If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.
McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.
These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.
Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.
When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.
Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with ID.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).
Update, Feb. 7, 2022, 10:21 p.m. ET: The IRS said today it is transitioning away from requiring face biometric data to identify taxpayers. Read more here: IRS To Ditch Biometric Requirement for Online Access.
Original story: Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.
After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.
The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.
When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.
Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.
If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.
After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.
My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.
An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.
For example, completing the process requires submitting at least two secondary identification documents, such as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.
After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”
I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.
That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.
Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.
When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.
I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.
The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.
The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.
Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.
Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.
“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”
ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”
Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.
When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.
Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).
Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).
If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.
“Selfie”, not “headshot”?? As in arm’s length, puckered up duckface, and flashing a peace sign?
(I kid…. although I am laughing at the possibility of the company overflowing with silly selfies as authentication data)
Anyway, speaking seriously now: I know there are privacy questions about all this, but the thing that struck me is how un-scalable the notion of individual video calls would be. Yeah, I get that it wouldn’t be everybody, but still, 1% of the US population would still be several million people. Even if it were a fraction of that and down to tens of thousands of people, just how many people does ID.me employ for this? And how long a wait? Brian here noted several hours (although he got favored big-time by someone and didn’t have to wait), but when this grows, does the average person wait 3 hours? Or that many days? Weeks?
Yeah, this doesn’t seem like as important a question as privacy, trust, secure storage of info, etc., but my point is that if the process gets overwhelmed, what problems will stem from that? And which of the ways to deal with those down-the-road problems would be insecure? This issue isn’t something immediate, but I feel it *is* something that needs to be taken seriously.
I really laughed at your comment. A pile of selfies being processed would be hilarious.
I agree that it would be unscalable to hold individual video calls (no matter how short) to a specific percentage of applicants. But I don’t think they will try to do that.
Rather, it sounds like it will become a floating “spot check”, that depends on the availability of resources.
Like the TSA (don’t get me started on that), these spot checks might turn out to be “peace of mind” and “security theater” meant only to create a reasonable chance of catching an attacker.
This can be of good value though, as hackers (especially foreign ones) are very risk averse to systems that have a chance of human intervention. They much prefer automated and quick.
I used ID.me to sign up for IRS about a month ago. I was verified almost instantly; I had to do the same selfie/video verification process.
This will be a nightmare for disabled people or anyone who has shaky hands when trying to take the “live” photos of the multiple forms of ID and/or the “selfie”.
I wonder if the disabled lobby will sue about this. I hope so.
Anyone can sue about anything at any time.
But as long as there are reasonable accommodations, they can’t really win anything.
As long as the US Postal Service works to send scanned documents, and notaries available, there will always be another way.
I see no description of another way being available.
https://www.irs.gov/filing/where-to-file-paper-tax-returns-with-or-without-a-payment
This is already a mess. I have been trying to get verified for my unemployment for 3 weeks and am unable to even get a response, due to the fact you can only email!! I hope they find a better way for this site to operate!!
This “ID.me” is looking more and more like a front for the Democratic Party…..I’d be very concerned now…..
Drink your horse paste.
?? GOP States voter ID laws
A few significant observations:
– The camera and microphone are still recording after you end the live chat identity authentication (the activity light on the camera was still on). It only “seems” to deactivate when the browser window is in the background, so be sure to close the window and revoke site permission to the camera and microphone.
– When taking the selfie, you have to turn the brightness of the display up to 100% so that the strobing multi-colors of the display will reflect off your skin. It also means that if you have a USB webcam, you need to center it to the display so that you can get your face perpendicular to the display.
– The first automated identity verification seems to be through a credit agency, possibly TransUnion. A credit freeze will fail to verify, which escalates to the live chat. This also means that people without a current US address cannot use the automated identity verification, as there is no option to enter a foreign address. The escalation to live chat allows the entry of a foreign address, but I’m not sure how to fail the automated identity verification in order to escalate to the live chat, if you don’t have a US address to fail with in the first place. I guess you’d have to contact their support for manual escalation to live chat by explaining that you have a foreign address.
– The first automated identity verification requires a US landline or mobile phone subscription. Foreign numbers and VOIP are not allowed, I assume because they first check the number with the credit agency (which seem to only have US numbers) and then possibly use some technical method to check the registration of the telephone number with the carrier (or maybe send you a text? I failed automated verification so nothing happened to my phone so I wouldn’t know). The escalation to live chat allows you to enter a foreign number and VOIP, because I guess it’s only used for sending you a link to a smartphone so that you can take the selfie, upload the documents, and launch the live chat window from a mobile browser, if you don’t want to do it from a PC browser.
– The telephone number that you entered, either through the automated verification method if you passed, or the escalated live chat, gets saved into your profile and is shared with the IRS (according to what the id.me website says about what they share with the IRS). I’m not sure if this is the same number that you select for the 2FA telephone PIN, or if perhaps they would share both numbers if you changed the 2FA number. So be careful of which telephone number you enter, in case it’s not a number that you want to share with the IRS.
– The countdown to live chat is highly inaccurate and underestimated. The timer continuously went up and down but nowhere near the actual wait time, and ended up taking 4 hours.
As a parent of an adult disabled individual who has need to access SSA and IRS but who is intellectually a child, going to be interesting how to handle this. Need to see how “third parties” are handled, how legal representatives are handled, and someone else can bring up those with legitimate needs but no access to the equipment, tools or time. My son has no phone.
Serious questions?
Does your son have an existing IRS.gov account already? What about a Login.gov account?
Yes to IRS and SSA. IRS because he was identity scammed with tax return and his ssn. SSA because he gets checks. He has no credit, no phone. With SSA had to go in person to an office to be verified, it does seem the ID.me program uses credit checks which impacts a lot of the disabled.
I emailed them about people with legal guardians, people like my son who cannot function on their own, people who cannot read or write, if they could show me their policies for how their product can be “used” by folks who have these issues and they deflected and said to talk with the agency or organization that you are “using” – so if you are applying for an ID.me because of SSA, you need to talk to them about the issue. I was told they prohibit someone verifying for another individual.
And I believe that at least for governments, the alternative access methodologies for access to government services can not be “harder” than what “normal” people go through. But often folks at the margins get overlooked are folks figure it’s not that bad.
Oh, sorry to hear that. It is true that marginalized groups get hit the hardest, by both the problem and the solution.
Login.gov should be an option for you regarding the SSA.
It is sad that an IRS.gov account is needed because of identity theft. But this whole need for an idP like ID.me, is precisely BECAUSE so many people had their identity stolen.
Interesting if any independent scientist reviewed such a system from a psychological point of view.
There seems to be a lot of people misunderstanding and taking this to the extreme.
Is there any real “requirement” to have an IRS.gov account? I don’t have one, and have been filing taxes just fine. That is not changing. So why are people thinking this is some new thing that will force people to create an account? Is just a big change for the people who already manage tax records with the IRS website directly. While the majority of comments here seem to be people talking about expatriates, retired people, and the disabled. How many of those actually have an IRS.gov login?
I agree that there is no need to have an IRS.gov account, until something goes wrong. We are retired and have set up Medicare and SS account with email addresses and simple passwords, but I doubt that this is secure enough to prevent fraud.
I have had a friend whose taxes were lifted and the refund mailed to the fraudster, and it was a nightmare. This may help prevent that.
The only really personal info required was my SSN and that is widely available, I assume.
You should understand that many people have ported their taxing over to this system, which means they’ll have to learn how to use another system or “give in” here.
First you create the supply, then you start making changes that the consumer just accepts because they don’t know anything else.
Humans are lazy, and corporations like IRS take advantage of that.
E-filing of taxes directly using the IRS website is not the only way to do it.
I understand many people started doing it that way, and don’t like change.
Like anything else with e-commerce, if you don’t like the way one system is changing, you’re free to go with any of the dozens of other tax prep/filing services and use their weaker/easier authentication schemes. Either way, change is inevitable with online systems, especially to adapt to growing cyber threats.
If they don’t like change, they are free to “port” their taxing back to the good ol letter in the mailbox system.
The IRS is not, *by definition*, a corporation. I’ve no idea who told you that, but that’s not what “corporation” means.
I have an IRS.gov account and have been using it for years to pay quarterly estimated taxes. Before that, I would mail a check. So the IRS.gov account is really for convenience and not strictly necessary. However, I did recently see that they are moving to ID.me for logins, so I decided to be a good citizen and do what was expected. Unfortunately, the process turned out to be extremely quirky. For example, while Royal Caribbean has no problem with my passport scan, ID.me failed multiple times before giving up and telling me that I needed to confirm my identity in a different way, i.e. video chat. I tried to go back and use my driver’s license, but at this point that is not an option. I am sure that I am now a red flag in their database. Anyway, I also saw the long wait time for the video chat, so I bailed. The good news is that cancelling my account was very quick and simple! I will try again one day when I have several hours to burn waiting for a video chat.
Positive identity authentication is essential to a functioning society, yet none of us wants to trust any private entity sufficiently, so this necessarily should be an essential government-provided function.
In fact, our Social Security System provides the same, albeit without proper implementations and controls to make it both safe and trusted. It’s way past time that we (a) remove the restrictions that hamper effective use of SSNs (and derivatives as might be necessary) that were implemented to assuage the fears of federalists and individualists, and (b) legislate appropriate controls along the lines that HIPAA does for health information.
Until we do so, the massively powerful network of overlapping private systems will continue to make it very easy for the powerful to snoop on everything we do and profit from all the data about us. ID.me is just a small symptom of a huge problem that is most evident in the use of our cell phone numbers as permanent identifiers connecting huge databases of online advertisers, and putting all the power in the hands of the commercial interests with virtually no recourse for us as individuals.
Although I’m generally a free-market advocate and quite suspicious of big government, this is a case where the private alternatives are far scarier.
Here-Here
Just finished the entire process. It took about two hours, most of the time waiting. The video connection on my computer didn’t work, so the clerk called me on the phone and we eventually used Zoom on an iPad. Overall a rather easy experience, although as I have posted above, perseverance is required if you are refused acceptance the first time. It took me three tries to get through to the video verification.
If only I could verify my deceased mother’s account and find out why the IRS hasn’t refunded her 2020 taxes. As she died in 2021 we had to send in a paper return with the death certificate. I am sure it is sitting in the pile of 10,000,000 documents they say are waiting to be processed.
Similar situation. Waiting on 2019 refund for a deceased family member. No replies from IRS when I have inquired about the status of the return that was filed.
Can I register more than one yubikey for 2fa at id.me?
Why would 1 user need more than 1 key for 1 site?
Lots of people want a backup yubikey.
For 2FA using challenge/response or OTP, the secret can be written to a backup yubikey.
For FIDO2 sites, not really. The site would have to support multiple keys. Of course, that is why backup codes exist, to reset the FIDO2 2FA if needed. But that means your backup will need to store text codes too. In practice, it means something like an offline keepass database with your backup/recovery codes, then encrypted using your yubikey.
Re: more than 1 key: you might lose a key. Have one you carry and one at home.
Also, take the backup advice seriously: if your house burns down and takes out all hardware keys, there must be a system to restore access. Although I suspect another video session with ID.ME would be a reliable way to restore access
Mr. Krebs, I would warn people to go to the IRS.gov site, rather than ID.Me’s page to begin this transaction. Registration only took five minutes.
I started the ID.me process on the IRS.gov site and as the OP mentioned the process was easy and only took about five minutes.
I just went through this mess last weekend, when ID.me couldn’t verify my phone number (I have a VOIP service at home– it would have been nice to know that it would be a problem for them). I waited online for 4 hours Saturday and 10.5 hours on Sunday (ID.me runs the webcall process 24/7); the last three hours, I watched the estimated wait time counter hover between 3 and 6 minutes. I used some of that time to send a nastygram via email to ID.me through their website; surprisingly, I got a voice message on my cell phone later that night providing me with a link separate from the one I had been holding on. I connected, got a human being and the rest of the process took about 5 minutes.
Ironically, when I posted my saga on my Facebook page, one of my relatives, a longtime freelancer, told me about eftps.gov, the IRS’s Electronic Federal Tax Payment System, which doesn’t require all that info plus your firstborn child and a pint of blood. Since all I wanted to do was to pay my quarterly tax, this seemed to be an ideal workaround; the only catch is that I have to wait for a snail mail from EFTPS with a code I’ll use online to prove my name and address is valid. Meanwhile, I put a check in the mail.
BTW: the office of my US senator provided me with the phone number of someone in the IRS’s Taxpayer Advocate Service. Talking with her was like the “yes, but these go to 11” scene in “Spinal Tap”– she didn’t see what the fuss was about, but she told me to use http://www.irs.gov/payments and click on the link labeled “Make a Guest Payment from Your Bank Account” … and no registration is required to use that link. So, even the IRS itself will tell you ways to skip ID.me if you know who to ask and where to look.
Sigh. Your tax dollars at work.
Funny how there is always a quicker and easier way to pay them. But when it comes time for a refund, benefit, or to receive something in return… it’s a process.
Either way, there has always been a slow alternative for people who don’t want to use a computer at all.
The IRS will always accept tax return filings through USPS.
“Back in my day”, before the Internet, filing taxes was an ordeal and a half. Mailing stuff and waiting for mail in return was the way. And that’s if you knew enough to prepare your own forms.
Can’t help be feel that this generation has taken the Internet for granted. So now accustomed to speed and instant gratification. That any new inconvenience is now a travesty and a breach of privacy. Don’t like it… you don’t need to use the Internet, it’s still optional even if you don’t like the legacy alternative because you’re entitled and spoiled.
“Can’t help be feel that this generation has taken the Internet for granted.”
“Can’t help but feel that this generation’s gains in quality of life offend my sense of rugged individualism and toughness for having ‘survived’ less well-off conditions and I begrudge them their expectation at an improved quality of life.”
Fixed that for you. Now go tell some kids to get off your lawn. Or better yet, go read some history books and use that crap on yourself every time you turn on a light or eat food that doesn’t have arsenic in it.
Hard to argue with Old Timer when so many people here are b!tch!ng about a process that has become so much easier and convenient that some Russian kiddie can file your taxes for you from across the globe. And now that it needs to be more secure, nobody wants to trade back even a bit of that convenience.
Y’all are lazy regardless of your age. Just lazy and spoiled.
I went through this process in order to obtain this year’s IRS pin. The process went fairly smoothly although I was not expecting all the hoops I was required to jump through. The main stumbling block I encountered was that the process refused to recognize all of the files I uploaded, driver’s license, passport, etc. I had these files saved for just this sort of thing. At one point I was told that they couldn’t match my selfie with my driver’s license. I took a new photo of my license a tad zoomed in and that was rejected as well. I then had to take another fresh photo of my passport. I took two. The first one wasn’t accepted, the second one was. I, too, got stymied during the process and had to start from scratch. I was pulling my hair out! It was not a pleasant experience. It only took a few hours!
A heads-up here.
For veterans, the procedure is different.
Since we already have info in DOD and VA systems, ID.me seems to be pulling intel from those systems to verify identity with a process not nearly as lengthy as this one.
Registering with VetTix, for example, one option to verify my service was with ID.me. I did a quick check on the website, and verified VA does use and cooperate with them.
That was a few weeks ago, so I can’t remember the exact procedure. I did have to verify some stations I was at, along with service start and end dates. Still, it didn’t take me more than 15 minutes start to finish.
Of course, when I set up my account with the VA, it took considerably longer than THAT to establish my identity. Maybe ID.me considers that an effective screening?
Either way, it’ll be interesting to see if any other veterans out there had a similar experience…
Developing nations like India have moved on to Biometric verification with Multi-Factor Authentication. Do you all think it is time for America to move in that direction? Of course, there are some privacy concerns but that has been fine-tuned and remediated with the help of innovation and technology.
https://en.wikipedia.org/wiki/Aadhaar
I already made mine. Yes, it was problematic. The system didn’t like my document images, and it seemed nonlogical. I couldn’t have made them more clear.
I ended up having to have a live session and when the audio wasn’t picking up, was given instructions that led to my being cut off.
The second live chat also had no audio on my end (yes, I had given permission for it), but the young man was very helpful. Had me stay on the phone for audio while using the camera on my laptop for the face to face. At one point, it was clear he was enjoying the stupidity of my ineptness. Not in a bad way… but he goes “You don’t have to hold the phone to your ear,” and I think he just was glad I was able TO stay with him. I think plenty of people with developmental issues are really going to struggle with this program.
Also, a cell phone device was not an accepted option. Many people only HAVE cells nowadays.
“I think plenty of people with developmental issues are really going to struggle with this program.”
The program is optional. I don’t have an IRS.gov account. And I don’t need one to file annual federal income tax.
People with developmental issues usually go through an agent to file or prep tax forms. People who need assistance for this, also need assistance to prepare tax forms. That’s why there are still plenty of local H&R Block desks during tax season.
The weakest links in this all new… piss-on-me-more-dear-incompetent-government …are the employees of the company, all it takes is a disgruntled one looking to sell access, or simple complacency and arrogance the likes of Experian and the rest of that sick cartel.
Any group of dedicated young ingenious hackers will soon find a way into this new chest of riches…
This is totally insane on two levels. 1) First and foremost, giving a 3rd party all of one’s private info, such as a picture of one’s SS card with your SS# or copy of your birth certificate, a copy of either bank stmt or utility bill, copy of one’s driver’s license and a selfie. By providing all of one’s vital information all in one place is providing a road map for hackers to obtain all of one’s vital information in just one place, is inviting this site to be hacked. As most people are aware there is no website that is fail-safe from hackers. If it were to be hacked it would be catastrophic. 2) The difficulty and time required for the average person to navigate this site is going to be onerous. If it is taking on ave. 3 to 8 hrs online right now, what do you think how much time it’s going to take this summer when it’s required, days or weeks. This was not well thought out. What a boondoggle. I’m sure there is going to be an uproar as we get closer to summer. Most likely there will be privacy lawsuits coming soon, if not already.
I already had an id.me account–not sure why–and used it to log into the IRS website. It made me re-upload my Drivers License, even though it indicated that had already been verified, and I had to do the video verify.
I doubt if my 88 year old mother would figure this process out. I suspect the elderly will be the preferred targets for identity theft because, no doubt, they will have to relax verification standards for them.
I also expect ID.me to be hit with many ADA lawsuits over accessibility.
Anyone can sue about anything at any time. But as long as there are reasonable accommodations, they can’t really win anything.
As long as the US Postal Service works to send scanned documents, and notaries available, there will always be reasonable accommodation.
Does your 88-year-old mother have an existing IRS.gov account? Most retired elderly, I assume, don’t need to file annual federal income taxes, and get their SSA benefits via another system. And those with active investment portfolios who often file through brokerages also don’t need an IRS.gov account.
I think a lot of people are assuming to speak on behalf of people who are not actually affected by this change.
The registration process hung at verifying my phone also, but I was able to complete it by copying the included link to the Chrome browser on my PC. Not extremely secure, I’m afraid, and clearly a compatibility issue with the Chrome browser on my Android phone.
Another thing to remember, in the case of using bills as identifiers, make sure you have your full legal name on them. I’ve seen people have issues because they use their shortened name on the electric bill or whatever, but it does not match their Social Security / Driver’s License name. John instead of Johnathon, Allie instead of Alberta for example. Also the confusion of some people who go by their middle name all the time, so that’s what their bill says.
Era of feudalism; techno feudalism. I saw a vlog about that concept and found this interesting. Everyone will have to set an account eventually, this is the way of life. Besides, many do need to access the IRS for various reasons; the pandemic added to that. What is capitalism anyway?
OMG, you saw it on a vlog?
Wow, must be true.
Relax. This isn’t a slippery slope. You can always mail in your forms to the IRS, and you could always do it. The website is a convenient option but don’t act so entitled.
Geez, this generation of whiny entitlement is the real feudalism.
Regardless of the efficiency of the process…
1) Federal Govt has no business relying on a third party for identification. I suspect an attempt to offload liability for breaches.
2) Let’s talk about breaches. Quick – what organization is every hacker from here to Saturn going to go after?
Perhaps ID.me? The Website Logo Image should be a rifle range target.
Just my family – going RIGHT back to paper Tax Returns. As we file quarterly, with the goal of “no refund”? Not our issue if the FEDS take 3-4 years to process the paper returns.
I agree with (1). Identity providers can be a 3rd party, if owned and operated at that level of government. The SSA for example, uses login.gov, provided by the GSA.
If it can’t be helped, they need to regulate the crap out of the private industry. Much more than civil defense contractors.
(2) is pretty weak as an argument. Although adding a 3rd party does increase the attack surface, it provides substantially better security for authentication. So it’s probably a better thing for attackers to target a hardened, security focused authentication platform… rather than the soft, squishy targets that attackers have been so successful at breaching for years now.
But yeah, for anyone who doesn’t like it, they can go back to paper filings.
My experience was slightly different. I did not have to upload any documents. My ID is a CDL and I have a hazmat (explosives) endorsement with TSA, ATF and Homeland background checks attached, so I wonder if that is why they didn’t prompt for documents.
A simple comparison with my ID and my face scan (Done on a computer web cam), then on to the phone verify and confirmation of my data. I was done at that point.
I too used MFA keys. I suggest you make sure you register more than one key. Also, you will need it every time you log in, you can’t select to have it remember a device.
Later this year? I had to switch to the new system when I logged in a week ago. The site said my previous credentials had to be updated to the ID.me system. It did the face scan and used some personal information to do a credit file match (it seemed).
Have you /read/ the TOS? It includes the following:
• all data submitted to id.me is considered id.me’s property
• “id.me” “may use images in any method ID.me sees fit and make compilations and derivative works thereof in all media now known or hereafter devised”
• “must assign to ID.me, as consideration in exchange for the use of the Service and Website, all worldwide rights, title and interest in copyrights and other intellectual property rights to the Submissions”
• give up my right to sue
• submit to binding arbitration
• give up my right to pursue class-action remedy
“You will defend, indemnify and hold ID.me harmless against any and all claims, costs, damages, losses, liabilities and expenses (including attorneys fees and costs) arising out of or in connection with a claim by a third party related to your use of the Website and the ID.me Service.”
And as we all know it’s not a matter of if they’re breached and “we” suffer data loss but when.
Should add a sarcasm tag because this is either meant as humor or you’re deliberately trying to mislead people.
Looks like a pretty good summary.
https://www.id.me/terms
There are basically two main sections referenced in the above comment (even though it’s separated into many bullet points).
1) Give up your right to sue as an individual or as part of a class and instead submit to forced arbitration. Those 3 bullets are all really just 1, and is standard boilerplate for pretty much all services in the US. These terms are legal, but can be bypassed with good lawyers.
2) The other 3 bullets and the final out-of-context quote, are missing the key definition of Submission.
The TOS is referring to “comments, feedback, … considered non-confidential”. That’s the standard TOS for many web services that have comment sections, feedback forms, and the like.
Ask a lawyer if that TOS is out of the ordinary or if that means they could sell your Driver License photo to a 3rd party. The answer would be no.
The Terms of Service are not the only binding policy document in play.
https://www.id.me/biometric
https://www.id.me/privacy
Joe seemed to cherry pick from the TOS, Submissions section, in order to suggest that it covered confidential and sensitive things, when it does not. The privacy and biometric documents discuss those items, and it is far more reasonable.
If you are still so concerned about the TOS being too broad, then talk to your representatives and senators in Congress. Tell them to enact privacy policy similar to GDPR and CCPA at the national level. This would really make a lot of these nightmare interpretations really impossible to legally enforce.
I have been trying to connect with one of their video operators since last week. Since every connection attempt showed > 4 hours wait time I just quit and tried again another day. Even late night and on weekend attempts it was still > 4 hrs! Only today did I get a wait time of < 2.5 hours. I've now been waiting three hours for their 2.5 hour queue. I've been at "20 minutes" for over 45 mins… (Oops! Now it says 21 mins…)
On the positive side, all the waiting has allowed me to submit myriad "feedback" comments via the Feedback link on the page. I also submitted plenty of comments as I worked through the entire process prior to ending up at the interminable waiting page.
Their dev staff should be forced to go through this mess for everything they have to do.
What I really don't get is why they don't offer a callback queue; a solution that might avoid everyone hating them.
The IDME thing is ridiculous. We have tried to get through for unemployment and it’s not letting us through, keeps saying wrong photo ID, then after days of trying it says video chat. Well, that’s been a week ago, still nothing. It’s been a month that we have been trying this and still nothing. I myself think it’s a crazy idea, whoever thought of this IDME thing. I think they could have come up with something else easier for ya to get identified, because this way now it’s just not working for some people. He had just come off from an existing claim and had no problem, then to open up a new claim one day after the old claim ran out it’s making him go through it all again. Why? It already gave him his one claim with no problem, why problems with the new claim? It’s enough to drive you crazy. He will be back to work before he can get his unemployment. He really needs it, needs the money to be coming in for bills. This is crazy, a month, still nothing, but if it was fraudsters trying to get through they would have been through by now. Thank you.
They don’t know how to prevent billions in fraud, other than with extreme intrusions into your privacy and collection of data they have a horrible track record of protecting. I would not be surprised if they are recording and linking your IP and device fingerprint with your ID information. Also for your protection, of course.
Better regulations are needed… but you have to consider the facts that the status quo is rampant with identity theft, and security problems. We have been petitioning them to add 2FA and identity proofing for a long time now.
This is a way to prevent identity theft and fraud.
Our private information is already breached and out there. It’s done.
Whether individuals volunteered that private info in social media, to get coupons/discounts, or if their data was stolen in a large breach… it doesn’t matter now.
The data is out there. Now is the time to protect our credit, finances and tax records going forward. And the best way to do that, is to make sure that old “static” data cannot be used by identity thieves.
The solution is unfortunate, but necessary. You have to give more private data, and it has to be more identifying than simple SSN/DOB/address.
We already had 2FA. ‘Unfortunate, but necessary’ to prevent identity theft and fraud. This is like justifying strip searching grandma at the airport because of 9/11. It never ends.
2FA what? Like SMS to your phone that hackers love to SIM Swap?
This is more like getting vetted for TSA precheck initially so they don’t have to strip search anyone anymore. You either go through an extensive, one-time process or you don’t fly. Much better than just accepting a few hijacked planes each year as part of the trade off because people don’t like to be inconvenienced.
Give me a break. Sim swap is to steal crypto and only the highest value targets. This level of intrusion is totally unjustified and guarantees an even more incredible data breach in the pipeline. Allow this ‘feature’ for those that want it. Demanding it for all is ridiculous.
“Sim swap is to steal crypto and only the highest value targets”
–
You must be new to security. I highly recommend you read more of Krebsonsecurity and educate yourself before making such statements that throw your subject knowledge into question.
–
By the way, getting an IRS.gov account is still an optional feature. You don’t need to have one to file taxes or most things. The IRS online portal remains an option for convenience regardless of your feelings that you, “need to have it”.
If you work for ID.me, you should disclose it.
I don’t.
I work in fraud and cybersecurity. And for long enough to have seen how rampant the problem is, and how many of us have recommended solutions like strong 2FA and Identity proofing. Recommendations that are often ignored and rejected because users are lazy and don’t like change.
Also, if you read other comments, I’ve been clear that I don’t particularly like private companies like ID.me taking on this critical role of identity management. Especially since the GSA has their own login.gov
You clearly didn’t read their terms & conditions carefully:
“In addition, to make it easier for you to enter your address, ID.me uses Google Maps APIs. By using the ID.me Service, you are agreeing that you are bound to the Google Terms of Service and Google Privacy Policy.”
So in order to interact with the federal government, I now have to agree to the Google Terms of Service and Google Privacy Policy? WTF?
It still works if you block Google API from loading in your browser using a plugin like noscript or ublock. You just won’t get the map. Enter the address manually.
The terms and conditions is scary legal jargon but ultimately a CYA for every major tech company.
The part about Google’s API use suggesting you are bound to their TOS is really unenforceable nonsense.
I bet Google just required them to add that line to their TOS.
Bottom line, it doesn’t matter what is in Google’s TOS if you don’t actually use Google’s services. Stop using Chrome, Android and block all 3rd party APIs and scripts.