Not Just the IRS - 20 US Agencies Are Already Set Up For Selfie IDs

America's Internal Revenue Service created an uproar with early plans to require live-video-feed selfies to verify identities for online tax services (via an outside company called ID.me).

But Wired points out that more than 20 U.S. federal agencies are already using a digital identification system (named Login.gov and built on services from LexisNexis) that "can use selfies for account verification."

It's run by America's General Services Administration, or GSA.... The GSA's director of technology transformation services Dave Zvenyach says facial recognition is being tested for fairness and accessibility and not yet used when people access government services through Login.gov. The GSA's administrator said last year that 30 million citizens have Login.gov accounts and that it expects the number to grow significantly as more agencies adopt the system.

"ID.me is supplying something many governments ask for and require companies to do," says Elizabeth Goodman, who previously worked on Login.gov and is now senior director of design at federal contractor A1M Solutions. Countries including the UK, New Zealand, and Denmark use similar processes to ID.me's to establish digital identities used to access government services. Many international security standards are broadly in line with those of the U.S., written by the National Institute of Standards and Technology (NIST).

Goodman says that such programs need to provide offline options such as visiting a post office for people unable or unwilling to use phone apps or internet services....
In fact, Wired argues that in many cases, a selfie or biometric data is virtually required by U.S. federal security guidelines from 2017: NIST's 2017 standard says that access to systems that can leak sensitive data or harm public programs should require verifying a person's identity by comparing them to a photo — either remotely or in person — or using biometrics such as a fingerprint scanner. It says that a remote check can be done either by video with a trained agent, or using software that checks for an ID's authenticity and the "liveness" of a person's photo or video.... California's Employment Development Department said that ID.me blocked more than 350,000 fraudulent claims in the last three months of 2020. But the state auditor said an estimated 20 percent of legitimate claimants were unable to verify their identities with ID.me.

Caitlin Seeley George, director of campaigns and operations with nonprofit Fight for the Future, says ID.me uses the specter of fraud to sell technology that locks out vulnerable people and creates a stockpile of highly sensitive data that itself will be targeted by criminals. ...

The IRS is backing down

[rsilvergun]

or alternatively they've listened to feedback, but they'll be building out other systems for identity.

Government can be responsive, but you need to pay attention to who you put in charge.

Re:

[hdyoung]

Meh. If states can require an ID to vote, the IRS can require one for taxes.

Re:

[noodler]

Guess what, these numerals are just symbols and there is no order that these symbols need to appear in.
The author never claimed they would list the numerals in any particular order. Nowhere do we see the author tell us that he is going to count.

You took that row of symbols, added a qualifier of your own and called the author stupid for not applying that arbitrary qualifier.

Which is dumber than the shit i found under my shoe yesterday.
You've made a complete ass out of yourself, which is quite an accomplishme

Re:

[noodler]

Yeah, nice try bro, but nothing you say is material to the argument.
The author intended no order and no order is needed.

Re:The IRS is backing down

[aaarrrgggh]

My objection is not having picture id requirements, but the fact that they outsource authentication. Login.gov is adequate for DHS, why not IRS? DHS has my passport data, my fingerprints, and my global entry information. My login.gov account even has a real 2-factor login and not some SMS BS.

These systems do need to be secure; I get that and am ok with it. The problem is when a shady third party like MyID or Clear gets in the middle of the transaction.

Re:

[hdyoung]

As long as it’s the same set of rules that apply to voters, I’m fine with it. If South Carolina wants to put in a voting law that requires a valid state ID and then close every single DMV in the state except for the one in the middle of the most affluent white suburb, that’s fine by me. But then the IRS can require the same ID from Every. Single. Taxpayer. In. The. State. Let’s make sure that rich, white DMV has lines around the block at all hours. Chock full of poor people, white, b

Re:

[Maxo-Texas]

Not really... if you look into it, you'll find that the next step after ID laws is restricting hours in minority areas while providing full service in non-minority/wealthy areas. In one area, they closed the office except from 8am to 4pm... on the 5th wednesday of the 4 months of the year that have them.

So
1) You had to be able to take off work 8am to 4pm.
2) Even then, it was only open 4 days a year.
3) Or you could drive 100 miles (if you had a car) to the offices open 6 days a week near non-minority areas.

Re:

[fustakrakich]

But the state and the IRS must be told to maintain their own systems, not pawn it off on the director's brother-in-law's fly by night company.. If we don't demand accountability and and full transparency, we are goners.

Re:

[Maxo-Texas]

You hand the id to them and they can look at you *face* to *face*.
Unless you are a twin or have plastic surgery you are not getting to vote.

With "deep fake", a video feed is *not* trustworthy.

Re:

[Rosco P. Coltrane]

Nah... The IRS realized doing face recognition on 1960s mainframes [bloomberg.com] in COBOL might prove tricky.

Re:

[DNS-and-BIND]

(Setting: a school. Sign: "Polling place") [imgur.com]

Person behind desk: "No photo ID needed to vote! :)"

Other person: "I'm just here to pick up my kids."

Person behind desk: "In that case...Vax proof and photo ID."

Can't wait for the deep fake identify fraud to

[waspleg]

explode. It's funny when it's a lawyer saying he's not a cat. [youtube.com] It's not funny when your SS disappears, your land deed changes, you end up on a terrorist no fly list, or whatever the fuck else this shit show train wreck has in store.

We Know Who You Are

[zenlessyank]

Now prove it with a selfie.

Figures

[NateFromMich]

Now I'm just waiting for the post from that guy that doesn't have a cell phone or webcam.

Re:

[inode_buddha]

Right here. I still have (and use) my POTS landline with a 1965 Ma Bell rotary dial, thank you very much. I like it when life is simpler. Its already PITA enough without adding to it *and* enriching everyone else in the process...

Re:

[MeNeXT]

You don't need a webcam or a phone to post or show a deep fake.

Never experienced this in the UK

[HuskyDog]

Countries including the UK, New Zealand, and Denmark use similar processes to ID.me's

I'm in the UK and registered with the online tax system (although like the majority of UK adults I don't have to submit a tax return) and used it recently to register for a tax credit due to working from home.

I don't remember the original sign up process which I did several years ago, but I'm sure that it didn't involve any sort of web cam or other live facial recognition. When I log on now (which I only do very occasionally) I use a password and a security code which is sent to my phone as an SMS.

My wife does have to fill-in a tax return (she is self employed) but the sign in process is exactly the same for her.

Perhaps there is some corner of the gov.uk site which requires "Selfie IDs", but I've never come across it.

Re:

[mobby_6kl]

My country wasn't listed as an example, but we have a fairly recent electronic identity system that seems to work pretty well. All ID cards have a chip like on a smart card, and you can use it with a PIN to authenticate yourself to the various systems.

I thankfully only have to deal with the government pretty rarely but I was able to log in and submit a customs declaration for an aliexpress parcel (uhh) in like 10 minutes. You just need a $10 card reader, no need to provide your selfies to a 3rd party. I sup

Re:

[cayenne8]

My country wasn't listed as an example, but we have a fairly recent electronic identity system that seems to work pretty well. All ID cards have a chip like on a smart card, and you can use it with a PIN to authenticate yourself to the various systems.

In the US, we really don't have a National ID card and frankly, I don't want one either.

Re: Never experienced this in the UK

[Malc]

They have an annoying range of unrelated login systems, but I too havenâ(TM)t encountered this and Iâ(TM)ve been self-assessment for about nine years. While calling HMRC, the system has offered to set me up with some sort of voice authentication, but this was optional.

different user ids

[wkk2]

Has anyone managed to resolved a difference between login.gov using an email address for a user id and ssa.gov using an old user name that is not an email address. Login.gov said contact the ssa help line and ssa didn’t know how to resolve the problem.

This couldn't possibly go wrong...

[Megahurts]

My brother has a daughter (approximately 15 months old) and a mother-in-law (60-something years old) who bear a clear resemblance to each other. The mother-in-law has an iphone and uses its facial recognition feature to unlock the phone. One day she handed the phone (locked) to her grand daughter, and a few seconds later, the grand daughter had it unlocks and was starting to tap around on icons and launch apps and stuff.

So yeah, lets force everyone to use this kind of technology to guard their most sensitive financial information.

Re:

[Aighearach]

who bear a clear resemblance to each other

As long as they can both bear it, so can you.

Re:

[test321]

I guess this will be part of a two-factor or three-factor authentication. An attacker still first needs your password to have leaked first, then collect some online videos or take some movies of you when walking the dog. If you are a high-value target they will find their way.

What is your suggestion for the second or third authentication factor? SMS is not secure, fingerprints are everywhere and someone can murder you and cut your finger and unlock a mobile device (unfortunately this already happens), iris

Re:

[Carewolf]

How part NOT using it, since it is inaccurate, easily fooled and easily mistaken?

Re:

[Megahurts]

Something that could be spoofed accidentally by an infant will probably be incredibly easy to spoof intentionally by anyone who wants to and, in turn, would have less than zero value as a security measure.

ID.me's facial recognition doesn't work

[Powercntrl]

I know a bunch of people who had to collect unemployment thanks to Covid, and Florida's unemployment website uses ID.me's snake oil solution. Each person had the exact same experience - ID.me does some stupid flashing light show where it's supposedly recognizing your face, it fails, then you have to wait to be manually verified by a call center representative over video chat.

If I had to guess, I'd say they got all these big juicy government contracts by pulling an old fashioned mechanical turk scam. They claim they're using advanced facial recognition, but it's really just call center workers behind the curtain. It actually seems like this happens quite a bit when the government does this crony capitalism shit - instead of the contract being awarded to a company that actually produces a reliable implementation, it goes to a company with the sleaziest con men salespeople.

Re:

[Whorhay]

The flashy screen thing seemed to work when I used it a week or two ago. It refused to flash properly until I was actually lined up in the frame. So it's working in some very basic way at least, in that it could detect when my face wasn't lined up and close enough to the camera. I didn't have to talk to anyone to get it all setup. It's very possible that it just took a video or picture and some poor slub in a call/work center then had to compare it to my photo ID. I guess I should balk at this sort of crap

Stop mixing and matching

[quonset]

more than 350,000 fraudulent claims in the last three months of 2020. But the state auditor said an estimated 20 percent of legitimate claimants were unable to verify their identities with ID.me.

350,000 out of how many claims in those three months? 20% of how many legitimate claims during what time period? You can't give numbers like this without having a common reference.

Re:

[Aighearach]

Math is too hard for slashdot. Can you convert that to Libraries of Congress?

Re:

[Ol Olsoc]

Math is too hard for slashdot. Can you convert that to Libraries of Congress?

I prefer to use cubic cantalopes, if no one minds.

DWIC

[John.Banister]

Sure, for several years I was required to have a Transportation Worker ID Card that absolutely no one wanted to look at. I'm confident the Feds can come up with a Data Worker ID Card that does a rapid DNA check and transmits verification of its identity and then your identity using QR Motion. The technology will be so cool that everyone wearing a security guard uniform will consider it to be fraudulent.

Re:

[kqc7011]

The only time that I had to show my TWIC card was to HR to prove that I had a TWIC card.

Use CAC/PIV

[flink]

The government already issues millions of smart cards for both online and physical security. It's called CAC (DoD) or PIV (civilian). Why couldn't that be scaled up and give everyone a secure cryptographicly verified identity instead of this face ID snake oil?

Re:

[cayenne8]

The government already issues millions of smart cards for both online and physical security. It's called CAC (DoD) or PIV (civilian). Why couldn't that be scaled up and give everyone a secure cryptographicly verified identity instead of this face ID snake oil?

Not sure when the last time you tried to get a CAC/PIV....but it's tough for those folks to find a center that is open and up and running and then to actually get an open appt. there.

Trying to get one for EVERY US citizen?

Nah...that would break that

Not how it's done

[Ol Olsoc]

Comparing a person's face to a photograph probably does not work, certainly if a person had that specific image, it would work perfectly.

Facial recognition that works is comparing features of a person's face, having measured them during setup.

I've done experiments on my new iPhone - it works, and doesn't allow anyone else in. I just set up a new W11 machine yesterday that I have to have an account on for administering. So far, it works, but I'll have some people try to defeat it.

ID.me doesnt' work anyway

[MobyDisk]

I tried to use ID.me earlier this year to do some IRS paperwork, yet when I uploaded a pristine scan of my Real ID driver's license, ID.me couldn't recognize it. Their system couldn't find the driver's license number no it and could not find my face. My state has had Real ID for years, it's not even new. Yet bars and concerts can scan my ID successfully.

Re:

[cayenne8]

I tried to use ID.me earlier this year to do some IRS paperwork, yet when I uploaded a pristine scan of my Real ID driver's license, ID.me couldn't recognize it. Their system couldn't find the driver's license number no it and could not find my face. My state has had Real ID for years, it's not even new. Yet bars and concerts can scan my ID successfully.

I put tape over the back of my "real id" drivers license so they can NOT scan it.

They try a few times and then I tell them to just look at me and read it

Can the IRS compel a contract with a 3rd party?

[schwit1]

Can the government compel people to enter into a contract with a non-government, for-profit business in order to use government services? What if it was Facebook and not ID.ME? Where is the line?

Re:

[kmoser]

The government outsources to for-profit businesses all the time. So whether you like it or not, you're effectively engaging in transactions with (and implicitly entering into contracts with) for-profit businesses every time you deal with the government. For example, if the government contracts with AWS to store data, your information ends up on an Amazon server, even if you didn't ask for it.

Re:

[rastos1]

In your example the liability is at the government. If government does not secure the data in AWS, you will not complain to AWS. You will complain to government. However if ID.ME abuses the data that I had to give them in order to access a government service, do I get to complain to government or to ID.ME?

Re:

[zephvark]

However if ID.ME abuses the data that I had to give them in order to access a government service, do I get to complain to government or to ID.ME?

No. Next!

Because "Deep Fake" hasn't been a thing for years

[Maxo-Texas]

I mean, what could go wrong with relying on video ID?

Re:

[OrangeTide]

The Constitution is a funny thing, it grants the government the authority to collect taxes, but it doesn't give you a special right to pay them.

IRS has declared me dead twice. Not dead yet.

[Gim Tom]

After my wife died in 2012 the IRS declared ME dead when I tried to file my 2013 taxes. It took almost a year to get that straightened out, and receive my refund from my 2013 tax filing.

EXACTLY seven years latter (matching their records retention schedule), I became dead again when I filed my 2019 tax return. Since the IRS was completely closed for COVID, I went through my local Congressman's office (who was able to get in touch with the IRS) but it took them until October 2021 to get my 2019 refund, w

Why not simply digital cert?

[jandoe]

Where I live I just had to apply for a digital certificate on a website and then go to office with my ID to confirm that it's me. Next I've simply received an email with a link to a personal cert which I installed in my browser. Now I can enter government services from this browser and it authenticates me automatically. Why not just do that?

So is this a step towards a national ID?

[rapjr]

Once many agencies use the same ID, they just merge the databases and poof! everyone now has a national ID.