Frequently Asked Questions
Does E‑Verify confirm someone’s identity?
E‑Verify primarily confirms whether the information provided on Form I‑9 matches SSA/DHS records indicating work authorization. It is not a full identity-proofing system. GAO has warned the program remains vulnerable to identity theft and often cannot detect identity fraud when accurate stolen or borrowed information is used. (Source: GAO‑11‑146; e-verify.gov)
Why can E‑Verify return “Employment Authorized” for someone using a stolen SSN?
Because E‑Verify checks whether entered identifiers match government records. If a worker uses an SSN and biographical data that correctly match a record for a work-authorized person, the system can return “Employment Authorized” even if the person presenting the information is not the rightful holder. GAO has described identity theft as a significant challenge for E‑Verify. (Source: GAO‑11‑146)
What is a Tentative Nonconfirmation (TNC)?
A TNC occurs when the information an employer submits to E‑Verify does not match SSA or DHS records. E‑Verify distinguishes between SSA mismatches and DHS mismatches, and some cases require additional time or manual review (“Needs More Time”). A TNC is not a final finding of ineligibility. (Source: e-verify.gov)
Can an employer fire someone because of a TNC?
Not while the employee is resolving it. The DOJ’s Immigrant and Employee Rights Section (IER) states employers may not take adverse action against an employee because of a TNC if the employee chooses to contest and resolve the mismatch. Employers must follow the required process. (Source: justice.gov, IER FAQs)
What is Photo Matching in E‑Verify?
Photo Matching is a feature where E‑Verify displays a photo associated with certain documents, and the employer compares it to the photo on the employee’s document. It can help reduce some document fraud, but it relies on employer review and is not a biometric identity verification system. (Source: e-verify.gov)
What did the DHS Inspector General find about E‑Verify?
In a 2021 report, the DHS Office of Inspector General concluded USCIS needed to improve E‑Verify’s employment eligibility verification process. The report highlighted limits in confirming identity, including that photo matching is not fully automated and depends on employers to manually review photos. (Source: OIG‑21‑56, Aug. 2021)
