IRS direct file participants will have to use ID.me for identity verification

The coming IRS direct file pilot, which will allow taxpayers in certain states to file their taxes directly to the government, will require participants to verify their identity via ID.me, according to a new IRS blog post.

That means that the IRS still isn't ready to adopt the government-owned identity solution Login.gov. IRS officials have had concerns about the security features of Login.gov, which has been in hot water this year over the fact that it doesn’t meet certain identity verification standards. Since then, the General Services Administration announced that it will be adding face matching technology to Login.gov to meet the standard in question.

But sticking with ID.me could resurface old controversies. The vendor came under scrutiny from lawmakers and civil society groups in early 2022 after the IRS started using ID.me — which offers facial recognition to verify identities — to its sign-in processes for online IRS accounts. 

In February 2022, the IRS added new options via ID.me that use a live, virtual interview instead of biometrics to verify identities. The IRS also announced that they intended to add support for Login.gov in the future, but that still hasn't happened. 

Now, the tax agency says that eligible taxpayers who want to use the IRS direct file tool will have to go through ID.me, although the IRS stresses that the pilot is intended as another option for tax filing in the states where it will be offered, not a requirement.

More broadly, some of the concerns raised in early 2022 focused on selfie-matching technology itself, especially in terms of potential bias. 2019 testing by the National Institute of Standards and Technology found evidence of demographic disparities in the accuracy of algorithms it studied. But since then, NIST officials have stressed to policymakers that performance differs across different algorithms and that the technology overall has improved since 2019.

Using biometrics is also the easiest way to meet the commonly sought-after standard for digital identity verification set by NIST that Login.gov has had trouble clearing, called identity assurance level 2.

ID.me's vice President and head of government affairs Michael Cassel told Nextgov/FCW in a statement that "since 2019, ID.me has deployed US based human agents to verify users who could not verify through the automated method. In 2022, we deployed a configuration that allowed users to meet with an agent directly if they did not wish to go through the automated flow."

The pathway using biometrics "leverages a top-performing facial verification algorithm assessed by NIST and DHS," he said.

Long term, the IRS says that if it decides to continue to offer the direct file option after the coming tax season, “we will continue to evaluate additional public and private options to ensure that future iterations of Direct File allow taxpayers the choice of how to authenticate their identity.” The pilot is being built in-house by the IRS, U.S. Digital Service and 18F. 

The tax agency is using ID.me for now, it says, because the company is “the only credential service provider currently available to the IRS that meets the identity assurance level 2 standard for identity verification and sign-in services.” 

“The IRS takes seriously its obligation to protect taxpayer data and prevent identity theft in all aspects of our work, and follows all applicable laws, regulations, and rules governing the protection of taxpayer data and federal government information systems,” the blog post states. “The Direct File pilot is no different.”

Editor's note: This article has been updated to include a statement from ID.me.