The IRS will use ID.me's authentication and identity proofing service exclusively starting sometime this summer. The identity proofing portion employs facial scanning by a third party, causing some concern.
Scott Lemon alerted me to a move by the IRS to use ID.me, and facial scanning, for authentication. ID.me is an identity proofing and authentication company that seems to be getting a lot of government contracts. ID.me is used, for example, by a lot of states for access to unemployment benefits. I first ran across them when I signed up for an ID.me account so I could access the Dept. of Veterans Affairs website back in 2019.
As I recall, when I signed up, I provided ID.me enough personal information that they could grab my address and other information from a credit reporting company. I also uploaded my driver's license and my DD214 (US military discharge papers). I don't recall doing a face scan. The login is pretty standard: a username and password plus some form of multi-factor authentication (MFA). They use any of SMS, phone calls, authenticator apps, and FIDO tokens for MFA.
The controversy surrounding the IRS's use of ID.me is that the IRS is requiring a live facial scan to match with the photo ID that ID.me has. When you create a new account with ID.me, you upload some acceptable photo ID first (driver's license or passport). The facial scan is to ensure the person creating the account is the one in the photo ID. I recall doing something similar with Onfido, another online identity proofing company.
I tried the IRS ID.me login. Since I already had an account and a photo ID on record with ID.me, they jumped directly to the facial scan after I logged in. I was on my computer and it wanted the browser to use the webcam. That failed miserably, hiding my browser window and failing to activate the camera. So, I moved to my phone. That also failed initially since my preferences didn't allow Safari to use the camera. ID.me told me to give it permission, but no further hints. I was left to wallow around in the settings to find it (i.e., is it under the camera preferences or the browser's? The browser's, as it turns out).
When I finally got that working it scanned my face and asked me if I was OK sending personal data back to the IRS.
Krebs on Security has a nice write-up of the ID.me process.
As far as I can tell, the facial scan is just done once, not every time you log in. ID.me doesn't say whether they save the scan or just use it to validate the photo ID and toss it. I don't know why they'd save the scan, but you never know. I'd just as soon not have it sitting on their computers.
While I've got a lot of concerns about widespread facial recognition, this doesn't appear to be that. This kind of face scanning to proof an identity document is just a way to bridge the gap between the online and offline world using old-school physical credentials. Verifiable credentials will significantly reduce the need for this in time.
To see why, consider a state driver's license issued as a verifiable credential. The DMV or licensing bureau would be doing the identity proofing, taking the picture, and checking the documents. They issue it to me and I hold it in my wallet. When I present it to the IRS (or whoever), the underlying credential exchange protocol offers the IRS cryptographic confidence that the credential was issued by the DMV to me and that I am the one presenting it. There's no need for a third party to do that.
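Here is an added example of the issue / hold / present flow the paragraph describes, in Go with Ed25519. It is not code from the post, from ID.me, or from any DMV or wallet; the issuer label, claim names and nonce size are assumptions, and real credential exchange protocols carry more structure than this sketch, but the shape of the checks is the same. The issuer signs a credential bound to the holder's public key; the holder answers the verifier's fresh nonce with a signature from that key; the verifier checks the issuer signature against an issuer key it already trusts, checks the nonce, and checks the holder's proof of possession. At no point does the verifier call out to a third party.

```go
// Added example (not the post's or any vendor's code): a minimal
// issue / hold / present flow for a verifiable credential using Ed25519.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is what the issuer (the DMV in the post) hands to the holder.
// Subject is the holder's public key, so the credential is bound to a key
// only the holder controls. Issuer label and claim names are assumptions.
type Credential struct {
	Issuer    string            `json:"issuer"`
	Subject   []byte            `json:"subject"`
	Claims    map[string]string `json:"claims"`
	IssuerSig []byte            `json:"issuer_sig"`
}

// Presentation is what the holder shows the verifier (the IRS in the post):
// the credential plus a signature over it and the verifier's fresh nonce,
// proving the presenter controls the Subject key right now.
type Presentation struct {
	Credential Credential `json:"credential"`
	Nonce      []byte     `json:"nonce"`
	HolderSig  []byte     `json:"holder_sig"`
}

// credentialBytes returns the bytes the issuer signs: the credential with the
// signature cleared. encoding/json sorts map keys, so the encoding is deterministic.
func credentialBytes(c Credential) ([]byte, error) {
	c.IssuerSig = nil
	return json.Marshal(c)
}

// presentationBytes returns the bytes the holder signs (holder signature cleared).
func presentationBytes(p Presentation) ([]byte, error) {
	p.HolderSig = nil
	return json.Marshal(p)
}

// NewKeyPair generates an Ed25519 key pair for any party (issuer, holder, ...).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewNonce returns a fresh random challenge; the verifier issues one per presentation.
func NewNonce() ([]byte, error) {
	n := make([]byte, 16) // 16 bytes is an assumption
	_, err := rand.Read(n)
	return n, err
}

// IssueCredential is the issuer's step: after proofing the person out of band,
// sign the claims together with the holder's public key.
func IssueCredential(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claims map[string]string) (Credential, error) {
	c := Credential{Issuer: "example-dmv", Subject: holderPub, Claims: claims}
	msg, err := credentialBytes(c)
	if err != nil {
		return Credential{}, err
	}
	c.IssuerSig = ed25519.Sign(issuerPriv, msg)
	return c, nil
}

// CreatePresentation is the holder's step: sign the credential and the verifier's nonce.
func CreatePresentation(holderPriv ed25519.PrivateKey, cred Credential, nonce []byte) (Presentation, error) {
	p := Presentation{Credential: cred, Nonce: nonce}
	msg, err := presentationBytes(p)
	if err != nil {
		return Presentation{}, err
	}
	p.HolderSig = ed25519.Sign(holderPriv, msg)
	return p, nil
}

// VerifyPresentation is the verifier's step. It needs only the issuer public key
// it already trusts and the nonce it handed out; no third party is consulted.
func VerifyPresentation(trustedIssuer ed25519.PublicKey, p Presentation, expectedNonce []byte) error {
	// 1. The credential came from the trusted issuer and was not altered.
	credMsg, err := credentialBytes(p.Credential)
	if err != nil {
		return err
	}
	if !ed25519.Verify(trustedIssuer, credMsg, p.Credential.IssuerSig) {
		return errors.New("issuer signature invalid: credential forged, altered, or from an untrusted issuer")
	}
	// 2. The presentation answers this verifier's fresh challenge, not an old one.
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return errors.New("nonce mismatch: stale or replayed presentation")
	}
	// 3. The presenter controls the key the credential was issued to.
	subject := ed25519.PublicKey(p.Credential.Subject)
	if len(subject) != ed25519.PublicKeySize {
		return errors.New("malformed subject key")
	}
	presMsg, err := presentationBytes(p)
	if err != nil {
		return err
	}
	if !ed25519.Verify(subject, presMsg, p.HolderSig) {
		return errors.New("holder signature invalid: presenter does not hold the credential's key")
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := NewKeyPair() // the DMV
	holderPub, holderPriv, _ := NewKeyPair() // me, key kept in my wallet
	cred, _ := IssueCredential(issuerPriv, holderPub, map[string]string{"name": "Alice Example", "class": "D"})
	nonce, _ := NewNonce() // the IRS's challenge for this login
	pres, _ := CreatePresentation(holderPriv, cred, nonce)
	fmt.Println("genuine presentation:", VerifyPresentation(issuerPub, pres, nonce))
	_, otherPriv, _ := NewKeyPair()
	copied, _ := CreatePresentation(otherPriv, cred, nonce) // same credential, wrong key
	fmt.Println("copied credential:", VerifyPresentation(issuerPub, copied, nonce))
}
```

The verifier's trust is anchored in one thing it already holds, the issuer's public key; the holder's signature over the nonce is what replaces the live face scan as evidence that the person presenting the credential is the one it was issued to.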
Alas, we're not there yet, so we'll need companies like ID.me and Onfido to bridge the gap for now. Ultimately, we need to look to self-sovereign identity to protect us from intermediating administrative identity systems and their harms.
Photo Credit: A Face in the Crowd publicity photo (Patricia Neal & Andy Griffith) from Warner Brothers Pictures Distributing Corp (public domain)