IRS Will Soon Require Selfies for Online Access – Krebs on Security



IRS Will Soon Require Selfies for Online Access

January 19, 2022

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

The IRS says it will require ID.me for all logins later this summer.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying oneself with ID.me requires being able to take a live video selfie — either with the camera on a mobile device or a webcam attached to a computer (the webcam must be usable on the device you're using to apply for the ID.me account).

Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.

After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.

The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can "push" a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.

When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.

Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.

If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.

After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.

My application got stuck interminably at the "Confirming Your Phone" stage, which is somewhere near the middle of the entire verification process.

An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.

Some of the primary and secondary documents requested by ID.me.

For example, completing the process requires submitting at least two secondary identification documents, such as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.

After re-uploading all of this information, ID.me’s system prompted me to "Please stay on this screen to join video call." However, the estimated wait time when that message first popped up said "3 hours and 27 minutes."

I appreciate that ID.me's system relies on real human beings interviewing applicants in real time, and that those representatives cannot be expected to handle every applicant immediately. And I get that slowing things down is an important part of defeating identity fraudsters who seek to exploit automated identity verification systems that rely largely on static data about consumers.

That said, I started this "Meet an agent" process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.

Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.

When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.

I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.

The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.

The IRS canceled its "taxpayer identity" contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.

Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.

Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

"We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled," Hall said. "You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis."
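Hall's description of keeping the static identity record separate from the token that stands in for it, with file-level encryption under keys that rotate daily, corresponds to a token-vault design with envelope encryption: each record is sealed under its own data key, the data keys are wrapped by a master key, and rotation re-wraps only the small data keys before the old master key is discarded. The following is an added illustration of that pattern, not ID.me's code and not a description of its actual system; the class and function names are hypothetical, the sample attributes are constructed, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
"""Token vault with envelope encryption and daily key rotation (added
illustration, not ID.me's implementation). Identity attributes live only as
ciphertext referenced by an opaque token; the HMAC-SHA256 counter-mode cipher
stands in for a real AEAD such as AES-GCM."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta

ROTATION_PERIOD = timedelta(hours=24)


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class IdentityVault:
    """Hypothetical vault: record store and key store are kept apart."""

    def __init__(self, now: datetime):
        self._master = {}       # key id -> master key; the only place keys live
        self._records = {}      # token -> {"kid", "wrapped_dek", "blob"}
        self._current_kid = None
        self._rotate_at = now
        self.rotate_if_due(now, force=True)

    def rotate_if_due(self, now: datetime, force: bool = False) -> bool:
        """After 24 hours, re-wrap each record's data key under a fresh master
        key and discard the old one; the identity payloads are untouched."""
        if not force and now < self._rotate_at:
            return False
        new_kid, new_key = secrets.token_hex(4), secrets.token_bytes(32)
        for rec in self._records.values():
            dek = open_(self._master[rec["kid"]], rec["wrapped_dek"])
            rec["kid"], rec["wrapped_dek"] = new_kid, seal(new_key, dek)
        self._master = {new_kid: new_key}
        self._current_kid = new_kid
        self._rotate_at = now + ROTATION_PERIOD
        return True

    def enroll(self, attributes: dict) -> str:
        """Seal verified attributes under a fresh data key; return the token."""
        dek, token = secrets.token_bytes(32), secrets.token_urlsafe(16)
        self._records[token] = {
            "kid": self._current_kid,
            "wrapped_dek": seal(self._master[self._current_kid], dek),
            "blob": seal(dek, json.dumps(attributes, sort_keys=True).encode()),
        }
        return token

    def resolve(self, token: str) -> dict:
        rec = self._records[token]
        dek = open_(self._master[rec["kid"]], rec["wrapped_dek"])
        return json.loads(open_(dek, rec["blob"]))

    def record_dump(self) -> dict:
        """What a thief gets from the record store alone: tokens and ciphertext."""
        return {t: dict(r) for t, r in self._records.items()}

    def active_key_ids(self) -> list:
        return list(self._master)


def demo() -> dict:
    t0 = datetime(2022, 1, 19, 21, 30)
    vault = IdentityVault(t0)
    # constructed sample attributes, not real data
    token = vault.enroll({"name": "Jane Q. Public", "ssn": "000-00-0000", "dob": "1970-01-01"})
    first_kid = vault.active_key_ids()[0]
    leak = vault.record_dump()[token]
    rotated_early = vault.rotate_if_due(t0 + timedelta(hours=1))
    rotated_later = vault.rotate_if_due(t0 + timedelta(hours=25))
    return {
        "resolved": vault.resolve(token),
        "leak_exposes_ssn": b"000-00-0000" in leak["blob"],
        "rotated_early": rotated_early,
        "rotated_later": rotated_later,
        "old_key_retired": first_kid not in vault.active_key_ids(),
    }
```

Running `demo()` shows the property Hall is describing: a copy of the record store yields only tokens and ciphertext, the token still resolves after rotation because only the wrapped data keys were re-encrypted, and the pre-rotation master key is gone from the key store. In a production system the master keys would live in an HSM or cloud KMS rather than a Python dictionary.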

ID.me’s privacy policy states that if you sign up for ID.me "in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes."

Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.

When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.

Over the years, I've tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should "Plant Your Flag" conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc.).

Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.

This entry was posted on Wednesday 19th of January 2022 12:15 PM


297 thoughts on "IRS Will Soon Require Selfies for Online Access"

  1. Absolutely despise this and it is a complete travesty to hand over data to an unreliable private 3rd party that almost assuredly got this contract by rubbing the proper elbows in DC.

    That said, pretty hilarious that people are out here complaining about the "gubmint" and the "CCP" and "deepstate" when it’s exactly libertarian ideals of privatization and small government that led us here.

    An essential public job being sold out to a third party contractor to make a huge profit is not communism.

    It's the after-effect of a brand of capitalism that cannot fathom any form of social function or action without some rich, well-connected snob profiting from it. Defund public functions, sell off as much of everything as possible to private parties who can do no wrong because the profit motive, right?

    The refusal to admit that any public action is anything but a beast to be starved, and that privatization can do no wrong, is what leads us to this messed up worst of both worlds – a public function is sold to a private party, and we collectively lose any form of accountability.

    But of course, just the use of any form of the word "collective" probably already created the Pavlovian "DONT MAKE ME THINK THINGS, YOU COMMUNIST, CCP SHILL" response that years of indoctrination have conditioned you lot to.

    (And don’t even get me started on how it’s blind patriotism that led to the personal data collection and spying machine post-9/11)

    Reply
    1. I agree. The government should just use their own GSA IdP that has already proven successful. No need for this privatization at all.

      I think one of the many Qanon sects have begun to troll en masse here.
      Qanon is one of those things where anybody can pick and choose from a smorgasbord of different theories (some actually conflict with others). "The deep state, everything is CCP, and every decision is being made to further strip away freedoms. There are tracking devices in everything from vaccines to space lasers. And this serious attempt to combat the endemic surge of identity theft and fraud, is just a smoke screen for some cabal trying to control all Americans."

      It's sickening for those of us who have had such high hopes for the Internet, to see how toxic this place has become. We security practitioners just want to help secure the terrain, but the political disinformation and mass psychosis have turned this into a nightmare full of zombies.

      -Reply
      1. I suspect that the IRS got (consultant; the Congressional GOP has starved the agency of funds to hire people to staff the customer support lines, and IT, for years) advice that they would save money and have better security with a third party doing this. Considering how many large government IT acquisitions for modernization of large IT systems — including the IRS — have foundered over the last couple of decades, that was probably not bad advice.

        Recall that it was the OPM's (at least two) failures to upgrade an ancient database of information on civilian employees who had had any sort of security clearance (including anyone who had a government-issued chip card for logging into government systems) that led to the (Chinese?) downloading the entire db. Which is why I've had freezes on my credit reporting outfits' accounts for the last six years. (Thank you again for the advice, Mr. Krebs.)

        -Reply
        1. Yeah, probably right. Private sector often makes promises of being cheaper and safer than anything the government can build themselves. That doesn’t always turn out to be true, but given the history, it’s a compelling argument.
          My data was breached by OPM too. The whole point of 2FA with CAC is that the stolen static data is no longer enough for hackers to get into those government systems. Of course, issuing a CAC is an "in-person" ordeal.
          And the whole point of identity proofing with ID.me, or Login.gov, is that the static data stolen from OPM is no longer enough to create a valid user account.

          -Reply
    2. John Holmes -January 21, 2022

      The IRS (Government) still does not care about Seniors. Who the hell is going to help Seniors complete this process?

      -Reply
      1. The same people who help seniors file their taxes. They will instruct you that you don’t actually need an account with the irs.gov website.

        -Reply
    3. A "Virginia" software firm… I already knew what to expect!

      -Reply
      1. Most seniors won’t need to do this.

        -Reply
    4. Christopher -January 24, 2022

      No. The real capitalist solution is that we stop paying taxes to fund commie crapola. Social security is a Ponzi and the taxes are used for benefit of some, not all. It's not theirs to give to their friends and voters, especially at the federal level.

      -Reply
    5. Black Wolf -January 26, 2022

      There is a very GREAT difference between libertarian ideals of private capitalist companies doing what Government does badly and the Government choosing a particular company to be the sole provider of access to Government services. A true libertarian approach would allow multiple companies to authenticate people’s IDs. This is just crony capitalism.

      -Reply
  2. Well, THIS story has generated a lot of comment. Hopefully this isn’t redundant…

    There is a well-established vein of practice in the US based on the idea that there should not be a federal, mandated, identity credential. The lack of such – usually expressed as an ID "card" but presumably also respecting a digital credential – has led to the multiplication of partially-authoritative documents.

    The "driver’s license" at the state level is the closest thing to a universal id, and the weaknesses of the many issuing state systems led to the "Real ID" standard. Getting a Real ID in Massachusetts, for example, has been well-publicized as being very difficult.

    It’s not clear when the inconvenience or real inability to participate as a citizen will make it untenable for people to maintain the right to not use these systems, but sooner or later it will happen. The actual problem is that because there is enough pressure on the federal government to block these efforts to centralize identity registration, agencies will go around it by employing contractors like id.me. Maybe the best way forward, as (arguably) with the "public option" for health insurance, is an agency offering identity as a service. As the Post Office participates in passport application, perhaps that would be a good place to start.

    I’m not naive about the problems – I have an SF-86 on file, which was undoubtedly leaked – but the problem is not going to go away.

    Reply
    1. Thanks. That’s a very good understanding of the problem.
      Our nation is unique in our persistent fear of concentrated government. Our federalism is a result of compromise between the federalists and anti-federalists of old. Hamilton / Madison / Jefferson / and others.

      But you did leave out an important corollary. The Social Security Number.
      It started out as just a unique numeric identifier, at the federal level, and because 51 separate DL numbers would not work and Driver privileges were not fully inclusive enough to cover the number of Americans that needed to pay into (and receive from) the Social Security pool.
      It was the "identity" that most people got early in life, kept for a lifetime, and used for most interactions with the federal government when it came to paying taxes. Even the states, which could levy their own taxes, require their own forms of ID to file state taxes, still found the SSN most useful.

      Of course, SSN have also been fought against for as long as it’s been in use. Many still regard their SSN as the "mark of the beast", or a form of government overreach.

      Perhaps that's the biggest failing with the comments that have flooded in. That proper digital identity proofing is needed now, BECAUSE identifiers like Social Security Numbers have failed us for so long. The financial sector had abused the SSN by using it not just as an identifier, but as a secret password. So they have been complicit in most identity thefts when they issue funds to criminals who do a little bit of recon on the full name, date of birth, address, and an SSN. Too easy for crooks, but users don't care about security if it makes it harder than this.
      To get a new SSN, it is usually a difficult process too. But the people complaining about ID.me are people who got their SSN at birth and don't remember the process to submit birth certificates. Likewise, the process to change an SSN is a very arduous process. But that is the nature of identity proofing from scratch.

      The GSA (General Services Administration) has a "public option" already. Not sure why IRS.gov isn’t using it like the SSA is currently.

      -Reply
  3. This is a most timely article. I had to make a payment to the IRS in the amount of $10.00. I previously had an account with the IRS which no longer existed. I was directed to create an account with ID.me.

    I started the process at nine in the morning. I scanned and uploaded the required documents (hint, take a photo of the documents and upload them…the scans do not provide a clear enough image). After much re-uploading until they were satisfied I then had my face scanned, which turned out to be a hilarious series of failures until finally the scan was accepted (or they just gave up on the effort).

    I was then informed that I would have a 2 hour wait in the queue to be interviewed by a remote interview person. By then it was almost lunch time so I started fixing breakfast and watching the screen. Part way through cooking my eggs I was notified my turn was up. A representative showed on my screen…he could hear me but he couldn't see me so he terminated the video call (damn cheap webcam). I was notified that it would be an hour before I would be contacted. So I continued cooking breakfast. Before my toast was done my turn came up again. This time the rep could see and hear me. She looked over my documents and said they were ok and then put her face right up to her monitor so she could see that my face was a match (I really did try not to laugh watching all this).

    At around ten that night I completed the process. Normally I would have abandoned the whole thing…I have never been through such a ridiculous process before (including my time in the army) but I just wanted to see what was going to happen.

    I logged into the IRS site to make my $10.00 payment and felt very proud of myself to have the perseverance to complete the process. That is not like me.

    I am so glad I found your article so I know I am not the only one out there.

    Reply
    1. I guess the alternative would be to go to an irs office somewhere to pay or not be lazy and mail a check.

      -Reply
  4. kingJames January 21, 2022

    Went through same. It will be helpful if all requirements are spelt out as well as the estimated time of completion.

    Reply
  5. I hate this change to use ID.me and hate handing over all my personal information to yet another 3rd party company. I would have preferred using a login.gov credential at the IRS too, like the SSA website & others. I switched SSA to login.gov a while back. At least, with login.gov your personal information is with some government website (not that it will be any safer, but at least the entity is not a private company). I wish there was a way to create the ID.me account, disable online access to related sites, remove the personal information & only deal with snail mail for communications.

    Reply
  6. Ron Cleven January 21, 2022

    I would be fine with this change if the same concept was also used to secure elections. But nobody wants secure elections, so never mind, I guess …

    Reply
    1. Of course we want secure elections. And I would certainly consider identity proofing as a way to do voter registration.
      However, using a site like IRS.gov (which is not a requirement for just regular tax payers), is very different than a system that every eligible voter must use.

      150 million Americans pay taxes, but there are 240 million eligible voters. That includes the homeless, jobless, and those in extreme poverty.
      It is expected that the IRS website could require more hoops to jump through, like getting a hold of a smart phone / computer / internet. But for voters, no.

      Now, there are ways to do identity proofing in person, without infrastructure, and without costing the voter a single cent.
      The US military routinely uses biometrics to register people and filter known insurgents. But that’s something Americans are unwilling to tolerate at home.

      I would be willing to support fingerprinting all voters to satisfy the secure voting objectives of the right. But only if the government paid for it in its entirety. They would need to be within easy travel distance without a car or paid fare. That means they would have to be at every post office.
      Now, to the people who say they want secure elections, when they see the bill for everything needed to do secure identity proofing with biometrics and have it inclusive enough to be completely free and accessible to even the homeless… then you’ll see a lot of hypocrisy and backtracking revealing the truth. Many people who SAY they want more secure elections, really just want an opportunity to suppress the votes of political opposition.

      -Reply
  7. I got "validated" for IRS access today. Already had an ID.Me account for military and education discounts, but still had to go through the whole verification process. Although it says you can upload a PDF of a document (I scanned my driver's license to a PDF), it rejected it as a "photo of a photo" and I had to take a photo with my phone (which was lower quality than the scanned PDF!). After submitting the replacement, I had to wait a couple hours for an email that said my documents were good. I then logged back in, got the "wait message" (mine was only just over an hour), and was told I would do a video call when I came up in the queue. After about 35 minutes, I got a text with a link to initiate the video call. The call took about 10 minutes during which I had to confirm my identifying information, hold up my driver's license to the phone and then my passport. Then he took the "selfie" and validated my access. Fairly painless, though a little time consuming. I'm for anything to help prevent identity theft and someone filing a false tax return with my identity.

    Reply
    1. > video call

      How is this accomplished? Some specific web browser or browser extension?

      I don't have a cellular phone, and my desktop runs OpenIndiana, not Windows or Linux.

      -Reply
      1. Then you don’t need the website. You need to go through the mail like you normally do.

        -Reply
  8. Tyrhonda Stone January 21, 2022

    The hacker will have a field day with the site. I remember several years ago when the IRS database was hacked and my information was compromised in a system that was supposed to be secure but it wasn't as secure as they thought. I was given free membership with the credit bureau to monitor my credit for a couple of years. The membership allowed me to lock and unlock my report. Add a selfie on the IRS database and the ability for them to get in spells disaster.

    Reply
    1. People willingly upload selfies to social media every hour, for the attention.

      The point of doing all this, is to make sure that the previously compromised information is no longer of any value to those criminals. Credit monitoring didn’t prevent fraud. This will.
      Your stolen information could previously have been used to allow hackers access to your taxes, refunds and benefits. Now, they can’t. Not even if they have your "selfies". They would need to be live, and interacting with a real person. Static information won’t work to steal your identity anymore.

      -Reply
      1. Elaine Biggerstaff -January 22, 2022

        I'm not one of those who upload anything to any social media. And as a senior citizen using only TracFone as a cell phone, and only got it for emergencies, soon I will not be able to do or get anything because everything will depend upon having a smartphone. So, those of us without the latest technology are non-entities who are discriminated against for not wanting to join the technocracy rulers over life.

        -Reply
        1. How are you paying taxes right now?
          Doesn’t look like anything will change for you at all.
          I know people who still mail their forms to the IRS, the internet and all this technology hasn’t changed as much as you think.

          -Reply
        2. Certainly there are many people who lack access to computers or smart phones.
          As to your specific concern, a smart phone is NOT required to complete the ID.me sign-up. A computer with a webcam will work just fine.

          -Reply
  9. I have existing accounts at IRS.gov and SSA.gov where I initiate the login with a username and password. ID.me is shown as an option on both sites. The IRS site states "ID.me is our trusted technology provider in helping to keep your records safe." The Social Security Administration, quite surprisingly, has a disclaimer saying "links to certain websites [namely login.gov and ID.me] are not affiliated with the United States government. If we provide a link to such a website, this does not constitute an endorsement by SSA or any of its employees of the information or products presented on the non-SSA website. Also, such websites are not within our control and may not follow the same privacy, security or accessibility policies." The Social Security Administration offers this option, but what they are really saying is you are on your own. The information I would need to provide for ID.me enrollment is likely more sensitive than the information the IRS or Social Security is trying to protect.

    As one who has been affected by the 2015 US Office of Personnel Management data breach, where the most personal details of my family and myself were released, and to a lesser degree, details on my neighbors, I would not trust ID.me or any other such organization. The other 22 million people involved in the OPM data breach would likely feel the same.

    Reply
    1. "The information I would need to provide for ID.me enrollment is likely more sensitive than the information the IRS or Social Security is trying to protect."
      No, that is backwards.

      The information is private, but it’s sensitive precisely because it can be used to open up accounts for the purposes of lending money, paying benefits, refunding tax dollars, etc.
      The solution cannot be to claw back sensitive data. That’s like asking people who’ve had their SSN stolen, to just get a new one. It’s not practical.
      Although having you and your family's information out there is still scary… The proper solution, which has been recommended by security professionals for a long time, is to eliminate the practical value of those "personal details". If fraudsters can't really use those personal details to open lines of credit, or get benefits in your name,… then that solves the fraud and identity theft problems.

      Yes, I was also affected by the OPM breach too. And what's worse, is that it was about the same time I began working in this field. So I knew then the exact implications of the breach and how it was going to affect everyone. Even further, I knew that credit monitoring could only be a band aid on a gaping wound. And that the real solution would be to neuter the data that was breached. Make it so that SSN/DOB/address are practically useless. Of course we also knew the way to do that is strong identity proofing and MFA that users are not gonna like.

      -Reply
  10. Trustnot Irs January 22, 2022

    Doesn't anyone else worry about the use of the .ME TLD (which I block) over a .gov TLD? I have just a tad more trust (just a tad) that the requirement for a domain to be parked in .gov is not as easy as getting a .me. A small step indeed, but security is made of many small steps, no one thing to save everyone. This just helps drive bad behavior. Thank you, IRS.

    Reply
    1. There was a big shift, don’t remember how many years ago, that unleashed TLDs from what they once were (country codes often used by firewalls) to a situation where anyone can buy pretty much any custom TLD now.
      So the .me TLD isn’t particularly unsafe compared to .com anymore.

      .gov does indeed have some restrictions still in place though. So your point is well made. Another reason why the GSA’s login.gov should be used instead.

      -Reply
  11. The privacy policy states:

    We provide certain services and products of the Website through Third-Party service providers. These "Third-Party Service Providers" perform functions on our behalf, such as sending out and distributing our administrative and promotional emails. We may share your Personally Identifiable Information with such Third-Party Service Providers to remove repetitive information on customer lists, analyze data, provide marketing assistance, provide search results and links, process credit card payments, operate the Website, troubleshoot, and provide customer service.

    Brian, it would be nice if CEO Blake Hall would supply a LIST of top 20 affiliates/partners by volume of data, such as the owner / operator of the face recognition software ID.ME uses . . . not just Third Party Advertising Companies . . . that are members of the Network Advertising Initiative ("NAI"), which include Google/Alphabet companies.

    "These companies may use Non-Personally Identifiable Information about your visits to this and other websites in order to provide, through the use of network tags, advertisements about goods and services that may be of interest to you."

    Google is going to receive a windfall of Non-Personally Identifiable Information to refine its database of US citizens including

    "remove repetitive information on customer lists, analyze data, provide marketing assistance, provide search results."

    If Google or Alphabet is supplying the facial recognition software, or any other software enabling the processing of ID information, it will be able to fine-tune its information on US Citizens. The terms and privacy are murky!

    Of course,

    "You will defend, indemnify and hold ID.me harmless against any and all claims, costs, damages, losses, liabilities and expenses (including attorneys’ fees and costs) arising out of or in connection with a claim by a third party related to your use of the Website and the ID.me Service."

    Reply
    1. notlegaladvice January 22, 2022

      That’s not the privacy policy, that’s the Terms of Service.

      1) Give up your right to sue as an individual or as part of a class and instead submit to forced arbitration. These terms are legal, but can be bypassed with good lawyers.

      2) When the TOS refers to PII as a Submission, that’s different from the live video calls and uploaded documents used to perform the identity proofing. Those policies are not in the TOS, but in the Privacy policy and the biometrics policy.
      The TOS is referring to "comments, feedback, … considered non-confidential". That’s the standard TOS for many web services that have comment sections, feedback forms, and the like.
      Ask a lawyer if that TOS is out of the ordinary or if that means they could sell your Driver License photo to a 3rd party. The answer would be no.

      The Terms of Service are not the only binding policy document in play.
      -https://www.id.me/biometric
      -https://www.id.me/privacy

      Don’t cherry pick from the TOS, Submissions section, in order to suggest that it covered confidential and sensitive things, when it does not. The privacy and biometric documents discuss those items, and it is far more reasonable.

      If you are still so concerned about the TOS being too broad, then talk to your representatives and senators in Congress. Tell them to enact privacy policy similar to GDPR and CCPA at the national level. This would really make a lot of these nightmare interpretations really impossible to legally enforce.

      -Reply
      1. Hi, Thanx for the reply.

        I should have posted the link: id.me/privacy – most of the quote, above, is from the privacy policy, some under the heading, if you scroll down:

        We may share your information with Authorized Third Party Service Providers

        "We may share your Personally Identifiable Information with such Third-Party Service Providers to remove repetitive information on customer lists, analyze data, provide marketing assistance, provide search results and links, process credit card payments, operate the Website, troubleshoot, and provide customer service."

        So, this concerns PII. Just saying, you KNOW this info will be shared with Google: "provide search results."

        Thanx for publishing my comment, Brian Krebs!

        -Reply
  12. I had been resisting RealID, but then read about the IRS’ new process. By chance, just before seeing this post, I had just finished signing up on ID.me and then going to IRS, signing in with the ID.me button, then following the instructions online. Compared to Chris’ experience, mine went reasonably smoothly. I use Firefox with NoScript and uBlocker and tracking disabled. So, when I could not upload the photos of my driver’s license [it said upload, then hit Continue, but the Continue button remained greyed out], I disabled all these filters, but it still would not work. Luckily, it also will send a link to your phone to take the photos, and this worked fine. When I got to the video-mugshot part, it complained a couple of times [before I removed my eyeglasses to match the license], but then finished and sent a Verify to my phone and that completed the process. Easier than I expected, and it never asked for any other documents.

    Reply
  13. Sane One January 23, 2022

    There is absolutely no reason after establishment of your identity through the ID.me process and creation of your unique token that ID.me would need to retain your biometrics. The fact that they retain it means they intend to use and profit from it in the future, either by selling (and then requiring) iris or DNA matching and/or selling their services to other entities which will require you to facial scan at point of transaction with them. It’s shadier than heck and absolutely should be opposed.

    Reply
    1. notlegaladvice January 23, 2022

      -https://www.id.me/biometric
      They don’t sell biometric data.
      And just like your DMV, they keep the data.

      Opposing this should begin with adopting something like California’s CCPA nationwide.

      -Reply
  14. Very helpful, thank you. I set up an account for myself but can it also be used for client matters in my CPA Practice?

    Reply
  15. I don’t put personal photos online of myself. Ever.

    Reply
  16. Interesting how the cost of testing with a proctor has become a lot cheaper. "Thanks Internet" Deciding to not add more procedures to your security scheme is a hard sell in many organizational settings.

    Reply
  17. Nicholas Spagnola January 24, 2022

    IF YOU SUBMIT DOCUMENTS that do not have EXACT name matches, including middle NAMES, you get flagged, switched to a real person, etc.

    BUT, I JUST FOUND THIS on the SOCIAL SECURITY WEB SITE, regarding middle name – – it is NOT A LEGAL PART OF THE NAME !!!!! so if THAT is true, then all this matching up is NOT following truly LEGAL guidelines???? DOES the left hand know what the right hand is doing??

    FROM social security web site

    RM 10205.120 How the Number Holder’s Name is Shown on SSN Card
    The number holder’s (NH) first and last name on his or her SSN card must agree with the first and last name shown on the document submitted as evidence of identity or legal name. A middle name or suffix is not considered part of the legal name. It does not matter if the middle name or suffix is included, omitted, or incorrectly shown on an SSN card.

    For SSN purposes, a NH’s legal name consists of the first (or given name) and last (or family name or surname) that is used to sign legal documents, deeds, or contracts.

    Reply
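The comment above quotes the SSA rule that only first and last name make up the legal name, while the commenter reports being flagged on anything short of an exact match including middle name. The following is an added example, not code from the post or from ID.me, that compares a name on a submitted document against a name of record under both rules so the disagreement between them can be measured. The sample name pairs are constructed, and the suffix list is an assumption for illustration rather than any published specification.

```python
"""Compare two name-matching rules on constructed document/record pairs.

Rule A ("strict"): the full normalized name strings must be identical.
Rule B ("legal name", after SSA RM 10205.120 as quoted in the comment):
only first and last name count; middle names and suffixes are ignored.
This is an added illustration, not ID.me's or the SSA's actual matcher.
"""
import re
import unicodedata

# Assumption: illustrative suffix list, not from any SSA or ID.me document.
SUFFIXES = {"jr", "sr", "ii", "iii", "iv", "esq"}


def normalize(name):
    """Lower-case, strip accents and punctuation (hyphens kept), tokenize."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z\-\s]", " ", ascii_only.lower())
    return cleaned.split()


def legal_name(tokens):
    """(first, last) per the quoted SSA rule, or None if not recoverable."""
    core = [t for t in tokens if t not in SUFFIXES]
    if len(core) < 2:
        return None
    return core[0], core[-1]


def strict_match(doc_name, record_name):
    """Rule A: every token, including middle name and suffix, must agree."""
    return normalize(doc_name) == normalize(record_name)


def legal_name_match(doc_name, record_name):
    """Rule B: first and last name agree; middle name and suffix ignored."""
    a = legal_name(normalize(doc_name))
    b = legal_name(normalize(record_name))
    return a is not None and a == b


# Constructed sample pairs: (name on submitted document, name of record).
SAMPLE_PAIRS = [
    ("John Q. Public", "John Public"),      # middle initial only on document
    ("John Public Jr.", "John Public"),     # suffix only on document
    ("Jon Public", "John Public"),          # genuinely different first name
    ("José García", "Jose Garcia"),         # accent difference only
    ("Mary Smith-Jones", "Mary Smith"),     # different surname
]


def compare_rules(pairs):
    """Return (strict hits, legal-name hits, document names where rules differ)."""
    strict_hits = sum(strict_match(d, r) for d, r in pairs)
    legal_hits = sum(legal_name_match(d, r) for d, r in pairs)
    disagreements = [d for d, r in pairs
                     if strict_match(d, r) != legal_name_match(d, r)]
    return strict_hits, legal_hits, disagreements


if __name__ == "__main__":
    strict, legal, diff = compare_rules(SAMPLE_PAIRS)
    print(f"strict matches: {strict}, legal-name matches: {legal}")
    print("flagged only under the strict rule:", diff)
```

On the constructed pairs, the strict rule accepts one name and the legal-name rule three; the two cases that differ are exactly a middle initial and a suffix, which is the kind of mismatch the comment describes. The genuinely different names ("Jon" vs "John", "Smith-Jones" vs "Smith") are rejected by both rules, so the looser rule does not weaken the check where it matters.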
  18. alton rouser January 24, 2022

    I will be surprised the public will put up with this highly intrusive change. This is a horror show in the making. Time to complain to your Congressman and everywhere else.

    1. The government can’t be trusted to keep all your private information secure. Privacy and personal security matter.
    2. Lots of people can’t deal with computers, such as the disabled and old. There needs to be an analog fallback mechanism.
    3. The procedure chosen is way too cumbersome, sanctioned by out of control bureaucrats.

    Starting to discuss alternatives:

    1. What happened to the notary public? (In this case you show up in person and present your one or two IDs and get a notarized document back to send in with your paper application for an account.) This would be a good job for post offices to do: identity verification.

    2. Why can’t the IRS piggyback on https://secure.login.gov ?

    3. Why can’t the IRS use its own verification methods? I seem to recall it required the previous year’s AGI for verification. Address validation has sometimes been used by other government accounts. You can already get an IRS PIN to file your return with. Why not piggyback on some of that?

    4. Plus there are many more verification methods, such as state IDs, credit cards, passports, bank accounts for payments and refunds, and credit reports. Why can’t the IRS piggyback on state IDs, etc.?

    Reply

    1. 1. True, and neither can private enterprise. Government systems can be breached. Private systems can be breached and decide to sell your data.
      2. There are already analog fallback mechanisms for everything you can do online with IRS.gov. Those people who can’t deal with computers themselves already use proxies, agents, accountants, tax prep companies and the US Mail.
      3. Secure 2FA and identity proofing procedures were not created by the government. They have been recommended for many years by the experts. Identity theft and other common fraud targeting the IRS had proposed solutions. This is the result.

      1. Yes, notaries are still used in many cases when dealing with the IRS. Certainly still in use for those who don’t have an IRS.gov account.
      2. That is a good question. They absolutely should have that as the default option.
      3. Those methods of verification (AGI, home address, and even mailed PIN) are terrible for identity proofing. Rife with fraud. Dumpster diving is one easy way. Stolen mail is very common. This kind of "static" data, has been abused by scammers and is the reason why the secure way must avoid them.
      4. State issued IDs and Passports are the methods of pre-existing identity verification that ID.me uses. Of course, verification of those items is still needed to make sure they are not forged. And the static information in credit reports is a horrible idea; most of that info is open source and available on the internet.

      Good security is not intuitive to people outside the security community. It may seem like "common sense", but it really is complicated and nuanced. That’s why we need good journalists like Krebs to bridge the gap and explain this stuff.
      To have a secure system that can significantly reduce fraud and identity theft, we have to understand the subtle difference in the types of data and also the capability of fraudsters. I know it’s cumbersome, but it HAS to be difficult for criminals.

      -Reply
  19. Everyone upset about the involvement of a private-sector party in the comments — please tell the IRS that you want login.gov implemented for IRS accounts before they discontinue legacy accounts at https://www.improveirs.org/submit-a-suggestion/ which is their "submit a suggestion" form.

    Reply
  20. It would not surprise me at all if the IRS is still in the process of allowing "Login.gov" from the GSA.
    With large bureaucracies, there are often roadblocks that may not exist when contracting out to a private 3rd party, but do make it a long process for two separate parts of government to work together.

    Reply
  21. J Cunningham January 25, 2022

    Interesting… It took me all of 15 minutes to get approved after I discovered my IRS account is not there anymore.. the longest part was getting my phone to produce the Live Photo they wanted… I finally ended up using my bathroom lights to illuminate my face and voila, done… Like the author, all of my Credit history is locked…

    I was compromised in the OPM hack…

    So now what?

    Reply
  22. Jay Libove January 25, 2022

    This is a great summary of the process and the problems with the process .. for US-resident Americans.
    I’m an ex-pat American. No bank, phone, utility, Internet, etc. bill would be accepted by ID.me’s processes, and we do not have US-side mobile phones, so not only did my wife and I have to go through the video verification (which, once we got to it, worked well), but we had to figure out how to get TO the video verification, since it only happens after you submit "acceptable" documents. It takes a series of failures and human email intervention from ID.me to get a video verification in this case. In some ways I was impressed by ID.me’s system, but it clearly is not well thought out for ex-pats. (Nor for seniors/the less "technically savvy", which fortunately I’m not). It must be improved.

    Reply
  23. James Mac January 26, 2022

    Very interesting. I live in Jersey – the original one, not the knock-off copy over the river from New York. Our government introduced an identity system not unlike ID.me for access to online tax returns about three years ago, software called Yoti.

    Once it’s on my phone it works very well.
    Getting it installed was an absolute nightmare, and like you it was mainly because of video.
    Getting it uninstalled and moved from one phone to a newer phone is basically impossible.

    I think this whole thing about photos and videos for biometrics is likely a dead end, and it’s going to cause a lot of grief on the way.

    Reply
    1. Photos and videos for biometrics are indeed bad, since the technology for deepfakes has become easy to get and use.
      However, LIVE video for biometrics is still good, for now. Doing a deepfake with a live video stream is not currently good enough to be believable. This may change, and when it does, we’ll have to go back to in-person interviews for identity proofing.

      Biometrics are a great thing, if implemented correctly. I’ve long said that biometrics should only be considered secure for identification if "supervised" during biometric reading. That means no fingerprint readers on car door handles, but yes to face scans to gain access to a government building with guards watching.
      ID.me’s video interview process is a compromise, figuring that live video chat is sufficient supervision while taking biometrics. With today’s technology, it is good enough.
      Fraudsters are not going to risk getting on live video unless they can mask their true face with a convincing deepfake of the victim.

      -Reply
  24. Smartacus January 26, 2022

    How about you DON’T cooperate with the police state that Democrats are building, rather than geek out on the details? There are broad and terrible consequences of giving this to the government. You all know they do not require this to hand out money to illegal aliens, right? The 100% purpose of this is to make it easier to control dissent.

    Reply
    1. Go back to alex jones.
      We all know you people hate this country. You want your dictator reinstated, Constitution be damned.

      -Reply
  25. What’s not being reported anywhere is this verification doesn’t just affect those trying to use irs.gov or online filing.

    We’ve been working with several elderly PAPER filers who have refunds tied up because of "fraud flags" that this private company identified. In these cases, the victims of this company have been unable to complete website or video "verification" in some cases lacking the required documents (utility bills) or technology (webcams and smartphones) to use the service. Calls to local IRS offices or the taxpayer advocate service indicate they are unable to clear these blocks and refer the victims to an ID.me phone number which has not been answered in over three months.

    All the valid concerns about privacy and government overreach aside, it’s appalling to roll out these technologies without making provisions for the people who will be most disadvantaged and discriminated against by their use.

    Reply

© Krebs on Security