If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.
McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.
These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.
Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.
When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.
Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with ID.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).
Update, Feb. 7, 2022, 10:21 p.m. ET: The IRS said today it is transitioning away from requiring face biometric data to identify taxpayers. Read more here: IRS To Ditch Biometric Requirement for Online Access.
Original story: Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.
After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.
The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.
When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.
Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.
If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.
After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.
My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.
An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.
For example, completing the process requires submitting at least two secondary identification documents, such as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.
After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”
I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.
That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.
Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.
When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.
I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.
The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.
The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.
Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.
Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.
“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”
ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”
Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.
When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.
Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).
Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).
If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.
I started the same process about a week ago to get ID.me credentials for irs.gov. I got an email from ID.me saying, “The documents you’ve submitted have been successfully reviewed and you are now ready to join a video call.” The email indicated that they needed to see my driver’s license. The couple of times I tried to enter the waiting room, I saw >4 hour wait times.
Yesterday, I had a block of time to try to get a video call. At 1 pm PST, I entered the waiting room to see an ID.me Trusted Referee. Initially, my estimated wait time was over 4 hours. The timer didn’t coincide with real time. Several times, my estimated wait time got to ~ 58 minutes, then inexplicably, changed to 2.5 hours. At various times I would click the “Get Updated Status” button and my wait time would jump down 5 minutes or increase 10 minutes.
Finally, around 7 pm PST, the 1 hour estimated wait time seemed to be working in real time. I finally connected with a referee just before 8 pm, so it was 7 hours of waiting for me. The verification took less than five minutes.
This is the kind of bureaucratic BS that INFURIATES people. As soon as I finish this post, I will be complaining to my local Congressman, friends running for Congress and both Senators to stop this crap.
I urge everyone to raise hell with their Congressman and both Senators. Attend their “Town Halls.” Email them, write letters and bluntly tell them, and actually follow through, “I will vote AGAINST You and anyone else who tries to force us to use this!”
Please get in line behind all the people who complained, protested, and threatened to fix the decades long scourge of identity theft.
We shouted for a long time for them to do something about the problem. That 2FA was needed for this critical issue.
We may not like the idea that the IRS chose a private company like ID.me rather than login.gov… but we did ask for this.
Identity theft is a problem. ID.me is not the solution.
What’s your proposed solution?
The mark of the Beast.
Yes, a government entity already exists for this, i.e. “login.gov”, already used by TSA, USAJOBS, etc. and uses 2FA compatible with Google Authenticator, Microsoft Authenticator, LastPass authenticator and other compatible authenticators.
So why is ID.me needed?
https://login.gov/what-is-login/
One account and password
Login.gov is a secure sign in service used by the public to sign in to participating government agencies. Participating agencies will ask you to create a Login.gov account to securely access your information on their website or application.
You can use the same username and password to access any agency that partners with Login.gov. This streamlines your process and eliminates the need to remember multiple usernames and passwords.
Login.gov is used to secure your account when you apply for
Federal jobs (USAJOBS – Office of Personnel Management)
TSA PreCheck and Global Entry (Trusted Traveler Programs – Department of Homeland Security)
Small business loans and disaster assistance (Small Business Administration)
And more…
Thanks.
My biggest concern is the use of a private, profit motivated corporation. So ID.me should have been rejected IMO unless they had a unique capability that the GSA’s login.gov did not.
Hopefully login.gov will become an option for the IRS.gov website at some point.
Messages are sent…
I wonder how well this is going to work for those of us who live outside the US.
It definitely does not work from Belarus
Or own a computer without a webcam. Or only have a webcam with a resolution too low. Or only have a VOIP phone number. Or don’t have any phone number at all.
The number of people this excludes from dealing with the IRS online alone should be reason enough to put the kibosh on it. Sadly, it is not.
That’s the security / convenience paradox.
It is not a good idea to reduce the security down to lowest denominator. It is much better to let that minority use a legacy process. “Online” should require a higher standard for identity proofing, and if a small number of people cannot do it, they should be directed to in-person / mail methods, rather than putting the “kibosh” on the whole thing, forcing everyone else into a less secure scheme that’s already proven to be easy for identity thieves.
It doesn’t. I live in France. While the ID.me registration form will accept a French telephone number, it will not accept a French postal address. There is a mandatory (red asterisk) box for STATE with a drop-down list that doesn’t offer an overseas possibility. Infuriating.
No AE AO type codes? That’s a significant bug.
You have to escalate to the live chat to be able to enter a foreign address. That foreign address has to match any foreign documents that you upload for the live person to check against. It’s the first automated verification that only works with a US address. I’m not sure how to get to the live chat to use a foreign address without being able to first fail the automated verification with a US address. Perhaps you may have to contact customer support to ask them for a direct link.
Policies can change, companies change hands, ownership changes, contracts are renegotiated… ID.me isn’t immune.
This is a nightmare waiting to happen for anyone and everyone who submits the family jewels to ID.me. What a pot of gold for hackers…
There is no longer a prevention strategy for ID/information theft – Only monitoring and strengthening authentication for us end users.
Private companies are notorious for altering their terms of service in hidden ways to the detriment of the users.
Government contracted private companies cannot easily do this. We need heavy regulations for these public-private partnerships.
Credit Freezes are the “prevention strategy”, for whatever it’s worth.
This is often misunderstood that a credit freeze is supposed to block all “read access” from Credit Reporting Agency (CRA) databases. This is untrue, and is why ID.me can set up an account while your credit is frozen.
Credit Freezes are more of a “write-block” to a credit record. So any “lender” would be unable to issue credit (lend money) in the name of that credit record while frozen.
…yes and no, each lender is free to decide whether to extend credit regardless of credit checks…
…as a convention, they use the score and some demographics, but don’t have to as long as they comply with the fair credit reporting act…
Thanks. That’s the more nuanced answer.
Dear Brian, thank you for covering this critical issue. The U.S. Trademark Office just began demanding that everyone that files an application or any papers (digital) with the U.S. Trademark Office must have their identification verified by ID.me or by paper verification using a notary, to whom the person will present two forms of identification. I believe that option was only made available because the Trademark Office is mainly dealing with lawyers, who were objecting vehemently to the use of ID.me. The use of ID.me includes biometric data, such as “selfie” images made using a smart phone while on the ID.me app, videos. ID.me also includes giving a social security number and allowing a credit report to be opened. All this to file a trademark! The Trademark Office has made claims about the security of ID.me, without considering the incredible danger of giving ID.me all this power over so many people’s lives and information. I find the use of ID.me to be anti-American, startling, Big Brother at its core, dangerous, and in short, terrifying. Goodbye to any kind of privacy. All of the privacy advocates should be up in arms about ID.me.
As a privacy advocate, and trying not to speak for others… I do not think that everything should allow anonymity. Filing for patents, copyrights and trademarks should NEVER allow anonymous or pseudo-anonymous persons. This is how it’s abused in practice. Trolls are rampant in filing for IP through automated, easy and anonymous methods.
Filing taxes is NOT something that can, nor should be anonymous.
Although I am seriously concerned that a private company has been chosen over the US Government just building their own identity platform. Of course, even then, plenty of people would still consider it anti-American and possibly compare it to the mark of the beast.
Reliance on private corporations has become a nightmare. But that’s unchecked capitalism for ya. The flip side would be a stronger central government, which will be criticized equally from the other side. The middle ground will likely be heavy regulation of private companies.
I did this a couple of months ago. A pain but I understand the problem and the need. Took me about 90 minutes from start to end. I guess I got there before the rush. This is to protect you not the government. If you want to make it harder for someone to steal your info and your SSA retirement, then take a deep breath, grab a book (or tablet) and queue up.
Ummmm… Not a good idea.
The question is when id.me will be hacked, not if.
> “and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,”
In 3 years, when even phone apps can crack the encryption, and the site has been breached, you are SOL. You just gave away the farm.
Thanks, Brian took me about 15 minutes. Keep fighting the good fight, my friend. KB
> “And once we’ve verified you we don’t need that data about you on an ongoing basis.”
So do you (ID.me) delete it? That doesn’t say “we delete it”, and the next bit about only being able to delete biometrics by closing your account is less than reassuring.
“We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours”
… was the preceding sentence.
Sounds like they are talking more about encryption keys, rather than data retention.
I don’t expect an identity platform to delete identifying information.
All I can say is…more dictatorship from a government that is “here to help”…..
I don’t have a webcam on my computer monitor, and I’m not sure my very basic not-very-smart Walmart phone will handle the requirements this demands. I can’t afford to replace either. What alternative options is the IRS going to offer retirees like me?
Snail Mail
How about using a similar system for voting verification? Ahem…
How dare you
Thought of that too.
My guess is that there is a fundamental difference for people who need to file taxes with the IRS (about 150 million Americans) vs. the 240 million eligible voters.
It can be an expectation of federal tax filers to be able to use a computer or jump through additional hoops. However, requiring all eligible voters to use the Internet for registration… is a no go. Even the homeless, jobless, retired with no benefits, etc… should be allowed to vote without the additional burden.
And then there is the fundamental concept of federal vs. state. Elections are handled by the state, so would require 51+ separate systems, and they cannot use the federal system.
The proof of citizenship requirements in voter ID laws can be far more burdensome. Besides the handful of people without birth certificates, name change documents have to be exact and documents generally have to have exact matches (i.e. SS card, driver’s license, marriage licenses, etc. all can’t use nicknames or have misspellings). The court fees to rectify it are generally hundreds of dollars, not to mention the time involved.
Which is why courts have generally only allowed the “ID” part of the laws to go forward and not the proof of citizenship part. For this service, a non-REAL ID is probably acceptable along with social security number and phone number.
Being someone who has read Krebs on Security for at least half a decade, one thing I take away from all of the excellent reporting is that no data connected to the internet is safe. Sometimes even data that is air-gapped isn’t safe, i.e. Stuxnet. I don’t believe, either, that this is a good idea. SSO is only as strong as its weakest link, and I would suggest maybe some research into the procurement process is in order to see who competed against this vendor and what they had to offer.
Agreed. What’s really going to boil your bum, is the sad fact that IRS data has been connected to the internet for a long time now.
I kinda wish they stayed with login.gov (by the GSA) rather than any private company. But government systems are also big targets with a long history of major breaches too.
So the government makes sure you have confirmed your identity multiple times to get benefits, but asking for any identification to vote is racist..
The issue with ID laws is not really the ID itself. The issue is “Proof of Citizenship,” which is beyond what IRS is asking for here and beyond most IDs except passports and “REAL ID” licenses.
Proof of citizenship sounds good, but it requires unbroken trail from ID to a birth certificate and social security card, with any name change documents matching exactly the previous name. Court fees rectifying previous documents generally are in the hundreds of dollars.
Yes,
Voting should be an inalienable right. Not a privilege like benefits, and not an obligation like taxation.
Even the homeless, jobless, retired with no benefits, etc… should be allowed to vote without the additional burden of getting a smartphone or modern laptop. Paying federal taxes is something that carries an expectation that you are at least employed and making money.
The racist part only comes in when getting identification is skewed against a racial group, as it sadly still is in many parts of the country. Mostly it is indirectly tied to race because of poverty. If only drivers licenses are accepted, that skews towards people who own and operate a car, which is skewed against the poor and those living in places where cars are non practical/economical to own.
I’m not opposed to voter IDs, but they have to be free, allow for homeless, poor, uneducated and need to be publicly funded for years before they are required.
I would actually prefer biometrics over a physical card. I think there should be lots of options that are inclusive, rather than the current push for voter ID that seems explicitly biased to skew against certain demographics and suppress voter turn out.
Not sure I either want to or even have the patience for this cumbersome process. I will electronically file my 2021 tax return soon (along with the PIN code provided by IRS in an annual letter to me) with the assistance of TurboTax. Plus my state tax return as well. I am assuming that that process will be able to be accomplished without any intervention of ID.me?? Thanks!
Pete, I went thru this cumbersome process in order to be able to request a PIN code, annually. How do you get yours sent to you by annual letter? Were you a previous victim of some IRS fraud? Those were the original recipients of PIN codes.
That is excellent! It helps the people who really need help: the old people with no idea about technology. Sure, there are some techies who will have issues with it, but they are really the 0.1% of users, and they’ll figure out the process no matter what it is.
Pretty sure there is a snail mail option always available.
Why would I want to give all that info to a 3rd party? Now that 3rd party company is going to get hacked and that info will be used to steal my identity.
This is gonna be just frickin wonderful for blind folks as well as those who are not facile w/technology in general. I mean, you close your eyes & try taking a selfie–you had trouble w/them wide open, evidently. It’ll bar a large segment of the population from obtaining an account. & it just slipped on by w/no notice to the public.
In some respects, this seems very similar to the I-9 verification process employees go through when on-boarding with a new company.
A centralized “yes this me” solution is enticing in that regard. Instead of having to constantly prove my identity to new companies, being able to proxy that through something like ID.me has appeal.
That being said, this is the ultimate target for hackers. The payoff for effort of a system like this is huge.
Data on “Exempt Organizations” – Charities – is Public Domain. “Philanthropy space” is a thoroughly vetted class-less society. The Trump Administration tried like hell to muddy these waters. The only thing they seem to have accomplished is spotty service for the data base look-up. Some EIN’s do not yield results, without explanation.
One formulation of Occam’s Razor is “never attribute to malice what can adequately be explained by stupidity”. You owe both the IRS and ID.me the same grace. If however you never have any problems with either – lucky you – you have rediscovered the hidden choice in Occam’s Razor.
Ah, yes. The very company who made me spend 30+ minutes trying to get their awful ID-photo-taker to accept my license, and then their awful selfie detection to recognize I was a human, only to tell me nope, all that time was wasted. And then took literally months to respond to my email. All that work just to see if my stimmy was on its way…
Obviously having a private company with a central database of all Americans is much better than the government having the same.
This already happened for me a week ago. It seems a little over the top but they have to justify their large budget somehow.
I just tried it twice but it couldn’t verify my identity, with an error code E$308 that it does not explain. The FAQ pages do say that if your credit file is frozen, it will not work, although Brian says his worked even with a frozen credit file.
My credit file has been frozen for years.
Will try again sometime. SIGH
Tried again, and now it works. Have 1 1/2 hours to wait.
Of course predicted wait time dropped in ten minutes from 2 1/4 to 1 1/2
1. This doesn’t work for American citizens abroad (think expats / long term living in foreign countries working individuals), asked to pay taxes for ever, but prevented to use id.me. Why? System requires a US based number, and – NO – GV or other IP telephony solution doesn’t work.
2. IRS recently advertised (and keeps doing so) a web site to upload documents. Once done so, no agent called for follow-up knows where such are, and how they could reach them, to attest receiving, so they ask for info to be faxed, instead. Imagine more of such info, i.e. tax paying citizens pictures and/or videos, going into the same black hole, reassuring all of privacy of data.
Am I correct that we will NOT need to go through all this just to file our Federal tax return electronically through TurboTax, H.R. Block, etc.? Thanks.
I also just went through this process. I did not have to provide very many documents and did not have to do a video chat so it only took about 20 minutes. But then, I am not claiming to be Brian Krebs. It does seem to be a decent service, just overwhelmed with new signups right now. That will probably not get better until they can scale up their staffing. The MFA options seem well thought out, too. As a member of the class of victims of the OPM hack ID.me inspires more confidence than some underpaid government employees. Given the data they are collecting they will be a big target. Hope they get their security right.
I am 100% for more stringent ID processes. The idea that a multiple hour long process is required is absolutely not acceptable. How the heck do you think you’re going to get this done once it becomes mainstream and wait times are even longer?
Sorry, IRS, big swing and a miss here.
This is an invasion of privacy.
I demand an easy way to access this critical site while remaining anonymous
When I tried to sign up with ID.me I had a similar experience, but I was unable to get past the second documentation upload and schedule a video call. In addition to the documents I provided they wanted one of: (1) social security card (I lost mine years ago), (2) military separation document (I have never been in the military), (3) draft card (I lost mine around the end of the Vietnam war), or (4) a 1099, W-2 or pay stub with my full social security number.
Nobody sends out 1099, W-2 or pay stubs with full social security numbers any more: everyone Xs out the first 5 digits to improve security. I eliminated the social security number from pay stubs I was sending out in 2005. I did upload my pay stub with XXX-XX-nnnn, where the nnnn matched the social security number on the other documents, but they rejected it because it wasn’t the full social security number.
Oh, good, it wasn’t just me.
The “upload” for documents didn’t work for me, I had to use my phone camera. Then I got bumped out because it wouldn’t accept either my cell phone or my landline. That’s as far as I’ve gotten so far. Nice to know that I’m almost halfway there!