The IRS Just Introduced a Login Identification Process — How Secure Is It?
The Internal Revenue Service (IRS) recently implemented an improved identity verification and sign-in process that requires facial identification through a selfie and a photo of an identity document — such as a driver’s license, state ID or passport — according to IRS.gov. Taxpayers will continue to access the IRS portal through IRS.gov but will now sign in using their ID.me account.
ID.me is a third-party technology provider for the IRS that uses facial recognition to verify identity. The process is simple, fairly quick, and secure. ID.me asserts that it does not sell users’ biometrics or personal information, financial or otherwise.
In a press release detailed by CNET, ID.me founder Blake Hall said, “Our 1:1 face match is comparable to taking a selfie to unlock a smartphone.”
What You Need to Know About ID.me Verification
The new process is designed to make it easier and more secure for taxpayers to manage their child tax credit, check IRS accounts, and perform “other routine tasks” related to taxes, the IRS stated in a news release.
If you already have an IRS username, you can continue to use those credentials to log in to the site until summer 2022 but will be prompted to create an ID.me account as soon as possible, according to IRS.gov. Those who already set up an ID.me account to access the child tax credit update portal can use those credentials to log in for any other IRS business, including filing taxes. They will not have to reauthenticate their identity.
IRS Commissioner Chuck Rettig said in the release, “This new verification process is designed to make IRS online applications as secure as possible for people.”
Is the ID.me Process Secure Against Hackers?
Security expert Nick Santora, CEO of security awareness training platform Curricula, noted that the process is “absolutely more secure” than the IRS’ former methods for identity verification, which largely relied on a user’s Social Security number. “This is setting a precedent. This is where we need to be in order to start taking the security of people’s identity seriously,” Santora told GOBankingRates.
He added that the new process acknowledges a Social Security number is not a good authentication tool. “For the most part, people’s Social Security numbers are already out there from previous third-party data breaches.”
Santora emphasized that hackers may still try to infiltrate the system. But the ID.me process adds so many steps to authentication that it’s designed to make hackers decide such a venture is not worth the trouble, he explained.
With the new identity authentication process, the danger lies not in hackers stealing your identity from other sites and using it to create accounts, but in using social engineering tools to get you to provide them with the information they need to access your account. The system can only provide security if people use it properly.
“A hacker can essentially target you after you’ve set up your ID.me account and do what they do best, which is play on your sense of urgency,” Santora said. For instance, a hacker may reach out by phone or email and say they are from ID.me — or the IRS — and that you need to reset your password or authenticate your account.
If you follow a fake website link a hacker might provide and follow the steps they issue, you could be giving them access to your IRS account. “It’s no different than if you were walking into your house and a burglar came up behind you and navigated you to open the door for them. They didn’t need to steal your key or make a copy of it. They just walked through the door with you,” Santora explained.
To protect yourself, he advised, “Never use your email as a trampoline to get to any website. Don’t just bounce over to the IRS site by clicking a link. Type in the IRS.gov website manually. The agency is using that safe space to make sure you get to the right place.”
He added, “ID.me is a trusted and secure website. But problems could arise if hackers set up fake websites that resemble ID.me. Their goal will be to trick you to go to one of those other sites.”
Santora emphasized that taxpayers should only access the IRS.gov portal through the direct website. Do not click on any email links or visit any websites suggested by phone or email. The IRS will never email or call you directly and ask you to access the site, verify your identity, or reset your password.