The IRS’ move drew brickbats from privacy advocates from the moment it was announced. On February 7, 2022, several lawmakers joined the chorus urging the IRS to reverse its decision, which the department did soon after, promising instead to explore other options. “The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” noted IRS commissioner Chuck Rettig as he recanted the decision. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”
Saving Face
The agency planned to use authentication technology from ID.me and had asked users to submit video selfies to the company to access their online accounts. Jay Paz, Senior Director of Delivery at Cobalt, told Lifewire over email that while biometrics have become a part of our daily lives, thanks to smartphones and smart devices, its use for authentication has been voluntary. “For more sensitive systems and data, like what the IRS has access to, it’s vital to have transparency into the technology and processes that will safeguard users’ data,” Paz pointed out. Tim Erlin, VP of Strategy at Tripwire, agreed and told Lifewire through email that while facial recognition technology is polarizing in general, for many, the idea of trusting a third-party to manage such personal data is unacceptable. “If the United States had a robust privacy law which protected the biometric information of individuals, that would be a different situation. However, without any protection for the data of American citizens, adopting this technology at this scale would be privacy malpractice,” Lecio DePaula Jr., VP of Data Protection at KnowBe4, told Lifewire over email. Then there’s the fact that not all people have access to biometric authentication capabilities, something Paul Laudanski, Head of Threat Intelligence at Tessian, pointed out to Lifewire over email. He reasoned this could be due to several factors, such as a lack of access to reliable internet services or devices with compatible cameras and sensors.
Viable Alternatives
DePaula Jr. believes that the IRS’ plan was one of those situations where the ends do not justify the means. “The portal can be just as secure by leveraging strong password requirements as well as two-factor authentication for the end-users, which is a much more inexpensive, less intrusive, and unbiased way to secure the portal without needing to leverage a third party,” he opined. Paz is in favor of such secondary identity verification methods as well, especially the use of time-based one-time password apps such as Google Authenticator. Alternatively, he suggested the IRS can also try using verified phone numbers to text an SMS code to users, which is perhaps the most widely accessible solution available to virtually all users of all ages. Before it zeroes in on a solution, however, Darren Cooper, CTO at Egress, explained to Lifewire via email the IRS will have to ensure the mechanism it selects can protect taxpayer data without introducing accessibility issues. He suggested that if the department wants to prioritize a higher level of security, they could use physical means of personal authentication such as an RSA security key fob. This method, however, is logistically complex. SMS authentication is a potentially less complex option, but Cooper added it’ll only work if the department has a known mobile number for everyone. “The IRS should also consider a requirement for prior interaction with the user to confirm their identity before they can access the service. For example, they could require that taxpayers enter unique ID details, such as social security or passport numbers, which can be checked by the IRS internally before an online login is issued. The logistical overhead here is greater but ensures a higher level of security can be achieved,” suggested Cooper. While the IRS hasn’t listed the alternatives it’s exploring, clearly, there’s no shortage of options. Even as they collectively hailed the IRS for reversing its decision, security experts point out others in the government, most notably the Department of Veterans Affairs, still use the same underlying facial recognition service for identity verification purposes. This is something DePaula Jr. is well aware of and hopes the IRS “begins to head in the right direction, because once one government agency adopts a standard, others begin to follow.”