January 19, 2022

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

The IRS says it will require ID.me for all logins later this summer.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with ID.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).

Update, Feb. 7, 2022, 10:21 p.m. ET: The IRS said today it is transitioning away from requiring face biometric data to identify taxpayers. Read more here: IRS To Ditch Biometric Requirement for Online Access.

Original story: Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.

After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.

The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.

When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.

Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.

If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.

After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.

My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.

An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.

Some of the primary and secondary documents requested by ID.me.

For example, completing the process requires submitting at least two secondary identification documents, such as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.

After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”

I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.

That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.

Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.

When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.

I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.

The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.

The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.

Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.

Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”

ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.

When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.

Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).

Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.


335 thoughts on “IRS Will Soon Require Selfies for Online Access”

  1. Glen

    Brian, regarding your comment “So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.” I searched Support at ID.me and found this: “You may request access, correction or deletion of your Biometric Data at any time by contacting us at privacy@id.me.” I have a verified ID.me account, so I sent an email to privacy@id.me requesting that my Biometric Data be deleted. Within a short time I received this reply:

    “You may choose to either:
    * Revoke permission from selected organizations to view any of your data, or
    * Delete your ID.me account. [NOTE: Account deletion may mean that you will no longer be able to access services from some organizations, such as state workforce agencies.]

    To revoke an organization’s access to your data:
    1. Sign in to your ID.me account.
    2. Complete your multi-factor authentication (if applicable).
    3. Click the Sign In & Security tab.
    4. In the left column, click Privacy.
    5. A list of Website Names is displayed. Click Revoke Access for the organization of your choice.”

    Based on this response, it seems that the information provided by ID.me (“You may request … deletion of your Biometric Data at any time…”) is not true. ID.me will not delete your Biometric Data. You can only revoke access to your data for websites which have authorized access (why do the websites need your Biometric Data anyway, especially facial scans?). Revoking website access defeats the purpose of having an ID.me account. Also, revoking access is *not* the same as having your Biometric Data deleted. Perhaps you could point out this discrepancy (“You may request … deletion of your Biometric Data at any time…” vs. “revoke access”) to the CEO of ID.me.

    1. notlegaladvice

      https://www.id.me/biometric

      We use your Biometric Data as follows:
      To verify your identity when you are opening an account or using the Services;
      To authenticate use of your account and the Services for a transaction;
      To prevent fraudulent uses of the Service and the creation of multiple accounts for fraudulent purposes; and
      To comply with legal obligations or comply with a request from law enforcement or government entities where not prohibited by law.

      Subject to certain exceptions, you may have the option to withdraw or revoke your consent to use of your Biometric Data by notifying us at privacy@id.me. However, we may decline your revocation request if your Biometric Data is required to: (i) complete the transaction for which the information was collected, provide a good or service requested by you, or reasonably anticipated by you within the context of our ongoing business relationship with you, or otherwise perform a contract between ID.me and you; or (ii) to help to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for those purposes. You may also decline to provide Biometric Data. If you revoke your consent or decline to provide Biometric Data that is required for you to use the Services, however, you may experience a loss of functionality as well as a reduced user experience or may not be able to use the Services for certain purposes.

      Regardless of a canned email response that may omit some of your options, you still have the right to request deletion of biometric data.
      Just be specific and insistent.

      California residents currently have more rights for data privacy. Their CCPA law requires ID.me and others to comply with deletion requests. It is possible that your state does not have this requirement.
      Press your members of Congress to enact Federal law based on the CCPA.

      1. mealy

        Today in the Wapo – “IRS to abandon facial recognition plan after firestorm of criticism”

        So never stop complaining.

  2. JamminJ

    Brian,
    https://www.justice.gov/usao-edca/pr/new-jersey-man-indicted-fraud-scheme-steal-california-unemployment-insurance-benefits

    This fraudster from NJ has been stealing unemployment benefits meant for those truly affected by the pandemic, since COVID first surged in the US, back in March 2020.
    At some point, California’s EDD started using ID.me. Not sure when/if it became mandatory, but the article suggests the suspect did verify “live” through ID.me. I don’t know how soon thereafter, he was caught, arrested and indicted.

    I don’t have an active PACER account, but assume you do. Can you find the 29-page COMPLAINT Received from the Eastern District of California as to ERIC MICHAEL JAKLITSCH? It might provide some details about how he was finally caught. Although I’m sure ID.me does not want to reveal their anti-fraud methodology, they might have played a crucial role here. There is a reason cyber criminals don’t like to appear on camera; their risk level jumps through the roof compared to doing things by mail, email, or phone.

    1. JamminJ

      Looks like ID.me was indeed the ones who caught this fraudster.
      They saved several million dollars in taxpayer money because they used facial recognition. Most likely because these identity thieves need to go on camera multiple times.

      ID.me’s chief executive, Blake Hall, has been responding to the public criticism via posts to his LinkedIn page. Last month, he argued that his system not only verified identity but also checked faces against those of known identity thieves.

      He pointed to the indictment last month of a New Jersey man on charges that he tried to claim more than $2.5 million in unemployment benefits in California. “Data shows that removing this control would immediately lead to significant identity theft and organized crime,” Mr. Hall said.

      https://www.nytimes.com/2022/02/07/us/politics/irs-idme-facial-recognition.html

  3. barely ablemann

    for those who enjoy such things, the film “Anon” adds its two cents into the info debate. I found it to be entertaining and disturbing.

  4. Wade Buskirk

    Well my USA passport page jpg was rejected; “face not found”. I am not surprised given the difficulty in capturing a photo of the pebbled shiny hologram plastic stamped over the page including my face. Hopefully they will reconsider this revision while I continue with the old credentials.

  5. Laurie DiBella

    I received a text message with a link to obtain my verification code after I had successfully signed up on ID.me but wasn’t attempting to access my account. The text typically just sends the 6 digit number and no link. Unfortunately I clicked the link, got the 6 digit number with the same message about not sharing it with anyone. But now I am concerned that the link was not legitimate and I deleted the message so I cannot check the URL. Is a link in a text a legitimate way that ID.me sends the 6 digit number or was I compromised?

  6. Expat Abroad

    Brian,
    The IRS appears to have not given any thought at all to U.S. taxpayers living abroad (expats) who use VOIP for calls from the U.S. Will the system accept a foreign country cell phone number? Somehow I doubt it … so that might mean that an expat will need to have a second cell phone with a U.S. carrier chip in it — except that many U.S. carriers’ SMS text messaging services don’t work when the phone is outside the U.S. Having a second phone and paying a U.S. carrier is a ridiculous cost to have to bear.

    An alternative might be to have a smart phone with two sim slots, but that would still require a U.S.-based carrier who will send SMS texts outside the U.S. Not good.

    1. orly

      Your question was asked and answered on the first page of comments.

      Cindy replied, “I live in France. While the ID.me registration form will accept a French telephone number, it will not accept a French postal address”
      It doesn’t matter though, because you WILL get escalated to the manual verification process.

      As an ExPat, you’re not going to have an easy automated experience.
      But that’s because the IRS has been scammed for years by foreigners living abroad. Not ExPats, but scammers who often pretend to be.

      Yeah, until you prove your real identity, the IRS has no clue if you’re really an ExPat, or just another scammer. So the IRS is going to WANT to put you through a manual verification process.

  7. Dvaid

    February 7, 2022
    IRS announces transition away from use of third-party verification involving facial recognition

    WASHINGTON − The IRS announced it will transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts. The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season.

    During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.

    “The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said IRS Commissioner Chuck Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

    The transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. During this period, the IRS will continue to accept tax filings, and it has no other impact on the current tax season. People should continue to file their taxes as they normally would.

  8. Alton Rouser

    IR-2022-27, February 7, 2022

    WASHINGTON — The IRS announced it will transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts. The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season.

    During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.

    “The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said IRS Commissioner Chuck Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

    The transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. During this period, the IRS will continue to accept tax filings, and it has no other impact on the current tax season. People should continue to file their taxes as they normally would.

  9. Gaylle

    After all, I’m sure the site is 100% safe, bug-free, and will NEVER be hacked into, so all your pictures are entirely safe.
    Please upload like crazy.

    Gov sites are known for their excellent, top-notch security!

  10. James Baker

    The other less mentioned problem is that the ID.me + IRS sign in treats you as though you’re only a user of IRS + ID.me verification services. I already have an ID.me account (as does my wife) for Veterans Administration and Department of Defense verification. That side works well. Now with the IRS, they, or ID.me, (neither will confirm which it is) requires you to send the very same ID documentation that we’ve already submitted for the VA/DoD verification and ID.me cannot confirm that submitting AGAIN won’t break their system. Believe me, you DON’T want to break the ID.me verification system.

    1. When you verify with ID.me and submit ID documentation, are you or are you not “verified”?
    2. If you are verified there should be no further request for documentation to “verify”.
    3. If you’re NOT verified with ID.me for all customers…what the hell good are they?

    ID.me have got some questions they can’t or won’t answer. The IRS just says it’s not our problem.

    Government. Sounds about right.
