IRS still needs to strengthen taxpayer authentication, protect PII
The Internal Revenue Service’s (IRS) “ability to continuously monitor its current authentication methods, while also looking ahead to new identity verification technologies, is critical,” James R. McTigue, Jr., Director, Strategic Issues, at the Government Accountability Office (GAO) recently told the House Committee on Ways and Means Subcommittee on Oversight.
“In an environment with an increasing risk of fraud, identity theft (IDT), and cyberattacks, IRS must ensure that its preventative security controls provide the agency with reasonable assurance that it is interacting with the legitimate taxpayer,” he stressed, adding, “Authentication — the process by which IRS verifies taxpayers are who they claim to be — is a critical step in both protecting sensitive taxpayer information and preventing potentially billions of dollars of refunds from being paid to fraudsters each year. According to IRS’s most recent data, it estimates that in 2016, at least $12.2 billion in IDT tax refund fraud was attempted; of this amount, at least $1.6 billion was paid out to fraudsters.”
McTigue told the panel that taxpayers face a risk of identity theft through access to their personally identifiable information (PII), which can include biometrics and other digital identification information, because hackers are constantly adapting their schemes to thwart IRS’s defenses. “The agency must also strike a balance in designing its authentication programs,” he said. “Authentication must be strong enough to prevent fraudsters from gaining access to IRS services using stolen personally identifiable information, without being overly burdensome on legitimate taxpayers who also must authenticate.”
McTigue said, “our work found that IRS has taken some steps to improve taxpayer authentication, including working with external partners to identify solutions for combating IDT refund fraud and developing an authentication strategy to address its most pressing authentication challenges. However, we also found that IRS has not prioritized the initiatives supporting its authentication strategy nor identified the resources required to complete them. Further, we found that IRS does not have clear plans and timelines to fully implement [the National Institute of Standards and Technology’s (NIST)] new guidance for secure online authentication [Digital Identity Guidelines, Special Publication 800-63-3], and also lacks a comprehensive process to evaluate potential new authentication technologies, which could provide taxpayers additional options to actively protect their identity. We made 11 recommendations to address these and other weaknesses identified in our report.”
IRS agreed with all 11 of GAO’s recommendations, and “stated that it is taking action to address them.”
The IRS has established organizational structures essential to supporting its taxpayer authentication efforts such as its Identity Assurance Office (IAO), which works with stakeholders across IRS to review and assess the agency’s various authentication programs and efforts. IAO also led an effort that identified over 100 interactions between IRS and taxpayers that require authentication and categorized these interactions based on potential risks to the agency and taxpayers. It also released a “roadmap” for developing a modern and secure authentication environment for all taxpayers regardless of how they interact with IRS.
“We found that IRS has taken preliminary steps to implement NIST’s June 2017 guidance for secure online authentication; however, it had not yet established detailed plans, including timelines, milestone dates, and resource needs to fully implement it,” McTigue stated, noting that, “Among other things, NIST’s new guidance directs agencies to assess the risk for each component of identity assurance — identity proofing, authentication, and federation — rather than conducting a single risk assessment for the entire process. According to NIST officials, this approach gives agencies flexibility in choosing technical solutions; aligns with existing, standards-based market offerings; is modular and cost-effective; and enhances individual privacy. In short, following NIST’s new guidance will help provide IRS with better risk-based assurance that the person trying to access IRS’s online services is who they claim to be.”
According to NIST, identity proofing establishes that the person is actually who they claim to be; authentication verifies that the person attempting to access a service is in control of one or more valid authenticators associated with that person’s identity; and federation is the concept that one set of user credentials can be used to access multiple systems.
GAO found the IRS has begun analyzing gaps between its current authentication procedures and the new NIST guidance, and “implemented a more secure online authentication option consistent with the new guidance through its mobile application, IRS2Go. After taxpayers link their IRS online account with the mobile app, they can use it to generate a security code to log into their account. This option provides taxpayers with an alternative to receiving the security code via a text message, which NIST considers to be less secure.”
McTigue said, “We identified several authentication options in our report that IRS could consider, including the following:”
• Possession-based authentication. This type of authentication offers users a convenient, added layer of security when used as a second factor for accessing websites or systems that would otherwise rely on a username and password for single-factor authentication. For example, as noted in GAO’s audit report, “according to an industry official, authentication using a trusted device or ‘security key’ based on Universal Second Factor standards complies with NIST’s new guidance for digital authentication.” Although “IRS is not likely to provide the devices to taxpayers, it could enable its systems to accept these trusted devices as authenticators for taxpayers who elect to use them.”
• Working with trusted partners. IRS could partner with organizations it trusts that are accessible to taxpayers and enable the partners to identity-proof and authenticate taxpayers. Trusted partners could include tax preparers, financial institutions, or other federal or state agencies. IRS officials stated to GAO they had been exploring such options with both the Social Security Administration and the US Postal Service; however, at the time of GAO’s report, “the agencies had not yet made decisions about next steps.”
“IRS officials told us the agency continually researches new identity assurance processes and technologies and has talked with other agencies, industry groups, and vendors to better understand how particular technology solutions could apply to IRS’s environment,” McTigue told lawmakers. “However, during the course of our work, IRS could not provide us evidence of a repeatable, comprehensive process to identify and evaluate available authentication technologies and services.”
And, “Such a process,” he said, “could compare options for in-house authentication solutions with off-the-shelf solutions based on estimates of cost, schedule, and benefits, as applicable. To this end, we recommended that IRS develop a process to identify and evaluate alternative options for improving taxpayer authentication, including technologies in use by industry, states, or other trusted partners; and based on this approach, include and prioritize these options, as appropriate, in its roadmap.”
In concluding, McTigue stated, “Taxpayer authentication has become more difficult with the wide availability of personally identifiable information and fraudsters’ ability to develop more complex and sophisticated methods to commit fraud undetected. Addressing the issues we describe[ed] … could better position IRS to identify and mitigate vulnerabilities in its authentication efforts and better protect taxpayers and the Treasury.”