IRS plans to approve use of Login-dot-gov as Tax Day nears

Less than a month out from Tax Day, the IRS is preparing to implement a government-operated identity verification system: Login.gov. Taxpayers will be able to use the single sign-on tool to access tax documents and make payments through IRS.gov as soon as next week, FCW and Nextgov have learned.

The news comes one year after the IRS faced outcry over requirements for taxpayers to verify their identities using facial recognition technology from vendor ID.me to access online IRS accounts and one week after an internal audit showed Login officials had paused efforts to implement similar technologies—and misled agencies about those plans. 

As the 2022 tax season wound down, the IRS pledged to work with the General Services Administration, which operates Login.gov, to add the service as an option for users. The tax agency cited the need for higher security standards and scale for Login.gov.

That time has come, according to multiple sources, with Login on track to be integrated as an identity proofing and authentication option for IRS.gov accounts next week. Already, two IRS applications that don’t require identity proofing offer Login.gov as an option.

Once fully integrated, taxpayers will be able to log in to IRS.gov using their Login.gov credentials, which are in use at a host of other federal websites, including benefits sites run by the Department of Veterans Affairs and the Social Security Administration.

But stakeholders on every side of this have expressed concerns about whether Login can meet the needs of the IRS—especially on Tax Day, the heaviest traffic day of the year—and what it will mean for the program.

“Reputation is my main concern,” one TTS staffer said in a June 2022 internal Slack message seen by reporters. “For example, IRS can weather this but for Login.gov it could make or break us.”

That reputation will be more important than ever as the White House considers a massive push for the service as part of a long-awaited executive order meant to address identity fraud in government benefit programs, although the order is not yet finalized.

A government-owned single sign-on solution

The initial prototype for Login.gov was built by the U.S. Digital Service—the White House’s tech unit—and 18F—the digital consultancy housed within GSA—with the goal of providing a single sign-on service that would someday be used across government. 

The service launched in 2017 and was built up over time, adding vendor support for various services, including data broker LexisNexis, which provides fraud detection and identity verification for the service.

In 2021, Login.gov received a nearly $187 million investment from GSA’s revolving tech fund, the Technology Modernization Fund, to help it scale to more agencies. 

And a partnership with the IRS would help those efforts, as it will introduce Login to a much larger pool of users.

“There will be a one-time big hit—a tsunami of identity proofing that will happen at the front—that’s going to be the big test,” said Dominic Sale, who from September 2019 to February 2021 served as assistant commissioner of GSA Solutions, the group under TTS responsible for managing Login.gov, among other services.

“Once those accounts are proofed, though, the beauty is they won’t have to reproof them every time they log in” to other government websites, Sale told FCW and Nextgov. “Will someone like IRS have to absorb some of that upfront? Possibly. I just hope to hell they’re prepared to do it.”

But the service has struggled to meet identity proofing standards set by the National Institute of Standards and Technology, leaving some agencies hesitant to use the service, including the IRS.

GSA told press in early 2022—as the IRS and ID.me were facing public pushback for facial recognition requirements—that the agency wouldn’t use facial recognition “until rigorous review gives us confidence that we can do so equitably and without causing harm to vulnerable populations.”

That decision, as outlined in a recent report by GSA's Office of Inspector General, put identity assurance level 2, or IAL2, out of reach for Login.gov, since NIST requires a biometric to meet that standard.

Despite that requirement, advocates concerned about the government’s use of facial recognition technology have long pointed to NIST testing done in 2019 that found different demographics had significantly different proofing rates among some facial recognition systems.

The Login.gov team “put concerns for the public’s experience and identity security front and center from the start—so much so that they’ve now been written up for actions related to them prioritizing user needs over full compliance with a standard so controversial that a vendor’s compliance with it caused a bipartisan political firestorm last year,” said Aaron Snow, 18F co-founder and former deputy commissioner of TTS, referencing the ID.me row. 

“Notwithstanding whatever mistakes or misrepresentations may have been made regarding compliance with the NIST standard, the bottom line is that Login.gov is a great, secure, and sorely needed cornerstone of our national government’s digital infrastructure,” he said.

NIST is currently updating the standards at the center of the recent watchdog report. The draft update, released last year, would add performance requirements for biometrics in identity proofing and independent tests for identity vendors.

NIST is also making a new, lower security threshold for identity proofing that would not require any biometrics, something that “is definitely going to create a new option for agencies… where you could use a somewhat lower level of assurance,” said Jeremy Grant, former senior executive advisor to NIST’s National Strategy for Trusted Identities in Cyberspace. “I don’t know that it’s going to solve the problem across the board,” he added.

Also in question is how well the IRS and GSA will be able to accommodate known barriers to digital identity proofing for people who don’t have access to identity tools or credentials needed to confirm their identity without being in person. Users who don't have a smartphone or access to their credit history could be left out.

“Those are the hardest people to proof,” according to Sale. “Whatever proofing rates they have, at large, demonstrated to this point, if you’re picking out a specific demographic that’s historically difficult to proof, then your proofing rates are going to plummet.”

“What’s the fallback if someone doesn’t get proofed remotely, which I’m guessing that half won’t,” Sale said. “Will there be something provisional, like a provisional ballot, where you can log in provisionally and then walk in somewhere in person to complete the proofing?”

GSA does have a pilot to allow users to identity proof in certain U.S. Postal Service locations, but according to public GSA documents from January, the effort is limited to “a small number of federal partners” and “select USPS retail locations.” GSA is assessing expanding the option in 2023.

As of last October, the pilot was limited to seven locations in and around Washington, D.C., but the Login.gov website no longer lists specific locations for the pilot.

Technically ready?

Potential issues also go beyond ethical and equity concerns. Several technical issues have arisen since this time last year, such as whether Login.gov’s servers can handle an extreme influx of users—particularly in the waning hours of Tax Day as a deluge of anxious taxpayers attempt to log in to IRS systems at the last minute.

“We have been working really, really closely with the IRS and making progress,” a source at TTS who has worked directly on this implementation told Nextgov. “The narrative that’s out there that Login isn’t ready or can’t do it, is actually not” the case.

While the Login system should expect its highest traffic rates to-date come Tax Day, the source said ongoing improvement efforts—funded in part by the TMF award—should get the system to where it needs to be.

“The Login I left would not” be able to handle the increase in users, Sale said. “I can only hope that they would not assert that they could handle it and then not be able to handle it.”

However, Sale noted the program has gotten a large influx of funding since his time in government.

“Login has a lot more money now than it did when I was there, in large part for these purposes,” he said.

A GSA spokesperson confirmed in October that the TMF award was being used to ensure Login’s ability to scale as needed.

Stakeholders have also wondered aloud about who will take the phone calls when disgruntled users inevitably run into technical issues while trying to sign up.

While the IRS is well-versed in dealing with customer calls on Tax Day, the agency does not run Login.gov and would not be able to provide technical help to users.

Conversely, while the Login.gov team knows its system, the unit is not traditionally staffed up to handle these kinds of events.

“We need [a] definitive answer to how the IRS approaches customer support. This is a major risk to GSA and the public in terms of the weight and volume we may incur. Please advise,” a concerned TTS staffer said in an internal Slack message in June, noting they had been asking this question for several months. “I’ve asked in person, over email and in the weekly meetings. The only answer I got in person was, ‘We don’t do customer support at IRS.’”

A GSA spokesperson referred questions on the agreement to the IRS and directed users to the Login.gov help desk, which they noted offers 24/7 support. They did not respond to follow-up questions about scaling the help desk ahead of Tax Day.

The IRS told FCW and NextGov in a statement that the “IRS continues to assess plans for integrating Login.gov to enable access to IRS applications that require identity proofing.”