If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.
McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.
These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.
Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.
When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.
Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with ID.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).
Update, Feb. 7, 2022, 10:21 p.m. ET: The IRS said today it is transitioning away from requiring face biometric data to identify taxpayers. Read more here: IRS To Ditch Biometric Requirement for Online Access.
Original story: Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.
After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.
The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.
When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.
Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.
If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.
After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.
My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.
An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.
For example, completing the process requires submitting at least two secondary identification documents, such as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.
After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”
I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.
That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.
Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.
When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.
I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.
The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.
The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.
Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.
Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.
“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”
ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”
Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.
When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.
Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).
Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).
If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.
Ummmm… Not a good idea.
The question is when id.me will be hacked, not if.
> “and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled”
(says the Trump admin appointed business associate)… In 3 years, when even phone apps can crack the encryption, and the site, or the cloud service, or the IRS, or the NSA, or the FBI, or Google, or Facebook, or Homeland Security, or whoever else they have purposely shared/leaked your data to (because it is easier for the pimple faced web dev to use the latest greatest gee whizbang cloud widget), has been breached, you are SOL. You just gave away the farm.
ID is racist anyway
ID.me wouldn’t let me verify with a Maryland driver’s license, saying that it couldn’t find an image of my face(!). I was able to register using my passport but it took about ten minutes to get an image that ID.me would accept.
Definitely DO NOT put off creating an account until the last minute.
This system seems to be a copy of the one that’s been in use by the Social Security Administration for a while. There’s obviously a difference in overall appearance, but when I was helping my parents set up online SSA accounts I noticed how much the process mirrored that used by the IRS.
And you’re right; I could not get the system to work by taking a picture of the drivers license.
If this is the same outfit, expect the exact same problems with the IRS system.
These people seem to keep coming up with more and more ways of us revealing our personal information without guaranteed protection that it’ll never be hacked nor stolen.
I tell you, the land of the free keeps revealing more and more that we’re not “free” at all
If you want a “guarantee” of “it’ll never…” then you are looking for an absolute. Don’t hold your breath.
The problem is that so much personal information is already out there, and the old system was rife with fraud because people could open credit, file for tax refunds, etc. with just a little bit of that information.
Yes, unfortunately we now have to give up more personal information and prove our identity so that we can get loans, tax refunds, benefits, etc. before some foreign hacker does it first using just a simple process.
Capitalism is the culprit. Money is not our friend.
I can never get answered by it’s yo contact me or me contact them. I opted out of the child tax credit several times from the beginning and they continued to send those checks first two by mail I turned iver the last $150@ to the baby’s mother and the first two child tax credits that I cashed and gave her bc she got the child by then and I promised her. She told me to opt out so I did. I tried more then 12 times to opt out. Then the is.me quit taking any info I put in and I could no longer even opt out. That was not my fault. Then it’s started all of a sudden in oct they put sort and oct child credits in my bank account I still tried to calm its and to opt out again bc I did not want to pay taxes on that money. Then again through December. Both last two deposited in my account as direct deposits. It was not my fault that what money was sent or that it was deposited. I happed to be over $1000 mega I’ve in my bank and they took what last two deposits bc irs direct deposited. It was at least first two checks I can cask and give yo mom but then they all of a sudden changed and direct deposited and screwed out up. I didn’t have the money to fix that and now I have to be the one to pay the it’s the taxes on all of it including the money I handed over to the baby’s mom. We had to get mom to keep baby bc me my sister and my husband ended with covid and my spouse died. I was yo sick as well and my spouse and sister yo care for him so we asked for him to stay with his mom since she was to get him soon anyway in a couple months. So he was allowed to go hom. He was mine yo claim on taxes for 2020 buy mow it’s a mess and screwed up. What is the taxes on all that going to be I am on social security disability and I am on a very small pension. 
I all of a sudden with the death of my husband I am paying for $510 on rent and car payment and etc where I don’t qualify for food stamps or additional help and I don’t have food most alway so how am I going to pay the taxes on the child tax money and I hat am I suppose to do now. I already can get money for food. I usually don’t go out and go to mii ok irs or do anything bc there isn’t enough money to do that. Please tell me a phone number I can talk to someone from its that they will answer. Bc they don’t. I had someone answer once and they said quickly wtong number I can’t answer you questions and I can help yiu I will transfer yiu bye and sent me to a number that never got answered. I need my taxes done and I need help. If I have to drive 100 miles to Kansas City to do it I guess I will. Bc I need help badly. It makes me sick bc I can’t find the answers and I did nothing wtong bc I opted out several several times and I tried to some more but the id.me did not work for me after that and I could not get ahold of irs anymore. So please give them my number if ya see them and tell them to give e me a call bc I will answer. They don’t 573-631-4450. Thank you so much for your time. I May Day you instead of the IRS. But I mean them. So please don’t take offense
There are a lot of reasons for having an IRS account not related to filing one’s taxes, just saying. Having had your ssn used for a tax fraudster is one of them. So the quick “you don’t need one of these because you can file taxes without it” is simply missing the fact people interact with IRS for a lot of reasons.
And there are more ways to interact with the IRS than through the Online portal. Just saying.
People are acting like this applies to everyone. Worse, people are pretending to speak for groups of people who have never created an IRS.gov account, and will never.
The point is that it’s hard to name a hard “requirement” for having an IRS.gov account, when forms can always be mailed in, which has been the primary way for longer than the Internet existed.
The website is just the most “convenient way” (by a lot) to interact with the IRS, so people now think it’s the only way.
I get the need to verify identity and I understand that to make it secure, it has to be tough and thorough. But given the push back I get on a daily basis from people who have to provide documents required to verify their identity in order to obtain a valid Real ID card (I work at a Minnesota DMV office) there is no way people are not going to go ballistic over this. On a daily basis I literally get complaints several times a day from women who’ve changed their name due to marriage or divorce, frequently multiple times, that they shouldn’t have to prove their name changes because it happened “20 years ago” or longer. Their lack of understanding for this basic requirement is ridiculous. And that’s only one example of the complaints people have over documents. I could go on but I won’t because I think you get the idea. Americans are spoiled, entitled and lazy. ID requirements are something they expect “others” to have to provide but when it comes to themselves, it’s simply too much to ask.
Thanks Lisa. That about sums it up.
Maybe this will result in women no longer changing their last name when marrying. 🙂
My wife never did change her name after we married. It’s been over 10 years. She uses her married name in informal settings, but for legal settings, she uses her maiden name. She just never got around to it and now it’d be a bit of a hassle. But, to each their own.
My wife kept her name, but she’s also cited on some 300 scientific papers. I was fine with it.
My wife kept hers as well. She is cited in 0 scientific papers, but she is prettier than your wife.
But if I have already provided all these background documents to get a passport or a Real ID, then why does the IRS need them again? Why isn’t the Real ID copy sufficient. People are angry because they keep having to provide the same documentation to everyone.
I just went through this process and it was a nightmare. Photos were blurry. Resent. Told to enter video chat. Waited over an hour then told photos needed to be reviewed and I should await an email. The next day my submissions were approved and I should reenter the chat. Told to expect over a 3 hour wait. I will say that I only waited a bit over an hour and the interviewer was pleasant. Interview took about 15 minutes.
Yeah, this is a major pain for even a person semi comfortable with technology. It will be a nightmare for folks that struggle with using their computers and phones to begin with, including many seniors. Waiting in the queue for another hour+…
ID.Me is hardly secure & easily bypassed. Threat actors can easily create a drivers license with someone else’s face & have them proceed with the 3 minute video chat. ID.me does not know what the “real” person looks like – as long as the picture in the ID & in the video chat are the same. This process works with even poor quality counterfeit ID’s.
Yes, there’s always potential for someone to go through all of these steps.
But it’s effective at cutting out the vast majority of identity theft operations.
–
Believe it or not, the majority of identity theft is not from someone in the US.
So now this ID.me process has just eliminated the bulk of Nigerian, Eastern European, etc. fraudsters.
Now they have to bring in Americans to help them. Someone with a face that could reasonably match the name, perhaps American accent that is not going to raise red flags, and able to answer questions and hold a conversation without hesitation.
–
Yes, this is all possible, but this is starting to become spycraft.
–
Keep in mind that criminals are risk-averse and only the boldest would risk getting on camera to be recorded. These cyber criminals don’t like to be on camera. Which puts them in the crosshairs of their local law enforcement. Especially risky if they have a criminal record.
–
One big factor that really prevents identity theft…
Now each criminal can only steal 1 person’s identity. Trying for a second really puts them at risk as each session is recorded and compared with others. identity theft crime is usually perpetrated by a few criminals stealing a lot of identities and then selling them to other criminals.
–
Remember, identity theft has become a pandemic and all we have to do is make it significantly harder, and raise the bar for attackers. No one expects that identity theft through this new process goes to 0%. But it’s very possible that it becomes a footnote of a problem.
You made me laugh, good joke; “Someone with a face that could reasonably match the name”
Yeah, it’s funny. I didn’t want to say racially profiling, but during identity proofing, it is something that could raise red flags for further investigation.
Kind of like when you get fake tech support scams and there’s a Indian guy with a thick accent, saying his name is Paul.
But really, it makes it much harder to steal the identity of females. Some Nigerian guy can’t really pretend his name is Susan.
You do not need to sign up with id.me to file your taxes. You need to sign up with id.me for access to IRS online and SSA online.
Many are balking at handing over the family jewels in order to sign up. While what you must minimally provide is more than most online accounts, it is far less than other identity verification. I know, I have had to provide far more multiple times. If you use any social media or any online service without full anti-tracking measures, you are handing over far more.
Speaking of anti-tracking measures, I am sure many online services (including id.me) are designed for the vast majority who do not use anti-tracking measures. In addition to anti-tracking, you have anti-id-theft, anti-fraud, i.e. extra security. I have credit freezes, use a VPN almost always, block third party web-content, do not use social media per se, use Linux, use Vivaldi browser, use a VOIP number, use fresh profiles for each browsing session. I am certainly not the low hanging fruit. I frequently run into various challenges due to assumptions made in design of various online services.
I signed up with id.me later in the day on Christmas. With all my protection measures, I could not take advantage of the quick automatic id proofing. I actually think that is a good thing, except a mal-actor attempting to impersonate me might be able to utilize the more streamlined path and have an easier time validating than I. Sort of the opposite than the intent of more stringent identity verification. I did have to perform the live video session, pre-uploading scans of identity documents, and showing some during the video session. I used my laptop and had to enable video and audio (audio in multiple locations). My wait was not very long that I remember, but I attribute that to the fact that not many were attempting to use the service on Christmas evening.
I enabled hardware security keys, two to be precise. The first was during initial setup. The second was after later logging in and adding the second in the security section of the profile. You need to add second in case the first becomes unusable for any reason. That is precisely why I have more than one, with the second in a different safe location.
A federated identity is really necessary online as an identity theft counter-measure. It should be closely aligned with offline identity. Real-ID is a step in the right direction, but needs improvement. Remember identity is only the first step of I&A (identification and authentication). Authentication is the more important part. Authentication level should vary according to the need. Posting a comment is the lower end, claiming retirement benefits is the higher end. Multiple factor more stringent authentication applies to the higher end.
We have to get our priorities straight. The SSN is only an identifier, not an authenticator. A SSN alone should not allow access to information or more. An SSN should be able to be visible publicly without fear of ID theft. The breakdown is things of value are handed over on an identifier alone (the SSN). Then to top it off the onus is on the individual who is assigned the SSN to prove the wrong or they are on the hook for the things of value. The onus should be on the one who had handed over the thing of value to the impostor and the impostor when authentication was either not performed or lower level authentication than appropriate for the thing of value.
A federated identification is not an evil thing of “big brother”. A federated ID does not have to be centralized, in fact it would be more secure if it were distributed. In fact a blockchain ledger may be a good fit for federated ID. Everybody’s ID should be publicly visible. Anonymity would still be possible when appropriate. A cryptographic authentication process is the only way to be sure somebody is who they say they are, and they who they are not. It has to be properly implemented with the implementation plan reviewed by appropriate experts. This is not an area for a roll your own proprietary encryption claimed to be military grade.
This right here!
EVERYONE needs to read this comment from G Scott. It really does a better job than the article at describing WHY this is happening. Brian did a good job at the practical experience and failings of this initial rollout, but nothing that can’t be fixed over time.
We have been desperately in need of federated identity services and multi-factor authentication.
I understand there will be edge cases and people who find this cumbersome, but identity thieves want to return to the same automated conveniences that made it so easy to steal an identity.
Yes you do if you want an IRS pin.
No, no you don’t.
Alternatives to the online tool
“If you want an IP PIN but can’t successfully validate your identity through the Get an IP PIN tool, there are alternatives. Please note using an alternative method to the online tool takes longer for an IP PIN to be assigned to you.”
https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin
The IRS portal isn’t used for tax filing — its uses have grown over the years, but it’s not connected to E-file or even the Identity Protection PIN program, so most taxpayers don’t need an online account, and creating one won’t protect you from tax identity theft or help you file a tax return.
NIST released 800-63-3 in 2017, but the government being what it is, these implementations are just starting to see the light of day and people are just coming around to the implications for privacy and security.
For 10 years Canada has had a federated identity network that avoids the obvious privacy concerns of setting up single-silo identity credentials like this that combine the functions of identity proofing, identity attribute provider, digital credential management into what are effectively identity honeypots. Instead, you can use your bank account to securely log in to federal or provincial government websites (or to securely access consumer financial institutions, phone/Internet, healthcare portals). The Obama administration proceeded on similar lines, trying to set up a privacy-preserving public-private ecosystem (remember trust frameworks and connect.gov?) but their effort was too ambitious and fizzled. Unfortunately.
10 years later, we have the technology! Americans have access to many forms of strong ID (including on-device biometrics like Apple Pay) they carry every day, and even digital ID/drivers license is now being adopted. Federal agencies should focus on reusing the strong forms of ID that Americans already have, rather than outsourcing this function to a single vendor.
As with digital vaccination proof, there is a right way (CommonPass framework) and a wrong way (giving your identity, biometric and healthcare data to CLEAR).
I wonder how much our federalism gets in the way of having a good rollout of digital ID cards. Every state is responsible for their own driver’s licenses. States don’t like to standardize.
It is by far the easiest way to get an IP PIN. The only other way I’m eligible to get an IP PIN is to make an appointment with a tax advocate.
And that is the crux of the problem here.
People want “easy” over “secure”.
Even after decades of identity theft and fraud that we’ve been begging and pleading for them to fix with proper 2FA and identity proofing. There is no way around it… it cannot be both “easy” and “secure” in this case. The easier you make initial identity proofing for everyone, the easier it becomes for criminals on the other side of the world to do the same thing on your behalf.
There must be a vetting process. And there is no way it can be easier than the simple and trivial ways we’ve done it before.
Estimated wait time for video contact with id.me was 1 hour and 15 minutes when I initiated the process. 4 hours later, the wait time disappeared and a message showed up stating that one of the documents did not contain the information needed (it did and it was the original pdf I received). Resubmitted the document and now must wait for email saying it has been reviewed and then restart the video queue.
At least the test kit request went through smoothly earlier this week.
All of these problems because there isn’t a EUA national citizen card with secure chip (+ PIN) that allows the users to prove their ID.
Yeah, I’d love for a single smart card standard across the US. But we’ve got over 50 different jurisdictions each with their own laws and implementations. Federalism can be a real obstacle.
I’ll never understand the way federalism is lived in the US, like having 50 different traffic laws and even national election rules and requirements. But at least there are some serious attempts at providing some government services via the internet, however burdened by implementation issues.
In Germany, we have had an e-identity enabled “smart” national identity card for well over a decade (despite the 16 states loving their federalism in other areas, ID papers and driving licenses and tests are standardized, amongst other things). What Germany is still lacking after all this time is e-government services, except for using my NFC-enabled smartphone to do some ID verification through the postal service for example for mobile phone plans or account openings at banks, there is still f* all I can use the infrastructure for when trying to access any local, communal, federal or national government service 🙁
Because history has shown state actors are evil, repeatedly. How many millions died at the hands of their own government? The United States and the constitution are now a farce. US government makes old East Germany look like amateurs.
While you’re afraid of the US becoming East Germany during the cold war, many more are worried that the US is looking more like the Weimar Republic of Germany in the 1920’s and 1930’s.
The government can be evil, and so can the mob of people. And we’ve fought wars against both. And our deadliest war (by far) was a civil war where the evil was from “State’s Rights” folks wanting their “freedom” to keep “property” without the federal government interfering.
OK, this “prove I’m me” technological turgid rigamarole so necessary to modern life is now more trouble than it’s worth. Hear that? It’s another pillar of civilization hitting the dust.
It’s funny, but most 5th century “Romans” actually _welcomed_ the barbarian invaders as a welcome relief from the kleptocracy and systemic over-complications endured every day under the decay of the late West Roman state.
At least the barbarians didn’t collect taxes.
Chicken Little over here, again with the sky is falling doomsday prediction.
Relax, stop being so lazy and entitled.
You, Sir, are an insulting ass, and undeserving of a reply.
My verified Bittrex (cryptocurrency) account was recently suspended and I was obligated to upload ID in real time (not a scanned copy) plus a “selfie” verification. It took multiple goes to get the lighting perfect for the ID and then I had to hold the phone the precisely correct distance from my face. How anyone who is not used to taking photos (e.g. older people perhaps) or is disabled is supposed to manage this elaborate scheme is beyond me.
There is no way many of my elderly relatives would understand how to angle the phone at the exact position – and nor would they want to. Why should any of us outsource our information and biometrics to some well-connected third party?
In addition, with Bittrex I asked a few questions about where the ID is stored, for how long, etc. The answers – while in English – did not relate to the questions I posed, presumably as Bittrex has outsourced its customer agents to the Philippines and they are only capable of responding to basic conventional questions. I wonder if the same will be true of ID.me?
Is there a system in place to prevent a competing identity verification company from demanding ID.me’s contract with IRS be reopened for bid periodically, possibly forcing taxpayers to register all this personal information with multiple identity verification companies as the years pass (neither convenient nor safe)? Are the safeguards used by ID.me to protect taxpayer identity built into that contract? Is it not a contract thing at all, maybe?
I’m not eager to share myself out with more companies than necessary, especially if subsequent low contract bids might be a result of a company lowering expenditures on safeguarding my information. Doesn’t seem like there would be much choice. As you point out, if I don’t, a fraudster could do so in my place.
I really don’t understand why the IRS isn’t using login.gov – developed by the government for authentication.
Social Security and DHS-Trusted Traveler Programs do use login.gov. Seems odd that the IRS is not and is instead paying a third party.
Yeah, that’s a big concern of mine. They really do need to use their own system. That way they don’t have to fight to get a profit motivated private company to respect privacy.
I went through this process about a week ago. It was cumbersome, but everything worked the first time. Definitely agree that everybody needs to plant their flag and go through this.
I’m not entirely convinced everybody NEEDS to plant this flag. The sheer difficulty and manual verification required is good security and prevents fraudsters from going through this pretending to be you.
That’s kinda the point, a system of identity proofing that you don’t have to plant your flag just to do it before someone else does.
If they give in to the whining and whinging and make the process so easy and don’t require as much manual validation, then maybe I will plant my flag.
I just went through the process, pretty straightforward and no issues really. I already had an old IRS account and an ID.me account (for veteran stuff) so it just required front and back of DL and a short video selfie, which I assume is to verify you are a living person and not a photo someone is scanning.
December 8, 2021
A trip down IDENTITY VERIFICATION lane.
OR, WHY your phone number and email address are NOT JUST a means to talk to friends, but a CRITICAL PART of your identity, to be protected.
I have a logon for the Internal Revenue Service Website. It allows me to see what tax return info they got, make payments, etc.
I saw a notice that they now want you to have ID.ME as a login method, and they will be phasing out their own login as of summer 2022.
So, I decided to set up the login.
VERY INTERESTING, it is like going through TSA at the airport.
you set up a username and a password (complex password per their password rules)
then it takes you to identity verification
it requires a scan of your driver license (front and back, separately), or your passport
it requires you to have cell phone for two factor identification, for them to send you a code at every login.
ok, you enter this stuff, and it THEN wants a facial scan – through your phone, or your computer webcam.
you choose which (I chose the phone), and it sends a link to the phone, that activates the camera, and activates an actual facial SCANNING app that scans your face (you center your face in the lens), and it then tells you if that info is valid.
you then enter your social security number.
FINALLY, it tells you that it was successful. IF it HAPPENED TO BE successful.
Now, if it was NOT SUCCESSFUL (as in the case of one family member) – a new can of worms opens up.
If they are NOT ABLE to verify you (meaning, that names match EXACTLY, first, middle, and last name), on ALL DOCUMENTS, and on ALL WEBSITES (example, maybe you missed a middle initial on a document or a website), your verification FAILS.
You THEN need to do a video call with a government agent, and you must FIRST UPLOAD a scan (FRONT AND BACK) of a PRIMARY document, and secondary documents (driver license, passport, birth certificate, social card, or others)
THEN, you also have to take a photo of yourself, to upload.
THEN, you wait in queue for a video call back from the agent.
The agent requires you to actually have the PHYSICAL PASSPORT, driver license, etc, to show, on the video call, IN ADDITION to having already uploaded it.
You need to make sure that the NAMES MATCH EXACTLY.
Finally, after about one-half hour on the phone, verification was completed, and a new login code was issued.
Anyway, thought this was very interesting and sobering, the way that the document uploads then get matched to selfie facial recognition, etc.
Go online and set up a login and give it a try !! it will change your mindset about how many social pictures, selfies, contact images and data you post, seeing the recognition technology in action….
the other side of ID-ME. This is a COMMERCIAL enterprise. If you think otherwise, see the home page
it has offers as follows
ID.me for Individuals
Qualify for Group Discounts
Learn how you can securely prove your military, student, or other group affinities to access exclusive group discounts.
Shop for Amazing Deals
WHY ARE THERE DISCOUNTS, DEALS, ETC when this is supposed TO BE ID PROTECTION ???
Yeah, this is my biggest concern.
The 3 (or 4) major Credit Reporting Agencies are private commercial enterprises too. And they really are the cause of a lot of this mess. Of course, individuals don’t have a choice with CRAs, the businesses that use them (creditors, lenders, etc.) decide, so most Americans are stuck with that.
With IRS.gov, I see no reason to open an account. I don’t have to use them to pay taxes or anything.
Hopefully, the GSA’s login.gov can be used in the future.
Guess the IRS doesn’t get my tax money then
Joke’s on you, they already withhold taxes from your income. Unless you’re self employed. And even then, the tax man cometh.
I had to help a parent set this up recently for unemployment since their flip phone didn’t take good enough photos. It was a nightmare. I don’t think it’s reasonable to expect older people to keep up with these changes without offering a clear means to assistance, as well as assume they have the technological means to complete this. The 5 hour wait for a 2 minute interview was the least irritating part.
They already are doing this as of 2 weeks ago.
The IRS required photo identification including a photo of your state ID along with a selfie to opt out of receiving the Child Tax Credit late in 2021 and the system didn’t work. I’m a photographer so I have a clear understanding of taking photos, lighting, etc but after spending an hour on their site and submitting photo after photo of my ID (front and back) a million times before being accepted (sometimes the same photos and would be rejected for different reasons every time, or accepted once but then rejected), I never was able to get it to accept my selfie to verify I was who my ID said I was. I got so frustrated I just let them send me the money and will deal with the consequences this tax season, something I was really trying to avoid.
This seems very scammy.
A private company wanting all your personal data? That has never ended well.
Screw this. And Krebs is supposed to be about security? Ha. Oh – and Jammin J – you sure are a fed fanboi.
This is about security. If you cannot see that, then you’re in the wrong place.
Not sure about Jammin being a fed fanboi just more valuing security over privacy. Makes sense since this is Krebs on Security not Krebs on Privacy.
I had to do this to opt out of the Child Tax Credit check distribution last year. I should have done it for my spouse, but it was such a PITA I didn’t. AND I have no trust that ID.ME will be able to keep my identity safe. It wouldn’t take a scan of my watermarked driver’s license, so I had to submit a scan of my passport.
Hello Brian,
Thanks for the great article. I have been expanding your message to plant your flag to everyone I know.
I happen to have created an ID.me account last year exactly because of getting access to the IRS.
I honestly can’t remember if it was as difficult as your experience.
Turns out I didn’t save the account/password in my LastPass (how on earth???) so I had to do a password reset.
This operation was painless, the usual link to your email, and then use the 2factor option (yubikey!)
I will share that I also have my Google Pixel as a 2nd factor which I tried to use to login. It’s a more involved push notification, but it failed on the first attempt. I would think it did work when I set it up…
Umm….pretty sure I’ve been told over and over again requiring ID is racist??