The Internal Revenue Service (IRS) said today it will be transitioning away from requiring biometric data from taxpayers who wish to access their records at the agency’s website. The reversal comes as privacy experts and lawmakers have been pushing the IRS and other federal agencies to find less intrusive methods for validating one’s identity with the U.S. government online.
Late last year, the login page for the IRS was updated with text advising that by the summer of 2022, the only way for taxpayers to access their records at irs.gov will be through ID.me, an online identity verification service that collects biometric data — such as live facial scans using a mobile device or webcam.
The IRS first announced its partnership with ID.me in November, but the press release received virtually no attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me. That story immediately went viral, bringing this site an almost unprecedented amount of traffic. A tweet about it quickly garnered more than two million impressions.
It was clear most readers had no idea these new and more invasive requirements were being put in place at the IRS and other federal agencies (the Social Security Administration also is steering new signups to ID.me).
ID.me says it has approximately 64 million users, with 145,000 new users signing up each day. Still, the bulk of those users are people who have been forced to sign up with ID.me as a condition of receiving state or federal financial assistance, such as unemployment insurance, child tax credit payments, and pandemic assistance funds.
In the face of COVID, dozens of states collectively lost tens of billions of dollars at the hands of identity thieves impersonating out-of-work Americans seeking unemployment insurance. Some 30 states and 10 federal agencies now use ID.me to screen for ID thieves applying for benefits in someone else’s name.
But ID.me has been problematic for many legitimate applicants who saw benefits denied or delayed because they couldn’t complete ID.me’s verification process. Critics charged the IRS’s plan would unfairly disadvantage people with disabilities or limited access to technology or Internet, and that facial recognition systems tend to be less accurate for people with darker skin.
Many readers were aghast that the IRS would ask people to hand over their biometric and personal data to a private company that begin in 2010 as a way to help veterans, teachers and other public servants qualify for retail discounts. These readers had reasonable questions: Who has (or will have) access to this data? Why should it be stored indefinitely (post-verification)? What happens if ID.me gets breached?
The Washington Post reported today that in a meeting with lawmakers, IRS officials said they were considering another identity verification option that wouldn’t use facial recognition. At the same time, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements.
In a statement published today, the IRS said it was transitioning away from using a third-party service for facial recognition to help authenticate people creating new online accounts.
“The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season,” the IRS said. “During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.”
“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig wrote. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”
The statement further stressed that the transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. “During this period, the IRS will continue to accept tax filings, and it has no other impact on the current tax season,” the IRS said. “People should continue to file their taxes as they normally would.”
It remains unclear what other service or method the IRS will use going forward to validate the identities of new account signups. Wyden and others have urged the IRS to use Login.gov, a single sign-on service that Congress required federal agencies to use in 2015.
“Login.gov is already used to access 200 websites run by 28 Federal agencies and over 40 million Americans have accounts,” Wyden wrote in a letter to the IRS today. “Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity. The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”
Login.gov is run by the U.S. General Services Administration, which told The Post that it was “committed to not deploying facial recognition…or any other emerging technology for use with government benefits and services until a rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations.”
Login.gov is light years better than ID.me. Wonder why the IRS is avoiding the use of an existing federal identity platform for a private one? Something smells fishy here.
I agree, what sense does it make to have ID me come in when there is a perfectly creditable platform already in place. Oh well, there goes any chance of getting a tax return this year
Why is Login.gov “light years better”?
From an accessibility standpoint, I’ve found login.gov to be a significantly better experience, login.gov has a very straight-forward privacy policy, allows for physical 2FA tokens, and is open-source with an active developer base. it’s already in use by the Social Security Administration, so I’d like to believe there’s some sort of fraud protection in place but I’m not an expert on the subject.
I’m sure Login.gov has a good anti-fraud team. The way it usually works, is a serious of conditions, “flags”, and thresholds for manual followup.
The biometrics that ID.me uses isn’t necessary for all anti-fraud, but it can help.
When a fraudster is good at forging IDs and other documents, a live video chat running face recognition is the best bet for catching them when they try to impersonate more than one person.
Just recently, ID.me caught a major criminal.
A federal grand jury returned a 15-count indictment last month against Eric Michael Jaklitsch, 40, of Elizabeth, New Jersey, charging him with wire fraud and aggravated identity theft.
He tried to claim more than $2.5 million in unemployment benefits in California and caused the state and the federal government to incur actual losses exceeding $900,000.
An internal investigation conducted by ID.me identified Jaklitsch as a person conducting a fraud scheme and referred the case to federal law enforcement.
Explain to me exactly how login.gov prevents fraud or stops me from misrepresenting myself as someone else? As best as I can tell it has zero anti-fraud features. Was created for convenience, not security. Remember, you can only get one of those two. When it comes to billions of dollars of fraud, I vote for security.
That’s the problem. People want convenience over security.
“Some agencies require you to verify who you are.
Login.gov verifies your identity for the agency. By submitting personal identifiable information (PII), such as your photo ID, you can verify that you are you and not someone pretending to be you. We only confirm that you are you and do not make any determination on eligibility for agency services.”
https://login.gov/what-is-login/
Login.gov is pretty good. But it’s hard to catch a fraudster who is good at forging IDs and other documentation.
Biometrics can be very useful for this particular anti-fraud feature.
Brian, thanks very much for making noise about this requirement. You documented very well why this implementation needed to be fed to the sharks.
Ironic that I just completed the ID.me process a few weeks ago, trying to be pro-active. Next time I will wait until the last moment, rather than trying to get ahead of the crowds.
Heh, that sucks. You can still use ID.me for other services besides IRS right?
Now that you’ve done the hard part anyway.
My Family is not TOUCHING “ID.me” … photos or not. NOT dumping all the info a hacker could want, into a private DataBase. Their Web Logo should be a 100 yard Range Target.
Like jon, I tried to be proactive and completed the ID.me process in late December 2021 (as did my wife). Once IRS and SSA have implemented new authentication methods (and I know they work for me), I will probably close my ID.me account so my biometric data can be deleted. Hopefully, I won’t ever need to use an ID.me account to access other websites in the future.
Any biometrics you give the gobmint will eventually be hacked. Use Chain ID instead. Microsft & IBM are already working on this. When you log into a web site, your phone will prompt you for authorization.
Sounds infallable. /s
Whew. I’m glad to hear this.
Why are we not pursuing self-sovereign identity? Leverage blockchain technology etc…
Because that doesn’t the bootstrap problem.
Once a person’s identity is verified, there are plenty of good technologies that can keep the integrity of that identity. Issuing MFA hard tokens, putting everything on an immutable ledger like a blockchain, etc.
But how do you ensure that the initial identity verification is correct? The answer is NOT DIGITAL… but ANALOG. Not Online, but In Real Life. More technology might not be the key. But going back to in-person.
Blockchain don’t need no fancy-schmancy NFT’s if somebody else gonna own the registry. You can quote me on that IRS.
Many thanks for your efforts Brian – they are greatly appreciated!!!
US Government proceeded to hand over me, spouse and all 3 dependant kids data (SSN birthdates, etc) in a major hack. *Included my fingerprints* provided for security clearances… my response to IDMe was not kind. I am Not not no way handing any highly specific biometrics to an ‘US agency’, ever again. Nope. Glad they are reconsidering. Avoids me a lifetime of certain hassle.
SSN, Birthdates, and even fingerprints, are a problem if they fall into the wrong hands… precisely BECAUSE identity thieves can use that info to steal your identity, credit history, tax benefits, etc.
We should stop lenders and the government from accepting that data (which has been stolen years ago) in order to give those thieves any money. And that’s kinda the whole point behind using identity verification like ID.me’s video chat session.
I’ve seen several articles on this today, but none have addressed deletion/removal of your account data. Like others here, I created my account the other day to grab some tax notices … I’ll be deleting my ID.me account today:
https://help.id.me/hc/en-us/articles/203532014-How-do-I-close-delete-my-ID-me-account-
I echo TechVet’s thanks to Brian.
While I’m relieved that ID.me is off the table, I’m undecided about Login.gov. Didn’t the OPM fall victim to a massive breach in 2015 that comprised over 22 million government employees and contractors, including sensitive background data on FBI agents? I think all OPM offered was a few years of free credit monitoring. A couple of my friends were caught up in that fiasco and credit monitoring was cold comfort. Hope the GSA does a better job.
I got a chuckle from the statement by the IRS that it “will quickly develop and bring online an additional authentication process that does not involve facial recognition.” Since when does the IRS do anything quickly, or do it well? Especially at a time when they’re facing staffing problems and dealing with a huge backlog of tax returns from last year.
Also its assurance of security isn’t comforting. Take a look at the Privacy Statement of one of its free online tax return filing options (FreeFileFillableForms https://www.irs.gov/e-file-providers/free-file-fillable-forms). Excerpted below is the SSL and Data Security section. So much in it bothers me, like “when applicable we encrypt” and “we cannot and do not act as insurers of the security” of your information and “we assume no liability”. So it’s caveat emptor if you use this service accessed through the IRS website? Bugs me. Is it just me?
SSL and Data Security
The security of your personal information is important to us. When applicable we encrypt the transmission of that information using secure socket layer technology (SSL). We restrict access to your information that we keep. Only employees who need such information to perform a specific job are granted access to it.
We cannot and do not act as insurers of the security of your Free File Information, particularly when it is transmitted over the Internet. Accordingly, we assume no liability for any disclosure of data due to errors in transmission, unauthorized third-party access or other acts of third parties, or acts or omissions beyond our reasonable control. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security.
https://www.freefilefillableforms.com/home/privacy_statement.php
I would be more worried if they did make such guarantees of security.
That disclaimer is pretty standard. Users should never assume that anything over the internet can be secured 100%. Your data flows through a dozen different hands on its way to a server.
Absolutely there are no guarantees. Your point about the data flowing through many servers ….. Isn’t that why transmission should always be encrypted?
What I’m looking for in a section describing SSL and data security is how and when they protect data (e.g. during transmission or when stored, or hopefully both), and not weasel clauses about what they aren’t responsible for. What does “when applicable we encrypt the transmission” mean? It begs the question — When is it not applicable to encrypt transmission when taxpayers are sending sensitive financial and personal information? It’s not even clear where the data is stored and by whom.
freefilefillableforms.com is not the IRS. It’s a consortium of tax preparation companies (Free File Alliance) in partnership with the IRS. TaxACT happens to be one of the companies in that alliance. Here’s what they say about security on their website selling their own product. Note the difference? https://www.taxact.com/secure-information
TaxAct Online follows industry standard best practices to safeguard your personal information. All personal information sent over the Internet is in an encrypted format using Secure Socket Layers (SSL), which means that a computer hacker cannot view or alter the information while it’s in transit. When you see a small lock in the bottom right or left corner of your browser window, you know your data is being encrypted for transmission. Your information is safely stored in our secure servers in an encrypted format, behind a corporate firewall.
Legal jargon is usually designed to protect the company, yes. Not really written to be a comprehensive explanation or a detailed description of their security posture.
Like most things, there are caveats and nuance.
Lot of companies make claims about End-to-End encryption, or Military-Grade this or that. I would not trust it any more or less than a policy that doesn’t mention any of it. “Industry best practices” is subjective, SSL doesn’t matter if your device has a root cert allowing a MITM (legit employers commonly do this for inspection).
Going back to the OPM breach… I was also a victim. I am tired of playing whack-a-mole with private data. If not OPM, then Equifax, or something else. The data is out there. I shouldn’t have to care about people knowing my SSN, or even my face. There should be nothing that a scammer can do with it.
And that is why we need strong Identity Proofing, so that the compromised private data out there, is no longer useful to identity thieves. They would have to appear in-person or on live video in addition to knowing all that static personal data.
Now they must require ID.me to delete all of the data that they have already collected from people trying to set up an IRS account.
Use of a non-standard top-level domain “.me” was a security mistake. I’ve not used “login.gov”, but at least is has a .gov top-level domain, which is subject to enhanced scrutiny. The sudden insistence on “ID.me” smelled to me of a sweetheart deal.
It’s been years… but TLDs are not what they used to be.
I think the US government should hand out security token devices, like what HSBC bank does with their customers Then to access your IRS account, you would need your login name, password and 2FA code from the security device.
Wouldn’t that be a better solution then using bio metric ?
That’s a thumbs up from me, Sunshine State.
Check out HSBC bank security token device, it’s real slick
https://www.us.hsbc.com/content/dam/hsbc/us/docs/pdf/HS2175_OTP_Brochure.pdf
After checking out login.gov based on the positive posts above by Dan Klein and Jon M, I’d be willing to try it. At least it encrypts the data during transmittal and the data are stored encrypted. It also gives the user several login authentication options, including security keys that meet FIDO standards.
So why does the IRS feel compelled to reinvent the wheel?
After reading the posts by Dan Klein and Jon M about
There is a difference between authentication and identity.
Once an identity has been verified and enrolled, then you can pick from different authentication options.
But how does the bank or IRS know who they are sending the security token to???
MFA is great, and I’ve been a loud advocate for it. But it’s not a panacea. A flawed enrollment/onboarding process that allows unverified people to get an account, will negate the benefits of MFA.
Those are good points JamminJ. I’m guessing they use one of the credit bureaus among other sources based on the information they say they use for verification, but the following is from the horse’s mouth:
During identity proofing, the ID is also checked for authenticity. Then, the personal information is validated with the issuing source (ex: state DMVs) or authoritative sources (ex: credit, financial, telephone records). These external services do not retain any personal information, they are only used for validation purposes. Given these stringent requirements, Login.gov currently supports state IDs and federal government employee IDs. Over time, Login.gov will support additional IDs.
Your address is also validated during this process. This can be done remotely using a telephone number associated with the address or through a letter with an enrollment code sent to the account holder’s address. Please note, the enrollment code is valid for 30 days. (5-10 days for the letter to be delivered along with 10 days to complete address validation on https://secure.login.gov). Once validated, Login.gov identity credentials are encrypted with the account holder’s password. Encryption ensures that only you, the account holder, can access your information with your password.
https://login.gov/policy/how-does-it-work/
Less accountability if you force the user to get their own. Cynically speaking.
threatpost.com/cisa-orders-federal-agencies-to-fix-actively-exploited-windows-bug/178270/
If the US can’t even get every person to vote, get a drivers license, etc do you really think a 2FA security device given to everyone is going to work?
How do they know to whom they are sending security token devices??
How do they know which account to bind the token??
How would that prevent the fraud of identity theft??
Identity proofing comes BEFORE authentication methods.
An identity thief can just as easily set a strong password, set up a 2FA token, and use any required strong authentication method.
You have to stop fraud at the identity stage.
A great idea! I have a security token for my Schwab account.
Anecdote, not data, but here goes: early Jan 2022 (before your 19 Jan 2022 story about proposed new log-in requirements), I had no problem logging into http://www.eftps.gov to pay my 4th-quarter estimated federal tax. I was an early user (June 2007) of EFTPS for federal tax payments. EFTPS (Electronic Federal Tax Payer System) has, from my first encounter, used multiple factors. None rely on yuppie fones. For me, the original system (carried forward to today) has worked without a hitch.
After reading your 19 Jan 2022 story, I logged into My Social Security. There was some bumph indicating new log-in arrangements might be on the agenda, but my existing credentials (id and password) worked just fine.
Thanks for keeping us updated. My take: it’s prudent to be selective about when (and when not) to be an early adopter.
I wish I had known they were going to drop it no sooner than they started it. I too completed signing up right after I was notified it would be required.
@arbee, the new SSA ID.me requirement doesn’t apply to anyone who had an existing SSA account in 2018 [sometime, forgot the date]. Also if i read the IRS release correctly about the 3rd party authorization (selfies, oh hahahahaha) it applied to anyone logging into an *irs.gov* account. EFTPS is separate from IRS. gov & is used by, among others, businesses. What kind of selfie would a business send?
A customer may know the https://bit.ly/362j909, but the challenge they face
Don’t click on shortened URLs.
If the US can’t even get every person to vote, get a drivers license, etc do you really think a 2FA security device given to everyone is going to work?
Brian, Thank you for the update. I, too, wanted to get ahead of this new requirement but considered delaying until seeing what came of your article because precisely what I perceived, this may blow up. I should have trusted my gut. Since it was first announced over 6 months ago, I assumed the IRS wouldn’t change now, you didn’t express significant security concerns after communicating with the ID.me CEO; and your article primarily highlighted the inconvenient process issues; I accepted the risk and signed up too.
I chose to start at 5 AM since I’m up already; ID.me is available 24×7 and before the east coast of the U.S. gets their day started. I signed up on my PC, and the process was easy, flawless, and had zero waiting, so I felt victorious, though I was a bit concerned since there was zero human intervention I could detect. Too late for this gut feeling to affect the outcome.
Please publish a follow-up with recommendations on what to do with a now established ID.me account? Recall you did not raise concerns with their protections in place, but once biometric data is compromised, I can’t afford the medical intervention to get a new face. Laughing right now, but seriously, it may not be a laughing matter if ID.me is ever compromised. Put another way, what are you doing with your ID.me account?
Stay calm. You can request in writing to ID.me to delete your account and bio info. Cc an attorney, and the attorney general in your state. The founders sound like responsible men who would honor the wishes of their fellow citizens, because of their background defending the US.
Maybe the founders would be just as shocked as anyone when the reality dawns of their partners’ ambitions to secure the data: AI software training. They supplied the keys to PII of US citizens . . . to whom? Still, Brian Krebs, I would like to know who the “partners” are who process the PII . . . Is the list of the names of its investors under NDA?
Biometric IDs – After the next hack, would be possible to change the iris or fingerprint?
ID.me was a train wreck to begin with……if we would just would do a flat tax we wouldn’t have to even talk about this…problem solved……
Not really. Flat tax doesn’t solve this problem.
I was horrified to be putting in the information to ID.me. it also took almost a day to complete the process but I had no choice as I needed a payment plan set up to pay an underpayment. I am in Cyber insurance and was very very concerned that I was disclosing everything about me including pictures, passport, DL, SS, Address, DOB… petrifying that all that data is captured in one file. What happens to all of our data already captured by the ID.me?
Well, this cuts both ways, because there is an inevitable tradeoff between security and ease of use… Any trip through airport security since 9/11 should reinforce this fact.
I went through the sign-up process for ID.ME when I saw the posting on KrebsOnSecurity last month. While it wasn’t easy, it was doable. And secure, baring inside attacks at ID.ME.
Any government solution will cost $B’s and $B’s. We are spending ourselves into oblivion with the lowest common denominator focus on “vulnerable populations”. But lowering our guard, so to speak, invites fraud. We can’t have it both ways. No feel-good happy talk changes that, either.
If one is to do business on the internet, multi-layered security must be used. Maybe vulnerable populations need to stick to paper-based solutions, phone and US Mail. That is expensive enough… the only way to achieve security for the vulnerable (read: naive) is to unplug them from the internet, for the scammers always target the vulnerable. The naive will always be vulnerable on the internet.
Not sure if I’m understanding the point you’re making. If you’re implying that only the naive are vulnerable on the internet, then I beg to differ. No matter if individual users are assiduous in following the best safety protocols, we have no control over how well our data are being protected. Read on. FBI Director Christopher Wray is speaking about the threats posed by the Chinese government. https://www.fbi.gov/news/speeches/countering-threats-posed-by-the-chinese-government-inside-the-us-wray-013122
Here in the U.S., they unleash a massive, sophisticated hacking program that is bigger than those of every other major nation combined. Operating from pretty much every major city in China, with a lot of funding and sophisticated tools, and often joining forces with cyber criminals, in effect, cyber mercenaries. In just one case, one example, a group of MSS-associated criminal hackers stole terabytes of data from hundreds of companies. Now, to put that in context, one terabyte is around 70 million pages of data. Think about that. They’re not just hacking on a huge scale but causing indiscriminate damage to get to what they want, like in the recent Microsoft Exchange hack, which compromised the networks of more than 10,000 American companies in a single campaign alone.
Back a week or so ago, I set up log in’s via ID.me for both IRS and Social Security sites. Uploaded my driver license… and the process went smoothly. Now, I wonder if I was too trusting? 🙁
“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig wrote. “Everyone should feel comfortable with how their personal information is secured”
1. Obviously IRS did not take taxpayer privacy seriously.
2. “feel comfortable” is really the metric for personal information security assurance?
Looks like they are changing due to public backlash, not waiting for a breach to happen. So looks like they are taking privacy seriously. They are obviously taking privacy more seriously than security.
A federal grand jury returned a 15-count indictment last month against Eric Michael Jaklitsch, 40, of Elizabeth, New Jersey, charging him with wire fraud and aggravated identity theft.
He tried to claim more than $2.5 million in unemployment benefits in California and caused the state and the federal government to incur actual losses exceeding $900,000.
An internal investigation conducted by ID.me identified Jaklitsch as a person conducting a fraud scheme and referred the case to federal law enforcement.
This is the benefit of biometrics.
The criticisms of biometrics not being perfect, is only a criticism of using biometrics in an automated way. But to use it to flag a few attempts to claim benefits, for manual review, is very effective.
Identity thieves like Eric Michael Jaklitsch put themselves at great risk of getting caught, every time they have to go on camera for a live session, pretending to be someone else. They more they try to claim, the higher the risk. Without biometrics, and to appease everyone’s privacy concerns… makes the process very easy for fraudsters to keep doing it.
Using biometrics cuts both ways. Could be used for good or harm. The good, as in your example. The bad (an extreme example for sure), how biometrics is used by the Chinese government. Orwellian.
I share the concerns of those who aren’t comfortable with their personal data being aggregated by one entity that will (not if) be compromised sooner or later. One breach is all it takes. If this had not been a requirement for accessing our own government’s services or to comply with their regs, then it’s a matter of personal choice between convenience and security. The problem with the government (local, state or federal) requiring its residents to cough up very sensitive information to a private contractor takes personal choice out of the equation. And who’s to say that the private contractor won’t be sold to a foreign entity in the future?
I agree that using only ID.me (a private company) was a bad choice.
I just don’t think it was the use of biometrics for anti-fraud, that was the problem.
I don’t worry about the company being sold. That’s always a fear with defense contractors, but the contracts don’t allow those scenarios. That’s a long story though.
Like you said, it’s not a question of IF, but WHEN, our personal data gets stolen.
The real solution is NOT to attempt the futility of keeping your SSN or other static data private. Rather, reduce or eliminate it’s value, it’s utility for harm. Fire instance, stop using Social Security Numbers as a password to get a line of credit. Then, who cares if people know it, it’s just an identifier, like your name.
Biometrics can’t be changed, so we absolutely should NOT use it as a static secret (like SSNs were). But they can be used as identifiers (if under supervision). The way ID.me uses it, is actually good. They don’t use biometrics in an automated verification of identity, rather just as a check for the same person making multiple claims to different identities.
That’s how they caught that NJ guy who made $2.5 million in fraudulent claims last month.
I do agree that using only ID.me (a private company) was a bad choice.
I just don’t think it was the use of biometrics for anti-fraud, that was the problem.
I don’t worry about the company being sold. That’s always a fear with defense contractors, but the contracts don’t allow those scenarios. That’s a long story though.
Like you said, it’s not a question of IF, but WHEN, our personal data gets stolen.
The real solution is NOT to attempt the futility of keeping your SSN or other static data private. Rather, reduce or eliminate it’s value, it’s utility for harm. Fire instance, stop using Social Security Numbers as a password to get a line of credit. Then, who cares if people know it, it’s just an identifier, like your name.
Biometrics can’t be changed, so we absolutely should NOT use it as a static secret (like SSNs were). But they can be used as identifiers (if under supervision). The way ID.me uses it, is actually good. They don’t use biometrics in an automated verification of identity, rather just as a check for the same person making multiple claims to different identities.
That’s how they caught that NJ guy who made $2.5 million in fraudulent claims last month.
First, I do not work for or have any relationship with Id.me, IRS, or any other government agency, I am just a cybersecurity consultant. Second, although I completed the ID.me Identity Proofing process in less than 20 minutes, I was like most of you unhappy with the fact that parts of the US Government (e.g., IRS and SSA) were using a private company to handle very private and sensitive information. Compounding the issue was that safeguards were not put in place to delete this information after it was no longer needed. Although I do understand the need for a solution to increase the online cybersecurity of government accounts which will cause some disruption in the other two dimensions of the triad of Security, Convenience, and Privacy, this was not a very good implementation.
Why is this happening? First, we need to understand the problem space of digital identity a little better. Often to create and/or claim an online digital identity and its associated account Knowledge-Based Verification (KBV) is used. Unfortunately, with social media and other data about us being online so insecurely this process has been an issue for over 10 years and getting worst. To compound the issue the more detail the information request to increase the security the higher the failure rate of the correct individual.
This insecurity was so well known in the cybersecurity world, the common suggestion (I believe even on this blog at one time) was and still is to claim your accounts (e.g., IRS, SSA, USPS Informed Delivery, credit agencies, ….) ASAP before the bad guys did. This issue was highlighted with the IRS accounts abused in 2016 caused by its reliance on KBV of semi-public information (i.e., stuff Equifax had). And yes, I am sure that the algorithm Equifax used could have been more security but then there would be an increase failure rate and its associated outrage.
In 2017 the NIST published the Digital Identity Guidelines (DIG) Special Publication 800-63 Revision 3 (SP 800-63-3). This was a significant restructuring of the Revision 2 from 2013. BTW Revision 3 is almost 5 years old which is a lifetime in cybersecurity and needs updating to deal with the current threats and tactics hopefully we will see Revision 4 in 2023. But we have not even solved the issues highlighted in 2017 never mind the ones from 2021.
DIG/SP 800-63-3 frames the problem into three areas each with an associated Assurance Level (xAL) with a scale from 1 to 3.
• Enrollment and identity proofing (SP 800-63A) / Identity Assurance Level (IAL)
• Authentication and lifecycle management (SP 800-63B) / Authentication Assurance Level (AAL)
• Federation and assertions (SP 800-63C) / Federation Assurance Level (FAL)
One thing most of this ruckus is about the “Identity Proofing” and not the “authentication” step.
So, from the Enrollment and Identity Proofing, here are the three IAL levels from NIST SP 800-63A:
IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a CSP asserts to an RP). Self-asserted attributes are neither validated nor verified.
IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.
IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.
IAL2 tries to solve the issue of how insecure Knowledge-Based Verification is. Is it the right solution? I do not know but it is a solution. Is it a workable solution and do we have the technology? Maybe but it does not work for 100% of the cases.
The first step in using the DIG framework is decide for each account which xAL is necessary to secure the asset. IRS has a process called Digital Identity Risk Assessment (DIRA), you can find a 2020 report on its progress here https://www.treasury.gov/tigta/auditreports/2020reports/202020012fr.pdf
From that report the IRS has 63 public-facing applications, that is needs to secure. It seems they decided (rightfully so) that the https://www.irs.gov/payments account should have a IAL2.
Now the question is how to implement that and were to get the technology. BTW one thing that makes this a little easier is if the individual has a Real-ID since that can be used to “real-world existence”. So, some of the hard work was done over the last 15 years by the states to get this technology in more people’s hands. In hindsight (always 20-20) it would have been nice if we had tied getting the Real-ID to a digital identity when they were at the DVM. But then we would have to had cross the federal/50 state divide.
So why can we not use login.gov? (BTW I have now tied it to my SSA account.) Because it does not do IAL2. In fact, they were looking for IAL2 technology last fall. https://www.biometricupdate.com/202109/us-government-wants-real-time-digital-id-verification-for-login-go
Login.gov has a wide range of authentication mechanisms (e.g., FIDO U2F, SMS, authentication app, backup codes) with great control options so you can maximize security (i.e., use only FIDO U2F security keys with an added bonuses they ask for a PIN if one is on the key unlike id.me). They still have some authentication issues but hopefully they be fixed. Ideally, they would start supporting FIDO2(WebAuthn/CTAP2) to get phishing-proof state-of-the-art and best-in-class authentication.
Again, most of this ruckus has not been about “authentication” but rather “Identity Proofing”.
So, what does IAL2 need? You need to “identity proof”, tie “real-world existence” like some type of physical photo ID (e.g., Real-ID or Passport) to the person making the claim. Either in-person or on-line (real-time face scan or web conference). Yes, none of the solutions are ideal and none are 100% foolproof. Is the real-time scan ready for primetime? Seems like given the number of people having issues the answer might be no but what is the solution then? In person? Ok where? Does that scale? State or federal office? How do you tie the in person visit to online account?
If you do not agree with the need for IAL2 then what is your solution to secure these accounts? Since we know KBV is insecure and there will be outrage the next time there are issue with the current system. Sorry but something in the triad of Security, Convenience, and Privacy must give, you cannot have all three at the same time.
One thing about the id.me process, I can not understand why they need to keep the information needed to do the “identity proofing” (i.e., my Real-ID and face scan) except to make money on our data, since once you have passed this stage there is no reason to maintain it except maybe for some audit in which case it should be archive at the IRS not id.me.
Long read, but good read.
IAM is a tough business.
Some people coming to hear do seem to confuse the authentication with identity proofing. I’ve replied to those comments already.
I also agree that the biggest failing here was choosing a single identity proofing solution in the private sector and not giving consumers a choice. I think login.gov definitely should be an option. And it makes sense that they will not be able to do IAL2. And from the looks of this backlash, it doesn’t seem like they would be willing to do so in the near future either.
ID.me does have legitimate reasons for retaining biometric data.
They use an anti-fraud feature which will compare new enrollees with past ones.
This has already had success with the investigation, indictment, and arrest of a New Jersey man who defrauded the state of California for $2.5 millions.
Sure, they could just prioritize data privacy over anti-fraud features, and delete the data after the identity proofing is complete. But it is a very powerful and useful security tool. They do not sell biometric data to third parties, it’s much more profitable to use the data themselves as a service. Plus, I’m sure it’s codified in their government contracts as well.
I think people are really over exaggerating the data privacy risks here. They are upset, and scared. But that’s because they don’t really know how identity proofing works in the real world. They go to the DMV, in person to get an ID and take a photo. But they don’t ask who makes the cameras and maintains the databases for the state government. It’s not 100% state employees. They contract a lot of this out third parties, private companies.
Not sure if IAM is a tough business, maybe confusing because nobody wants to talk about the risk assessment tradeoffs across the triad of Security, Convenience, and Privacy. Pick a point but you cannot be everything to everybody. There are few places where these dimensions pull in the same direction except maybe FIDO2(WebAuthn/CTAP2) security keys.
I agree you have been one of the voices on this blog that is helping bring back the outrage to the fundamental problem to solve: Identity Proofing.
I am not sure why it makes sense that login.gov does not have IAL2 yet. It is a 5-year-old problem. I am sure after the next major breach of people’s government accounts that on this blog there will be the outrage of why this issue was this not solved years ago. And everybody will forget they did not like the solution rolled out, but nobody had a better one.
Since I have had my login.gov account for years since it was used for securing my Trusted Traveler Programs account, I cannot say how secure their Identity Proofing was or is but given I know of several issues with their authentication process I am not confident that it was more secure than the normal Knowledge-Based Verification (KBV) process. So, my suggestion is that if you do not have an account go claim it NOW before somebody else does.
“ID.me does have legitimate reasons for retaining biometric data.” Careful this is the slippery slope everybody is afraid of and at the bottom is something like the Minority Report. I think many people are afraid of who can keep the data safe and not be used outside of why it was given for in the first place. I wish I was as confident as you that the government contracts thought of all the safeguard need to keep this information secure and private. But given the other missteps I doubt it.
Here is a story from today that is mind boggling that this happens. https://www.engadget.com/twitter-parts-ways-two-factor-provider-claims-of-secret-surveillance-080536054.html
I do agree that outside of the fact that there was a public company in the Identity Proofing flow, much of the outrage is over exaggerating the data privacy risks for this solution, if everybody knew the issues elsewhere in the system. Such as the 50 states each with different DMV systems and who secure that information and who has access to it. But that is a subject for another outrage day. Brian maybe that something to explore.