If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.
The IRS says it will require ID.me for all logins later this summer.
McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.
These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.
Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.
When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.
Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with Id.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).
Update, Feb.7, 2022, 10:21 p.m. ET: The IRS said today it is transitioning away from requiring face biometric data to identify taxpayers. Read more here: IRS To Ditch Biometric Requirement for Online Access.
Original story: Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.
After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.
The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.
When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.
Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.
If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.
After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.
My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.
An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.
Some of the primary and secondary documents requested by ID.me.
For example, completing the process requires submitting at least two secondary identification documents, such as as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.
After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”
I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.
That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.
Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.
When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.
I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.
The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.
The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.
Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.
Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.
“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”
ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”
Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.
When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.
Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).
Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).
If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.
“An organization should never outsource its core functions” is a rule I strongly believe in. In this case “knowing a person’s identity” feels like a core function of government. I cannot understand why the ITS would chose to outsource identify confirmation to a third party.
I signed up for an IP PIN and use my IRS website to get a new PIN every year. Now that they’re switching to ID.me, i never want to use the account again, but I need to opt-out of the IP PIN Program, which IRS said they would allow in 2022. I’d love to know if the IRS plans to have the opt-out in place before fully switching over to ID.me.
Why are you opting out of the IRS pin? Isn’t that a good security feature for taxes?
a second post by me
this time related to senior citizens. ID.ME poses a nightmare to sign up for this. My mother is 94. she is in assisted living. either my sister or i would need to be with her to do this. with a 3 hour wait time, that is impossible. the IRS website is becoming more critical to follow tax returns, etc; mom HAS the older login, which i use, as POA, to monitor returns; the IRS had a 2 year delay on her 2019 return, and now we owe about $2,000.00 overpayment due to income limits for plan D drug rates in medicare (because medicare never got the IRS data for 2019).
this is becoming more and more absurd. the IRS needs a better way to help us enroll senior citizens.
ALSO, mom’s MEDICARE card does not have her middle name on it, EVEN THOUGH the social security office has it on THEIR card. there is no way to communicate with any of these agencies to get this stuff changed, without in-person visits, etc, even though each agency has the other’s data (or can get it).
if the cards you have, to verify the ID.ME identification, do not match, you are cooked !
Hmmm, what could go wrong! We provide a private 3rd party important informaton who assures us that everthing will be OK because “Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.”, and somehow you feel that this is OK? There should be general outrage at the complete lack of proper accountability and thoroughness for our private data AND no aspect of the government should be allowed to outsource this sensitive a function
Not a chance in hell that ill ever do this. The govt needs to stay in their lane. I thought we were US citizens but everyday we creep closer and closer to being US inmate slaves. Im so tired of this crappy govt.
Wow, calm down snowflake. You aren’t being oppressed. You aren’t an inmate or a slave. You should probably pay more attention in school so you don’t even dare compare yourself like that.
You come across looking very stupid when you talk like that. You are welcome to leave, and deal with whatever government you think won’t dare ask you to prove your identity, but good luck with that.
CCP operative, go back to your China camp, slave. We will not allow the likes of you to take our freedoms and privacy
Wow! Calling names! That’s a sure way to convince people that you’re right.
Ignoring the name calling and lack of civility, Hailey and Alice are still wrong.
It is not appropriate to compare their slight inconvenience to slavery.
It smacks of racism against those who were enslaved and also against Chinese people.
It may not be possible to convince someone with such deep hatred and white privilege anyway, so although I don’t condone name calling, I don’t think the point is lost.
1. I wish every federal department wasn’t so wastefully insistent on it’s own silo. Why this isn’t login.gov and is yet another government contract is beyond me. So when ID.me is breached or otherwise fails their contract…who’ll be the competitor to replace this contract? We’ll have to go through this all over again? (rolls eyes). The internet has made citizen identification and authentication a core government function that shouldn’t be outsourced.
2. The IRS/SSA/FedLEOs/ETC should provide a direct portal/interface at all of their regional offices so people can walk in directly to have their identity verified and uploaded like the DMV.
1) Yes, OMG yes. Government procurement and contracting is complete nightmare. It needs fixing. And it needs reforms such as eliminating revolving doors between government and private sector. It would not surprise me if someone that can influence a decision to go with ID.me, has some kind of interest in the company.
2) I wish state run DMVs could have some allowable federal presence. Just one kiosk with the camera setup and an employee on duty trained to enroll. May even be a good job for the post office. Of course, who wants to pay for all that?
I wonder how many people are like me and my wife. We’re both high iq, well educated, solid earners who plan to avoid taking SS payments b/c we understand the risks of data intrusion and privacy loss presented when midwit civil servants and low-bid H1B-staffed tech companies out for gain join forces to “protect” us all from a problem of their creation. We’ve been massively taxed by SS in our lifetimes, so this means the abandonment of potentially a sturdy pile of money.
One can’t help wondering whether somewhere in the bowels of gubmint, some hand rubbing analyst didn’t figure this out down to the last penny. Another form of wealth transfer. After all, this is what the UniParty specializes in now: taxation that looks like something else.
You don’t sound very “high iq”. You sound like an arrogant nationalist. I find that only narcissists get their IQ tested so they can feel superior to others.
Well Robert your last name says it all. Very appropriate.
Patton’s chief of staff. Inside joke
People, watch out for CCP and related deep state paid shills on here, they’re the only ones who’re defending ID.me privacy and civil rights intrusion
Data intrusiion? That started Day 1 with your birth certificate! You avoid taking SS payments because you “understand” the risks of data intrusion and privacy loss? What risks are they? And no Medicare? No driver license? No passport either?
I helped multiple family members (over the phone!) go through this (very long process) to verify ID for (valid) CA EDD claims in 2020, 2021; it’s gonna be a real big challenge. In addition to general security concerns, the ID.ME website is designed to lead you to the id.me SHOP? And the “do not sell my information” link at the bottom of page is “for CA residents” only so not only are we meant to trust with basically all PII, we also have to trust they won’t sell our contact info for marketing with their clothing, health and beauty, sports, etc. partners. ID.ME is almost as bad as my move that USPS tricks you into believe is part of GOV agency but is purely very valuable marketing since they’re at the junction of a move with a lot o PII
This is why we need to petition Congress to pass a nationwide version of the CCPA (California’s privacy law).
How confusing. Are you arguing against CCPA? Or that no other states have passed such a law? Or maybe you don’t understand any of it and are yelling at the clouds.
You did not need to do this! People fought back against these EDD ID.me requirement and were successful, all you have to do is not submit to them, complain and EDD would have send you a link to submit identity documents directly to them, this had been done!
You would have to be crazy to provide all this information including digital copies of identification documents. The data will be compromised in short order and the Chinese Communists and Russian thugs will have this within months. The US government has been singularly unable to protect data and in fact seems to be uninterested in doing so.
Even worse, my wife’s last name was screwed up by the SSA. When we file, we have to use her maiden name. But her state driver’s license shows her married, legal name. It could easily take weeks to months to get this changed and it requires a visit to the SS offices in a neighboring town to start the process. This is almost certainly not a rare occurrence.
There have to be other less onerous methods for the IRS to reduce fraud. But once again, they choose the method with the greatest burden on law-abiding citizens.
“There have to be other less onerous methods for the IRS to reduce fraud”
We’re all ears.
This has been a decades long problem, and the experts in the field have been screaming to implement strong MFA and identity proofing.
This was not chosen specifically to burden you, but you have to understand…. they don’t know the difference between a fraudster and a law-abiding citizen until AFTER you go through the identity verification process.
You know the saying, “if it were easy, everyone would do it”.
People want easy and convenient, so do those thugs. Unfortunately, it must a bit of a chore to really do it right and secure enough to filter between the two.
Seems like the IRS is demanding it right now. When I just tried to log in to my existing IRS account, it bumped me out and said I first needed to get the ID.me account set up.
This is New World Order.
Fight back!
After reading this, and having noticed the same option earlier in the week on the Social Security login page, I went ahead and set up my account. Total time: 15 minutes. No intervention by a real human (apart from me) was needed.
Yes, I hated setting up the account, but if it’s needed in order to continue to access my IRS and SS accounts, then I don’t really have a choice… and it’s on ID.me and the feds to own any problems.
“and it’s on ID.me and the feds to own any problems” You are naïve…it will be your problem to resolve…good luck with that.
Are you working for ID.me, why are you disseminating this lie?
No, you do NOT need ID.me to access your SSA account. This is an OPTION, not a requirement.
I just accessed SSA online account without any ID.me, there’s no requirement and will not be,
the only ID.me requirement is to be for new SSA accounts, but even that one can fight back against.
I successfully blocked ID.me requirement for another government agency and used alternative
option to identify myself, with government direct, like it should be.
People should stop being passive sheep/slaves and realize they have rights and fight for them.
Now imagine a senior citizen trying to authenticate themselves. Newer authentication methods don’t always mean better. We need to consider the customer friction caused by these “cool” methods of authentication.
In 2017, Instagram required a selfie to recover your account if you lost a password.
This is an email I received directly from their account recovery process.
“Please reply to this email and attach a photo of yourself holding a hand-written copy of the code below.
390553749
Please make sure that the photo you send:
Includes the above code hand-written on a clean sheet of paper, followed by your full name and username
Includes both your hand that’s holding the sheet of paper and your entire face
Is well-lit, and is not too small, dark or blurry
Is attached to your reply as a JPEG file”
Many clients I talked to at the time thought this was a “cool” way to authenticate your client. How someone thought this was an acceptable method for account recovery is beyond me. I joked that it’s no wonder there are no senior citizens using Instagram.
I’ve dealt with ID.me for 4 years in order to access my military disability records. So far I have no complaints about the process. It appears to work well and be safe (right now). It will be important for ID.me to continue improving and educating the public.
Yet another third party contractor with complete access to our very private lives – what could possibly go wrong?
Can we get the name/s of the assholes who decided to foist this I’ll-conceived, fresh new hell on all of us?
Do you want the list of names of all those who had their identities stolen over the last 10 years?
Or the names of everyone in the security community who begged and demanded that they fix the problem by implementing strong 2FA and identity proofing?
Glad to know I’m not the only one who is struggling to sign up, thought it was just myself.
The selfies will be used to train facial recognition software that will spot you if you march against vaccine mandates, if not for this plandemic then for the next one Fraudci and the Chicoms are brewing in Wuhan. It will spot you if you go to a Trump or DeSantis rally, and will help to document your absence from a “crowd” turned out for The Dotard or assembled for the next round of Burn Loot Murder riots. There are going to be the modern equivalent of Two Minute Hates once the domestic terrorists are all put away, and your face had better be recognized there or at anti-racism or LGBTQIAAAAAAAAAAA etc. ally training. This is how our new masters track everyone in China and keep track of social credit scores, and how their puppets are going to do it here.
Go drink your horse dewormer and go away
It actually makes me feel better that the CEO says that the data is not needed on an ongoing basis and that the identity is associated with a tokenm though there are caveats with that because much of that data is immutable. Yes, I have concerns about loading that much sensitive info to a third party site. Double edged sword though – do I really want the government to have access to all that data in one place either? I understand they have most of the pieces already but they have not proven adept at correlating that data to date. 😛 Do I want the government to know my cell records? And what about family members who are on another family member’s mobile account? Now CISA exists – seems like they should have one central highly secured identity store for all government functions. Also if they are requiring state or federal issued IDs what about illegals who pay taxes but don’t have IDs? Should they stop paying? There is a lot wrong with this entire situation, including that they are trying to do uplift on a fundamentally broken process (using legacy paper docs for identity like an SSN). This whole thing makes me uncomfortable
1) Cell records are not part of this.
2) CISA doesn’t have this capability nor mandate to handle these records or identity proofing services.
3) Undocumented persons paying federal taxes, as anyone else paying federal taxes, still don’t actually need an IRS.gov account.
I don’t know why so many people commenting here think that everyone must do this. Krebs is just describing the experience.
All those edge cases and exceptions and whatabouts… They are just fine not getting an IRS.gov account.
Not everyone has the ability to do a video selfie or chat, and the phone number verification doesn’t work if you’re a prepaid customer. USPS failed to verify my number and sent a code by mail instead so I could set up an account to put my mail on hold.
” ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number.”
Hrmmm. Well, my cell phone is actually owned by my employer, and my landline is under an account in my wife’s name. Now what?
You don’t have to provide a bill or proof that you pay for the phone service.
It took me about 15 minutes to setup ID.me to login with the IRS. I used my driver’s license to do so. I’m retired military and was already in their system. For authentication, I use the Yubico Authenticator desktop app, which requires a Yubikey to generate a code. And I use a password manager for my logins.
I am also an identity theft victim, having had someone try to file my income tax return (unsuccessfully) with the IRS about 10 years ago. I’ve locked down just about everything I can because I know my personal information is on the Dark Web somewhere and haven’t had an issue since. I’m not overly concerned about the privacy issues. The government already had my info, even before there was an internet.
any idea if magic jack phones work?
Wow, Brian Krebs. Dot me is a Montenegro country code extension . . . I don’t mind visiting those sites if I have anti malware software running to block suspect pages, but to give the amount of personal details demanded defies logic! You are one of the few who operate logically in the security journalism field.
From your description, it seems ID.me got the Holy Grail of government collabs in order to train its facial recognition software, with all the extra specs you submit!
“All Hail, Putin!” the US might as well relent. Sergey [Brin] came through! 🙂
Great way to build a biometric database for 3D face recognition of all US citizens!
All I see is another convoluted layer of potential security failures waiting for a place to happen. When the idiots in charge came up with RealID, they should have taken a good hard look at how the CAC card works. Would have completely eliminated the whole entire need for ID.me.
CAC still would not solve the problem of initial enrollment. Yes, it would provide 2FA via a smart card, but issuing a PIN locked hard token requires everyone showing up to a location.
I have a little RSA device issued to me by my bank (opt-in w/$25 purchase price) that I use for 2FA when logging in. For those who don’t know, the device produces a new authentication code every 60 seconds and is syncronized with the bank. It is just like sms verify codes but a lot safer/secure. The IRS can easily adopt this samething method.
On a side note, if think Id.me is bad then go check out the company Clearforce[dot]com. Don’t just look at what they do, but who runs it. A lot of employers are starting to use this service and forcing new-hires to sign away their privacy and allow 24/7 monitoring.
I worked for a major corporation and last year they handed out a very vague consent form telling people they had to sign it. I went and looked up the company and politely declined. They started trying to intimidate me into signing it until I told them I considered their actions harrassment in the workplace and they are creating a hostile work enviroment. They left me alone after that. 2 months later I found a better job and quit. I am not going to work for a company that automatically assumes every employee is crooked.
My phone’s facial recognition and/or finger print doesn’t work half of the time.
This is going to create even more of a practitioners nightmare!
I wonder if it’s just another way to stall…
You said: “And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).”
NO! First off, one will not be forced to use ID.me to pay their taxes – if they do this, it’ll be the last time they get taxes from a lot of people. Also, I have success fighting against ID.me requirements and getting alternative identification option from the government.. This government had been taken over by hostile, external forces via coup and is not longer serving the people. Instead of telling people to submit to this tyranny, you should tell to fight back. It is illegal to require a smartphone, webcam or facial recognition to access government services. There should always be an alternative option. Fighting back is doable, and I will continue to fight ID.me on all levels. File complaints, contact representatives such as Senator, protest, sue, fight back, this is a path to China-style total surveillance totalitarian state.
The main problem here is forced facial recognition.
This situation is organized by CCP and do you really think ID.me did not bribe their way into overtaking over government agencies? (if you do, I have another Brooklyn bridge to sell).
This is a path to social credit, total video surveillance 24-7, totalitarian state with concentration camps, identity theft, this must be stopped at any cost.
Resist, I had successfully done that and remove ID.me requirement from government agency, resist and demand alternative identification methods.
These government services had been paid by our taxes and facial recognition, smartphone, web camera can not be a requirement to access this, this is illegal.
It’s not new! I’ve needed to have an ID.me credential for years now since DoD required it for access to certain areas that I must access. Recently, several other sites I visit have started to require it, as well. Has been in use by multiple federal and state government entities for over a decade now. Founded in 2010 as TroopSwap for military community members, it has been ID.me since 2013 and has been thoroughly vetted and without any known leaks or misuse of PII.