IRS login makes you take a selfie for this security company you’ve never heard of

By Mark Sullivan

January 20, 2022

You’ll soon have to prove your identity to a Virginia-based security company called ID.me in order to file a return, check tax records, or make payments on the Internal Revenue Service (IRS) website. Your old username and password credentials—if they still work—will stop working in the summer of 2022.

When I tried to log in to my own IRS.gov account today, I was met with this advisory:

If you have an existing IRS username, please create a new ID.me account as soon as possible. We’re bringing you an improved sign-in experience. You won’t be able to log in with your existing IRS username and password starting in summer 2022.


ID.me compares your selfie with your driver’s license or passport image to verify you are who you say you are. It might also ask for other documentation, such as a copy of a recent bill. If the system still isn’t satisfied, it may even ask you to jump on a video call with a human representative. ID.me says this is something like the digital equivalent of going to an IRS office and reviewing identity documents with a representative. The company says it’s also devised ways for overseas, under-documented, or homeless people to verify their identities.

The conversion to ID.me’s system marks the first time the IRS will rely on personal biometric data to verify accounts. But it won’t be the first federal agency to use it. ID.me says a total of ten federal agencies use its system, including the Department of Veterans Affairs and the Social Security Administration.

What is ID.me?

ID.me, which has been around since 2010, was originally used by e-commerce sites (and still is) to verify the identity of retail customers. State governments then began adopting the ID.me system as a way of preventing people from defrauding their unemployment claims systems. Reuters reported in July that 27 states were then using the ID.me system.

The IRS, of course, is a big agency that deals directly with many millions of individuals and businesses. ID.me will become responsible for a huge amount of personally identifiable information—at a time when cyberattacks on government networks have become common. Recall the 2015 cyberattack on the United States Office of Personnel Management (OPM), in which cybercriminals gained access to 22.1 million government personnel records, including those of government employees and their families, and people who had undergone background checks.

Asked if ID.me is working directly with the Department of Homeland Security on ways to secure all the personally identifiable data the company holds, a company representative told Fast Company that ID.me obtained a FedRAMP Moderate ATO (authority to operate) from the General Services Administration. This was granted after the company proved compliance with federal standards developed by the National Institute of Standards and Technology (NIST) that govern authenticating individuals to government agencies.

And ID.me can store tax filers’ personal data for up to seven and a half years, the representative tells me in an email. The company, however, says it will comply with user requests to delete their personal information at any time.

In the event of a data leak, however, your options for redress are somewhat limited. At the very top of the ID.me terms of service, you’ll find an all-caps statement saying that by using ID.me you agree to binding arbitration in the event of a dispute, and waive your right to join a class action against the company.

The IRS’s imminent changeover to ID.me was first noted by security researcher Brian Krebs at Krebs on Security.

 
