IRS Testing Behavioral Analytics to Verify Online Users

golubovystock/Shutterstock.com

Featured eBooks

Digital First
Cloud Smarter
Cybersecurity & the Road Ahead

The agency is piloting a proof-of-concept that will track how individual taxpayers interact with its online systems.

When taxpayers use online systems, the IRS really wants to make sure the people accessing information are who they say they are. The agency has implemented a number of authentication tools over the years—with varying degrees of success—and is now looking at behavioral analytics as an option.

The IRS announced a sole-source contract to BioCatch for a proof-of-concept that would incorporate behavioral analytics for the agency’s eAuthentication system. BioCatch’s technology tracks how a user interacts with their device and the agency’s apps to continually verify their identity.

“BioCatch collects behavioral metrics—i.e., left/right handedness, pressure—while a user is interacting with eAuth without impacting user experience and establishes a profile for the user,” IRS contracting officers wrote in the statement of work. “Once this profile is established, this data is used to detect fraud on subsequent login attempts and to prevent account takeover during the user’s session.”

For the program to be successful, the proof-of-concept has to demonstrate the ability to reliably authenticate users without disrupting the process or adding extra steps.

The proof-of-concept work will go through Jan. 17, at which point the IRS will decide whether to adopt the technology or seek a different solution.

The road to the BioCatch contract started in July 2018, when Treasury Department officials granted funding to the IRS’ Enterprise Services division to “incorporate innovative ideas to bring strong authentication to the IRS online,” according to the statement of work.

“With these funds, a large set of ideas was researched and subsequently narrowed down to a smaller list of potentially implementable solutions,” the document states. “From this list, BioCatch was selected for its behavioral biometrics and fraud reduction capabilities to be tested with eAuth.”