The IRS isn’t doing quality control checks on the vendor-powered digital identity proofing that it requires taxpayers to pass in order to access many online IRS applications.
Although the tax agency beefed up its privacy protections after its use of the company ID.me and face recognition technology caused concern for members of Congress and advocacy groups in 2022, the IRS isn’t evaluating ID.me’s work or independently verifying performance data, according to a new report from the Government Accountability Office.
That means that the IRS is “relying on ID.me’s own assessments of its solutions’ performance,” reads the new report, which includes recommendations for the IRS.
Millions of taxpayers go through the company’s identity checks annually to get to IRS applications deemed sensitive enough to require identity proofing, like individual online accounts with information like tax records or balances.
Users logged into IRS apps requiring ID.me over 150 million times between 2021 and 2024, according to the report. People using the program can either go through a self-service option, which involves submitting a selfie and photo of an ID to be matched against each other, or join a video call with a live agent.
The tax agency promised to add a government-run option following backlash in 2022, but ID.me is still the only option for taxpayers wanting to access dozens of IRS applications online where stronger security controls are required.
In addition to performance checks, the IRS wasn’t able to show Congress’ watchdog that it had established measurable goals or performance objectives for its identity proofing program, of which ID.me is a main provider.
The IRS also hasn’t listed the identity proofing solution in its artificial intelligence inventory as required by law, executive order and IRS policies, despite the fact that ID.me uses AI as part of its face recognition process.
That means that “IRS cannot ensure that ID.me’s identity-proofing solutions comply with agency requirements or reflect the government-wide principles for AI use,” the report says.
The tax agency has obligated over $242 million to ID.me licenses, support services and fraud analytics across two contracts, both of which provide ID.me through V3Gate, a third-party software vendor.
In 2022, the IRS promised to add a government option — Login.gov — for users to select when accessing services, following backlash over its use of ID.me. The IRS currently only offers the government solution for IRS apps requiring less rigorous identity proofing.
Until last fall, that option didn’t meet government standards for more stringent identity proofing — a reason why the IRS didn’t add it in the first place as it rushed to get a solution in place to stand up a portal for the Advance Child Tax Credit in 2021. At the time, ID.me was the only vendor that met those standards, the report states, and the IRS used a blanket purchase agreement to move quickly, a decision that affected oversight moving forward.
“Due to the nature of the products contract vehicles, a quality assurance surveillance plan was not required nor completed to define performance measures for the IRS’s digital identity verification program,” comments from IRS included in the report read.
The BPA is set to end in August and will be up for renewal, giving the IRS an opening to change its oversight terms.
The lack of measurement means that it’s hard to know if the identity proofing is working for the IRS, even though ID.me gives the tax agency weekly performance reports, GAO says.
“IRS officials were unable to demonstrate how they used any performance data to evaluate ID.me solutions,” the report says, noting the risks inherent to identity proofing, given the data required to check someone logging in. Millions go through the process to access the IRS online annually, and ID.me is the only option.
Even within the agency, the IRS couldn’t show GAO that the agency has procedures for sharing ID.me performance data with the relevant IRS officials.
The efficacy of solutions that match a selfie against a photo of an ID to identity proof someone varies widely. Some work very well, but many aren’t able to reliably match selfies with ID photos. Many also struggle to actually catch fake IDs and root out imposters, testing has shown.
Face recognition technology also poses potential problems with privacy and bias.
Government testing in 2019 found racial and gender bias in algorithms used for face recognition tech, although that technology has generally gotten better since then. Still, government testing as recently as last fall found that some commercial offerings were inequitable across people of different demographics.
An ID.me spokesperson told Nextgov/FCW in a statement that ID.me increased the pass rates for identity proofing at the IRS from 40% with its old solution to over 70%. They also said that they had made improvements in access for underserved populations, and noted that other agencies also only offer a single option for how people can identity proof themselves.
The National Institute of Standards and Technology, which sets the identity proofing standards that are followed by the IRS and other agencies, should set metrics and performance guidelines for identity vendors, and the company also welcomes AI oversight, the spokesperson said.
“We agree fully with the GAO report that measurable goals and regular evaluation are necessary,” they noted.
The IRS made privacy-related changes to its contracts in 2022 after external pushback, the report says, and has followed up “to ensure ID.me privacy protections are in place and that data it uses are valid” by reviewing ID.me’s code for deleting data.
For now, ID.me is the only option for taxpayers wanting to access sensitive IRS apps online — including the IRS online tax filing website, Direct File. But the service is no longer the agency’s only viable option for identity proofing that meets NIST standards. After adding face recognition capabilities last year, Login.gov now meets the same, more stringent standard as ID.me.
As of last fall, the IRS told GAO that it was “developing plans to potentially use Login.gov for [identity assurance level 2] applications,” where stricter requirements for identity proofing are in place to prevent fraud and secure transactions.
The IRS didn’t respond to a request for comment on the status of adding Login.gov, which has been the subject of its own recent GAO recommendations and a bombshell report about how GSA officials misled other agencies about the standards the service met at the time.