IRS questions security of planned ID verification system

The Internal Revenue Service has faced challenges in transitioning the system it uses for authenticating the identities of taxpayers and tax professionals to a system more widely used in the federal government as it makes plans to begin pilot testing a Direct File system next tax season.

The IRS has concerns about the security of the Login.gov system it planned to use for taxpayer identity verification, according to a report released earlier this month by the Treasury Inspector General for Tax Administration. The service received complaints last year about the privacy implications of its existing verification system, ID.me, which uses facial recognition technology to authenticate taxpayers who submit a selfie and images of government-issued documents like a driver's license or passport (see story). The system authenticates taxpayers who set up online accounts with the IRS, and the agency has also transitioned authentication of its other e-Services applications for taxpayers and tax pros to the platform.

After hearing criticism from members of Congress and privacy advocates, the IRS allowed taxpayers to opt out of agreeing to biometric facial recognition technology and instead undergo a virtual interview with a customer service agent. It announced plans in February 2022 to offer another authentication option besides ID.me and began exploring Login.gov, a system that's been used in other parts of the federal government. The IRS's then-commissioner, Charles Rettig, told lawmakers during a Senate oversight hearing last year that Login.gov didn't have the capacity at the time to handle all the requests expected from taxpayers. The IRS made the decision in May of last year to migrate its e-Services online applications for tax professionals to ID.me in the meantime.

Now it appears that the problems with Login.gov aren't just due to capacity restrictions, but also to security concerns, according to the TIGTA report.

Andrew Harrer/Bloomberg

The report, it's worth noting, is partially redacted to avoid revealing security vulnerabilities, as the IRS has often found itself the target of attempted cyberattacks. Some of its e-Services applications such as Get Transcript and Identity Protection PIN experienced data breaches in 2015, resulting in shutdowns that lasted until 2016 when the IRS added improved authentication.

The TIGTA report found that Login.gov does not comply with all of the National Institute of Standards and Technology's Identity Assurance Level 2 standards, which ID.me appears to comply with, according to its website. TIGTA's review also found that Login.gov has not fully implemented specific controls to improve its anti-fraud program as required by the White House's Office of Management Budget. Another concern about Login.gov was partially redacted from the publicly released version of the report.

The report lays out discussions between the IRS, TIGTA, the Office of Management and Budget, the Treasury Department and the federal government's General Services Administration over the concerns about Login.gov.

In one memo last November, IRS officials explained the problem: "Login.gov's lack of strong anti-fraud controls prohibits the IRS's ability to detect large-scale exploits, putting billions of dollars of taxpayer payments at risk. The success of the IRS online fraud-fighting effort relies on end-to-end visibility of user's online activity data predicated on a fully compliant IAL2 registration pipeline.  Fraud control is mitigation from weaknesses in fully compliant IAL2 implementations. Fraud controls are not a substitute for non-compliant IAL2 implementations. The IRS maintains highly sensitive financial, personally identifiable information data, and federal tax information across the taxpayer community and is a prime target of cyber-fraud. Bad actors have aggressively targeted IRS online applications leveraging identity theft that occurred outside the IRS with compromised third-party information."

Last December, the IRS launched Login.gov to provide identity-proofing services for two of its applications that were at the lower IAL1 level and continued its planning to provide identity-proofing services for IAL2 applications. But after conducting a "tabletop exercise" in January, the IRS identified numerous fraud gaps and notified the GSA about them.

Among the issues, it found that Login.gov had not yet added protections for individuals who are at heightened risk of identity theft and for whom standard identity verification controls are insufficient. They held a go-or-no-go decision meeting in March, but couldn't reach a decision to implement the technology, with the IRS's chief privacy officer voicing "significant concerns" about subjecting 10,000 taxpayers to the risks identified.

Implementation of the system was postponed, but the IRS continued to come under pressure from other agencies like the OMB to roll out the system. The GSA's own inspector general's office released a report that month about how the agencies that were using Login.gov had been misled about its NIST level of security. The IRS decided in April not to do a limited-scope launch in the midst of tax season and the Login.gov contract was modified in May. In July, the IRS approved a roadmap for a future credential service provider outlining the need for two or more CSPs, including a government and non-government option, to provide taxpayers with a choice.  

"The protection of taxpayer data is a top priority for the IRS, and we strive daily to improve our processes and maintain the public's confidence," wrote Jeffrey Tribiano, deputy commissioner for operations support at the IRS, in response to the report. "We also strive to enhance the taxpayer experience within the constraints of protection of taxpayer information. We continue to work toward a technical solution that will satisfy both."