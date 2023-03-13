With Tax Day less than a month away, the IRS is gearing up to implement a government-run identity verification system: Login.gov. Taxpayers will be able to use the single sign-on tool to access tax documents and make payments through IRS.gov starting next week, FCW and Nextgov has learned.

The news comes a year after the IRS was confronted outcry on requirements for taxpayers to verify their identity using facial recognition technology from provider ID.me to access IRS accounts online and a week after an internal audit showed Login officials had suspended their efforts to implement similar technologies and mislead the agencies on these plans.

At the end of the 2022 tax season, the IRS committed to working with the General Services Administration, which operates Login.gov, to add the service as an option for users. The tax agency cited the need for higher security standards and scale for Login.gov.

That time has come, according to multiple sources, with Login on track to be integrated as an identity verification and authentication option for IRS.gov accounts next week. Already, two IRS apps that do not require proof of identity offer Login.gov as an option.

Once fully onboarded, taxpayers will be able to log into IRS.gov using their Login.gov credentials, which are used on a host of other federal websites, including benefits sites operated by the Department of Veterans Affairs and the Social Security Administration.

But stakeholders on all sides have expressed concerns about whether Login can meet the needs of the IRS, especially on Tax Day, the heaviest traffic day of the year, and what that will mean. for the program.

Reputation is my primary concern, a TTS staffer said in a June 2022 internal Slack post seen by reporters. For example, the IRS may survive this, but for Login.gov, it could make or break us.

This reputation will be more important than ever as the White House considered a massive push for the service under a long-awaited executive order intended to combat identity fraud in government benefit programs, though the executive order is yet to be finalized.

A single sign-on solution for users

The initial Login.gov prototype was built by the US Digital Service, White House Technical Unit and 18F, the GSA-hosted digital consultancy, with the goal of providing a single sign-on service. that would one day be used across government.

The service launched in 2017 and has grown over time, adding vendor support for various services, including data broker LexisNexis, which provides fraud detection and identity verification for the service.

In 2021, Login.gov received an investment of nearly $187 million from the GSA’s revolving technology fund, the Technology Modernization Fund, to help it expand to more agencies.

And a partnership with the IRS would help those efforts, as it will introduce Login to a much wider group of users.

There will be a big one-time identity verification tsunami happening at the front, that will be the big test, said Dominic Sale, who from September 2019 to February 2021 served as deputy commissioner of GSA Solutions, the group under TTS responsible for manage Login.gov, among other services.

Once these accounts are verified, however, the beauty is that they won’t have to berate them every time they log into other government websites, Sale told FCW and Nextgov. Will someone like the IRS have to absorb some of that upfront? Maybe. I just hope they’re ready to do it.

But the service has struggled to meet identity verification standards set by the National Institute of Standards and Technology, leaving some agencies hesitant to use the service, including the IRS.

“The connection I left would not be able to handle the increase in users, Sale said. I can only hope they wouldn’t claim they could handle it and then don’t not be able to handle it. “The connection I left would not be able to handle the increase in users, Sale said. I can only hope they wouldn’t claim they could handle it and then don’t not be able to handle it.

The GSA told the press in early 2022, as the IRS and ID.me faced public pushback for facial recognition requirements, that the agency would not use facial recognition until a review rigorous would not give us the assurance that we can do it fairly and without harming vulnerable populations.

This decision, as set out in a recent report by the GSA’s Office of Inspector General, has placed Identity Assurance Level 2, or IAL2, out of reach for Login.gov, since NIST requires biometrics to meet this standard.

Despite this requirement, advocates concerned about governments’ use of facial recognition technology have long pointed to NIST tests conducted in 2019 that found different demographics had significantly different proofing rates among certain recognition systems. facial.

The Login.gov team put concerns about audience experience and identity security front and center from the start, so much so that they have now been drafted for actions related to them giving prioritize user needs over full compliance with a standard so controversial that a vendor conforms to it. caused a bipartisan political storm last year, said Aaron Snow, co-founder of 18F and former deputy commissioner of TTS, referring to the ID.me line.

Regardless of any errors or misrepresentations that may have been made regarding NIST compliance, the bottom line is that Login.gov is an important, secure, and indispensable cornerstone of our national governments’ digital infrastructure. -he declares.

NIST is currently updating the standards at the center of the recent monitoring report. THE draft updatereleased last year, would add performance requirements for biometrics in identity verification and independent testing for identity providers.

NIST is also establishing a new, lower security threshold for identity verification that would require no biometrics, which will certainly create a new option for agencies where you could use a somewhat lower level of assurance, said Jeremy Grant, former senior executive. Advisor to NIST’s National Strategy for Trusted Identities in Cyberspace. I don’t know if this will solve the problem at all levels, he added.

Also at issue is the extent to which the IRS and GSA will be able to address known barriers to digital identity verification for people who do not have access to identity tools or ID information. identification needed to confirm their identity without being in person. Users who don’t have a smartphone or don’t have access to their credit history could be left out.

These are the hardest people to prove, according to Sale. Regardless of the proofing rates they have, overall, demonstrated so far, if you choose a specific demographic that is historically difficult to prove, your proofing rates will drop.

What’s the fallback if someone isn’t being remotely controlled, which I’m guessing half won’t, Sale said. Will there be something tentative, like a tentative ballot, where you can log in tentatively and then go somewhere in person to complete proofing?

The GSA has a pilot project to allow users to prove their identity at certain US Postal Service locations, but according to the public GSA documents as of January, the effort is limited to a small number of federal partners and select USPS outlets. The GSA is evaluating the option extension in 2023.

Last October, the pilot was limit at seven locations in and around Washington, DC, but the Login.gov website no longer lists specific locations for the driver.

Technically ready?

The potential problems also go beyond ethical and equity concerns. Several technical issues have arisen since this time last year, such as whether Login.govs’ servers can handle an extreme influx of users, particularly in the closing hours of Tax Day, when a deluge of anxious taxpayers attempt to connect to IRS systems at the last minute.

We’ve been working very, very closely with the IRS and making progress, said a TTS source who worked directly on this implementation. Nextgov. The narrative that says the connection isn’t ready or can’t is actually not the case.

While the login system should expect its highest traffic rates yet on Tax Day, the source said ongoing improvement efforts funded in part by TMF awards should bring the system where he should be.

The connection I left would not be able to handle the increased number of users, Sale said. I can only hope they wouldn’t claim they could handle it and then not be able to handle it.

However, Sale noted that the program had received a large influx of funding since he was in government.

Login has a lot more money now than he did when I was there, largely for those purposes, he said.

A GSA spokesperson confirmed in October that the TMF price was used to ensure connection capacity to scale as needed.

Stakeholders also wondered aloud who would take phone calls when disgruntled users inevitably run into technical issues while trying to sign up.

Although the IRS is familiar with handling customer calls on Tax Day, the agency does not operate Login.gov and would not be able to provide technical assistance to users.

Conversely, although the Login.gov team knows their system, the unit has traditionally not been staffed to handle these types of events.

We need [a] definitive answer to how the IRS approaches customer support. This is a major risk to the GSA and the public in terms of the weight and volume we may incur. Please notify, a concerned TTS staff member said in an internal Slack message in June, noting that they had been asking the question for several months. I asked in person, over email and at weekly meetings. The only answer I got in person was: We don’t do customer support at the IRS.

A GSA spokesperson referred questions about the agreement to the IRS and directed users to Login.gov Help Desk, which they claim offers 24/7 support. They did not respond to follow-up questions about scaling the help desk before Tax Day.

The IRS did not respond to requests for comment.