ORCID is legitimate: it is a real, non-profit persistent-identifier registry used by thousands of publishers, funders and institutions worldwide. But “legitimate” is not the same as “fraud-proof.” ORCID’s own documentation confirms that an ORCID iD verifies control of an email address and account — not a researcher’s real-world identity, credentials, or institutional affiliation — which is exactly the gap paper mills exploit.
An ORCID iD is a free, sixteen-digit persistent identifier that distinguishes one researcher from another and links that person to their publications, grants and affiliations. That single-sentence definition explains why ORCID is trusted — and why, on its own, it was never designed to stop organised authorship fraud.
This piece is a CASRAI editorial perspective: it argues that identity-layer tools like ORCID and contribution-layer tools like the CRediT taxonomy solve different problems, and that conflating the two leaves a detection gap that paper mills are actively exploiting.
Contents
- What does an ORCID iD actually verify?
- Is ORCID legit? The non-profit case
- Can identity verification stop paper-mill authorship rings?
- Why a contribution taxonomy like CRediT tackles a different problem
- Answer-first Q&A
- Implications for publishers, institutions and funders
- Conclusion: identity plus contribution, not identity alone
What does an ORCID iD actually verify?
An ORCID iD confirms that a person controls a given ORCID account and email address, and it links that account to a persistent, disambiguated researcher record. It does not independently confirm a person’s legal identity, employment, qualifications, or that they actually authored the works attached to their profile.
ORCID’s own guidance is explicit on this point: the organisation states that an ORCID iD is not a form of identity verification in the government-ID sense. Registration requires only a working email address, which is the same low bar that lets a legitimate early-career researcher register in seconds — and lets a paper mill spin up a disposable account just as fast.
Is ORCID legit? The non-profit case
Yes. ORCID is a genuine, mission-driven non-profit — ORCID is a global, not-for-profit organisation sustained by member fees from universities, publishers and funders, not by selling researcher data. It is embedded in submission workflows at major publishers and grant systems precisely because it solved a real problem: name ambiguity.
- Common-surname collisions are severe — a mere hundred surnames account for over 85% of China’s population, with Wang, Li and Zhang alone covering more than a fifth, making name-only attribution unreliable at scale.
- ORCID lets a researcher control which affiliations, works and peer-review activity are publicly visible, rather than relying on a publisher’s guesswork.
- Adoption is now effectively mandatory at many funders and journals, which is a trust signal in itself — but mandated use is not the same as verified authenticity.
So the trust question and the fraud-detection question are separate. ORCID earns trust as infrastructure; it was never marketed, and does not function, as an authorship-fraud filter.
Can identity verification stop paper-mill authorship rings?
No — not on its own, and the evidence for that is now substantial. The Committee on Publication Ethics (COPE) and the STM Association jointly defined and characterised the problem in their December 2022 Paper Mills Research Report, describing paper mills as commercial operations that manufacture fabricated or manipulated manuscripts and sell authorship slots, often to researchers under career pressure to publish.
The scale became undeniable in the retraction data. Publishers retracted more than 10,000 research papers in 2023 — a record documented by Nature’s news team, with a large share traced to paper-mill-linked special issues, concentrated heavily at a single Wiley/Hindawi imprint before its special-issue programme was shut down. An ORCID iD attached to a fabricated paper did not prevent a single one of those retractions; in many cases the fraudulent authors held valid, active ORCID accounts throughout.
That is the structural weakness: paper mills do not need to defeat ORCID, they only need to open an account, which requires nothing more than an email inbox. Publishers in response formed the STM Integrity Hub, launched in 2022, a shared cross-publisher infrastructure that pools signals — duplicate submissions, manipulated peer-review rings, image and reference manipulation — across member publishers in something ORCID’s single-account model cannot replicate, because ORCID has no mandate or mechanism to police manuscript content.
Why a contribution taxonomy like CRediT tackles a different problem
Identity tools answer “who is this person?” Contribution taxonomies answer a different, equally necessary question: “what did this specific person actually do on this specific paper?” CRediT, the contributor role taxonomy, was originated by CASRAI in 2014 and is now stewarded by NISO as ANSI/NISO Z39.104-2022 — CASRAI is the originator, not the current standards steward.
CRediT requires each listed author to be tagged against a defined set of contributor roles — conceptualisation, data curation, formal analysis, writing, and others — for every submitted manuscript. That disclosure layer creates a different fraud signal than identity ever could: a co-authorship pattern where a name appears solely under “funding acquisition” across dozens of unrelated papers in a short window is implausible in a way that a valid ORCID iD alone will never flag, because ORCID has no visibility into role-level contribution claims.
Neither tool substitutes for the other. Identity infrastructure and contribution disclosure address separate failure modes, and a detection strategy that leans on only one is structurally incomplete.
| Tool | What it verifies or standardises | What it does not do |
|---|---|---|
| ORCID iD | Persistent identifier; confirms control of an account/email and disambiguates a researcher’s name across works | Does not verify legal identity, institutional affiliation or credentials |
| CRediT taxonomy (ANSI/NISO Z39.104-2022) | Standardises disclosure of which of the defined contributor roles each named author performed | Does not verify that the named person exists, consented, or was even contacted |
| STM Integrity Hub | Shares cross-publisher fraud signals in real time — duplicate submissions, manipulated peer review, image reuse | Does not itself confirm any individual author’s identity |
Answer-first Q&A
Is ORCID legitimate?
Yes. ORCID is a genuine, non-profit registry that provides persistent researcher identifiers and is integrated into submission systems at most major publishers and funders. Legitimacy as an organisation, however, is separate from its capacity to verify identity — ORCID confirms account control, not real-world credentials.
Is it safe to share an ORCID iD?
Yes. An ORCID iD is a public, non-sensitive identifier by design, and researchers control visibility settings for the underlying record. Sharing it on a CV, manuscript, or grant application does not expose private data, since ORCID does not store the kind of personal information used for identity theft.
Should you use ORCID?
Yes, for disambiguation and administrative efficiency. An ORCID iD saves time on grant and manuscript forms and reliably links a researcher’s outputs across name changes or institutional moves. It should not, however, be treated by editors or reviewers as evidence that a submission’s authorship is authentic.
Is ORCID credible?
Yes, as infrastructure. ORCID is a trusted, community-governed non-profit that cannot be bought by a commercial entity and does not sell researcher data. Credibility as a registry does not, however, extend to guaranteeing the integrity of any individual manuscript that cites an ORCID iD.
Implications for publishers, institutions and funders
Editorial offices that treat a valid ORCID iD as a clearance signal are relying on infrastructure built for a different job. A layered approach performs better:
- Require CRediT contributor-role statements alongside ORCID iDs, so implausible role patterns become visible at submission, not after retraction.
- Cross-check institutional email domains and affiliations, since paper mills routinely fabricate both.
- Join or query shared infrastructure such as the STM Integrity Hub, which pools cross-publisher fraud signals ORCID was never designed to hold.
- Treat ORCID account age and activity history as a weak signal only — a freshly created account attached to a first submission warrants closer editorial scrutiny, not automatic rejection.
Conclusion: identity plus contribution, not identity alone
ORCID is legitimate infrastructure doing exactly the job it was built for: disambiguating researcher identity across a fragmented publishing ecosystem. Expecting it to also police fabricated authorship asks a registry to perform forensic work it has no data or mandate to do. COPE and STM’s own analysis, and the 2023 retraction record, both point the same direction: stopping paper mills requires layered defences — identity infrastructure, authorship policy, contribution disclosure, and shared publisher intelligence — working together, because no single layer was designed to catch what the others miss.