[HN Gopher] IRS to ditch biometric requirement for online access
___________________________________________________________________
IRS to ditch biometric requirement for online access
Author : bonyt
Score : 119 points
Date : 2022-02-07 20:23 UTC (2 hours ago)
(HTM) web link (krebsonsecurity.com)
| strangesongs wrote:
| "Login.gov is already used to access 200 websites run by 28
| Federal agencies and over 40 million Americans have accounts,"
| Wyden wrote in a letter to the IRS today. "Unfortunately,
| login.gov has not yet reached its full potential, in part because
| many agencies have flouted the Congressional mandate that they
| use it, and because successive Administrations have failed to
| prioritize digital identity. The cost of this inaction has been
| billions of dollars in fraud, which has in turn fueled a black
| market for stolen personal data, and enabled companies like ID.me
| to commercialize what should be a core government service."
|
| not great!
| cproctor wrote:
| If the IRS (or Sen. Wyden) is looking for a "core government
| service" which has been inappropriately commercialized, they
| might start with tax preparation.
| Rebelgecko wrote:
| I recently had to sign up for login.gov (to renew my Global
| Entry, after they moved away from their own one-off CBP login
| system) and was pleasantly surprised with how good it was.
| Hopefully the TreasuryDirect.gov folks migrate some day
| monksy wrote:
| Are they still giving out those decoder cards?
| StanislavPetrov wrote:
| Not great that there is billions of dollars in fraud or that
| the government uses a private company to harvest and retain the
| biometric data of over 40 million Americans. Great that the IRS
| is no longer part of this biometric data harvesting scheme that
| represents a massive attack on the privacy and dignity of every
| taxpayer.
| jackson1442 wrote:
| I was extremely confused when I was asked to create an ID.me
| account for IRS. I have implemented Login.gov for some projects
| and it's rather easy; I can't see why they'd choose something
| else.
| Spooky23 wrote:
| Easy, the answer is right here:
| https://developers.login.gov/overview
|
| Login.gov is a fine authentication service, but cannot
| deliver the identity assurance level (IAL-2) required to
| identify people. (It may not be able to deliver AAL-2
| authentication soon either as standards evolve.) Uploading a
| picture of your driver's license is not a meaningful
| validation of your identity.
|
| The reaction of the Senators here is the equivalent of "I'm
| shocked to hear there is gambling happening here". Typical
| pandering. Literally every driver's license and ID in the
| country is running through a biometric identity provider run
| by a contractor to identify duplicate licenses. Many DMVs
| outsource credential production to a third party.
|
| I don't think ID.me is the best solution, but it is better
| than providing a trivially stolen number "what was your AGI
| last year" that facilitates billions of dollars of fraud
| annually.
| akersten wrote:
| No third party/private solution is appropriate here.
|
| The government that oversees the issuing of these IDs and
| attests that they are sufficient for government use (Real
| ID) cannot themselves validate said ID?
|
| Corruption or incompetence are the only paths that lead to
| outsourcing federal identity verification.
| Spooky23 wrote:
| The only IDs issued widely by the US government are
| military credentials, immigration credentials, and
| passports. Driver's licenses are issued by states and
| other entities. They are also fraught with problems as
| millions of people do not have REAL IDs, yet need to
| interact with government.
|
| The problem is that any bartender who has scanned your
| driver's license has the information required to scam an
| online validation without some other validation.
|
| If you want good online validation for the public, you
| need a third party right now. In the future, in some
| states, you'll be able to use a mobile driver's license,
| provided you own a smartphone. Also problematic, as the
| government has to support everyone. Foreign nationals pay
| tax. People in nursing homes who cannot appear before a
| DMV need to pay taxes.
|
| You can yak about corruption and incompetence, but that
| honestly attests to ignorance on the topic.
| toomuchtodo wrote:
| You continue to make some good points, but at the end of
| the day, this is a government function and
| responsibility, not that of a private company.
|
| This is a call to enhance Login.gov's identity abilities,
| and US government citizen identity management in general.
| Login.gov (and perhaps USPS for in person proofing)
| should be funded to do this, not ID.me. Higher level,
| this is about building strong public goods and defending
| them.
| mpyne wrote:
| > You continue to make some good points, but at the end
| of the day, this is a government function and
| responsibility, not that of a private company.
|
| Private companies have been part of the government
| discharging its responsibilities since the first days of the
| Republic. You'd probably be shocked when you learn who
| does credit monitoring after government servers get
| hacked, by the way.
|
| By your logic the government couldn't use cloud computing
| (run by a private company), couldn't use computer
| hardware even if they wanted to run a private cloud
| (hardware is built by private companies).
| PaulDavisThe1st wrote:
| > You continue to make some good points, but at the end
| of the day, this is a government function and
| responsibility, not that of a private company.
|
| I 100% agree. Problem is, the federal government (and the
| state governments and to a large extent big chunks of the
| citizenry) are fundamentally opposed to the issuance of a
| non-passport general citizen's ID and/or number. Those
| opposed to it don't have any good solution to "how to
| protect information the government keeps about you"
| either, so it's no good asking them.
|
| Devising an actual public system for identity
| verification when you're being told the government cannot
| identify people is ... challenging.
| Spooky23 wrote:
| USPS is already the agent for a national ID program in
| all but name -- passports and passport cards, which are
| much better than DMV-issued credentials in many ways.
|
| As another poster mentioned, the problem is that both
| progressive and conservative constituencies are strongly
| against meaningful national identity for different
| reasons, some of which are insane.
|
| It's a policy problem that won't be solved in our
| lifetime. Our best bet long term is for states to issue
| mobile credentials, but even that is problematic because
| it will disenfranchise people.
| hn-sucks wrote:
| techsupporter wrote:
| > If you want good online validation for the public, you
| need a third party right now.
|
| In all reality, this is fine. I have no particular
| problem with using facial recognition, but I want it
| regulated and I want recourse.
|
| Fine, outsource it to ID.me. But the terms of service
| better be a page, maximum, and include the ability for me
| to appeal a decision that says I am not who I say I am
| and to use other forms of validation that may be slower
| or more procedural (such as presenting myself to a Post
| Office). I want no binding arbitration clause in the
| agreement, and if that means the Federal government has
| to indemnify ID.me, then so be it. I want it in the TOS
| that the data ID.me uses for this will be segregated and
| kept for a very limited time and that I have the right to
| review and correct it.
|
| Use the third party for what they are good for but
| enforce suitable rights for the rest. This is doable, it
| just wasn't fully done here.
| jdmichal wrote:
| I generally agree with you. However:
|
| Real ID validates that you are the person you are at the
| time of issuance, but does not guarantee that the
| possessor of the ID is that person. This stems from the
| fact that an ID is "something you have". Like any secure
| system, you should use multifactor authentication. The
| facial scan is "something you are", so the combination of
| ID and scan provides that. One might also use "something
| you know", such as your adjusted gross income (AGI) that
| the IRS used before.
| PaulDavisThe1st wrote:
| I think the difficulty is that the (federal) government
| can't currently do anything except the "something you
| know" part. It can't use "something you have" (because
| too many people are opposed to federal government issued
| ID), and "something you are" appears beyond the scope of
| the federal govt to implement (correctly) at this time.
| closeparen wrote:
| The government cannot build a competent identity solution
| because a majority of voters believe that to do so
| presages something from genocide ("Papiere, bitte!") to
| the literal end of the world ("Mark of the Beast").
| xenophonf wrote:
| login.gov meets IAL2 since NIST SP 800-63-3 "allows for
| remote or in-person identity proofing" (800-63A page 8).
| Likewise, TOTP is explicitly mentioned as an allowed
| multi-factor OTP authenticator (800-63B pages 20-21). I'm not
| aware of changes in SP 800-63-4 that would affect
| login.gov's current implementation, but it's been a minute
| since I last read the -4 draft and could be wrong.
| thesimon wrote:
| What about sending a letter to the registered address?
| xenophonf wrote:
| I've also implemented login.gov as an identity provider of
| last resort for a system that requires identity proofing
| (IAL2). It works great once folks are signed up and verified
| for a login.gov account, but the identity assurance process
| always seems to end up requiring a piece of mail sent to new
| users' homes. The phone/utility verification process never
| seems to work right, and the postal mail option adds a week's
| delay (or more) to our user enrollment process. In my and
| several test users' cases, we've had our phone numbers in our
| names for literally decades, so it isn't a matter of public
| records being ambiguous.
|
| We've also had problems getting login.gov to proof new users
| with national but not state IDs. For example, we have someone
| with a passport but no driver's license. They should be able
| to use just the passport for identity proofing since the
| passport itself requires two or more forms of SUPERIOR/STRONG
| evidence (per NIST SP 800-63-3), but login.gov must not
| authenticate the passport with the State Department, meaning
| it fails 800-63A 4.4.1.2 (evidence collection requirements)
| rule 1 and must implement rule 2, instead (collect two pieces
| of STRONG evidence, i.e., national _and_ state IDs both).
| It's really frustrating because I cannot demand my users go
| out and get (pay for) state IDs they don't otherwise want or
| need.
|
| All that said, even though login.gov isn't perfect, I do like
| it and am very impressed with 18F/TTS's work. They've done a
| very thorough job with their SAML implementation compared to
| the ADFSes/Oktas/Pings/etc. of the world.
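The evidence-collection rules the comment above walks through, as an added example (not login.gov's or 18F's code): a small model of the IAL2 evidence rules in NIST SP 800-63A 4.4.1.2, written from the commenter's reading of them, showing why a passport alone fails unless the CSP validates it with the issuing source, and why a second STRONG document then becomes necessary. The evidence kinds, strength assignments and the `Evidence`/`meets_ial2` names are this example's own assumptions.

```python
"""Model of the IAL2 evidence rules discussed above (added example).

Rule 1: one SUPERIOR or STRONG piece of evidence suffices only if the
        issuing source itself proofed the holder with two or more
        SUPERIOR/STRONG documents AND the CSP validates the evidence
        directly with that issuing source.
Rule 2: otherwise, two pieces of STRONG evidence are required.
(800-63A lists a further combination, STRONG plus two FAIR, which this
model deliberately leaves out to stay on the comment's two rules.)
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class Strength(IntEnum):
    # Ordered so that "at least STRONG" is a simple comparison.
    UNACCEPTABLE = 0
    WEAK = 1
    FAIR = 2
    STRONG = 3
    SUPERIOR = 4


@dataclass(frozen=True)
class Evidence:
    kind: str                          # e.g. "passport" (label only)
    strength: Strength
    issuer_proofed_strongly: bool = False  # issuer collected 2+ SUPERIOR/STRONG
    validated_with_issuer: bool = False    # CSP checked it with the issuer


def meets_ial2(evidence: Iterable[Evidence]) -> Optional[str]:
    """Return the satisfied rule name, or None if IAL2 is not met."""
    items = list(evidence)
    # Rule 1: a single document, but only with issuer-side validation.
    for e in items:
        if (e.strength >= Strength.STRONG
                and e.issuer_proofed_strongly
                and e.validated_with_issuer):
            return "rule 1"
    # Rule 2: two documents that are STRONG or better.
    strong = [e for e in items if e.strength >= Strength.STRONG]
    if len(strong) >= 2:
        return "rule 2"
    return None


# Constructed sample cases mirroring the comment's scenario.
passport_unvalidated = Evidence("passport", Strength.SUPERIOR,
                                issuer_proofed_strongly=True)
passport_validated = Evidence("passport", Strength.SUPERIOR,
                              issuer_proofed_strongly=True,
                              validated_with_issuer=True)
state_id = Evidence("driver's license", Strength.STRONG)
utility_bill = Evidence("utility bill", Strength.FAIR)

if __name__ == "__main__":
    print(meets_ial2([passport_unvalidated]))            # None
    print(meets_ial2([passport_validated]))              # rule 1
    print(meets_ial2([passport_unvalidated, state_id]))  # rule 2
```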
| helper wrote:
| Now we just need to get all the state government agencies to drop
| this requirement as well (looking at you, California).
| tims33 wrote:
| IRS press release: https://www.irs.gov/newsroom/irs-announces-
| transition-away-f...
|
| Great news for everyone here. I still don't know how this
| provider was actually selected, but at least this change came
| relatively quickly.
| [deleted]
| WalterGR wrote:
| 124 comments about a week back:
| https://news.ycombinator.com/item?id=30126118
| dang wrote:
| Thanks! Macroexpanded:
|
| _Treasury reconsiders IRS's use of ID.me face recognition for
| web_ - https://news.ycombinator.com/item?id=30126118 - Jan 2022
| (121 comments)
|
| _IRS Will Require Facial Recognition Scans to Access Your
| Taxes_ - https://news.ycombinator.com/item?id=30011145 - Jan
| 2022 (20 comments)
|
| _IRS Will Soon Require Selfies for Online Access_ -
| https://news.ycombinator.com/item?id=29996614 - Jan 2022 (428
| comments)
| mwexler wrote:
| Hmm... In the US, login.gov still uses id.me for verification (at
| least on new signup), and this is the sso for TSA stuff like
| Global Entry, and the Social Security site. I guess it's used
| "less" now, but is still present for US Government services.
| ipsin wrote:
| So for anyone who's already used id.me, how hard will it be to
| purge the biometrics? (And same question for if you live in
| California)
| AdmiralAsshat wrote:
| The fact that this was even being considered shows how pitifully
| little anyone learned from the Equifax breach.
| throwhauser wrote:
| It's not just the potential for a breach. I didn't want id.me
| itself to have my information. It's ridiculous to have a
| private company, not accountable to the public, gatekeeping
| government services, regardless of how many certifications they
| have.
|
| Hopefully id.me will get booted from other government agencies
| as well.
| imglorp wrote:
| Forget Equifax ... how about the Office of Personnel
| Management? People may well have lost their lives as a result.
| We may not know for decades.
|
| https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagi...
|
| Oh, and the IRS has already been breached at least once. I'm
| not wild about waiting for the next one. Maybe government is
| not the best group to be holding your personal data.
|
| https://www.nytimes.com/2015/05/27/business/breach-exposes-i...
| woodruffw wrote:
| All things being equal, the US government is simultaneously
| (1) the single most legitimate non-medical third party that
| needs to access my personal data, and (2) the single best
| entity to hold my data _in terms of personal recourse_.
| That's not saying much, but it _is_ better than the open scorn
| and disrespect for my privacy that corporations offer.
|
| The solution to government breaches is what it's always been:
| to make the breached data _less valuable_. Hacking the IRS
| would be significantly less appealing if we criminalized
| corporate use of SSNs as credentials.
| gruez wrote:
| >the single best entity to hold my data in terms of
| personal recourse
|
| what type of recourse are you talking about? Voting your
| representatives out?
| imglorp wrote:
| Good point, gov has less reason to sell your data
| dylan604 wrote:
| Yeah, that federal deficit surely doesn't need any help
| getting paid down /s
|
| However, this isn't to say that someone doesn't get the
| bright idea that they could fund some sort of slush fund
| with this.
| mLuby wrote:
| What lesson do you think organizations learned from that
| breach? (As it relates to this article.)
|
| The pattern I see is:
|
| 1. Company collects and stores private consumer info.
|
| 2. Company gets hacked.
|
| 3. Company share price unaffected.
|
| 4. Company sued in class-action lawsuit.
|
| 5. Company settles by offering discounted/free products to
| victims of the hack. ("A $50 value!") Lawyers make a few
| million.
|
| Result: company gets _more_ users' info as they sign up to
| claim the discounted products.
|
| Sounds like a good deal if the company is too big to fail.
| theduder99 wrote:
| thank goodness. I received an ambiguous letter from the IRS last
| week talking about how I may need to file something special this
| year related to the $1400 covid credit. I was going to login to
| the IRS site to get more details until I saw the facial ID
| requirement and quickly noped away from there.
| google234123 wrote:
| Well, hopefully we won't have 100+ billion dollars stolen from
| the US this year b/c of this decision.
| toomuchtodo wrote:
| Success is possible. Fingers crossed Login.gov is the solution
| they're moving to [1]. Big thanks to everyone who complained to
| the IRS or their Congressional reps.
|
| Onward to yeeting ID.me from state and local government next [2].
|
| [1] "The IRS will also continue to work with its cross-government
| partners to develop authentication methods that protect taxpayer
| data and ensure broad access to online tools." (From IRS' press
| release on the topic in a sibling comment)
|
| [2] https://www.gsa.gov/blog/2021/02/18/logingov-to-provide-
| auth...
| mistrial9 wrote:
| here is a repeat of my comment a few weeks ago, which scored 134
| on YNews. This was about using biometrics for getting social
| benefits.. later, someone said "hey! I object, taxes are not
| benefits" and I reply "the similarity is that biometric
| requirement to use (obviously efficient) online services. That
| includes both social benefits like unemployment, and also
| required interaction like taxes" .. hope that clears it up
|
| the core of the thought is -- if the government interaction is
| flawed such that it is not actually doing only what it says it is
| doing, to the detriment of most ordinary people, and is subject
| to insider gaming with rewards to do so THEN additional and
| perhaps draconian requirements on the ordinary individual, do not
| solve the flaws, burden and antagonize an ordinary person, and
| the implementation becomes a new attention target WITH new
| penalties attached, for the ordinary person. hth
|
| --
|
| American here
|
| "perhaps better known as the online identity verification service
| that many states now use to help staunch the loss of billions of
| dollars in unemployment insurance and pandemic assistance stolen
| each year by identity thieves"
|
| In the great State of California, billions in unemployment
| benefits were sent to the wrong people.. because their internal
| systems were designed to delay, deny and deprive, I say. Actual
| people with real jobs were repeatedly refused, while insiders who
| knew how to fill out paperwork, and apparently knew where the
| blind spots were, filed hundreds of claims in the early pandemic
| days. A newly appointed Director (young, tech savvy woman) soon
| stopped making public statements, and the situation nearly two
| years later, is not resolved. This is at a time when California
| has record income to the State.
|
| Now, some people may jump on this and say "well, you see how
| photo ID would have helped that" and, with incomplete knowledge
| and personal opinion, I say no, it would not solve it. You see,
| people with real jobs, with every real paper filed, were denied
| benefits, while insiders were pulling checks with both hands,
| using certain kinds of identities that would slip through. How
| would ever more restriction, requirement and verification, have
| helped here?
|
| I am deeply against the collective government making ever more
| demands on citizens for "papers, please" enrollment to massive
| money social services (edit e.g. govt unemployment benefits). It
| is not going to have the desired effect, despite superficial
| evidence otherwise. Additionally this represents a slippery slope
| where the ability to interact as an individual will be eroded,
| and opportunity for insider graft will increase
| hannibalhorn wrote:
| I actually gave it a try, and couldn't successfully sign up due to
| the phone number check, even though my name is on the line.
| Figure I've wasted a couple hours on it in total. Unnecessary
| friction.
| throwawaysea wrote:
| What I would like to see next is an investigation into why this
| process was considered at all and how the vendor was selected. I
| find this entire situation deeply suspicious, since MOST online
| services (including financial services) do not need this kind of
| invasive verification process and do not require interfacing with
| a random third-party. My cynical guess is that id.me has some
| connection (like via political donations) to those who had the
| power to effect this change.
|
| It also looks like many states use id.me for various purposes
| (example https://www.reuters.com/business/states-using-idme-
| rival-ide...). I would also want those decisions revisited and
| investigated.
| lotsofpulp wrote:
| It is even more suspicious why ID.me would even be thought of
| when login.gov exists.
|
| Let us also find out why a non governmental entity is handling
| security screenings:
|
| https://en.wikipedia.org/wiki/Clear_Secure
| ribosometronome wrote:
| >why this process was considered at all
|
| Tax Refund theft. The IRS pays out billions every year in
| returns filed by scammers.
___________________________________________________________________
(page generated 2022-02-07 23:00 UTC)