If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will stop working later this year. The agency says that by the summer of 2022, the only way to log into irs.gov will be via ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.
McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.
These days, ID.me is probably better known as the online identity verification service that many states now use to help stem the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately owned company says it has nearly 64 million users, and is gaining nearly 145,000 new users every day.
About 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to provide far more information than is usually required for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.
Where an applicant does not have one or more of the above – or if something about their application gives rise to potential signs of fraud – ID.me may require a live, recorded video chat with the person applying for benefits.
Since my IRS credentials will stop working soon, I decided to create an ID.me account and share the experience here. An important preface to these instructions is that self-verification through ID.me requires the ability to take a live video selfie, either with the camera on a mobile device or with a webcam connected to a computer (the webcam must be attached to the same device you are using to apply for the ID.me account).
Also, successfully verifying your identity with ID.me may require a significant investment of time and a bit of patience. For example, stepping away from one part of the multi-step application process for more than five minutes meant logging in again and then resubmitting documents that had already been uploaded.
After entering an email address and choosing a password, you will be prompted to confirm your email address by clicking on a link sent to that address. After confirmation, ID.me prompts users to choose the Multi-Factor Authentication (MFA) option.
MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO security keys. ID.me also suggests using its own branded one-time code generator app, which can “push” a prompt to your mobile device for approval when you sign in. I went with this app, but encourage others to use the strongest MFA option available: a physical security key. To learn more about the benefits of using an MFA security key, check out this post.
Once the MFA option is set up, the system generates a one-time backup code and suggests that you save it in a safe place in case your chosen MFA option is not available the next time you try to use a service that requires ID.me.
Applicants are then asked to upload photos of their driver’s license, state-issued ID, or passport, either by uploading a file or by scanning the documents with a webcam or mobile device.
If your documents are accepted, ID.me will then prompt you to take a selfie directly using your mobile device or webcam. This took several attempts. When my computer camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.
ID.me then requires verification of your phone number, which means it will ask your mobile or landline provider to confirm that you are indeed an existing, paying customer who can be reached at that number. ID.me says it does not currently accept phone numbers associated with VoIP services such as Google Voice and Skype.
My application got stuck indefinitely at the “Verify Your Phone” stage, which sits somewhere near the middle of the overall verification process.
An email from the ID.me support team included a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all the information I had already provided, and then to upload some more.
For example, completing the process requires presenting at least two identification documents, such as a Social Security card, birth certificate, health insurance card, Form W-2, electric bill, or financial institution statement.
After re-uploading all this information, the ID.me system told me, “Please stay on this screen to join the video call.” However, the estimated waiting time when that message first appeared was “3 hours 27 minutes.”
I appreciate that the ID.me system relies on real humans to interview applicants in real time, and that those representatives cannot be expected to get to everyone right away. And I’ve come to realize that slowing things down is an important part of defeating identity fraudsters who seek to exploit automated identity verification systems that rely largely on static data about consumers.
Having said that, I started this “meet an agent” process around 9:30 p.m. and wasn’t particularly looking forward to staying up until midnight to complete it. But shortly after the message about the three-hour wait came up, I got a phone call from an ID.me technician who had been CC’d on my original email to the ID.me founder. Over my repeated objections that I wanted to wait my turn like everyone else, he said he would handle the process himself.
Sure enough, a minute later I was connected to the ID.me support person, who completed the verification over a video call. That took about a minute. But anyone who fails the automated sign-up can count on spending several hours getting validated.
When my application was finally approved, I went back to irs.gov and proceeded to sign in with my new ID.me account. After giving the IRS access to the personal data I shared with ID.me, I was looking at my most recent tax data on the IRS website.
I was somewhat concerned that my identity verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no point during the application process did ID.me mention a need to lift or thaw the security freeze to complete the authentication process.
The IRS previously relied on Equifax for its identity verification process, and back then anyone with a frozen credit file had to thaw it to get through the IRS’s old authentication system. For several years, the result of this dependence was that identity thieves massively abused the IRS website to impersonate taxpayers, view their private tax records, and ultimately obtain fraudulent tax refunds in their names.
The IRS canceled its “Taxpayer Identity” contract with Equifax in October 2017, after the credit bureau disclosed that its failure to patch a four-month-old security flaw had resulted in the theft of Social Security numbers and personal and financial information on 148 million Americans.
Perhaps in light of that massive 2017 breach, many readers will be rightly concerned about being forced to hand over so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall for last year’s story on how $100 million in unemployment claims went to inmates. I asked Hall what ID.me does to secure all the sensitive information it collects, which would undoubtedly be a tempting target for hackers and identity thieves.
Hall said ID.me is certified under NIST 800-63-3 Digital Identity Guidelines, uses multiple layers of security, and completely separates static consumer data associated with a validated identity from the token used to represent that identity.
“We take an in-depth defensive approach, with segmented networking, and use a very sophisticated encryption scheme so that these things are protected when there is a breach in the event of a firewall,” Hall said. “You will have to compromise tokens at scale and not just the database. We encrypt all of this stuff down to the file level with keys that spin and expire every 24 hours. Once we verify you, we don’t need that data about you on an ongoing basis.”
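To make the design Hall describes concrete (PII kept separate from the token, encryption at the record level, and keys that are retired daily), here is an added example that is not ID.me’s code and makes no claim about how ID.me actually implements it. It models a vault in which each verified identity record is sealed under its own data key, every data key is wrapped under a key-encryption key (KEK) that is rotated and destroyed daily, and the only thing a relying party such as irs.gov would receive is an opaque token. The cipher is a toy encrypt-then-MAC stream built on HMAC-SHA256 so the file runs with the standard library alone; a real system would use an AEAD such as AES-GCM with keys held in a KMS or HSM. All names, the sample identity record and the date strings are constructed for the example.

```python
# Hypothetical model (not ID.me's code) of per-record encryption behind an
# opaque identity token, with daily key-encryption-key (KEK) rotation.
# The toy cipher below stands in for a real AEAD such as AES-GCM.
import hashlib, hmac, json, secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to n bytes.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong key raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class IdentityVault:
    """Token store: the token carries no PII, and the PII is encrypted per record."""

    def __init__(self, today: str):          # today as an ISO date string, e.g. "2022-01-19"
        self.generation = 0
        self.keks = {}                       # kek_id -> KEK; only the current one survives rotation
        self.current_kek = self._new_kek(today)
        self.records = {}                    # token -> {"kek_id", "wrapped_dek", "blob"}

    def _new_kek(self, day: str) -> str:
        self.generation += 1
        kid = f"{day}-g{self.generation}"
        self.keks[kid] = secrets.token_bytes(32)
        return kid

    def enroll(self, pii: dict) -> str:
        """Store a verified identity and return the random token that stands in for it."""
        token = secrets.token_urlsafe(32)
        dek = secrets.token_bytes(32)        # per-record data-encryption key
        self.records[token] = {
            "kek_id": self.current_kek,
            "wrapped_dek": seal(self.keks[self.current_kek], dek),
            "blob": seal(dek, json.dumps(pii, sort_keys=True).encode()),
        }
        return token

    def assertion_for(self, token: str) -> dict:
        """What a relying party (e.g. a tax site) would receive: verified status, no PII."""
        if token not in self.records:
            raise KeyError("unknown token")
        return {"token": token, "verified": True}

    def reveal(self, token: str) -> dict:
        """Privileged path: unwrap the record's DEK with the current KEK, then open the record."""
        rec = self.records[token]
        dek = unseal(self.keks[rec["kek_id"]], rec["wrapped_dek"])
        return json.loads(unseal(dek, rec["blob"]))

    def rotate(self, today: str) -> None:
        """Daily rotation: rewrap every DEK under a fresh KEK, then destroy the old KEKs.
        Only the small wrapped keys are rewritten; the bulk ciphertext never moves."""
        new_id = self._new_kek(today)
        for rec in self.records.values():
            dek = unseal(self.keks[rec["kek_id"]], rec["wrapped_dek"])
            rec["wrapped_dek"] = seal(self.keks[new_id], dek)
            rec["kek_id"] = new_id
        self.keks = {new_id: self.keks[new_id]}
        self.current_kek = new_id

    def delete(self, token: str) -> None:
        """A deletion request drops the record; nothing else references its DEK."""
        self.records.pop(token, None)


def readable_with(kek: bytes, record: dict) -> bool:
    """True if this KEK still unwraps the record's DEK, i.e. a leaked copy of it is still useful."""
    try:
        unseal(kek, record["wrapped_dek"])
        return True
    except ValueError:
        return False
```

The point of the model is what a stolen database copy is worth on its own: the tokens are random and reveal nothing, each record is ciphertext under its own key, and once `rotate()` has run, a KEK captured the day before no longer unwraps anything, which is the property behind Hall’s remark that an attacker would have to compromise tokens at scale rather than just the database.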
Registering with ID.me requires users to agree to a biometric data policy, which states that the company will not sell, rent or trade your biometric data to any third parties or seek to profit from that information. ID.me says users can delete their biometric data at any time, but there was no obvious option to do so when I logged in directly to my new ID.me account.
When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to the process for deleting my ID.me account. So it appears that removing someone’s data from ID.me after validation means deleting that person’s account, and possibly having to re-register at some point in the future.
Over the years, I’ve tried to stress the importance of creating online accounts tied to your various identity, financial and communications services before identity thieves do it for you. But all those places where you have to “plant your flag” are doing identity verification in an automated way, using static data points about consumers that have been hacked many times over (SSNs, DoBs, etc.).
Love it or hate it, ID.me will probably become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than that at some point you will likely need to manage your relationship with the federal government and/or your state. Given the potential time investment needed to successfully create an ID.me account, it may be a good idea to do so before you have to at the last minute (like waiting until the eleventh hour to pay quarterly or annual assessed taxes).
If you have visited the login page of the U.S. Social Security Administration (SSA) recently, you’ll notice that on or around September 18, 2021, the agency stopped allowing new accounts to be created using only a username and password. Anyone seeking to create an account with the SSA is now directed toward ID.me or Login.gov, a single sign-on solution for U.S. government websites.