Facial recognition is complete. So how will the IRS verify identity?
Such problems led the IRS and many others to switch to alternatives, such as sending a code to a phone number checked against credit agency records. They also informed a 2017 overhaul of federal digital identity guidelines, which recommended that access to systems that could leak sensitive data or cause financial harm require verifying a person with a photo ID or biometrics such as a fingerprint. Photo verification can be done in person, via video chat, or using algorithms that compare images or video of a person’s face to their identity.
At the same time, selfie checks have spread among private companies such as Airbnb, Uber, Lyft, Stripe and cryptocurrency exchange Coinbase.
ID.me, a Virginia-based startup, pioneered facial recognition for identity verification in government agencies, and in 2018 became the first vendor certified under NIST’s 2017 guidelines. The pandemic has boosted its activity. More than two dozen public employment agencies have rolled out ID.me since the pandemic began, often touting the service as a way to speed up application processing while preventing the fraud that has plagued pandemic aid employment programs.
Even before the recent outcry over the IRS’ use of ID.me, the company had its critics. Individuals have complained of waiting hours or even months to remedy a failed selfie check; privacy experts have pointed out that harvesting selfies creates new vulnerabilities. California’s state auditor said last year that while the company’s system improved job application processing, it rejected about 20% of legitimate applicants in its first few months of use.
Daniela Urban, executive director of the Center for Workers’ Rights, a Sacramento, Calif., nonprofit organization that helps low-wage workers and their families, said that when the California Department of Employment Development adopted ID.me at the end of 2020, it immediately created “a huge obstacle” for many of its customers.
The service’s default workflow required both a smartphone and a laptop or other device, which many low-income people lack. And helping people from a distance just got a whole lot harder. When clients now call with ID.me issues, Urban and her staff tell them to apply using paper forms instead. “We found this to be the easiest workaround, as requesters spent weeks or months trying to find someone they knew with a computer or phone who could help them,” says Urban.
The IRS did not respond to a question about how it would verify identity without using facial recognition. Kathleen Moriarty, director of technology at the Center for Internet Security, said the strong backlash against the IRS could cause security experts and standards setters to reconsider if or when facial recognition is an acceptable way to verify identity online. “Sometimes we get to a point where we have to rethink decisions about how to use technology,” she says.
ID.me CEO Blake Hall says he’s been rethinking some of his own decisions. “There’s a group of users that we didn’t consider,” says Hall. “We are now very aware of the need to offer them a path as well.” ID.me will now allow agencies to offer users the choice between automated processing with facial recognition or video chat with an agent, a process that was previously only a fallback if facial recognition failed. Hall says he’s hiring hundreds more agents to handle those chats, but early testing suggests more than 95% of people are choosing facial recognition. The company also has 700 locations for in-person identity verification across the United States.
Even before the IRS controversy, at least one federal agency was hesitant to use facial recognition for online identity checks. The Social Security Administration warned NIST in 2020 of “privacy, usability, and policy concerns” about the technology. “During preliminary testing, we found that a significant number of clients were either uncomfortable submitting a photo or lacked the technical knowledge or equipment to do so successfully,” the agency wrote. It raised concerns about potential biases affecting minority groups and called for alternatives to be allowed. NIST is due to release an updated draft of its digital identity guidelines this year and, after public consultation, will finalize it in 2023.
For now, the IRS and other agencies are likely to rely on established but flawed mechanisms like SMS-sent verification codes, despite the growth of “SIM-swapping” attacks that can hijack the process.