[HN Gopher] IRS to ditch biometric requirement for online access
___________________________________________________________________
IRS to ditch biometric requirement for online access

Author : bonyt
Score  : 119 points
Date   : 2022-02-07 20:23 UTC (2 hours ago)

web link (krebsonsecurity.com)
w3m dump (krebsonsecurity.com)

| strangesongs wrote:
| "Login.gov is already used to access 200 websites run by 28
| Federal agencies and over 40 million Americans have accounts,"
| Wyden wrote in a letter to the IRS today. "Unfortunately,
| login.gov has not yet reached its full potential, in part because
| many agencies have flouted the Congressional mandate that they
| use it, and because successive Administrations have failed to
| prioritize digital identity. The cost of this inaction has been
| billions of dollars in fraud, which has in turn fueled a black
| market for stolen personal data, and enabled companies like ID.me
| to commercialize what should be a core government service."
|
| not great!
| cproctor wrote:
| If the IRS (or Sen. Wyden) is looking for a "core government
| service" which has been inappropriately commercialized, they
| might start with tax preparation.
| Rebelgecko wrote:
| I recently had to sign up for login.gov (to renew my Global
| Entry, after they moved away from their own one-off CBP login
| system) and was pleasantly surprised with how good it was.
| Hopefully the TreasuryDirect.gov folks migrate some day.
| monksy wrote:
| Are they still giving out those decoder cards?
| StanislavPetrov wrote:
| Not great that there are billions of dollars in fraud or that
| the government uses a private company to harvest and retain the
| biometric data of over 40 million Americans. Great that the IRS
| is no longer part of this biometric data harvesting scheme that
| represents a massive attack on the privacy and dignity of every
| taxpayer.
| jackson1442 wrote:
| I was extremely confused when I was asked to create an ID.me
| account for the IRS.
| I have implemented Login.gov for some projects
| and it's rather easy; I can't see why they'd choose something
| else.
| Spooky23 wrote:
| Easy, the answer is right here:
| https://developers.login.gov/overview
|
| Login.gov is a fine authentication service, but cannot
| deliver the identity assurance level (IAL-2) required to
| identify people. (It may not be able to deliver AAL-2
| authentication soon either as standards evolve.) Uploading a
| picture of your driver's license is not a meaningful
| validation of your identity.
|
| The reaction of the Senators here is the equivalent of "I'm
| shocked to hear there is gambling happening here". Typical
| pandering. Literally every driver's license and ID in the
| country is running through a biometric identity provider run
| by a contractor to identify duplicate licenses. Many DMVs
| outsource credential production to a third party.
|
| I don't think ID.me is the best solution, but it is better
| than providing a trivially stolen number ("what was your AGI
| last year") that facilitates billions of dollars of fraud
| annually.
| akersten wrote:
| No third party/private solution is appropriate here.
|
| The government that oversees the issuing of these IDs and
| attests that they are sufficient for government use (Real
| ID) cannot themselves validate said ID?
|
| Corruption or incompetence are the only paths that lead to
| outsourcing federal identity verification.
| Spooky23 wrote:
| The only IDs issued widely by the US government are
| military credentials, immigration credentials, and
| passports. Driver's licenses are issued by states and
| other entities. They are also fraught with problems as
| millions of people do not have REAL IDs, yet need to
| interact with government.
|
| The problem is that any bartender who has scanned your
| driver's license has the information required to scam an
| online validation without some other validation.
|
| If you want good online validation for the public, you
| need a third party right now. In the future, in some
| states, you'll be able to use a mobile driver's license,
| provided you own a smartphone. Also problematic, as the
| government has to support everyone. Foreign nationals pay
| tax. People in nursing homes who cannot appear before a
| DMV need to pay taxes.
|
| You can yak about corruption and incompetence, but that
| honestly attests to ignorance on the topic.
| toomuchtodo wrote:
| You continue to make some good points, but at the end of
| the day, this is a government function and
| responsibility, not that of a private company.
|
| This is a call to enhance Login.gov's identity abilities,
| and US government citizen identity management in general.
| Login.gov (and perhaps USPS for in-person proofing)
| should be funded to do this, not ID.me. Higher level,
| this is about building strong public goods and defending
| them.
| mpyne wrote:
| > You continue to make some good points, but at the end
| of the day, this is a government function and
| responsibility, not that of a private company.
|
| Private companies have been part of the government
| discharging its responsibilities since the first days of the
| Republic. You'd probably be shocked when you learn who
| does credit monitoring after government servers get
| hacked, by the way.
|
| By your logic the government couldn't use cloud computing
| (run by a private company), couldn't use computer
| hardware even if they wanted to run a private cloud
| (hardware is built by private companies).
| PaulDavisThe1st wrote:
| > You continue to make some good points, but at the end
| of the day, this is a government function and
| responsibility, not that of a private company.
|
| I 100% agree. Problem is, the federal government (and the
| state governments and to a large extent big chunks of the
| citizenry) are fundamentally opposed to the issuance of a
| non-passport general citizen's ID and/or number.
| Those
| opposed to it don't have any good solution to "how to
| protect information the government keeps about you"
| either, so it's no good asking them.
|
| Devising an actual public system for identity
| verification when you're being told the government cannot
| identify people is ... challenging.
| Spooky23 wrote:
| USPS is already the agent for a national ID program in
| all but name -- passports and passport cards, which are
| much better than DMV-issued credentials in many ways.
|
| As another poster mentioned, the problem is that both
| progressive and conservative constituencies are strongly
| against meaningful national identity for different
| reasons, some of which are insane.
|
| It's a policy problem that won't be solved in our
| lifetime. Our best bet long term is for states to issue
| mobile credentials, but even that is problematic because
| it will disenfranchise people.
| hn-sucks wrote:
| techsupporter wrote:
| > If you want good online validation for the public, you
| need a third party right now.
|
| In all reality, this is fine. I have no particular
| problem with using facial recognition, but I want it
| regulated and I want recourse.
|
| Fine, outsource it to ID.me. But the terms of service
| better be a page, maximum, and include the ability for me
| to appeal a decision that says I am not who I say I am
| and to use other forms of validation that may be slower
| or more procedural (such as presenting myself to a Post
| Office). I want no binding arbitration clause in the
| agreement, and if that means the Federal government has
| to indemnify ID.me, then so be it. I want it in the TOS
| that the data ID.me uses for this will be segregated and
| kept for a very limited time and that I have the right to
| review and correct it.
|
| Use the third party for what they are good for but
| enforce suitable rights for the rest. This is doable, it
| just wasn't fully done here.
| jdmichal wrote:
| I generally agree with you.
| However:
|
| Real ID validates that you are the person you are at the
| time of issuance, but does not guarantee that the
| possessor of the ID is that person. This stems from the
| fact that an ID is "something you have". Like any secure
| system, you should use multifactor authentication. The
| facial scan is "something you are", so the combination of
| ID and scan provides that. One might also use "something
| you know", such as your adjusted gross income (AGI) that
| the IRS used before.
| PaulDavisThe1st wrote:
| I think the difficulty is that the (federal) government
| can't currently do anything except the "something you
| know" part. It can't use "something you have" (because
| too many people are opposed to federal government issued
| ID), and "something you are" appears beyond the scope of
| the federal govt to implement (correctly) at this time.
| closeparen wrote:
| The government cannot build a competent identity solution
| because a majority of voters believe that to do so
| presages something from genocide ("Papiere, bitte!") to
| the literal end of the world ("Mark of the Beast").
| xenophonf wrote:
| login.gov meets IAL2 since NIST SP 800-63-3 "allows for
| remote or in-person identity proofing" (800-63A page 8).
| Likewise, TOTP is explicitly mentioned as an allowed
| multi-factor OTP authenticator (800-63B pages 20-21). I'm not
| aware of changes in SP 800-63-4 that would affect
| login.gov's current implementation, but it's been a minute
| since I last read the -4 draft and could be wrong.
| thesimon wrote:
| What about sending a letter to the registered address?
| xenophonf wrote:
| I've also implemented login.gov as an identity provider of
| last resort for a system that requires identity proofing
| (IAL2). It works great once folks are signed up and verified
| for a login.gov account, but the identity assurance process
| always seems to end up requiring a piece of mail sent to new
| users' homes.
| The phone/utility verification process never
| seems to work right, and the postal mail option adds a week's
| delay (or more) to our user enrollment process. In my and
| several test users' cases, we've had our phone numbers in our
| names for literally decades, so it isn't a matter of public
| records being ambiguous.
|
| We've also had problems getting login.gov to proof new users
| with national but not state IDs. For example, we have someone
| with a passport but no driver's license. They should be able
| to use just the passport for identity proofing since the
| passport itself requires two or more forms of SUPERIOR/STRONG
| evidence (per NIST SP 800-63-3), but login.gov must not
| authenticate the passport with the State Department, meaning
| it fails 800-63A 4.4.1.2 (evidence collection requirements)
| rule 1 and must implement rule 2 instead (collect two pieces
| of STRONG evidence, i.e., national _and_ state IDs both).
| It's really frustrating because I cannot demand my users go
| out and get (pay for) state IDs they don't otherwise want or
| need.
|
| All that said, even though login.gov isn't perfect, I do like
| it and am very impressed with 18F/TTS's work. They've done a
| very thorough job with their SAML implementation compared to
| the ADFSes/Oktas/Pings/etc. of the world.
| helper wrote:
| Now we just need to get all the state government agencies to drop
| this requirement as well (looking at you, California).
| tims33 wrote:
| IRS press release:
| https://www.irs.gov/newsroom/irs-announces-transition-away-f...
|
| Great news for everyone here. I still don't know how this
| provider was actually selected, but at least this change came
| relatively quickly.
| [deleted]
| WalterGR wrote:
| 124 comments about a week back:
| https://news.ycombinator.com/item?id=30126118
| dang wrote:
| Thanks!
| Macroexpanded:
|
| _Treasury reconsiders IRS's use of ID.me face recognition for
| web_ - https://news.ycombinator.com/item?id=30126118 - Jan 2022
| (121 comments)
|
| _IRS Will Require Facial Recognition Scans to Access Your
| Taxes_ - https://news.ycombinator.com/item?id=30011145 - Jan
| 2022 (20 comments)
|
| _IRS Will Soon Require Selfies for Online Access_ -
| https://news.ycombinator.com/item?id=29996614 - Jan 2022 (428
| comments)
| mwexler wrote:
| Hmm... In the US, login.gov still uses id.me for verification (at
| least on new signup), and this is the SSO for TSA stuff like
| Global Entry, and the Social Security site. I guess it's used
| "less" now, but is still present for US Government services.
| ipsin wrote:
| So for anyone who's already used id.me, how hard will it be to
| purge the biometrics? (And same question for if you live in
| California)
| AdmiralAsshat wrote:
| The fact that this was even being considered shows how pitifully
| little anyone learned from the Equifax breach.
| throwhauser wrote:
| It's not just the potential for a breach. I didn't want id.me
| itself to have my information. It's ridiculous to have a
| private company, not accountable to the public, gatekeeping
| government services, regardless of how many certifications they
| have.
|
| Hopefully id.me will get booted from other government agencies
| as well.
| imglorp wrote:
| Forget Equifax ... how about the Office of Personnel
| Management? People may well have lost their lives as a result.
| We may not know for decades.
|
| https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagi...
|
| Oh, and the IRS has already been breached at least once. I'm
| not wild about waiting for the next one. Maybe government is
| not the best group to be holding your personal data.
|
| https://www.nytimes.com/2015/05/27/business/breach-exposes-i...
| woodruffw wrote:
| All things being equal, the US government is simultaneously
| (1) the single most legitimate non-medical third party that
| needs to access my personal data, and (2) the single best
| entity to hold my data _in terms of personal recourse_. That's
| not saying much, but it _is_ better than the open scorn
| and disrespect for my privacy that corporations offer.
|
| The solution to government breaches is what it's always been:
| to make the breached data _less valuable_. Hacking the IRS
| would be significantly less appealing if we criminalized
| corporate use of SSNs as credentials.
| gruez wrote:
| > the single best entity to hold my data in terms of
| personal recourse
|
| What type of recourse are you talking about? Voting your
| representatives out?
| imglorp wrote:
| Good point, gov has less reason to sell your data.
| dylan604 wrote:
| Yeah, that federal deficit surely doesn't need any help
| getting paid down /s
|
| However, this isn't to say that someone doesn't get the
| bright idea that they could fund some sort of slush fund
| with this.
| mLuby wrote:
| What lesson do you think organizations learned from that
| breach? (As it relates to this article.)
|
| The pattern I see is:
|
| 1. Company collects and stores private consumer info.
|
| 2. Company gets hacked.
|
| 3. Company share price unaffected.
|
| 4. Company sued in class-action lawsuit.
|
| 5. Company settles by offering discounted/free products to
| victims of the hack. ("A $50 value!") Lawyers make a few
| million.
|
| Result: company gets _more_ users' info as they sign up to
| claim the discounted products.
|
| Sounds like a good deal if the company is too big to fail.
| theduder99 wrote:
| Thank goodness. I received an ambiguous letter from the IRS last
| week talking about how I may need to file something special this
| year related to the $1400 covid credit.
| I was going to log in to
| the IRS site to get more details until I saw the facial ID
| requirement and quickly noped away from there.
| google234123 wrote:
| Well, hopefully we won't have 100+ billion dollars stolen from
| the US this year b/c of this decision.
| toomuchtodo wrote:
| Success is possible. Fingers crossed Login.gov is the solution
| they're moving to [1]. Big thanks to everyone who complained to
| the IRS or their Congressional reps.
|
| Onward to yeeting ID.me from state and local government next [2].
|
| [1] "The IRS will also continue to work with its cross-government
| partners to develop authentication methods that protect taxpayer
| data and ensure broad access to online tools." (From the IRS
| press release on the topic in a sibling comment)
|
| [2] https://www.gsa.gov/blog/2021/02/18/logingov-to-provide-auth...
| mistrial9 wrote:
| Here is a repeat of my comment a few weeks ago, which scored 134
| on YNews. This was about using biometrics for getting social
| benefits.. later, someone said "hey! I object, taxes are not
| benefits" and I replied "the similarity is that biometric
| requirement to use (obviously efficient) online services. That
| includes both social benefits like unemployment, and also
| required interaction like taxes" .. hope that clears it up
|
| The core of the thought is -- if the government interaction is
| flawed such that it is not actually doing only what it says it is
| doing, to the detriment of most ordinary people, and is subject
| to insider gaming with rewards to do so, THEN additional and
| perhaps draconian requirements on the ordinary individual do not
| solve the flaws, burden and antagonize an ordinary person, and
| the implementation becomes a new attention target WITH new
| penalties attached, for the ordinary person.
| hth
|
| --
|
| American here
|
| "perhaps better known as the online identity verification service
| that many states now use to help staunch the loss of billions of
| dollars in unemployment insurance and pandemic assistance stolen
| each year by identity thieves"
|
| In the great State of California, billions in unemployment
| benefits were sent to the wrong people.. because their internal
| systems were designed to delay, deny and deprive, I say. Actual
| people with real jobs were repeatedly refused, while insiders who
| knew how to fill out paperwork, and apparently knew where the
| blind spots were, filed hundreds of claims in the early pandemic
| days. A newly appointed Director (young, tech-savvy woman) soon
| stopped making public statements, and the situation, nearly two
| years later, is not resolved. This is at a time when California
| has record income to the State.
|
| Now, some people may jump on this and say "well, you see how
| photo ID would have helped that" and, with incomplete knowledge
| and personal opinion, I say no, it would not solve it. You see,
| people with real jobs, with every real paper filed, were denied
| benefits, while insiders were pulling checks with both hands,
| using certain kinds of identities that would slip through. How
| would ever more restriction, requirement and verification have
| helped here?
|
| I am deeply against the collective government making ever more
| demands on citizens for "papers, please" enrollment to massive
| money social services (edit: e.g. govt unemployment benefits). It
| is not going to have the desired effect, despite superficial
| evidence otherwise. Additionally this represents a slippery slope
| where the ability to interact as an individual will be eroded,
| and opportunity for insider graft will increase.
| hannibalhorn wrote:
| I actually gave it a try, and couldn't successfully sign up due to
| the phone number check, even though my name is on the line.
| Figure I've wasted a couple hours on it in total. Unnecessary
| friction.
| throwawaysea wrote:
| What I would like to see next is an investigation into why this
| process was considered at all and how the vendor was selected. I
| find this entire situation deeply suspicious, since MOST online
| services (including financial services) do not need this kind of
| invasive verification process and do not require interfacing with
| a random third party. My cynical guess is that id.me has some
| connection (like via political donations) to those who had the
| power to effect this change.
|
| It also looks like many states use id.me for various purposes
| (example: https://www.reuters.com/business/states-using-idme-rival-ide...).
| I would also want those decisions revisited and investigated.
| lotsofpulp wrote:
| It is even more suspicious why ID.me would even be thought of
| when login.gov exists.
|
| Let us also find out why a non-governmental entity is handling
| security screenings:
|
| https://en.wikipedia.org/wiki/Clear_Secure
| ribosometronome wrote:
| > why this process was considered at all
|
| Tax refund theft. The IRS pays out billions every year in
| returns filed by scammers.
___________________________________________________________________
(page generated 2022-02-07 23:00 UTC)
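The evidence-collection rules xenophonf's comment cites (NIST SP 800-63A 4.4.1.2: rule 1, one SUPERIOR or STRONG piece whose issuer proofed strongly and which the CSP validates with the issuing source; rule 2, two pieces of STRONG evidence) are easy to misread, and the passport-but-no-state-ID case shows why. The following Python is an added example, not code from login.gov, 18F/TTS or NIST: it encodes only those two rules as the comment describes them, and the strength ratings, flag names and sample documents are constructed for the illustration rather than taken from any CSP's actual policy.

```python
"""Model of the SP 800-63A IAL2 evidence-collection rules discussed in the thread.

Added example; encodes only 4.4.1.2 rule 1 and rule 2 as described above.
Strength ratings and sample documents below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Strength(IntEnum):
    """Evidence strength levels named in SP 800-63A, weakest to strongest."""
    UNACCEPTABLE = 0
    WEAK = 1
    FAIR = 2
    STRONG = 3
    SUPERIOR = 4


@dataclass(frozen=True)
class Evidence:
    kind: str
    strength: Strength
    # The CSP checked this piece directly with its issuing source
    # (e.g. a passport confirmed with the State Department).
    validated_with_issuer: bool = False
    # The issuer itself collected two or more SUPERIOR/STRONG pieces when
    # it proofed the holder (the comment says a passport application does).
    issuer_proofed_with_two_strong: bool = False


def satisfies_rule_1(ev: Evidence) -> bool:
    """Rule 1: a single SUPERIOR or STRONG piece is enough only when the
    issuer's own proofing was strong AND the CSP validated it with the issuer."""
    return (ev.strength >= Strength.STRONG
            and ev.issuer_proofed_with_two_strong
            and ev.validated_with_issuer)


def satisfies_rule_2(evidence: list[Evidence]) -> bool:
    """Rule 2: two distinct pieces of STRONG (or better) evidence."""
    strong = [e for e in evidence if e.strength >= Strength.STRONG]
    return len(strong) >= 2


def ial2_collection_path(evidence: list[Evidence]) -> Optional[str]:
    """Return which rule the evidence set satisfies, or None if neither does."""
    if any(satisfies_rule_1(e) for e in evidence):
        return "rule 1"
    if satisfies_rule_2(evidence):
        return "rule 2"
    return None


# Constructed sample documents for the scenario in the thread (assumed ratings).
PASSPORT_UNVALIDATED = Evidence("US passport", Strength.SUPERIOR,
                                validated_with_issuer=False,
                                issuer_proofed_with_two_strong=True)
PASSPORT_VALIDATED = Evidence("US passport", Strength.SUPERIOR,
                              validated_with_issuer=True,
                              issuer_proofed_with_two_strong=True)
STATE_LICENSE = Evidence("state driver's license", Strength.STRONG)
UTILITY_BILL = Evidence("utility bill", Strength.FAIR)


def demo() -> dict[str, Optional[str]]:
    """Run the four cases a CSP would have to distinguish."""
    return {
        "passport only, not validated": ial2_collection_path([PASSPORT_UNVALIDATED]),
        "passport only, validated with issuer": ial2_collection_path([PASSPORT_VALIDATED]),
        "passport + state license": ial2_collection_path([PASSPORT_UNVALIDATED, STATE_LICENSE]),
        "passport + utility bill": ial2_collection_path([PASSPORT_UNVALIDATED, UTILITY_BILL]),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:40s} -> {result or 'fails IAL2 collection'}")
```

The unvalidated passport on its own falls through both rules, which is exactly the situation the comment describes: without a check against the issuing source, rule 1 is off the table, and rule 2 then forces a second STRONG document on a user who may not have one. A FAIR piece such as a utility bill does not rescue the rule-2 path either.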