The U.S. Internal Revenue Service (IRS) has partnered with a Virginia-based private identification firm, which uses facial recognition technology, in order to access online records with the agency.
According to KrebsonSecurity, the IRS announced the only way log into irs.gov by summer 2022 is through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.
The McLean-based company has evolved to providing online ID verification services, which several states are using to help reduce unemployment and pandemic-assistance fraud.
The privately-held company says it has approximately 64 million users.
IRS To Require Facial Recognition To View Tax Returns https://t.co/450oL4kzbd
— zerohedge (@zerohedge) January 20, 2022
The IRS says by mid-2022, the only way to log in to https://t.co/Vq2XKM8HuD will be through https://t.co/Qo6iX1NgjI, an ID verification service where applicants have to submit copies of bills/ID documents, as well as live selfies via a webcam or mobile. https://t.co/fmE3pbrVCP
— briankrebs (@briankrebs) January 19, 2022
This is not a joke. The IRS requires you to full dox now to access your own records or to make any changes to tax payments.
Full video recording, pictures, IDs, the works.
Going to be the most comprehensive government facial recognition database ever. https://t.co/W5vJsU2uU7
— MeanHash ₿ ✪ (@MeanHash) January 20, 2022
Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.
When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.
Krebs signed himself up with ID.me to describe the lengthy process that “may require a significant investment of time, and quite a bit of patience.”
After uploading images of your driver’s license, state-issued ID, or passport:
If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.
After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.
Zero Hedge added:
Krebs’ application became stuck at the “Confirming your Phone” stage – which led to a video chat (and having to resubmit other information) which had an estimated wait time of 3 hours and 27 minutes. Krebs – having interviewed ID.me’s founder last year – emailed him, and was able to speak with a customer service rep one minute later “against my repeated protests that I wanted to wait my turn like everyone else.”
cont. from Zero Hedge:
As far as security goes, CEO Blake Hall told Krebs last year that the company is ‘certified against the NIST 800-63-3 digital identity guidelines” and “employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.”
“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” said Hall. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”
Krebs believes that things such as facial recognition for establishing one’s identity is a “Plant Your Flag” moment, because “Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state.”
The top commenter in his comments section, meanwhile, begs to differ…