The U.S. Internal Revenue Service (IRS) is requiring people create an account with ID.me to access and submit taxes. One of the verification methods is a video selfie, reports KrebsOnSecurity.
Verification With IRS and ID.me
By the summer of 2022 this will be a requirement for all Americans and ID.me will be the only method to log into the IRS website. ID.me is an online identity verification service. Based in Virginia, the private company is already being used by 27 states to screen for identity thieves. When you sign up for an account you’ll be asked to submit documents such as: scan of a driver’s license or other government-issued ID and copies of utility or insurance bills. If you don’t have one or more of the above you’ll be asked to submit a video selfie.
Based on the ID.me support page, the animation used to explain this looks similar to the process of setting up Face ID. The person in the GIF moves their head around for the camera and the video is uploaded.
Blake Hall walks through the account setup process and it sounds tedious. One option is joining a live video chat with an agent, and the estimated wait time for Mr. Krebs was three and a half hours. He also mentions that he wasn’t required to lift his credit freezes to complete the process, and at no time was the topic brought up. After Equifax disclosed a data breach in 2017 the IRS canceled its taxpayer identity contract with the bureau.
ID.me founder and CEO Blake Hall says that the company is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.
We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled. You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.
ID.me’s privacy policy also says that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”
I have been trying to set up an account, and thus far it has been a nightmare. I live outside the US and most of the phone and address fields are US-centric. The workaround is to try to use the “live verification” (which looks like will become required for everyone going forward, according to the article), but I am stalled now by being forced to prove my SSN to them. The best I’ve got is an old Social Security statement from 2000 (they started masking the number in 2001). But that particular form isn’t one of the ones they accept, as far as I can tell. This is the first time I have ever been asked to “prove” my SSN to anyone, which has left me somewhat frustrated with the whole process.
I have an ID.ME account established as a Military Veteran. I don’t recall the process as being particularly onerous or time consuming.
@BlackCorvid: It is very much like setting up Face ID, only less efficient and more temperamental. It required more than one attempt to complete the setup, at least for me. I think this may, at least in part, be due to the process occurring on a website as opposed to being serviced by an SOC on device. Still, there are more onerous setups.