The U.S. Internal Revenue Service (IRS) said Monday that taxpayers are no longer required to provide facial scans to create an account online at irs.gov. In lieu of providing biometric data, taxpayers can now opt for a live video interview with ID.me, the privately-held Virginia company that runs the agency’s identity proofing system. The IRS also said any biometric data already shared with ID.me would be permanently deleted over the next few weeks, and any biometric data provided for new signups will be destroyed after an account is created.
“Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data – including facial recognition – will be required if taxpayers choose to authenticate their identity through a virtual interview,” the IRS said in a Feb. 21 statement.
“Taxpayers will still have the option to verify their identity automatically through the use of biometric verification through ID.me’s self-assistance tool if they choose,” the IRS explained. “For taxpayers who select this option, new requirements are in place to ensure images provided by taxpayers are deleted for the account being created. Any existing biometric data from taxpayers who previously created an IRS Online Account that has already been collected will also be permanently deleted over the course of the next few weeks.”
In addition, the IRS said it planned to roll out Login.gov as an authentication tool for those seeking access to their tax records online. Login.gov is a single sign-on solution already used to access 200 websites run by 28 federal agencies.
“The General Services Administration is currently working with the IRS to achieve the security standards and scale required of Login.Gov, with the goal of moving toward introducing this option after the 2022 filing deadline,” the agency wrote.
The IRS first announced its partnership with ID.me in November, but the press release received little public attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me.
That story went viral, and the ensuing media coverage forced the IRS to answer questions about why it was incentivizing the collection and storage of biometric data by a private company. On Feb. 7, the IRS announced its intention to transition away from requiring biometric data from taxpayers who wish to access their records at the agency’s website, but it left unanswered the question of what would happen with the facial recognition data already collected by ID.me on behalf of the IRS.
In a letter to the IRS this month, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements, saying login.gov is perfectly up to the task if given all of the resources and funding it deserves.
“Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity,” Wyden wrote. “The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”
Anyone believe that personal data actually will be deleted?
I didn’t think so.
I actually do believe that.
Whatever data the NSA wanted, it has already. Now it’s just a storage liability for this dept.
Any projected date for when the IRS will integrate login.gov for their authentication? I would think a Presidential Directive would take care of the issue with agencies flouting the requirement.
Anyone who is promoting Login.gov clearly has never used it before. It is worse.
It is still going to be optional. If you like ID.me better, and don’t care that they are privately owned, then you can still choose to use ID.me as your identity provider.
RE the “taxpayers are no longer required to provide facial scans to create an account online at irs.gov”, it looks like there is no option to create anything but an ID.me account.
From irs.gov sign-in page:
“If you have an existing IRS username, please create a new ID.me account as soon as possible. We’re bringing you an improved sign-in experience. You won’t be able to log in with your existing IRS username and password starting in summer 2022. If you’re a new user, please create an account with ID.me.”
“The General Services Administration is currently working with the IRS to achieve the security standards and scale required of Login.Gov . . .”
Does this mean IRS systems are not meeting security standards?
Yes, each agency has their own standards and practices. The Treasury Department is different from the GSA, and the DoD.
Similar to the private sector, where each company largely sets their own standards.
They do try to follow NIST standards but even their extensive documentation still leaves some room for interpretation.
It’s quite possible the IRS implementation of Identity management follows most NIST standards but doesn’t adhere strictly to some other NIST guidelines that are implemented by the GSA’s Login.gov.
Since Login.gov covers a lot more agencies, the “scale” required for Login.gov is very different from what the IRS has been used to.
Remember, there is a significant body of politicians who have been trying to defund the IRS for decades, and they are behind the curve on many of the latest technologies.
G.Scott H. and JamminJ, I think you have it backwards. IRS wanted a NIST 800-63-3 IAL2 compliant login and login.gov is not IAL2 compliant. See page 13 of this report from 2 years ago: https://www.treasury.gov/tigta/auditreports/2020reports/202020012fr.pdf
Yes, thank you. It seems that quoted statement can be taken both ways, as either the IRS doesn’t meet the GSA standard, or GSA doesn’t yet meet the Treasury’s standards.
IAL1 – There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted, which are neither validated nor verified.

IAL2 – Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically present identity proofing.

IAL3 – Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained credential service provider (CSP) representative.
Should we plant our flag at both ID.me and Login.gov?
The question is who runs login.gov? In an administrative/operational sense. Does the federal government have a Department of IT we don’t know about? My point is that if .gov just farms the work out to a civilian contractor, what is the difference? And who has better operational information security, the government (disregarding .mil) or the private sector?
Krebs will correct me if I’m wrong, but I believe login.gov is a government site managed by the GSA. Like many government organizations, they may employ non-government people per the guidelines set up, but it’s still managed by the gov.
Of course nothing is 100% secure, no matter who manages it.
The difference is that login.gov doesn’t require a facial scan. They also don’t require a video interview, during which I have zero confidence ID.me is not taking a screenshot. Also, I have zero confidence ID.me is *actually* going to delete those images, despite what the IRS is telling us.
Yes, ID.me is using the video interview as biometrics. They never denied that, and that’s the way their anti-fraud system worked.
It’s actually the reason why so many state governments chose ID.me: because they lost millions in fraud, as the same few criminals pretended to be thousands of people making claims for benefits.
Just last month, they indicted a NJ man for defrauding more than $2.5 million in unemployment benefits in California.
ID.me used those “screenshots” from his video interviews to prove he was the same person.
ID.me will be forced to delete the data. They would face significant fines and lawsuits if they were to keep it. And it’s not like they can hide it if they keep it, because of whistleblowers. And if they cannot use it for anti-fraud investigations (which would also reveal that they are still retaining the data), then it makes no sense to spend money to retain the data.
Login.gov is fine…. but I think we’ll just see the same problems with rampant identity theft. It’s all good for privacy advocates, until they get their identity stolen too.
Well, that directly contradicts the article:
“Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data – including facial recognition – will be required if taxpayers choose to authenticate their identity through a virtual interview,” the IRS said in a Feb. 21 statement.
So is the video interview “biometrics” or not? Because both can’t be true. Either taxpayers are providing biometrics in the form of the video interview, or no biometrics are required.
The article goes on to state “Any existing biometric data from taxpayers who previously created an IRS Online Account that has already been collected will also be permanently deleted over the course of the next few weeks.” If they are deleting “any existing biometric data” and “new requirements are in place to ensure images…are deleted” (and as you point out, they cannot use it for anti-fraud investigations), then how, exactly, is ID.me going to be any better than Login.gov?
As to the “millions” saved because of ID.me, even if the story is true (and if it’s not, it’s an open secret that the welfare system is rife with fraud), there is a qualitative difference between an optional, opt-in, voluntary service, and something that ALL income-earning residents and citizens are **required** to use.
I happen to have a Login.gov account that was more extensively verified than anything ID.me could throw at it…. I have zero interest in yet another account to have to keep track of, private or not. Having more accounts is not going to make my identity any more secure….
This article is quoting future tense.
So yes, the IRS and ID.me are going to be doing things differently than they did just 1 month ago. Hence the “now” in the headline, the “will have”, “will be”, etc. in those quotes.
I agree, there is a big difference between an optional service, and a requirement for a huge population. That is a big point made by opponents of Voter ID laws too.
But “ALL income-earning residents and citizens are **required** to use” is incorrect. I do not have, nor will I need, an IRS.gov account. You don’t need it to file taxes.
Nonetheless, I do agree that ID.me should not be the sole identity platform in use, and people should always have multiple options.
All income earning residents and citizens are required to use the IRS.
True, you don’t need an IRS account to file your taxes, but most of us are going to need to interact with the IRS on a deeper level at some point. Need to set up a payment plan? Set up an account. Need a tax transcript for a background check because employers aren’t required to keep employment records past a certain amount of time, and some background checks want 10 years of employment history? Tax transcripts require an account. Need to make estimated payments for a 1099 job? Actually have your identity stolen and need an “identity protection PIN”?
The list of things you need an account for keeps getting longer.
How long will it be before the IRS decides that the best way to prevent fraudulent tax returns is to require an account? I’m honestly surprised that it *isn’t* already a requirement for the IRS; many states with an income tax require an account with their taxing authority just to file.
I get what you’re saying. It certainly does seem like it’s headed in that direction.
But it is still not currently “ALL income-earning residents and citizens”, and I don’t even think “most” is an accurate term right now.
In the future? Yeah, I agree.
That’s why this needs to be sorted out now, before it is required for the majority.
Nitpickery forever.
It’s not nitpicking. It’s detail. And this is why I come to Krebs.
Great questions.
CISA is kinda the de facto department in charge of cybersecurity policy. Each department within the federal government has its own “IT department”: DISA for the DoD, and the IRS uses the Treasury Department’s.
Yes, like most things in the federal government, contractors do most of the actual work. Defense contractors build and operate the DoD’s IT systems too.
It’s a surprise to many, but there is a significant revolving door between the government and private sector.
The data is stored in government “owned” cloud networks. But really, it’s still AWS, GCP and Microsoft Azure; it’s just subject to stricter contracts. What this means in practice varies, but it generally means servers are separate from non-government ones, no shared tenancy, the data cannot be used with 3rd parties, etc. This segregation does provide better security, but most vulnerabilities would still apply.
login.gov is run by GSA (specifically 18F). It uses LexisNexis (Risk Solutions) under the hood for identity verification: https://www.prnewswire.com/news-releases/calibre-systems-inc-and-lexisnexis-risk-solutions-team-up-to-strengthen-secure-access-to-government-agencies-through-the-logingov-single-sign-on-solution-301437468.html
https://www.newsweek.com/2019/10/04/lexisnexis-mistake-data-insurance-costs-1460831.html
It appears that the older logins may no longer work. I just tried my existing IRS login and was taken to the “create a new login” page. {Sigh}
So I opt in to the Identity Protection PIN (IP PIN) program every year. Will login.gov let me do this? There’s no way I’m creating an id.me account.
So just to confirm, login.gov will give access to the same information as ID.me, correct?
ID.me was apparently used by Texas unemployment dept. and CA DMV – people have rated ID.me poorly (1.1 out of 5) due to problems verifying data, and asking for too many substantiating documents.
California unemployment (EDD) has been using ID.me too.
They don’t really care about Yelp type ratings as they only reflect on convenience, not security.
These state governments lost millions to fraud. That’s the more important rating for them.
ID.me, in asking for “too many” substantiating documents and requiring video interviews, directly led to the arrest and indictment of a NJ man who made millions of dollars in claims in California.
People were tired of Identity Theft. There was huge outrage and people demanded that governments get strict against fraud. ID.me is the result.
What a mess.
In most European countries (except UK) there is a unique Citizen ID Card issued by some government entity that can be used for everything (identification related).
These days, with in-chip authentication and digital signature certificates, it can even be used to access government services and some private-sector websites (usually banks, but these ones all require a mobile app with the government authentication, just because the banks want it that way; the government doesn’t care whether you use the card or the mobile app to access their services).
What about other login.gov of other websites?
Digital signature certificates even to access government services and some private-sector websites, but these ones all require a mobile app with the government authentication, like erp.moh.gov.sa. I hope they don’t do the same in Saudi Arabia because this is a mess.
Thanks for sharing this amazing post.
I appreciate the time you spent finding that information.