IRS won't add Login.gov without changes

The IRS was in hot water back in early 2022 when advocacy groups and lawmakers called out the tax agency for incorporating facial recognition technology into a customer account feature. 

One possible way out was adding government-operated identity solution Login.gov as a method for taxpayers to verify themselves to access online IRS accounts and services, something the IRS said in 2022 it intended to do. 

But the Login.gov option never came online at the IRS, and the tax agency eventually clawed back all but $240,000 of a $22.6 million contract to use the digital identity service. A recent oversight report explains why: technology officials didn't trust the security features of the service, which is operated by the General Services Administration.

“Login.gov’s lack of strong anti-fraud controls prohibits the IRS’s ability to detect large-scale exploits, putting billions of dollars of taxpayer payments at risk,” senior executives wrote to the tax agency's deputy chief in a November 7, 2022 memorandum quoted at length in the report from the Treasury Inspector General for Tax Administration.

Specifically, officials were concerned with Login's non-compliance with government standards for remote identity proofing. Those standards, known as Identity Assurance Level 2, require a biometric marker, such as facial recognition. IRS officials were also concerned about Login.gov’s anti-fraud capabilities.

The agency's chief information officer, chief information security officer, chief privacy officer and others warned that "the use of the IAL2 feature of Login.gov would result in IRS sensitive taxpayer data being exploited."

Despite concerns raised in the memo, the IRS issued an authority to operate for Login.gov in mid-November 2022. Later that month, the IRS CIO told the Treasury Department the tax agency would need to see enhanced fraud and IAL2 requirements before Login.gov would be deployed. 

The IRS later found fraud gaps in four separate tabletop exercises, and IRS officials continued to express caution. “I have significant concerns about subjecting 10,000 taxpayers to the risks we’ve identified,” the tax agency’s chief privacy officer wrote in early March.

The planned March deployment didn’t happen — the report states that GSA postponed the planned deployment because of concerns about launching during peak processing season at the IRS — but the IRS continued to plan a limited scope launch to provide information that could help determine future actions, a plan that eventually was abandoned in April of this year. The next month, the IRS revised cost estimates for its Login usage and dramatically lowered the overall value of its contract to use the identity service.

GSA officials have also come under fire for telling customer agencies like the Department of Veterans Affairs and the Department of Labor that Login.gov met IAL2 standards, when it did not. 

This was known at GSA, where the administrator asked the Office of Management and Budget to assess Login.gov and give a written statement to GSA affirming that Login.gov provides comparable security levels as IAL2. 

In September 2022, a panel of experts assembled by the Office of the Federal Chief Information Officer found that Login.gov didn’t meet NIST IAL2 standards, but did provide the strength intended by them, although it needed a better anti-fraud program. According to the oversight report, GSA had not implemented anti-fraud controls sought by experts as of June 7, 2023.

A GSA spokesperson didn't directly address whether the OMB recommendations were ever put in place. “The platform continues to incorporate proven tools and practices in fraud prevention, including the ability to actively monitor registrations and block fraudulent users,” the GSA spokesperson told Nextgov/FCW in an emailed statement. “Login.gov takes seriously its responsibility to safeguard user privacy and ensure equitable access to all."

GSA is planning on achieving the IAL2 compliance sought by the IRS "in a way that meets our agency partners’ needs while also upholding our commitment to privacy, security and equity for the public,” the spokesperson told Nextgov/FCW.

IRS already taps Login for some use cases that don’t require proving the identity of the end user. An internal IRS roadmap approved in July states that the IRS needs at least two options for taxpayers to prove their identities to log into IRS services — including both government and non-government options, according to the report. 

"The IRS looks forward to engaging with the General Services Administration to assess expanding Login.gov services once its identity proofing process meets federal digital identity and fraud guidelines,” an IRS agency spokesperson told Nextgov/FCW in an emailed statement.