IRS questions security of planned taxpayer identity verification system

The Internal Revenue Service has faced challenges in transitioning the system it uses for authenticating the identities of taxpayers and tax professionals to a system more widely used in the federal government as it makes plans to begin pilot testing a Direct File system next tax season.

The IRS has concerns about the security of the Login.gov system it planned to use for taxpayer identity verification, according to a report released earlier this month by the Treasury Inspector General for Tax Administration. The IRS ran into hot water last year over the privacy implications of its existing verification system, ID.me, which uses facial recognition technology to authenticate taxpayers who submit a selfie and images of government-issued documents like a driver’s license or passport (see story). ID.me is used to authenticate taxpayers who set up online accounts with the IRS, and the IRS has also transitioned its other e-Services authentication to the platform.

Under criticism from members of Congress, the IRS agreed to allow taxpayers to opt out of using facial recognition technology and instead undergo a virtual interview with a customer service agent. The IRS made plans to transition its authentication technology away from ID.me in February 2022 to Login.gov, a system that’s been used in other parts of the federal government. The IRS’s then-commissioner Charles Rettig told lawmakers during a Senate oversight hearing last year that Login.gov didn’t have the capacity at the time to handle all the requests. The IRS made the decision in May of last year to migrate its e-Services online applications for tax professionals to ID.me in the meantime. Now it appears that the problems with Login.gov aren’t just due to capacity restrictions, but also to security concerns, according to the TIGTA report.

[Image: The IRS headquarters building in Washington, D.C. Photo: Andrew Harrer/Bloomberg]

The report is partially redacted out of security concerns as the IRS has often found itself subject to cyberattacks, and some of its e-Services applications such as Get Transcript and Identity Protection PIN faced data breaches in 2015, resulting in shutdowns that lasted until 2016 when the IRS added improved authentication.

The report found that Login.gov does not comply with all of the National Institute of Standards and Technology’s Identity Assurance Level 2 (IAL2) standards, which ID.me appears to comply with, according to its website. TIGTA’s review also found that Login.gov has not fully implemented specific controls to improve its anti-fraud program as required by the White House Office of Management and Budget. Another concern about Login.gov was partially redacted from the publicly released report.

The report lays out discussions between the IRS, TIGTA, the OMB, the Treasury Department and the General Services Administration over the concerns about Login.gov. In one memo last November, IRS officials explained the problem: “Login.gov’s lack of strong anti-fraud controls prohibits the IRS’s ability to detect large-scale exploits, putting billions of dollars of taxpayer payments at risk. The success of the IRS online fraud-fighting effort relies on end-to-end visibility of user’s online activity data predicated on a fully compliant IAL2 registration pipeline. Fraud control is mitigation from weaknesses in fully compliant IAL2 implementations. Fraud controls are not a substitute for non-compliant IAL2 implementations. The IRS maintains highly sensitive financial, Personally Identifiable Information (PII) data, and Federal Tax Information (FTI) across the taxpayer community and is a prime target of cyber-fraud. Bad actors have aggressively targeted IRS online applications leveraging identity theft that occurred outside the IRS with compromised third-party information.”

Last December, the IRS launched Login.gov to provide identity proofing services for two of its applications that were at the lower IAL1 level and continued its planning to provide identity proofing services for IAL2 applications. But after conducting a “tabletop exercise” in January, the IRS identified numerous fraud gaps and notified the GSA about them. Among the issues, it found that Login.gov had not yet added protections for individuals who are at heightened risk of identity theft and for whom standard identity verification controls are insufficient. They held a go/no-go decision meeting in March, but couldn’t reach a decision to implement the technology, with the IRS’s chief privacy officer voicing “significant concerns” about subjecting 10,000 taxpayers to the risks identified. Implementation of the system was postponed, but the IRS continued to come under pressure from other agencies like the OMB to roll out the system. The GSA’s own inspector general’s office released a report that month about how the agencies that were using Login.gov had been misled about its NIST level of security. The IRS decided in April not to do a limited-scope launch in the midst of tax season, and the Login.gov contract was modified in May. In July, the IRS approved a roadmap for a future credential service provider outlining the need for two or more CSPs, including a government and a non-government option, to give taxpayers a choice of credential service provider based on the taxpayer’s preference.

“The protection of taxpayer data is a top priority for the IRS, and we strive daily to improve our processes and maintain the public’s confidence,” wrote Jeffrey Tribiano, deputy commissioner for operations support at the IRS, in response to the report. “We also strive to enhance the taxpayer experience within the constraints of protection of taxpayer information. We continue to work toward a technical solution that will satisfy both.”
