IRS Will Stop Using ID.me Facial Recognition
The US Internal Revenue Service (IRS) will stop using face recognition technology from ID.me. The agency had begun introducing the authentication technology and had announced that users would be required to submit video selfies to the third-party company to access their online accounts. The plan to require the use of the technology was decried by privacy and civil liberties advocates, as well as by legislators.
This is a great lesson for security practitioners how you often have to balance the interests of different stakeholders. The IRS has a difficult job. It has been the target of massive fraud, and at the same time, needs to provide efficient access to tax data and filing resources. Most users will only connect with the IRS once a year, making some of the traditional authentication methods unpractical. In addition, the filings often happen last minute. Now add a good amount of politics to a difficult technical problem. Solutions may include a government-wide identity management (login.gov does attempt to provide that. Not sure why this wasn't here). Canada, for example, leverages financial institutions to identify individuals.
First, it is important to point out: years of sensitive information compromises has proven that no data is private when it is accessible by a reusable password. It is critical that sensitive citizen tax-related information (already being compromised for several years because of weak authentication) be given stronger protection – privacy is impossible without it. In my comment on the IRS announcement a few weeks ago I said, “The government needs to do strong vetting and testing of the ID.me service.” That, as well as exploring other alternatives, should have been done first and data made available showing the protection provided to the authentication data.
This is a great step in privacy and security, but it's important to note that others in government (such as the Department of Veterans Affairs) still use the same underlying service for identity. It would be nice to see a government clearinghouse for vetting the security of privacy invasive technologies and building implementation guidelines.
There are two challenges. First what strength of authentication is appropriate for your data. NIST 800-63-3 says you need MFA for accessing PII, which applies to the IRS. Second, what level of identity verification is necessary when issuing the authenticator. This is the problem the IRS was working to solve with the facial recognition. Services such as Login.gov are working to solve this problem, providing the appropriate level of authentication and identity assurance before issuing credentials, while allowing partnering agencies to have a single IDP for non-government users.
The IRS is in a tough spot here. They are trying to do the right thing by stopping rampant identity fraud. In addition, I’m not sure that this should be the IRS’s problem to solve as strong validation and authentication is needed by numerous government agencies, to include SSA. It appears that this is the path the government is taking with login.gov, but perhaps the solution is not robust enough yet? Either way, this is a problem that needs to be solved, so good to see this being worked on.
Many of the objections raised here are knee-jerk and not well considered. Unlike the password, even in the rare cases when an actual image is stored, as in the case of the facial image on a driver's license or passport, the utility does not rely upon secrecy. The world is awash with pictures of me, in both public and private databases. We have been using facial images for authentication purposes since the invention of photography. Computers have only recently become as good at reconciling them as toddlers.
William Hugh Murray
Read more in
Washington Post: IRS abandons facial recognition plan after firestorm of criticism
KrebsOnSecurity: IRS To Ditch Biometric Requirement for Online Access