Such problems led the IRS and many others to turn to alternatives, such as sending a code to a phone number verified against the credit institution’s records. They also informed about a 2017 revision of the federal digital identity guidelines, which recommended that access to systems that could leak sensitive data or cause financial harm must be verified by a person with a photo ID or a biometric such as a fingerprint. The photo check can be done in person, via video chat or using algorithms that compare images or videos of a person’s face with their ID.
At the same time, selfie checks spread among private companies such as Airbnb, Uber, Lyft, Stripe and cryptocurrency exchange Coinbase.
ID.me, a Virginia-based startup, pioneered facial recognition for government identification purposes, and in 2018 it became the first provider to be certified under the 2017 NIST guidelines. The pandemic has boosted its business . More than two dozen employment agencies have deployed ID.me since the start of the pandemic, often touting the service as a way to speed up claims processing while also preventing the fraud that has plagued pandemic aid programs.
Even before the recent outcry over the IRS’s use of ID.me, the company had its critics. Individuals complained that they had to wait hours or even months to fix a failed selfie check; privacy experts pointed out that harvesting selfies creates new vulnerabilities. California’s state auditor said last year that while the company’s system improved employment claims processing, it rejected an estimated 20 percent of legitimate claimants in the first few months of use.
Daniela Urban, executive director of the Center for Workers’ Rights, a nonprofit organization in Sacramento, California that helps low-wage workers and their families, says that when California’s Employment Development Department adopted ID.me in late 2020, it immediately “set a huge barrier.” raised” for many of its clients.
The service’s standard workflow required both a smartphone and a laptop or other device, something many low-income people lack. And helping people remotely became much more difficult. Now when customers call with ID.me issues, Urban and her employees tell them to use paper forms instead. “We found this to be the easiest solution, as plaintiffs spent weeks or months trying to find someone they knew with a computer or phone who could help them,” Urban says.
The IRS did not respond to a question about how it would verify identity without using facial recognition. Kathleen Moriarty, chief technology officer at the Center for Internet Security, says the strong backlash against the IRS could prompt security experts and standards setters to reconsider if and when facial recognition is an acceptable way to verify identity online. “Sometimes we get to a point where we have to rethink technology use decisions,” she says.
ID.me’s CEO, Blake Hall, says he’s reconsidered some of his own decisions. “There’s a group of users that we didn’t consider,” Hall says. “We are now very aware that there is also a need to offer them a trajectory.” ID.me now lets agencies offer people the choice between automated facial recognition processing or video chat with an agent, a process that was previously only a fallback when facial recognition fails. Hall says he hires hundreds more agents to man those chats, but early tests suggest more than 95 percent of people are opting for facial recognition. The company also has 700 personal identity verification locations in the US.
Even before the IRS controversy, at least one federal agency was skittish about using facial recognition for online ID checks. The Social Security Administration warned NIST in 2020 about “privacy, usability and policy issues” about the technology. “During preliminary testing, we found that a significant number of customers feel uncomfortable submitting a photo or do not have the technical knowledge or hardware to do so successfully,” the agency wrote. It cited concerns about potential minority bias and called for alternatives to be allowed. NIST will publish an updated version of its digital identity guidelines this year, and after public comments, it will be finalized in 2023.
For now, the IRS and other agencies will likely rely on established but imperfect mechanisms such as verification codes sent by text message, despite the proliferation of “sim-swapping” attacks that can hijack the process.
