January 19, 2022

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

The IRS says it will require ID.me for all logins later this summer.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with Id.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).

Update, Feb.7, 2022, 10:21 p.m. ET: The IRS said today it is transitioning away from requiring face biometric data to identify taxpayers. Read more here: IRS To Ditch Biometric Requirement for Online Access.

Original story: Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.

After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.

The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.

When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.

Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.

If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.

After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.

My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.

An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.

Some of the primary and secondary documents requested by ID.me.

For example, completing the process requires submitting at least two secondary identification documents, such as as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.

After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”

I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.

That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.

Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.

When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.

I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.

The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.

The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.

Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.

Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”

ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.

When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.

Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).

Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.

335 thoughts on “IRS Will Soon Require Selfies for Online Access

  1. Alex

    Absolutely despise this and it is a complete travesty to hand over data to an unreliable private 3rd party that almost assuredly got this contract by rubbing the proper elbows in DC.

    That said, pretty hilarious that people are out here complaining about the “gubmint” and the “CCP” and “deepstate” when it’s exactly libertarian ideals of privatization and small government that led us here.

    An essential public job being sold out to a third party contractor to make a huge profit is not communism.

    It’s the after effect of a brand of capitalism that cannot fathom any form of social function or action without some rich, well-connected snob profiting from it. Defund public functions, sell everything off as much of it as possible to private parties who can do no wrong because the profit motive, right?

    The refusal to admit that any public action is anything but beast to be starved, and that privatization can do no wrong, is what leads us to this messed up worst of both worlds – a public function is sold to a private party, and we collectively lose any form accountability.

    But of course, just the use of any of form of the word “collective” probably already created the pavlovian of “DONT MAKE ME THINK THINGS, YOU COMMUNIST, CCP SHILL” response that years of indoctrination have conditioned you lot to.

    (And don’t even get me started on how it’s blind patriotism that led to the personal data collection and spying machine post-9/11)

    1. JamminJ

      I agree. The government should just use their own GSA idP that has already proven successful. No need for this privatization at all.

      I think one of the many Qanon sects have begun to troll en masse here.
      Qanon is one of those things where anybody can pick and choose from a smorgasbord of different theories (some actually conflict with others). “The deep state, everything is CCP, and every decision is being made to further strip away freedoms. There are tracking devices in everything from vaccines to space lasers. And this serious attempt to combat the endemic surge of identity theft and fraud, is just a smoke screen for some cabal trying to control all Americans.”

      It’s sickening for those of us who have had such high hopes for the Internet, to see how toxic this place has become. We security practitioners just want to help secure the terrain, butthe political disinformation and mass psychosis have turned this into a nightmare full of zombies.

      1. Sunman42

        I suspect that the IRS got (consultant; the Congressional GOP has starved the agency of funds to hire people to staff the customer support lines, and IT, for years) advice that they would save money and have better security with a third party doing this. Considering how many large government IT acquisitions for modernization of large IT systems — including the IRS — have foundered over the last couple of decades, that was probably not bad advice.

        Recall that it was the OPM’s (at least two) failures to upgrade an ancient database of information on civilian employees who had had any sort of security clearance (including anyone who had a government-issued chip card for logging into government systems) that led to the (Chinese?) downloading the entire db. Which is why I’ve had freezes on my credit reporting outfits accounts for the last six years. (Thank you again for the advice, Mr. Krebs.)

        1. JamminJ

          Yeah, probably right. Private sector often makes promises of being cheaper and safer than anything the government can build themselves. That doesn’t always turn out to be true, but given the history, it’s a compelling argument.
          My data was breached by OPM too. The whole point of 2FA with CAC is that the stolen static data is no longer enough for hackers to get into those government systems. Of course, issuing a CAC is an “in-person” ordeal.
          And the whole point of identity proofing with ID.me, or Login.gov, is that the static data stolen from OPM is no longer enough to create a valid user account.

          1. PattiM

            All that said, the loss of $billions to hacking *is* a big enough deal to push (desperate?) measures. This is being done because of the failure of ALL prior attempts to halt such losses. Such desperation would seem to be an indicator of approaching catastrophe.

            1. JamminJ

              I wouldn’t call it desperate. But necessary and measured. It could have been a lot more Draconian with stricter requirements.
              When you look at how non-citizens and overseas personnel are verified with biometrics to ensure they are not members of ISIS, Al-Qaeda, known Taliban, etc…. US Marines have been doing this for almost two decades.
              It never seems like a huge burden when it’s happening to other people.
              There was a great comment earlier in this thread from a woman who works at the DMV. She mentions how people always approve of strong identification measures, except when it pertains to them. It’s got to be something with the ego, after all, they know who they are and they trust themselves. So it seems like an overreach when other people don’t trust them when they say who they are.

              I think this could definitely avert catastrophe. Doing nothing in the face of this epidemic of identity fraud, is a surefire way to let it continue and get worse.

    2. John Holmes

      The IRS (Government) still does not care about Seniors. Who the hell is going to help Seniors complete this process?

      1. orly

        The same people who help seniors file their taxes. They will instruct you that you don’t actually need an account with the irs.gov website.

    3. Kiers

      A “Virginia” software firm…….i already knew what to expect!

    4. Christopher

      No. The real capitalist solution is that we stop paying taxes to fund commie crapola. Social security is a ponzie and the taxes are used for benefit of some, not all. It’s not theirs to give to their friends and voters, especially at the federal level.

    5. Black Wolf

      There is a very GREAT difference between libertarian ideals of private capitalist companies doing what Government does badly and the Government choosing a particular company to be the sole provider of access to Government services. A true libertarian approach would allow multiple companies to authenticate people’s IDs. This is just crony capitalism.

      1. first duckface on the moon

        “True Libertarian approaches” don’t get past inventing fire TBH.
        Spoiler, it’s hot. Do your own research of course.

  2. K. M. Peterson

    Well, THIS story has generated a lot of comment. Hopefully this isn’t redundant…

    There is a well-established vein of practice in the US based on the idea that there should not be a federal, mandated, identity credential. The lack of such – usually expressed as an ID “card” but presumably also respecting a digital credential – has led to the multiplication of partially-authoritative documents.

    The “driver’s license” at the state level is the closest thing to a universal id, and the weaknesses of the many issuing state systems led to the “Real ID” standard. Getting a Real ID in Massachusetts, for example, has been well-publicized as being very difficult.

    It’s not clear when the inconvenience or real inability to participate as a citizen will make it untenable for people to maintain the right to not use these systems, but sooner or later it will happen. The actual problem is that because there is enough pressure on the federal government to block these efforts to centralize identity registration, agencies will go around it by employing contractors like id.me. Maybe the best way forward, as (arguably) with the “public option” for health insurance, is an agency offering identity as a service. As the Post Office participates in passport application, perhaps that would be a good place to start.

    I’m not naive about the problems – I have an SF-86 on file, which was undoubtedly leaked – but the problem is not going to go away.

    1. JamminJ

      Thanks. That’s a very good understanding of the problem.
      Our nation is unique in our persistent fear of concentrated government. Our federalism is a result of compromise between the federalists and anti-federalists of old. Hamilton / Madison / Jefferson / and others.

      But you did leave out an important corollary. The Social Security Number.
      It started out as just a unique numeric identifier, at the federal level, and because 51 separate DL numbers would not work and Driver privileges were not fully inclusive enough to cover the number of Americans that needed to pay into (and receive from) the Social Security pool.
      It was the “identity” that most people got early in life, kept for a lifetime, and used for most interactions with the federal government when it came to paying taxes. Even the states, which could levy their own taxes, require their own forms of ID to file state taxes, still found the SSN most useful.

      Of course, SSN have also been fought against for as long as it’s been in use. Many still regard their SSN as the “mark of the beast”, or a form of government overreach.

      Perhaps that’s the biggest failing with the comments that have flooded in. That proper digital identity proofing is needed now, BECAUSE identifiers like Social Security Numbers have failed us for so long. The financial sector had abused the SSN by using it for more than just an identifier, but as a secret password. So they have been complicit in most identity thefts when they issue funds to criminals who do a little bit of recon on the full name, date of birth, address, and an SSN. Too easy for crooks, but users don’t care about security if it makes it harder than this.
      To get a new SSN, it is usually a difficult process too. But the people complaining about ID.me, are people who got their SSN at birth and don’t remember the process to submit birth certificates. Likewise, the the process to change an SSN is a very arduous process. But that is the nature of identity proofing from scratch.

      The GSA (General Services Administration) has a “public option” already. Not sure why IRS.gov isn’t using it like the SSA is currently.

  3. al

    This is a most timely article. I had to make a payment to the IRS in the amount of $10.00. I previously had an account with the IRS which no longer existed. I was directed to create an account with ID.me.

    I started the process at nine in the morning. I scanned and uploaded the required documents (hint, take a photo of the documents and upload them…the scans do not provide a clear enough image). After much re-uploading until they were satisfied I then had my face scanned, which turned out to be a hilarious series of failures until finally the scan was accepted (or they just gave up on the effort).

    I was then informed that I would have a 2 hour wait in the queue to be interviewed by a remote interview person. By then it was almost lunch time so I started fixing breakfast and watching the screen. Part way through cooking my eggs I was notified my turn was up. A representative showed on my screen…he could hear me but he couldn’t see me so he terminated the video call (damn cheap webcam). I was notified that it would be an hour before I would be contacted. So I continued cooking breakfast. Before my toast was done my turn came up again. This time the rep could see and hear me. She looked over my documents and said they were ok and then put her face right up to her monitor so she could see that my face was a match ( I really did try not to laugh watching all this).

    At around ten that night I completed the process. Normally I would have abandoned the whole thing…I have never been through such a ridiculous process before (including my time in army) but I just wanted to see what was going to happen.

    I logged into the IRS site to make my $10.00 payment and felt very proud of myself to have the perseverance to complete the process. That is not like me.

    I am so glad I found your article so I know I am not the only one out there.

    1. Idp

      I guess the alternative would be to go to an irs office somewhere to pay or not be lazy and mail a check.

  4. kingJames

    Went through same. It will be helpful if all requirements are spelt out as well as the estimated time of completion.

  5. jay

    I hate this change to use ID.me and hate handing over all my personal information to yet another 3rd party company. I would have preferred using login.gov credential at IRS too like the SSA website & others. I switched SSA to login.gov while back. At least, with login.gov your personal information is with some government website (not that it will be any safer but at least the entity is not a private company). I wish there was a way to create the ID.me account, disable online access to related sites, remove the personal information & only deal with snail mail for communications.

  6. Ron Cleven

    I would be fine with this change if the same concept was also used to secure elections. But nobody wants secure elections, so never mind, I guess …

    1. JamminJ

      Of course we want secure elections. And I would certainly consider identity proofing as a way to do voter registration.
      However, using a site like IRS.gov (which is not a requirement for just regular tax payers), is very different than a system that every eligible voter must use.

      150 million Americans pay taxes, but there are 240 million eligible voters. That includes the homeless, jobless, and those in extreme poverty.
      It is expected that the IRS website could require more hoops to jump through, like getting a hold of a smart phone / computer / internet. But for voters, no.

      Now, there are ways to do identity proofing in person, without infrastructure, and without costing the voter a single cent.
      The US military routinely uses biometrics to register people and filter known insurgents. But that’s something Americans are unwilling to tolerate at home.

      I would be willing to support fingerprinting all voters to satisfy the secure voting objectives of the right. But only if the government paid for it in its entirety. They would need to be within easy travel distance without a car or paid fare. That means they would have to be at every post office.
      Now, to the people who say they want secure elections, when they see the bill for everything needed to do secure identity proofing with biometrics and have it inclusive enough to be completely free and accessible to even the homeless… then you’ll see a lot of hypocrisy and backtracking revealing the truth. Many people who SAY they want more secure elections, really just want an opportunity to suppress the votes of political opposition.

  7. Bill

    I got “validated” for IRS access today. Already had an ID.Me account for military and education discounts, but still had to go through the whole verification process. Although it says you can upload a PDF of a document (I scanned my driver’s license to a PDF), it rejected it as a “photo of a photo” and I had to take a photo with my phone (which was lower quality than the scanned PDF!). After submitting the replacement, I had to wait a couple hours for an email that said my documents were good. I then logged back in, got the “wait message” (mine was only just over an hour), and was told I would do a video call when I came up in the queue. After about 35 minutes, I got a text with a link to initiate the video call. The call took about 10 minutes during which I had to confirm my identifying information, hold up my driver’s license to the phone and then my passport. Then he took the “selfie” and validated my access. Fairly painless, though a little time consuming. I’mm for anything to help prevent identify theft and someone filing a false tax return with my identity.

    1. TRX

      > video call

      How is this accomplished? Some specific web browser or browser extension?

      I don’t have a cellular phone, and my desktop runs openIndiana, not Windows or Linux.

      1. orly

        Then you don’t need the website. You need to go through the mail like you normally do.

  8. Tyrhonda Stone

    The hacker will have a field day with the site. I remember several years ago when the IRS database was hacked and my information was compromised in a system that was supposed to be secure but it wasn’t as secure as they thought. I was given free membership with the credit bureau to monitor my credit for a couple of years. The membership allowed me to lock and unlock my report. Add a selfie on the IRS database and the ability for them get in spell disaster.

    1. B.D

      People willingly upload selfies to social media every hour, for the attention.

      The point of doing all this, is to make sure that the previously compromised information is no longer of any value to those criminals. Credit monitoring didn’t prevent fraud. This will.
      Your stolen information could previously have been used to allow hackers access to your taxes, refunds and benefits. Now, they can’t. Not even if they have your “selfies”. They would need to be live, and interacting with a real person. Static information won’t work to steal your identity anymore.

      1. Elaine Biggerstaff

        I’m not one of those who upload anything to any social media. And as a senior citizen using only Tracphone as a cell phone and only got it for emergencies, soon I will not be able to do or get anything because everything will depend upon having a smartphone. So, those of us without the latest technology are non-entities who are discriminated against for not wanting to join the technocracy rulers over life.

        1. Susan

          How are you paying taxes right now?
          Doesn’t look like anything will change for you at all.
          I know people who still mail their forms to the IRS, the internet and all this technology hasn’t changed as much as you think.

        2. John Cox

          Certainly there are many people who lack access to computers or smart phones.
          As to your specific concern, a smart phone is NOT required to complete the ID.me sign-up. A computer with a webcam will work just fine.

  9. John

    I have existing accounts at IRS.gov and SSA.gov where I initiate the login with a username and password. ID.me is shown as an option on both sites. The IRS site states “ID.me is our trusted technology provider in helping to keep your records safe.” The Social Security Administration, quite surprisingly, has a disclaimer saying “links to certain websites [namely login.gov and ID.me] are not affiliated with the United States government. If we provide a link to such a website, this does not constitute an endorsement by SSA or any of its employees of the information or products presented on the non-SSA website. Also, such websites are not within our control and may not follow the same privacy, security or accessibility policies.“ The Social Security Administration offers this option, but what they are really saying is you are on your own. The information I would need to provide for ID.me enrollment is likely more sensitive than the information the IRS or Social Security is trying to protect.

    As one who has been affected by the 2015 US Office of Personnel Management data breach, where the most personal details of my family and myself were released, and to a lesser degree, details on my neighbors, I would not trust ID.me or any other such organization. The other 22 million people involved in the OPM data breach would likely feel the same.

    1. JamminJ

      “The information I would need to provide for ID.me enrollment is likely more sensitive than the information the IRS or Social Security is trying to protect.”
      No, that is backwards.

      The information is private, but it’s sensitive precisely because it can be used to open up accounts for the purposes of lending money, paying benefits, refunding tax dollars, etc.
      The solution cannot be to claw back sensitive data. That’s like asking people who’ve had their SSN stolen, to just get a new one. It’s not practical.
      Although having you and your families information out there is still scary… The proper solution, which has been recommended by security professionals for a long time, is the eliminate the practical value of those “personal details”. If fraudsters can’t really use those personal details to open lines of credit, or get benefits in your name,… then that solves the fraud and identity theft problems.

      Yes, I was also affected by the OPM breach too. And what’s worse, is that it was about the same time I began working in this field. So I knew then the exact implications of the breach and how it was going to affect everyone. Even further, I knew that credit monitoring could only be a band aid on a gaping wound. And that the real solution would be to neuter the data that was breached. Make it so that SSN/DOB/address are practical useless. Of course we also knew the way to do that is strong identity proofing and MFA that users are not gonna like.

  10. Trustnot Irs

    Doesn’t anyone else worry about the use of the .ME tld (which I block) over a .gov TLD? I have just a tad more trust (just a tad) that the requirement for a domain to be parked in .gov is not as easy as getting a .me . A small step indeed, but security is made of of many small steps, no one thing to save everyone. This just help drive bad behavior. Thank you, IRS.

    1. JamminJ

      There was a big shift, don’t remember how many years ago, that unleashed TLDs from what they once were, country codes often used by firewalls… to anyone can buy pretty much any custom TLD now.
      So .me TLD isn’t particularly unsafe compared to .com anymore.

      .gov does indeed have some restrictions still in place though. So your point is well made. Another reason why the GSA’s login.gov should be used instead.

  11. Louise

    The privacy policy states:

    We provide certain services and products of the Website through Third-Party service providers. These “Third-Party Service Providers” perform functions on our behalf, such as sending out and distributing our administrative and promotional emails. We may share your Personally Identifiable Information with such Third-Party Service Providers to remove repetitive information on customer lists, analyze data, provide marketing assistance, provide search results and links, process credit card payments, operate the Website, troubleshoot, and provide customer service.

    Brian, it would be nice if CEO Blake Hall would supply a LIST of top 20 affiliates/partners by volume of data, such as the owner / operator of the face recognition software ID.ME uses . . . not just Third Party Advertising Companies . . . that are members of the Network Advertising Initiative (“NAI”), which include Google/Alphabet companies.

    “These companies may use Non-Personally Identifiable Information about your visits to this and other websites in order to provide, through the use of network tags, advertisements about goods and services that may be of interest to you.”

    Google is going to receive a windfall of Non-Personally Identifiable Information to refine its database of US citizens including

    “remove repetitive information on customer lists, analyze data, provide marketing assistance, provide search results.”

    If Google or Alphabet is supplying the facial recognition software, or any other softwares enabling the processing of ID information, it will be able to fine-tune its information on US Citizens. The terms and privacy are murky!

    Of course,

    “You will defend, indemnify and hold ID.me harmless against any and all claims, costs, damages, losses, liabilities and expenses (including attorneys’ fees and costs) arising out of or in connection with a claim by a third party related to your use of the Website and the ID.me Service.”

    1. notlegaladvice

      That’s not the privacy policy, that’s the Terms of Service.

      1) Give up your right to sue as an individual or as part of a class and instead submit to forced arbitration. These terms are legal, but can be bypassed with good lawyers.

      2) When the TOS refers to PII as a Submission. That’s different than the live video calls and uploaded documents to perform the identity proofing. Those policies are not in the TOS, but in the Privacy policy and the biometrics policy.
      The TOS is referring to “comments, feedback, … considered non-confidential”. That’s the standard TOS for many web services that have comment sections, feedback forms, and the like.
      Ask a lawyer if that TOS is out of the ordinary or if that means they could sell your Driver License photo to a 3rd party. The answer would be no.

      The Terms of Service are not the only binding policy document in play.

      Don’t cherry pick from the TOS, Submissions section, in order to suggest that it covered confidential and sensitive things, when it does not. The privacy and biometric documents discuss those items, and it is far more reasonable.

      If you are still so concerned about the TOS being too broad, then talk to your representatives and senators in Congress. Tell them to enact privacy policy similar to GDPR and CCPA at the national level. This would really make a lot of these nightmare interpretations really impossible to legally enforce.

      1. Louise

        Hi, Thanx for the reply.

        I should have posted the link: id.me/privacy – most of the quote, above, is from the privacy policy, some under the heading, if you scroll down:

        We may share your information with Authorized Third Party Service Providers

        “We may share your Personally Identifiable Information with such Third-Party Service Providers to remove repetitive information on customer lists, analyze data, provide marketing assistance, provide search results and links, process credit card payments, operate the Website, troubleshoot, and provide customer service.”

        So, this concerns, PII. Just saying, you KNOW this info will be shared with Google: “provide search results.”

        Thanx for publishing my comment, Brian Krebs!

        1. notlegaladvice

          Yeah, I get what you’re saying. It’s just confusing to a lot of people who see the terms of service or privacy policy in regards to PII. Especially when a company is handling confidential data that’s still considered PII but is also a subclass which is handled differently.
          It’s really scary because people don’t understand the nuance.

          You can be concerned with the handling of PII like we all have concern regarding data privacy for every other online service.
          But in the context of ID.me, people think you’re talking about the biometric data and legal documents being uploaded for identity proofing. And they get scared thinking that the company can just handle that like every other piece of PII, just because their terms of service or privacy policy has a disclaimer about it.
          The biometrics policy covers this type of data in more detail and the legal framework still does not permit them to treat confidential biometric data in the same way they treat every piece of PII.

          1. Louise

            What’s the difference? PII is PII. ID.me investors wrote themselves a blank check, so to speak. ID.me investors covered their butt to use the PII anyway they want! The user agreed to it, “greed” being the operative word.

            Brian Krebs, did the ID.me founders have to sign an NDA when they accepted investment? Who are the investors? Outside the “sell, trade, rent” realm . . . investors bouy the company. Brian Krebs, who are the “investors?”

            1. notlegaladvice

              No, not all PII is the same. PII is an extremely broad term, defined somewhat differently depending on your state, and covers many subsets/types, each with different regulatory, compliance and governance requirements.
              The biometrics policy linked above includes a lot more detail about how they handle biometric data that is still PII. Reading only one policy, unfortunately, is not enough to understand how the company may or may not handle your data.

              Seems like you think this is a shady, secretive company. But they’ve been around for a long time. Yes, founding shareholders generally sign NDAs. It’s a private company. And I agree that the IRS should not be using a private company for this.

              The terms of use, privacy policy, and even the biometrics policy are not law. Yes, every company uses these statements to cover their butts. But it doesn’t circumvent the laws and regulations that apply. They still cannot just “use PII any way they want”.
              “Greed” doesn’t make sense, since they cannot sell the the data to 3rd parties. They get their revenue from selling their services to all the private and government services in desperate need to fight identity fraud… and there are a lot of them, and they are willing to pay a lot since they are losing millions already.

  12. Spencer

    I had been resisting RealID, but then read about the IRS’ new process. By chance, just before seeing this post, I had just finished signing up on ID.me and then going to IRS, signing in with the ID.me button, then following the instructions online. Compared to Chris’ experience, mine went reasonably smoothly. I use Firefox with NoScript and uBlocker and tracking disabled. So, when I could not upload the photos of my driver’s license [it said upload, then hit Continue, but the Continue button remained greyed out], I disabled all these filters, but it still would not work. Luckily, it also will send a link to your phone to take the photos, and this worked fine. When I got to the video-mugshot part, it complained a couple of times [before I removed my eyeglasses to match the license], but then finished and sent a Verify to my phone and that completed the process. Easier than I expected, and it never asked for any other documents.

  13. Sane One

    There is absolutely no reason after establishment of your identity through the ID.me process and creation of your unique token that ID.me would need to retain your biometrics. The fact that they retain it means they intent to use and profit from it in the future either by selling (and then requiring) iris or DNA matchine and/or selling their services to other entities which will require you to facial scan at point of transaction with them. It’s shadier than heck and absolutely should be opposed.

    1. notlegaladvice

      They don’t sell biometric data.
      And just like your DMV, they keep the data.

      Opposing this should begin with adopting something like California’s CCPA nationwide.

      1. TimH

        CCPA doesn’t apply where FCRA applies. So it’s inadequate already.

        1. notlegaladvice

          And the FCRA (Fair Credit and Reporting Act) does NOT apply here.
          So CCPA would be very useful if it were adopted nationwide.

          1. TimH

            Yeah, that’s working well:


            6. Protecting and Destroying Personally Identifiable Information
            Personal information will be retained until we have fulfilled ID.me’s legal, contractual and policy obligations. Currently, in order to fulfill these obligations, our retention policy is the duration of your relationship with ID.me plus seven and a half years.

            1. notlegaladvice

              What’s supposed to be working?
              ID.me is based in Delaware, not California. So CCPA doesn’t apply.
              That’s why I am saying that if you don’t like the weak privacy laws that ID.me is currently under…. then you should petition and call your representatives to adopt California’s CCPA nationwide.

            2. notlegaladvice

              ID.me is based in Delaware, not California. So CCPA doesn’t apply unless you are a resident of California. And as a resident of CA, you have certain rights that every other ID.me user won’t have. For example:

              Right to Opt-Out
              According to the [CCPA], you have the right to opt-out of the sale, disclosure, release, transfer or dissemination (collectively, “sale”) of your Personally Identifiable Information. While we do not sell your Personally Identifiable Information, we will share such information with third parties with your explicit consent as set forth in our Terms of Use and Privacy Policy. We will respect and honor your request to opt-out of the sale of your Personally Identifiable Information, but please be advised that you may not be eligible to receive discounts, cash back rebates and other benefits from merchants and other service providers because they will not be able to verify your identity and/or eligibility.

  14. David

    Very helpful, thank you. I set up an account for myself but can it also be used for client matters in my CPA Practice?

  15. Ben Hyde

    Interesting how the cost of testing with a proctor has become a lot cheaper. “Thanks Internet” Deciding to not add more procedures to your security scheme is a hard sell in many organizational settings.

  16. Nicholas Spagnola

    IF YOU SUBMIT DOCUMENTS that do not have EXACT name matches, including middle NAMES, yoiu get flagged, switched to a real person, etc.

    BUT, I JUST FOUND THIS on the SOCIAL SECURITY WEB SITE, regarding middle name – – it is NOT A LEGAL PART OF THE NAME !!!!! so if THAT is true, then all this matching up is NOT following truly LEGAL guidelines???? DOES the left hand know what the right hand is doing??

    FROM social security web site

    RM 10205.120 How the Number Holder’s Name is Shown on SSN Card
    The number holder’s (NH) first and last name on his or her SSN card must agree with the first and last name shown on the document submitted as evidence of identity or legal name. A middle name or suffix is not considered part of the legal name. It does not matter if the middle name or suffix is included, omitted, or incorrectly shown on an SSN card.

    For SSN purposes, a NH’s legal name consists of the first (or given name) and last (or family name or surname) that is used to sign legal documents, deeds, or contracts.

  17. alton rouser

    I will be surprised the public will put up with this highly intrusive change. This is a horror show in the making. Time to complain to your Congressman and everywhere else.

    1. The government can’t be trusted to keep all your private information secure. Privacy and personal security matter.
    2. Lots of people can’t deal with computers, such as the disabled and old. There needs to be an analog fallback mechanism.
    3. The procedure chosen is way too cumbersome sanctioned by out of control bureaucrats.

    Starting to discuss alternatives:

    1. What happened to the notary public? (In this case you show up in person and present your one or two ID’s and get a notarized document back to send in with your paper application for an account.) This would be a good job for post offices to do: identity verification.

    2. Why can’t the IRS piggyback on https://secure.login.gov ?

    3. Why can’t the IRS use its own verification methods. I seem to recall it required the previous year’s AGI for verification. Address validation has sometime been used by other government accounts. You can already get an IRS pin to file your return with. Why not piggyback on some of that?

    4. Plus there are many more verification methods, such as state ID’s, credit cards, passports, bank accounts for payments and refunds, and credit reports. Why can’t the IRS piggyback on state ID’s, etc?

    1. JamminJ

      1. True, and neither can private enterprise. Government systems can be breached. Private systems can be breached and decide to sell your data.
      2. There are already analog fallback mechanisms for everything you can do online with IRS.gov. Those people who can’t deal with computers themselves already use proxies, agents, accountants, tax prep companies and the US Mail.
      3. Secure 2FA and identity proofing procedures were not created by the government. They have been recommended for many years by the experts. Identity theft and other common fraud targeting the IRS, had proposed solutions. This is the result.

      1. Yes, notaries are still used in many cases when dealing with the IRS. Certainly still in use for those who don’t have an IRS.gov account.
      2. That is a good question. They absolutely should have that as the default option.
      3. Those methods of verification (AGI, home address, and even mailed PIN) are terrible for identity proofing. Rife with fraud. Dumpster diving is one easy way. Stolen mail is very common. This kind of “static” data, has been abused by scammers and is the reason why the secure way must avoid them.
      4. State issued IDs and Passports are the methods of pre-existing identity verification that ID.me uses. Of course, verification of those items is still needed to make sure they are not forged. And the static information in credit reports is a horrible idea; most of that info is open source and available on the internet.

      Good security is not intuitive to people outside the security community. It may seem like “common sense”, but it really is complicated and nuanced. That’s why we need good journalists like Krebs to bridge the gap and explain this stuff.
      To have a secure system that can significantly reduce fraud and identity theft, we have to understand the subtle difference in the types of data and also the capability of fraudsters. I know it’s cumbersome, but it HAS to be difficult for criminals.

  18. JamminJ

    It would not surprise me at all if the IRS is still in the process of allowing “Login.gov” from the GSA.
    With large bureaucracies, there are often roadblocks that may not exists when contracting out to a private 3rd party, but do make it a long process for two separate parts of government to work together.

  19. J Cunningham

    Interesting… I took me all of 15 minutes to get approved after I discovered my IRS account is not there anymore.. the longest part was getting me phone to produce the Live Photo they wanted… I finally ended up using my bathroom lights to illuminate my face and voila done… Like the author all of my Credit history are locked…

    I was comprised in the OPM hack…

    So now what?

  20. Jay Libove

    This is a great summary of the process and the problems with the process .. for US-resident Americans.
    I’m an ex-pat American. No bank, phone, utility, Internet, etc bill would be accepted by ID.me’s processes, and we do not have US-side mobile phones, so not only did my wife and I have to go through the video verification (which, once we got to it, worked well), but we had to figure out how to get TO the video verification, since it only happens after you submit “acceptable” documents. It takes a series of failures and human email intervention from ID.me to get a video verification in this case. In some ways I was impressed by ID.me’s system, but it clearly is not well thought out for ex-pats. (Nor for seniors/ the less “technically savvy”, which fortunately I’m not). It must be improved.

  21. James Mac

    Very interesting. I live in Jersey – the original one, not the knock-off copy over the river from New York. Our government introduced an identity system not unlike ID.me for access to online tax returns about three years ago, software called Yoti.

    Once it’s on my phone it works very well.
    Getting it installed was an absolute nightmare, and like you it was mainly because of video.
    Getting it uninstalled and moved from one phone to a newer phone is basically impossible.

    I think this whole thing about photos and videos for biometrics is likely a dead end, and it’s going to cause a lot of grief on the way.

    1. JamminJ

      Photos and videos for biometrics is indeed bad. Since the technology for deepfakes has become easy to get and use.
      However, LIVE video for biometrics is still good, for now. Doing a deepfake with a live video stream is not currently good enough to be believable. This may change, and when it does, we’ll have to go back to in-person interviews for identity proofing.

      Biometrics are a great thing, if implemented correctly. I’ve long said that biometrics should only be considered secure for identification, if “supervised” during biometric reading. That means no fingerprint readers on car door handles, but yes to face scans to gain access to a government building with guards watching.
      ID.me video interview process is a compromise, figuring that live video chat is sufficient supervision while taking biometrics. With today’s technology, it is good enough.
      Fraudsters are not going to risk getting on live video unless they can mask their true face with a convincing deepfake of the victim.

  22. Smartacus

    How about you DON”T cooperate with the police state that Democrats are building, rather than geek out on the details? There are broad and terrible consequences of giving this to the government. You all know they do not require this to hand out money to illegal aliens, right? The 100% purpose of this is to make it easier to control dissent.

    1. Q

      Go back to alex jones.
      We all know you people hate this country. You want your dictator reinstated, Constitution be damned.

  23. Smartacus

    Umm, who has acted as a dictator? The one who wants facial recognition files on all taxpayers and vaccine mandates for citizens, but not for illegal aliens and “refugees”? How about the one who locks up the political opposition for over a year for trespassing charges but releases allies who both trespass, assault people and destroy property? The one who works with tech to enact censorship? Wait, that’s all one guy- Biden (and the people pulling his strings). You have to be mentally ill to say Trump was a dictator after seeing the loss of freedom we have endured this last year.

    As far as hating the country goes, those tearing down statues of Teddy Rosevelt, Thomas Jefferson and George Washington come to mind. And their party.

    1. P.D.

      Dude, you failed your little insurrection. Stop whining. You’re not Patriots, you’re hypocrites. You don’t want freedom for all Americans, you want a white nationalist ethno state. You Proud Boy militias make me sick.
      You think you’re fighting like it’s 1776, but the thing you are fighting for, is from 1860, and you’re on the side of the Confederacy.

    2. Dustin

      You both are being very hyperbolic.
      But Smartacus you seemed to have gone down a dangerous rabbit hole of Qanon conspiracies. The Insurrection of January 6th was criminal, but you seem to sympathize. And I’ve heard similar remarks from Qanon demonizing an entire half of the country. Do you think all Democrats are pedophiles too?

      Biden certainly is no great president. His biggest failing seems to be over promising and not delivering on those campaign promises. Promising to end a once in a hundred years type pandemic, within a single year. Bungling the end to a 20-year war, which was going to be a stain on the legacy of whichever president decided to finally do it.
      So basically average screw ups for a president. Reagan screwed up the economy too, had his share of scandals, big and small. War on drugs was a major failing there too.

      All of that said, Trump was on a whole nother level. Not just a bad president by American standards. But a global catastrophe and an embarrassment to any so-called free democracy. Trump made Nixon look like a law-abiding citizen in comparison. Weakening the Ukraine by extorting them to dig up dirt on the Bidens, was on par with Nixon’s Watergate scandal which was also about digging up dirt on Democrats prior to an election. Trump was willing to break any law, tell any lie, and risk destroying the fabric of democracy just to win re-election.
      Blaming radical leftists and communist is an old playbook dating back since before the reichstag fire was also blamed on communists. Now Trump supporters like Smartacus want to blame them for the Capitol attack as well.
      Trump is a criminal in many ways, like a mob boss in organized crime, he will have his supporters.
      Biden sucks, but in a normal way that almost every president sucks.

  24. S Vine

    What’s not being reported anywhere is this verification doesn’t just affect those trying to use irs.gov or online filing.

    We’ve been working with several elderly PAPER filers who have refunds tied up because of “fraud flags” that this private company identified. In these cases, the victims of this company have been unable to complete website or video “verification” in some cases lacking the required documents (utility bills) or technology (webcams and smartphones) to use the service. Calls to local IRS offices or the taxpayer advocate service indicate they are unable to clear these blocks and refer the victims to an ID.me phone number which has not been answered in over three months.

    All the valid concerns about privacy and government overreach aside, It’s appalling to roll out these technologies without making provisions for the people who will be most disadvantaged and discriminated by their use.

    1. orly

      Sounds like the system is working then.

      These elderly PAPER filers who get flagged, are often because they are “victims of actual identity thieves”. Not victims of a company trying to prevent the fraud.

      So before, these elderly paper tax return filers, would have just had their identity stolen, and their money moved offshore without a word. These victims have been complaining for decades about how hard it is to “come back” from identity theft. Years of paperwork, updating records, dealing with credit reporting agencies, and getting new social security numbers.
      But now, I guess people can just complain that they have to call a number and get help using webcams and smartphones.
      Sounds like a win.

  25. Chris S

    You know how only people with something negative to say take the time to comment? Well for the rest of you, here’s a positive: I created my account in under 3 minutes, a week ago (obviously did not need to wait to see a human), and was not too worried about giving up any information, as my drivers license is basically already government info, and my face is already handed out or posted everywhere. Although, I also resent being “forced” to do business with this 3rd party….

  26. rapidfs

    For now, this process is optional if you already have an IRS username and password. But if you don’t, and you want to use online tools to request an online tax transcript or see information regarding your tax payments or economic impact payments, you’ll need to sign up with ID.me. And starting this summer, those old IRS usernames and passwords will no longer work.

    As CNN reported last year, ID.me already verifies identities for more than half of all states’ unemployment agencies as well as a growing number of US federal agencies. In addition to the IRS, ID.me works the Department of Veterans Affairs, Social Security Administration and the U.S. Patent and Trademark Office. The company says it has 70 million users and adds 145,000 new users each day.

    1. Bob W

      I tried logging in to the IRS with my existing credentials and was told I could no longer use those to log in. Luckily I had already created the ID.me account when I was getting my RealID DL in Calif. So, I only needed to go through the ID verification portion of the process on the IRS site and after a couple of images of my DL and a short mugshot video, I was done.

      Overall it went quite smoothly and took very little time (for the parts I needed to complete).

  27. Paul Nasman

    How many times do we have to do this? I already have a login.gov account for accessing government benefits. I’ve also gone through a background check, fingerprinting, an in-person interview, and paid a $100 fee to get a Global Entry Card for foreign travel. So, after all this, we’re saying that the screening “service” provided by ID.me somehow adds value?
    The process described by Mr. Krebs is nearly identical to the verification of results for the Binax-NOW Ag at-home Covid test from Abbott Laboratories. Basically this involves calling a toll-free number, receiving instructions, then answering a call-back 15 minutes later to review the test results. The “certified” representative used my iPhone camera to make sure my face matched my driver’s license and to view my little test card on a stick. I received a pdf certificate of test results 10 minutes later, which was added to my state health records at my request.
    If Abbott Labs can do this for a product you can buy at Walmart, how does ID.me get away with wasting hours of time with their bungled procedure? And how much are they charging the IRS for privilege of amassing this huge consumer database? Somebody has to be laughing all the way to the bank.

  28. M Ray

    Well I had an ID.ME account from the California DMV (just info, no pictures). Of course, it’s not good enough for the IRS.
    Can get through the photo verification. Never got the open for video.

    Had to figure out how to open a support ticket, so 48+ hours later. they come back and say there’s a problem with my info, and they’re going to “fix it”

    Never receive a reply back. Try again. Still fails, but now I get a link for video chat.

    Which shows my account is now “suspended”. Which they didn’t tell me. Nice security – account gets locked for activity, and DON’T tell the account owner ?

    Anyway have to open yet another ticket to say my account is suspended and continue to wait. So I figure it will be at least 48 hours to get a “we got your ticket” and at least that long for them to reply with actual info.

Comments are closed.