The agency must be able to identity-proof online users at a certain level before it can offer a full menu of online services, Rettig told lawmakers.
The IRS’ ability to offer an array of online services to Americans is contingent upon the agency’s ability to feel confident the people logging on to its online services are who they claim to be, IRS Commissioner Charles Rettig told lawmakers at a Tuesday hearing in front of a subcommittee of the Senate Appropriations Committee.
Identity proofing users is something the agency has struggled to do for years. It recently faced public scrutiny from lawmakers and digital privacy advocates over using facial recognition provided by digital identity company ID.me to verify identities.
In February, the IRS announced it would offer options other than facial recognition and would work to add the General Services Administration's Login.gov service after the 2022 tax filing season.
At the same time, the tax agency faces a paper backlog of tax returns and correspondence that Rettig has vowed to get “healthy” by the end of the year. The agency’s ability to offer services via call centers has also plummeted: employees manning the phone lines are the same ones in charge of the paper backlog, Rettig said. But the IRS faces pressure to increase the number of services it offers to Americans via online accounts.
Erin Collins, the national taxpayer advocate, urged the IRS in a blog post last week to expand the services Americans can find via online IRS accounts, writing that “online service offerings are even more important for taxpayers as the IRS continues to deal with processing disruptions, low levels of telephone service, delays in correspondence, and limited options for walk-in assistance—currently taxpayers simply do not have many viable options for offline service.”
The agency is “about five years from, I think, being what the agency should be in terms of the ability of the folks who want to just interact with us online, to do everything with us online, with the exception of filing a return,” said Rettig. “It could be a little more. It depends upon the funding that we get. It depends upon the technologies that develop.”
The IRS’ ability to expand and maintain online services, though, will also depend on its ability to do identity proofing.
Standards laid out by the National Institute of Standards and Technology outline different “identity assurance levels” that align with “the degree of confidence that the applicant’s claimed identity is their real identity,” according to NIST.
“Once I know this is you, that is your account, I can open up a whole list of services that you can do automatically online,” said Rettig. “When that authentication level might be different, we have to pull back because of the levels of fraud that we encounter.”
“We’re up against nation-states,” he continued. “We get about 1.8 billion cyberattacks per year, and so to protect the data that people trust us with, we have to be at a higher authentication level or not have so many options available.”
Rettig said the agency turned to ID.me’s services because the IRS’ old system struggled to authenticate legitimate users.
“The system we had before had about a 40% authentication rate… About 60% were not getting into the systems and had to walk into the site or had to call, which when we are on our heels from an inventory perspective is not a meaningful thing for the people in this country,” said Rettig.
ID.me’s authentication rate is “far in excess of 70%,” and its facial recognition option is offered in eight languages. Other ID.me options are offered in over 30 languages, said Rettig.
GSA’s Login.gov, which the IRS is looking to add as an option, can currently handle “less than 30 transactions per second,” said Rettig. “We need more than about 1,500 transactions per second.”
The IRS also needs identity assurance level 2 (IAL2) as defined by NIST, Rettig said, and is working with GSA to increase Login.gov’s assurance level and transaction rate. Login.gov’s website currently states that it “continues to work toward achieving certification of compliance with NIST’s IAL2 standard from a third-party assessment organization.”
In a March 2 letter to the House Oversight and Reform Committee, Rettig wrote that the IRS needs Login.gov to reach certain data security standards, as well as offer live support and multilingual customer service options, have capacity for IRS needs and “meet other security, fraud and data protection requirements.”
Rettig told lawmakers Tuesday that “if [Login.gov gets] to the point, we’ve already indicated that we would shift.”
“These are some of the many difficult choices we have to make,” said Rettig. “Because I think collectively, we all want the person who’s capable of going online to be able to do 100% of their interactions with the IRS online seamlessly.”