A new report from the Treasury Inspector General for Tax Administration (TIGTA) sheds light on why the Internal Revenue Service (IRS) scrapped plans to offer Login.gov as an alternative way for taxpayers to identify themselves in order to use IRS tools and services for the 2023 tax season.
Initially, the agency had planned to give taxpayers the option to use facial recognition technology – considered controversial at the time – along with using Login.gov as the other alternative.
But the Sept. 27 TIGTA report found that Login.gov did not comply with some National Institute of Standards and Technology (NIST) standards and that “login.gov has not fully implemented specific controls to improve its anti-fraud controls to improve its anti-fraud program as required by the Office of Management and Budget (OMB).”
The IRS initially set up a $22.6 million contract to help establish use of Login.gov, but eventually walked it back and brought the total contract amount down to approximately $240,000.
Additionally, the report outlines a timeline of events that led the IRS away from wanting to use Login.gov, which was created by the General Services Administration (GSA).
“Login.gov’s lack of strong anti-fraud controls prohibits the IRS’s ability to detect large-scale exploits, putting billions of dollars of taxpayer payments at risk,” said senior executives in a November 2022 memorandum to the deputy commissioner for operations support at the IRS.
“The success of the IRS online fraud-fighting efforts relies on end-to-end visibility of user’s online activity data predicated on a fully compliant [Identity Assurance Levels] IAL2 registration pipeline,” added the senior executives.
The IAL2 referenced in the letter is one of NIST’s varying levels of security standards, under which access is granted to people based on remotely or physically identifying individuals.
Although taxpayers cannot currently use Login.gov to file their taxes, there are other smaller use cases in which the IRS is utilizing the service, including the submission of IRS tax forms for small organizations.
“The IRS maintains highly sensitive financial, Personally Identifiable Information (PII) data, and Federal Tax Information (FTI) across the taxpayer community and is a prime target of cyber-fraud,” said the senior executives mentioned in the TIGTA report.
“Bad actors have aggressively targeted IRS online applications leveraging identity theft that occurred outside the IRS with compromised third-party information,” concluded the senior executives.
While Login.gov has not yet achieved IAL2 compliance, the GSA is currently working toward this goal, an agency spokesperson said.
“Login.gov has long included a robust set of anti-fraud capabilities that have helped ensure its security. The platform continues to incorporate proven tools and practices in fraud prevention, including the ability to actively monitor registrations and block fraudulent users,” said the GSA spokesperson.
“As a government-provided identity verification service that serves nearly 50 federal and state agencies with varying security and compliance requirements, Login.gov takes seriously its responsibility to safeguard user privacy and ensure equitable access to all. Login.gov will continue to incorporate best practices for responding to constantly changing cybersecurity threats and to work toward achieving IAL2 compliance in a way that meets our agency partners’ needs while also upholding our commitment to privacy, security and equity for the public,” the spokesperson said.