IRS withdraws user authentication plan amid security concerns
The agency offered facial recognition to verify users of online accounts
Mihir Bagwe
February 8, 2022
The US Internal Revenue Service said it would withdraw plans to use facial recognition to authenticate new users of its online accounts.
The move comes amid concerns from members of Congress and privacy advocates about potential cybersecurity, accuracy and software bias issues around the IRS’ proposal to implement the technology. Concerns have also been raised about the lack of transparency in the agency’s contract with third-party provider ID.me.
“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig said in an IRS statement. “Everyone should feel comfortable with how their personal information is secured, and we are rapidly pursuing short-term options that do not involve facial recognition.”
The IRS said it will “step away” from its third-party contractor ID.me’s facial recognition technology “over the coming weeks to avoid greater disruption for taxpayers during tax filing season.” It will instead develop and use an additional authentication process that does not use facial recognition technology, the statement said.
The agency did not respond to Information Security Media Group’s request for details on the alternative authentication process.
On November 17, 2021, the IRS introduced an identity verification and login process for those who wanted to access and use the agency’s online tools and applications. To provide the verification services, the IRS partnered with third-party contractor ID.me, which offers similar solutions to at least five federal agencies and six state agencies, according to its website.
At the time, Rettig said the new verification and login process would provide easy access to online tools and the ability to securely perform other routine tasks online. The process was developed as part of the Secure Access Digital Identity initiative and complies with a federal mandate, according to the earlier notification from the IRS.
But this process required taxpayers to create a new ID.me account to log into various IRS tools and apps. In addition, to verify their identity with ID.me, taxpayers had to provide photo identification such as a driver’s license, ID card or passport, and take a selfie with a smartphone or webcam. Only then were they allowed to access IRS online services.
The process is deemed secure and based on federal mandate guidelines, but the collection of personal information and its use in a facial recognition algorithm has caught the attention of privacy advocates and lawmakers. Senator Ron Wyden, D-Ore., said in a letter to the IRS Commissioner, “Forcing Americans to submit to scans using facial recognition technology as a condition of interacting with the e-government, including access to essential government programs.” And Wyden tweeted, “Americans shouldn’t have to sacrifice privacy for security.”
This is important: The IRS has informed my office that it plans to discontinue the use of facial recognition verification, as I requested earlier today. While this transition may take time, the administration recognizes that privacy and security are not mutually exclusive. https://t.co/jw7OR7dNo0
— Ron Wyden (@RonWyden) February 7, 2022
Representatives Ted W. Lieu, D-Calif., Anna Eshoo, D-Calif., Pramila Jayapal, D-Wash., and Yvette Clarke, D-N.Y., also sent a letter to the IRS Commissioner, urging the agency to halt plans to implement facial recognition technology and instead consult with various stakeholders before deciding on an alternative.
“Any government agency operating a facial recognition technology system – or contracting with a third party – creates potential risks of privacy breaches and abuse,” the members wrote in the joint letter. “In addition to cybersecurity risk, problems with the accuracy and bias of facial recognition systems disproportionately impact people of color,” the members note, citing a 2019 study by the National Institute of Standards and Technology which states that the one-to-one matching algorithms “saw higher rates of false positives for Asian and African American faces” compared to white faces.
The representatives also say they are concerned about the lack of transparency in the IRS’ contract with ID.me. Citing a recent company statement, the members note that ID.me claims not to use one-to-many facial recognition algorithms, yet in a recent interview its CEO revealed that “his company actually uses one-to-many facial recognition technology.” The representatives say this is misleading.
In the letter, the representatives also discuss the process for selecting a third-party processor, alternatives to facial recognition technology, review processes to mitigate data breach risks, and steps taken to secure biometric data.
What are the alternatives?
While the IRS is in the process of finding an alternative to facial recognition technology, Lecio De Paula Jr., vice president of data protection at cybersecurity firm KnowBe4, says it is essential to get the basics right.
A strong password requirement and simple two-factor authentication may be the best alternative, given the time frame the IRS is working on to phase out the current technology in use, De Paula Jr. told ISMG.
“[It] is a much cheaper, less intrusive and unbiased way to secure the portal without the need for a third party,” he says. “Once one government agency adopts a standard, others begin to follow. If the United States had a strong privacy law that protected individuals’ biometric information, the situation would be different. Without any protection, adopting this [facial recognition] technology on this scale would be privacy malpractice.”
Wyden recommends adopting login.gov, a single sign-on service operated by the US General Services Administration. Congress mandated use of the platform in 2015, according to a letter shared by Wyden on Twitter.
Wyden says, “Login.gov is already used to access 200 websites operated by 28 federal agencies and more than 40 million Americans have accounts. Unfortunately, login.gov has yet to reach its full potential, in part because many agencies have flouted Congress’s mandate that they use it and because successive administrations have not prioritized digital identity. The cost of this inaction amounted to billions of dollars in fraud, which in turn fueled a black market for stolen personal data and enabled companies like ID.me to market what should be a basic government service.”
In a tweet, Wyden said, “While this transition may take time, the administration recognizes that privacy and security are not mutually exclusive.”