Privacy advocates have long been sounding the alarm about the potential risks associated with digital identification platforms, and it seems the IRS has heeded those warnings.
In a surprising pivot away from modern identification methods, the IRS has discontinued its use of ID.me, a popular digital identity verification service.
This article delves into the reasons behind this decision and its implications for users.
If you've ever groaned at the thought of having to take yet another selfie for verification purposes, fret not - the IRS's latest move could signify a shift towards more privacy-conscious methods of identity verification.
Read on to explore this topic in detail!
ID.me – A Brief History
ID.me is an identity verification company established in 2010 to assist the US military in confirming identities.
In 2014, the Federal government approved the company as a credential provider. Since then, many government agencies have used its services.
In 2017, the IRS started a pilot program for ID.me, and its usage has significantly expanded since.
It quickly gained popularity and was embraced by many entities, from online retailers to government agencies.
The IRS previously partnered with ID.me in a limited capacity, with the full rollout planned for summer 2022, and as many as 26 states currently use the service to verify identities for unemployment services.
The platform used advanced technology, like facial recognition, to authenticate users' identities. It was seen as a revolutionary step towards redefining digital identity verification.
Notably, the IRS adopted ID.me to help protect taxpayers and streamline the authentication process. However, the reception among individual users was mixed.
While some appreciated the increased security measures, others found it confusing and unnecessarily complicated. They often complained about the requirement of a selfie for verification, which seemed invasive and excessive to some.
The IRS and ID.me
The relationship between the IRS and ID.me can be traced back to the goal of modernizing the government's approach to online security. The IRS turned to ID.me to bolster its online security by implementing a tool that ensures the taxpayer's identity before progressing with potentially sensitive actions.
However, the collaboration had its share of hurdles:
- Many taxpayers were uncomfortable with the two-factor authentication, where one factor was a selfie. They felt it was intrusive on their privacy.
- The process of confirmation using ID.me was often slow due to high demand, causing frustration among users who were anxious about their tax matters.
- Many seniors, who may not be as tech-savvy, struggled with the complexities of ID.me, further highlighting the accessibility issues inherent in the system.
- Feedback suggested that the interface was not as user-friendly as it could be, with users often getting lost in the multiple steps required for verification.
After considering these issues, the IRS opted to discontinue its partnership with ID.me and chose an alternate account verification solution.
Shifting Away From ID.me
The use of facial recognition technology has been a source of debate. Although some government agencies have employed ID.me for some time, the IRS’ mandate requiring ID.me accounts for each portal user has highlighted the controversy around the technology.
ID.me uses 1:1 face match technology, which is the digital equivalent of having an official at a government office verify your identity via photo ID.
However, an article by Cyberscoop revealed that ID.me employs a 1:many face match technology instead of storing users' images in a database to compare to multiple stored images.
ID.me CEO Blake Hall later confirmed this, explaining that the technology is meant to prevent identity fraud by ensuring users do not create multiple identities.
Researchers have found that the accuracy of facial recognition software is not consistent, especially for those with darker skin tones and those who do not identify with a gender binary.
The 2018 Gender Shades Project revealed that these people are misidentified 8-20% more than lighter-skinned men. Similarly, the National Institute of Standards and Technology found that American Indians, African Americans, the elderly, and young children are most likely to be affected by false positives.
Additionally, ID.me stores user images for possible future cross-checking.
ID.me's terms of service allow them to share collected data with the police, government, and selected partners. This data includes citizenship (for those who use passports as photo IDs), voiceprints, and more. ID.me stores this data on encrypted servers to prevent unauthorized access, but they still maintain the right to share it.
Registration with ID.me poses a problem for some taxpayers, as not everyone has access to a smartphone or computer with a webcam. This could limit access for the elderly and lower-income households to IRS services, creating an unequal situation.
On Monday, Feb. 7, 2022, Chair Ron Wyden of the Senate Finance Committee (D-Ore.) sent a letter to the IRS expressing his view that Americans should not have to provide their facial recognition for security purposes. Subsequently, the IRS announced a rescinding of its ID.me account requirements.
The recent turn of events involving the IRS and ID.me has left many taxpayers wondering what this means for them. The simple answer? Things are changing, but there's no need to panic.
To start with, you'll be happy to hear that you are no longer required to provide a selfie for the sake of identity verification. This was one of the most controversial aspects of the IRS's partnership with ID.me, and many users expressed their discomfort with it. If you were one of them, you can now breathe easily.
Another significant change is the discontinuation of the ID.me partnership. This means that the IRS will be implementing a new tool for online security. While details are still forthcoming, the aim is to introduce a more user-friendly and accessible solution that caters to all taxpayers, including seniors and those not particularly tech-savvy.
In the meantime, the IRS is also exploring other ways to authenticate users that don't involve facial recognition. For those concerned about their privacy and data security, this is a step in the right direction.
Despite these changes, it's important to note that the IRS still considers online security paramount. Be prepared for some form of two-factor authentication as part of the new system. Exactly what this involves will depend on the security solution the IRS adopts.
As a taxpayer, you might have to familiarize yourself with new processes—hopefully simpler ones—but rest assured that the IRS is committed to ensuring a smooth transition. They are in the process of providing detailed guidance and help resources to assist you.
Meanwhile, certain features, such as using photo ID for account creation, are likely to remain, but alternatives will be provided for those who find this difficult. It's all about striking a balance between security and ease of use.
So, while we all wait for the new authentication solution to be rolled out, it's crucial to keep an eye out for IRS updates and be ready to adapt to the changes. Remember, the ultimate goal is to create a more secure, user-friendly experience for everyone involved in the tax process.
The IRS will no longer require taxpayers to file returns through a registered ID.me account. This change will not affect filing tax returns.
To transition away from using ID.me, the agency stated it would take several weeks to develop a new authorization system that does not use facial recognition. For now, you can use your Secure Access username and password to access online services if you already have an IRS account.
If you have an existing ID.me account through a state or federal agency, you can continue to access the online portal.
On February 22, the IRS announced taxpayers would no longer need to use ID.me's facial recognition program for account verification. Instead, taxpayers may now opt for an online interview with an ID.me representative. This requires two primary identification documents, and the current wait for a live agent is roughly one hour. See the ID.me website for the full list of acceptable documentation.
Note: The online interview will be recorded, and ID.me will delete the video after 30 days.
To enroll in ID.me's facial recognition program, you must provide your Social Security number (no physical card needed), plus a driver's license, US passport, or US passport card. Additionally, you need access to either a smartphone or a computer with a camera.
Step 1: Go to the IRS website's "Your Online Account" page and click "Sign in to your online account". Choose to create a new ID.me account or sign in to an existing one. Click the white "ID.me Create an account" button to register.
Step 2: Enter your email address and create a strong, 8-character password with at least one capital, one lowercase letter, and one number. Confirm your password, check the box to accept ID.me's terms and conditions, then click “Create account”.
Step 3: ID.me will send you an email with a "Confirm your email" button. After clicking the button, return to your browser.
Step 4: After setting up your ID.me password, you'll need to enable multifactor authentication (MFA), which offers an extra layer of security. Most people use text messages or phone calls for MFA. After selecting your option, enter the 6-digit code you received and click “Continue.” You will need to repeat this step each time you log in to your IRS account.
Step 5: Upload photos of the front and back of your US passport book, state driver's license, or US passport card. Alternatively, use your phone to take pictures and enter your phone number into ID.me and they will send you a link.
Step 6: Upload your document, then take a video selfie with your webcam (click the white button) or phone (click the blue button and provide your phone number). ID.me will send you a link via text message.
Step 7: Record a video selfie with your phone in portrait mode. Place your head close to the camera, and wait for the background to flash various colors. When a green checkmark appears, your selfie is complete. Tap “Continue” and return to your window.
Step 8: Enter your Social Security number and click "Continue" to confirm.
Step 9: After reviewing your personal information (e.g. name, address, phone number) on ID.me, please confirm that all information is correct, then check the "Fair Credit Reporting Act" checkbox and click "Continue."
Step 10: After verifying your identity, ID.me will send you a text message requesting explicit approval for IRS access. You won't need to re-register with ID.me, however, "allowing" access to services such as Social Security and VA is required for each use.
Step 11: Click the "Allow" button on the ID.me message to verify your information with the IRS.
Step 12: Your IRS Online Account is now up and running. For security, you'll be automatically logged out after each session. Log in again with multi-factor authentication each time you access it. Visit “Your Online Account” to get started.
Those who've already created ID.me accounts for their IRS Online Access aren't greatly impacted. Existing accounts remain operational and continue to provide the same access levels as before. Your login credentials, namely your User ID and password, continue to function.
You may need to 'allow' access to IRS or related services each time identity verification is necessary, such as when filing tax returns online or checking account information.
Take note, that the suspension pertains only to new registrations requiring facial recognition. The ID.me platform still asks for an online 'selfie' in its account setup process, though this feature may be replaced with a live verification interview.
It's important to remember that the plans to transition away from facial recognition authentication don't invalidate your previously obtained ID.me data. ID.me has assured the public that its data security remains a high priority and that robust security and privacy measures continue to protect personal details.
Dependents and other taxpayers who previously verified their accounts using someone else's personal identifying information shouldn’t experience any notable changes in how they access IRS online facilities.
However, users should remain vigilant, ensuring that the portal remains secure and updated to stay ahead of potential cyber threats. Keep a close check on all actions requiring IRS authentication to maintain personal data security.
ID.me uses multifactor authentication (MFA), a strengthened security measure that requires more than one independent form of identification. This typically consists of something you know (like a password), something you have (like your phone), and something you are (like a fingerprint or a facial recognition scan).
Yes, if you no longer want to hold an account with ID.me, you can request they delete it. They are legally required to delete all your personal information within their possession, with the exception of records relating to past transactions which will be retained as per accounting and regulatory standards.
ID.me follows extensive measures to guard your personal data. These include data encryption during transit and at rest, regular security audits, multi-factor authentication for access, and constant updates to their security systems and measures. They move in tandem with evolving cyber threats to ensure optimum data security.
For identity verification with ID.me, you can use a valid US passport, passport card, state-issued driver's license or Identification card, or foreign passport with an applicable US visa.
Make sure to balance choosing the most relevant document(s) for authentication and ensure they are clear and within the expiry date. This strengthens the validation process and much is contingent upon the accuracy of this prerequisite step.
Is my personal data less secure with recent changes in ID.me’s registration process?
ID.me’s top priority remains the safety, security, and privacy of its users' data. Although the facial recognition feature in the registration process is suspended, they continue to offer robust protective measures ensuring data security, including multi-factor authentication. Transitioning away from previous systems shouldn't cause a degradation in security, as other effective methods keep the risk of unauthorized access minimal. The privacy measures comply with frameworks like the General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Fincent: Your Business's Personal Financial Wizard - From Bookkeeping to Tax Filing