Such problems led the IRS and many others to switch to alternatives, such as sending a code to a phone number checked against credit agency records. They also informed a 2017 overhaul of the federal guidelines for digital identity, which recommended that access to systems that can leak sensitive data or cause financial harm should require verifying a person with a photo ID or a biometric like a fingerprint. The photo check can be done in person, via video chat, or using algorithms that compare images or video of a person’s face to their ID.
ID.me, a Virginia-based startup, pioneered face recognition for identity proofing at government agencies, and in 2018 it became the first provider certified against NIST’s 2017 guidelines. The pandemic has boosted its business. More than two dozen state employment agencies have deployed ID.me since the pandemic began, often touting the service as a way to speed the processing of claims while preventing the fraud that has plagued pandemic aid programs.
Even before the recent outcry about IRS use of ID.me, the company had its critics. Individuals complained of waiting for hours or even months to remedy a failed selfie check; privacy experts pointed out that harvesting selfies creates new vulnerabilities. California’s state auditor said last year that while the company’s system improved processing of employment claims, it rejected an estimated 20 percent of legitimate claimants in its early months of use.
Daniela Urban, executive director of the Center for Workers’ Rights, a Sacramento, California, nonprofit that helps low-wage workers and their families, says that when California’s Employment Development Department adopted ID.me in late 2020 it immediately created “a huge barrier” for many of her clients.
The service’s default workflow required both a smartphone and a laptop or other device, something many low-income people lack. And helping people from a distance became much harder. When clients now call with ID.me problems, Urban and her staff tell them to apply using paper forms instead. “We found this was the easiest workaround, because claimants were spending weeks or months trying to find someone they knew with a computer or phone who could help them,” Urban says.
The IRS did not respond to a query about how it would verify identity without using face recognition. Kathleen Moriarty, chief technology officer at the Center for Internet Security, says the strong backlash to the IRS may prompt security experts and standards-setters to reconsider if or when face recognition is an acceptable way to verify identity online. “Sometimes we come to a place where we have to rethink decisions on how to use technology,” she says.
ID.me’s CEO, Blake Hall, says he has been rethinking some of his own decisions. “There’s a group of users we didn’t account for,” Hall says. “We’re now very aware there’s a need to offer them a pathway too.” ID.me will now let agencies offer people a choice between automated processing with face recognition or a video chat with an agent, a process that was previously only a fallback if face recognition failed. Hall says he is hiring hundreds more agents to staff those chats, but that early tests suggest more than 95 percent of people choose face recognition. The company also has 700 locations for in-person ID verification across the US.
Even before the IRS controversy, at least one federal agency was skittish about using face recognition for online ID checks. The Social Security Administration warned NIST in 2020 of “privacy, usability, and policy concerns” about the technology. “In preliminary testing, we have found a sizable number of customers are uncomfortable submitting a photograph or lack the technical knowledge or hardware to do so successfully,” the agency wrote. It cited concerns about potential bias affecting minority groups and asked that alternatives be permitted. NIST is due to publish an updated draft of its digital identity guidelines this year, and after public comment will finalize it in 2023.
For now, the IRS and other agencies are likely to rely on established but imperfect mechanisms like verification codes sent by text message—despite the growth of “SIM-swapping” attacks that can hijack the process.