As IRS grapples with ID.me, what's next for Login.gov?
The tax agency is in the hot seat with Congress and privacy advocates because it's asking citizens for a selfie to verify their identity with a private-sector service to file taxes online, but why won't the IRS use the government's homegrown ID system?
In 2020, the IRS processed over 189 million income tax returns; the same year, the Social Security Administration issued benefits to over 69 million people. But as more citizens look to find and use these government services online, identity remains a stumbling block. The government doesn't have an easy way to verify the identities of its citizens online for itself, a situation that many say must be changed as government services move online.
"COVID-19 moved government service delivery online, and there's every reason to believe that move is permanent," wrote Waldo Jaquith, current senior advisor to the head of the General Services Administration, in a 2021 report written while he was out of government and a fellow at Georgetown's Beeck Center.
"Government is now unavoidably in the identity-verification business, because doing so is central to delivering on agency missions," he wrote.
How federal agencies should do that, though, isn't clear.
The IRS is facing public scrutiny for using ID.me, an identity verification company that relies on biometrics.
Open government groups, privacy advocates, algorithm bias experts and members of Congress say they're concerned about ID.me -- about potential bias in its facial recognition technology, about reports of long wait times, and about the privacy and security of biometric data and how ID.me could share it with authorities. Concerns have also been sparked by the company CEO's backtracking about what methods of facial recognition it uses.
There are reports that the IRS is considering alternative identity verification tools in the wake of the ID.me controversy.
The government's homegrown identity service Login.gov does not appear to be an option for taxpayers right now. The shared sign-on service says publicly that it offers identity proofing capabilities, but it isn't currently finding customers among many widely-used, public-facing government services, including the IRS, which considered using the tool but decided against it.
Login.gov got a nearly $187 million investment from Technology Modernization Fund last fall. At the time, a GSA spokesperson told FCW that Login.gov wanted to use that money to attract larger agencies with high-profile public- facing missions, including IRS and SSA.
Most of Login.gov's business is providing shared sign-on services, or a way for someone to use a username and password with two-factor authentication on multiple sites, but there's still an expectation that the service can help with identity issues.
"To deal with improper payments, we also have to deal with identity theft," said Office of Management and Budget acting Director Shalanda Young at a recent Congressional hearing. "Improvements through the TMF [to Login.gov] will bring down identity theft issues."
The Treasury Department points to funding gaps when asked about their use of ID.me as opposed to an in-house solution or Login.gov.
"The lack of funding for IRS IT modernization has made it impossible for the IRS to invest in state-of-the-art technology," a Treasury spokesperson told FCW. "The IRS today uses third-party service providers to validate the identification of individuals attempting to improperly gain access to taxpayer accounts. This includes ID.me, which is compliant with the National Institute of Security Technology standards."
According to ID.me, it has 10 federal agency customers including the IRS, SSA and the Department of Veterans Affairs. It also works with over 20 states for their unemployment insurance programs. It is also known in the government contracting community as the credential needed to log into the System of Award Management.
The IRS has been struggling with how to do identity management for "probably a decade or longer," said Jay McTigue, director of strategic issues at the Government Accountability Office and expert in tax policy and administration. It saw billions go out the door annually in the mid-2010s to fraudulent claims for tax refunds.
"With the controversy now with the IRS, you know, the context before that is, well, gosh they had to do something. They really couldn't leave it with the old-fashioned password. There's just too much potential for fraud," said Nick Marinos, GAO's managing director for the IT and cybersecurity team.
The IRS has tried relying on "out-of-wallet" questions with information from credit bureaus. As that method became more hackable, the IRS moved to other methods, said McTigue. Some involved using people's personal cell phones as an identity token, but those methods left people without cell phones in limbo.
The IRS considered using Login.gov, said McTigue. "My understanding is they went with ID.me in part because at the time, Login.gov did not provide a high enough level of assurance for this type of transaction."
Who should run digital ID services?
Some on Capitol Hill are pushing for the government to be more directly involved with identity management. A bipartisan bill sponsored by Rep. Bill Foster (D-Ill.) would require the government to look for ways to be more active in digital identity verification.
"The U.S. is trailing the rest of the developed world when it comes to digital identity, and it's time we caught up," Foster said in a statement to FCW.
Senate Republicans, led by ranking member of the Senate Finance Committee Mike Crapo (R- Idaho), also pointed to the government's role in a recent letter to the IRS.
"The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services," they wrote. "The decision millions of Americans are forced to make is to pay the toll of giving up their most personal information, biometric data, to an outside contractor or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life."
With its access to personal biometric data on Americans, ID.me will likely be a target for cyberattacks, they wrote, also pointing out that the company isn't subject to the same oversight or data regulations as a government agency.
Jeremy Grant is a managing director of technology business strategy at Venable LLP and the former senior executive advisor for identity management at the National Institute of Standards and Technology. He's now the head of the Better Identity Coalition, a trade group that advocates for the government to take a bigger role in identity verification.
"To be clear [Login.gov depends] on the same sorts of vendors for ID verification," he wrote on Twitter. "If IRS was requiring people to submit selfies and data directly to IRS (rather than to ID.me) -- and then IRS would send that data for analysis to ID verification vendors behind the scenes -- would the reactions be any different?" he asked. Grant declined to comment on the record to FCW about ID.me or Login.gov.
Login.gov uses LexisNexis’ identity proofing capabilities, which have been vetted against government standards for identity proofing by the Kantara Initiative, which has also approved ID.me and is in the process of assessing Login.gov.
As to the biometric strategies used by ID.me that have come under criticism, a press representative for GSA, where Login.gov is housed, told FCW the agency is testing facial recognition technology, but facial recognition tech is currently "not in use on Login.gov for the public" and won't be "until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations."
GSA's vendor, LexisNexis, does state in its release on its GSA contract that LexisNexis Risk Solutions has "digital identity and authentication capabilities" that "incorporate identity authentication and document capture with biometric, identity verification and device/digital/behavioral risk assessment."
Still, the government is looking into biometrics, as evidenced by an October 2021 request for information from the Office of Science and Technology Policy asking for input and information on biometrics. The document notes that biometrics are "often presented as a cheaper and more reliable form of identification," but it also has been the subject of a range of concerns.
According to the Beeck Center report, Login.gov verifies identities by checking "attributes that may include the person's name, Social Security number, address, phone number, date of birth, and a photo of their state-issued ID card" against data sources like "driver's license databases, phone records, and credit agencies."
The Login.gov website says that proofing works via the submission of personal identifiable information, like photo IDs, that are "validated with the issuing source (ex: state DMVs) or authoritative sources (ex: credit, financial, telephone records)." Login.gov also validates addresses as part of the process.
"Login.gov is a solution that is keeping pace with the market, working with industry and the marketplace, and considering all of the options available to ensure secure authentication while prioritizing equity and accessibility in our product design and service delivery," said Dave Zvenyach, director of the Technology Transformation Services, the part of GSA that houses Login.gov.
The agency did not provide clarification on specific questions posed by FCW on the details of Login.gov's identity proofing capabilities, methods or vendors.
The trouble with Login.gov
According to the Beeck Center paper, Login.gov is having difficulty attracting government customers because of policy restrictions and its obligation to be cost-recoverable.
In his paper, Jacquith recommended that the service be expanded to all levels of government, something GSA started last year. It should also offer more services like eligibility determination and work with the Postal Service to offer in-person identity verification services as a way to "sidestep the challenges of online identity verification," which have emerged for all to see in the ID.me selfie story. Login.gov also needs to be inexpensive for agencies, Jaquith wrote.
Agencies also currently have only an all-or-nothing option and have to use Login.gov in its entirety, which Jaquith recommended changing so that agencies can pick and choose if they only want some of the functions.
One way that the government could be more involved is by attempting to recreate the physical ID system, which is spread across states but unified by intergovernmental cooperatives. This is a strategy Jaquith touted in his report as something that Login.gov could be a part of.
As to the ramifications of the current situation, Jaquith called the shift to the use of private businesses to verify identities for government a "seismic change in government service delivery" that "should not be entered into lightly," in his report.
"As long as government has existed, it has interfaced directly with the public that it serves. This new model puts a layer of private enterprise in the middle of that relationship, sometimes just for the moment of verification, but sometimes permanently," he wrote.
Having private businesses do the service also leaves them in possession of the "product" of verified identities, Jaquith continued.
"Whether it's ID.me or some other private company, a lot of the concerns we have are going to exist so long as it's a company outside of the government being entrusted with doing identity verification," said Caitlin Seeley George, campaign director at Fight for the Future, a nonprofit digital rights advocacy group.
There would still be concerns about the security of centrally government-held identity information, especially when it comes to cybersecurity and data protection, George said, but private industry isn't necessarily subject to the same levels of scrutiny as government systems and processes, nor is it always clear how companies are sharing that data.
"Why don't we address the problems we have around building up these tools internally and making them secure and trustworthy privacy-forward, as opposed to just expanding not only to continue to work with private companies, but expand the types of information and the sensitivity of the information that they're gathering," said George. "I think there is an opportunity to solve a number of problems here."