The U.S. Internal Revenue Service (IRS) is requiring people to create an account with ID.me to access and submit taxes. One of the verification methods is a video selfie, reports KrebsOnSecurity.
Verification With IRS and ID.me
By the summer of 2022, this will be a requirement for all Americans, and ID.me will be the only method to log into the IRS website. ID.me is an online identity verification service. Based in Virginia, the private company is already being used by 27 states to screen for identity thieves. When you sign up for an account, you'll be asked to submit documents such as a scan of a driver's license or other government-issued ID and copies of utility or insurance bills. If you don't have one or more of the above, you'll be asked to submit a video selfie.
Based on the ID.me support page, the animation used to explain this looks similar to the process of setting up Face ID. The person in the GIF moves their head around for the camera and the video is uploaded.
Blake Hall walks through the account setup process, and it sounds tedious. One option is joining a live video chat with an agent, and the estimated wait time for Mr. Krebs was three and a half hours. He also mentions that he wasn't required to lift his credit freezes to complete the process, and at no time was the topic brought up. After Equifax disclosed a data breach in 2017, the IRS canceled its taxpayer identity contract with the bureau.
ID.me founder and CEO Blake Hall says that the company is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.
"We take a defense-in-depth approach, with partitioned networks, and use a very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled. You'd have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we've verified you we don't need that data about you on an ongoing basis."