The US Internal Revenue Service (IRS) has partnered with a Virginia-based private identification firm that requires a facial recognition selfie, among other things, to create or access online accounts with the agency.
According to KrebsOnSecurity, the IRS announced that by the summer of 2022, the only way to log into irs.gov will be through ID.me. Founded by former Army Rangers in 2010, the McLean-based company has evolved into a provider of online ID verification services, which several states are using to help reduce unemployment and pandemic-assistance fraud. The company claims to have 64 million users.
Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.
When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits. -KrebsOnSecurity
For the sake of his article, Krebs made himself a guinea pig and signed up with ID.me to describe the lengthy process that "may require a significant investment of time, and quite a bit of patience."
After uploading images of one's driver's license, state-issued ID or passport:
If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans. -KrebsOnSecurity
Once that's accepted, ID.me will ask to verify your phone number - and will not accept numbers tied to voice-over-IP services such as Skype or Google Voice.
Krebs' application became stuck at the "Confirming your Phone" stage - which led to a video chat (and having to resubmit other information) which had an estimated wait time of 3 hours and 27 minutes. Krebs - having interviewed ID.me's founder last year - emailed him, and was able to speak with a customer service rep one minute later "against my repeated protests that I wanted to wait my turn like everyone else."
As far as security goes, CEO Blake Hall told Krebs last year that the company is "certified against the NIST 800-63-3 digital identity guidelines" and "employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity."
"We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled," said Hall. "You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis."
Krebs believes that things such as facial recognition for establishing one's identity are a "Plant Your Flag" moment, because "Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state."
The top commenter in his comments section, meanwhile, begs to differ...