As IRS grapples with ID.me, what's next for Login.gov?


The tax agency is in the hot seat with Congress and privacy advocates because it's asking citizens for a selfie to verify their identity with a private-sector service to file taxes online, but why won't the IRS use the government's homegrown ID system?

In 2020, the IRS processed over 189 million income tax returns; the same year, the Social Security Administration issued benefits to over 69 million people. But as more citizens look to find and use these government services online, identity remains a stumbling block. The government doesn't have an easy way to verify the identities of its citizens online for itself, a situation that many say must be changed as government services move online.

"COVID-19 moved government service delivery online, and there's every reason to believe that move is permanent," wrote Waldo Jaquith, current senior advisor to the head of the General Services Administration, in a 2021 report written while he was out of government and a fellow at Georgetown's Beeck Center.

"Government is now unavoidably in the identity-verification business, because doing so is central to delivering on agency missions," he wrote.

How federal agencies should do that, though, isn't clear.

The IRS is facing public scrutiny for using ID.me, an identity verification company that relies on biometrics.

Open government groups, privacy advocates, algorithm bias experts and members of Congress say they're concerned about ID.me -- about potential bias in its facial recognition technology, about reports of long wait times, and about the privacy and security of biometric data and how ID.me could share it with authorities. Concerns have also been sparked by the company CEO's backtracking about what methods of facial recognition it uses.

There are reports that the IRS is considering alternative identity verification tools in the wake of the ID.me controversy.

The government's homegrown identity service Login.gov does not appear to be an option for taxpayers right now. The shared sign-on service says publicly that it offers identity proofing capabilities, but it isn't currently finding customers among many widely-used, public-facing government services, including the IRS, which considered using the tool but decided against it.

Login.gov got a nearly $187 million investment from the Technology Modernization Fund last fall. At the time, a GSA spokesperson told FCW that Login.gov wanted to use that money to attract larger agencies with high-profile public-facing missions, including IRS and SSA.

Most of Login.gov's business is providing shared sign-on services, or a way for someone to use a username and password with two-factor authentication on multiple sites, but there's still an expectation that the service can help with identity issues.

"To deal with improper payments, we also have to deal with identity theft," said Office of Management and Budget acting Director Shalanda Young at a recent Congressional hearing. "Improvements through the TMF [to Login.gov] will bring down identity theft issues."

The Treasury Department points to funding gaps when asked about its use of ID.me as opposed to an in-house solution or Login.gov.

"The lack of funding for IRS IT modernization has made it impossible for the IRS to invest in state-of-the-art technology," a Treasury spokesperson told FCW. "The IRS today uses third-party service providers to validate the identification of individuals attempting to improperly gain access to taxpayer accounts. This includes ID.me, which is compliant with the National Institute of Security Technology standards." 

According to ID.me, it has 10 federal agency customers including the IRS, SSA and the Department of Veterans Affairs. It also works with over 20 states for their unemployment insurance programs. It is also known in the government contracting community as the credential needed to log into the System of Award Management.

The IRS has been struggling with how to do identity management for "probably a decade or longer," said Jay McTigue, director of strategic issues at the Government Accountability Office and an expert in tax policy and administration. It saw billions go out the door annually in the mid-2010s to fraudulent claims for tax refunds.

"With the controversy now with the IRS, you know, the context before that is, well, gosh they had to do something. They really couldn't leave it with the old-fashioned password. There's just too much potential for fraud," said Nick Marinos, GAO's managing director for the IT and cybersecurity team.

The IRS has tried relying on "out-of-wallet" questions with information from credit bureaus. As that method became more hackable, the IRS moved to other methods, said McTigue. Some involved using people's personal cell phones as an identity token, but those methods left people without cell phones in limbo.

The IRS considered using Login.gov, said McTigue. "My understanding is they went with ID.me in part because at the time, Login.gov did not provide a high enough level of assurance for this type of transaction."

Who should run digital ID services?

Some on Capitol Hill are pushing for the government to be more directly involved with identity management. A bipartisan bill sponsored by Rep. Bill Foster (D-Ill.) would require the government to look for ways to be more active in digital identity verification. 

"The U.S. is trailing the rest of the developed world when it comes to digital identity, and it's time we caught up," Foster said in a statement to FCW.

Senate Republicans, led by ranking member of the Senate Finance Committee Mike Crapo (R-Idaho), also pointed to the government's role in a recent letter to the IRS.

"The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services," they wrote. "The decision millions of Americans are forced to make is to pay the toll of giving up their most personal information, biometric data, to an outside contractor or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life."

With its access to personal biometric data on Americans, ID.me will likely be a target for cyberattacks, they wrote, also pointing out that the company isn't subject to the same oversight or data regulations as a government agency. 

Jeremy Grant is a managing director of technology business strategy at Venable LLP and the former senior executive advisor for identity management at the National Institute of Standards and Technology. He's now the head of the Better Identity Coalition, a trade group that advocates for the government to take a bigger role in identity verification. 

"To be clear [Login.gov depends] on the same sorts of vendors for ID verification," he wrote on Twitter. "If IRS was requiring people to submit selfies and data directly to IRS (rather than to ID.me) -- and then IRS would send that data for analysis to ID verification vendors behind the scenes -- would the reactions be any different?" he asked. Grant declined to comment on the record to FCW about ID.me or Login.gov.

Login.gov uses LexisNexis’ identity proofing capabilities, which have been vetted against government standards for identity proofing by the Kantara Initiative, which has also approved ID.me and is in the process of assessing Login.gov.  

As to the biometric strategies used by ID.me that have come under criticism, a press representative for GSA, where Login.gov is housed, told FCW the agency is testing facial recognition technology, but facial recognition tech is currently "not in use on Login.gov for the public" and won't be "until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations."

GSA's vendor, LexisNexis, does state in its release on its GSA contract that LexisNexis Risk Solutions has "digital identity and authentication capabilities" that "incorporate identity authentication and document capture with biometric, identity verification and device/digital/behavioral risk assessment." 

Still, the government is looking into biometrics, as evidenced by an October 2021 request for information from the Office of Science and Technology Policy asking for input and information on biometrics. The document notes that biometrics are "often presented as a cheaper and more reliable form of identification," but it also has been the subject of a range of concerns.

According to the Beeck Center report, Login.gov verifies identities by checking "attributes that may include the person's name, Social Security number, address, phone number, date of birth, and a photo of their state-issued ID card" against data sources like "driver's license databases, phone records, and credit agencies."

The Login.gov website says that proofing works via the submission of personally identifiable information, like photo IDs, that is "validated with the issuing source (ex: state DMVs) or authoritative sources (ex: credit, financial, telephone records)." Login.gov also validates addresses as part of the process.

"Login.gov is a solution that is keeping pace with the market, working with industry and the marketplace, and considering all of the options available to ensure secure authentication while prioritizing equity and accessibility in our product design and service delivery," said Dave Zvenyach, director of the Technology Transformation Services, the part of GSA that houses Login.gov.

The agency did not provide clarification on specific questions posed by FCW on the details of Login.gov's identity proofing capabilities, methods or vendors. 

The trouble with Login.gov

According to the Beeck Center paper, Login.gov is having difficulty attracting government customers because of policy restrictions and its obligation to be cost-recoverable.

In his paper, Jaquith recommended that the service be expanded to all levels of government, something GSA started last year. It should also offer more services like eligibility determination and work with the Postal Service to offer in-person identity verification services as a way to "sidestep the challenges of online identity verification," which have emerged for all to see in the ID.me selfie story. Login.gov also needs to be inexpensive for agencies, Jaquith wrote.

Agencies also currently have only an all-or-nothing option and have to use Login.gov in its entirety, which Jaquith recommended changing so that agencies can pick and choose if they only want some of the functions.

One way that the government could be more involved is by attempting to recreate the physical ID system, which is spread across states but unified by intergovernmental cooperatives. This is a strategy Jaquith touted in his report as something that Login.gov could be a part of.

As to the ramifications of the current situation, Jaquith called the shift to the use of private businesses to verify identities for government a "seismic change in government service delivery" that "should not be entered into lightly," in his report.

"As long as government has existed, it has interfaced directly with the public that it serves. This new model puts a layer of private enterprise in the middle of that relationship, sometimes just for the moment of verification, but sometimes permanently," he wrote. 

Having private businesses do the service also leaves them in possession of the "product" of verified identities, Jaquith continued.

"Whether it's ID.me or some other private company, a lot of the concerns we have are going to exist so long as it's a company outside of the government being entrusted with doing identity verification," said Caitlin Seeley George, campaign director at Fight for the Future, a nonprofit digital rights advocacy group. 

There would still be concerns about the security of centrally government-held identity information, especially when it comes to cybersecurity and data protection, George said, but private industry isn't necessarily subject to the same levels of scrutiny as government systems and processes, nor is it always clear how companies are sharing that data.

"Why don't we address the problems we have around building up these tools internally and making them secure and trustworthy privacy-forward, as opposed to just expanding not only to continue to work with private companies, but expand the types of information and the sensitivity of the information that they're gathering," said George. "I think there is an opportunity to solve a number of problems here."
