Taxpayer Identity Verification: IRS Should Strengthen Oversight of Its Identity-Proofing Program
Fast Facts
How does IRS know that people are who they say they are when they file their taxes or access online taxpayer resources?
IRS relies on one vendor, ID.me, to prove taxpayers' identities for many of its applications. Usually, the process entails uploading documentation—e.g., a driver's license—and providing biometric evidence, like a selfie.
IRS monitors some aspects of the process, such as safeguarding taxpayer privacy—but can do more. For example, IRS hasn't set its own performance goals for the vendor's work or listed ID.me's artificial intelligence technology in its inventory of AI uses.
Our recommendations are to strengthen oversight.
Highlights
What GAO Found
Federal agencies identify and verify that users attempting to access government services, benefits, and other resources are who they claim to be. This identity-proofing process may occur in person, by telephone, or online. The National Institute of Standards and Technology has issued guidance defining three risk-based identity-assurance levels for online interactions: (1) some confidence of claimed identity, (2) high confidence, and (3) very high confidence.
In implementing its identity-proofing program, the Internal Revenue Service (IRS) determined that it needed identity assurance level (IAL) 2 in providing users access to certain online IRS applications. A private credential service provider, ID.me, is IRS's sole provider of level 2 identity-proofing products and supporting activities. These activities include having individuals provide evidence, such as a driver's license, and biometric evidence, such as a selfie (see figure).
High-Level Identity Assurance Level 2 Digital Identity-Proofing Process
The reach of IRS's digital identity-proofing program is considerable—users accessed IAL 2 applications more than 150 million times between 2021 and 2024, according to IRS data.
IRS is conducting several oversight activities to monitor ID.me and overall program performance. These include (1) issuing 12 directives to ID.me on ensuring its solutions protect users' privacy; (2) documenting data validation checks to determine if ID.me is adhering to contract terms and conditions; and (3) holding biweekly meetings with vendor representatives to discuss challenges, performance, and associated issues.
However, gaps remain in IRS's oversight of its identity-proofing program:
- IRS was unable to show it had measurable goals and objectives for the program. IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking. IRS also has not shown documented procedures to routinely evaluate credential service providers' performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.
- ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence (AI) technologies. However, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies. Doing so would provide greater assurance that taxpayers' rights are protected and that the technologies are accurate, reliable, effective, and transparent.
Why GAO Did This Study
IRS offers more than 30 online applications to help taxpayers meet their tax obligations. To guard against fraud and abuse, IRS requires users to prove their identities when accessing these applications. This process can require users to divulge sensitive personal information about themselves.
GAO was asked to review IRS's identity-proofing program. This report assesses how IRS monitors and oversees the performance of its identity-proofing program.
GAO reviewed IRS policies and procedures associated with IAL2 identity proofing; interviewed relevant IRS officials and ID.me staff; and reviewed ID.me-related performance data and contract information.
Recommendations
GAO is making four recommendations to IRS, including (1) defining and documenting measurable goals and objectives for its identity-proofing program; (2) regularly evaluating and documenting the results of its identity-proofing program; and (3) ensuring that procured identity-proofing solutions that involve the use of AI included in IRS's AI inventory are consistent with applicable legal requirements and are subject to IRS's AI oversight process. IRS agreed with all of the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Internal Revenue Service | The Commissioner of Internal Revenue should define and document measurable goals and objectives for its digital identity-proofing program. (Recommendation 1) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Internal Revenue Service | The Commissioner of Internal Revenue should regularly evaluate and document results of its digital identity-proofing program in terms of meeting the goals and objectives established in recommendation 1. (Recommendation 2) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Internal Revenue Service | The Commissioner of Internal Revenue should establish procedures for routinely sharing and communicating identity-proofing vendors' performance data to relevant officials. (Recommendation 3) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Internal Revenue Service | The Commissioner of Internal Revenue should ensure that procured digital identity-proofing solutions that involve the use of AI are included in IRS's AI inventory, consistent with applicable legal requirements, and go through IRS's AI oversight process. (Recommendation 4) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|