Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

By Summer, IRS Will Require Selfies for Online Access

January 20, 2022

KrebsonSecurity reported on January 19th that those who manage their tax records with the IRS will find that their login credentials will stop working by sometime this summer. The only way to log in to irs.gov will be through ID.me, an online identity verification services that requires applicants to submit copies of bills and identify documents – and (wow) – a live video feed of their faces via a mobile device.

ID.me is perhaps best known as the online identity verification service that many states use to stop the loss of billions of dollars in unemployment insurance and pandemic assistance stolen every year by identity thieves. The privately held company says it has approximately 64 million users, that number growing daily by roughly 145,000 new users.

As Krebs notes, “Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.”

Krebs went through the arduous process of creating an ID.me account. Read the post for the painful details.

A lot of trust is being placed in the company’s ability to protect all this private information. And one has to wonder about the facial recognition implications.

CEO Blake Hall told Krebs ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”

This all sounds great, but we all know from long and painful experience that there’s no silver bullet in cybersecurity.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology