IRS Has Yet to Resolve Identity Verification Concerns with Direct File

Since announcing that it is making its new Direct File program permanent and has a goal of expanding to all 50 states plus Washington, D.C., the IRS has begun adding several additional states to Direct File for next tax season. This expansion comes after an extremely limited pilot of the program earlier this year, which encompassed only 12 states, many with no state income tax. Taxpayers using the pilot were eligible only under specific income circumstances and were able to claim very few credits.

As the IRS grapples with how to dramatically scale up the controversial program, it also must address longstanding, persistent questions about its taxpayer identity verification procedures. The National Taxpayer Advocate is one of several sources that have documented and criticized the Service’s poor taxpayer information security—and even poorer remediation procedures—for more than a decade.

The IRS currently relies solely on a single third-party credential service provider (CSP), ID.me, and its proprietary platform to authenticate users’ identities prior to filing their taxes with Direct File. The IRS’s relationship with ID.me has been an issue in the past, with the IRS having been pressured into cutting ties with ID.me by members of Congress as recently as two years ago after questions arose from taxpayers trying to claim their expanded Child Tax Credit. Whether this relationship is renewed, or expanded, or additional vendors are permitted to enter the space, substantial oversight by Congress is necessary. Most immediately, however, the IRS has several urgent tasks before the 2025 filing season: ensuring that Direct File users have a smooth experience with ID.me, resolving integration problems with the federal government’s own CSP (Login.gov), and conducting previously promised market research into other providers.

Standards developed through the National Institute of Standards and Technology (NIST) help decide which identity verification software should be used for the government’s digital tools. NIST requires online applications to be classified under an Identity Assurance Level (IAL) corresponding to how confident the agency can be that the user’s claimed identity is their true identity. 

Confidence levels range from some confidence for IAL1 to high confidence for IAL2 and very high confidence for IAL3. Login.gov is currently applicable at the IRS for IAL1 applications and is used for Form 990-N e-filing and for Foreign Account Tax Compliance Act-Qualified Intermediary (FATCA-QI) reporting, according to the Treasury Inspector General for Tax Administration (TIGTA). It may not be a comfort to taxpayers or third-party information providers that their filings or reports are being made via applications with only “some confidence” in their identity verification security.

ID.me is applicable for IAL2 applications, such as accessing IRS Individual Online Accounts and Direct File, because it requires either photo identity verification or live video verification. When the IRS first announced its partnership with ID.me, it faced serious concerns about any third-party provider collecting sensitive taxpayer biometric data for facial recognition software. Despite the IRS seeming to shy away from ID.me after the controversy, ID.me is currently an integral part of the IRS’s “in-house” tax filing program as well as taxpayers’ online accounts.

In a recently released report, TIGTA highlights that the IRS still has not adequately addressed security concerns with Login.gov that prevented it from being used for the Direct File pilot this year. Login.gov is a single sign-on service launched by the General Services Administration (GSA) in 2017. It is used as an identity verification tool at the Department of Veterans Affairs, the Social Security Administration, and other federal agencies. Login.gov has experienced its own share of past controversies, among them the embarrassing revelation that GSA knowingly misled federal “customers” about the platform’s compliance with NIST standards.

The failure of the IRS to add Login.gov as an identity verification option has been well documented by TIGTA. According to a TIGTA report from September 2023, the use of Login.gov initially raised security concerns, although the exact concerns are redacted in the report. TIGTA claims that it “has worked with and communicated its concerns to IRS leadership since July 2020,” yet “no solution was implemented and discussions stopped in March 2023.” After the TIGTA report was released, the IRS developed a set of criteria that Login.gov must meet in order to be used for more sensitive IAL2 applications, referred to as the Login.gov Integration Consideration document. Yet, TIGTA notes in its latest report that upon inquiring about the status of implementation, the IRS responded that it “does not know whether the Department of the Treasury sent the Login.gov Integration Consideration document to the GSA, nor do they know whether the GSA has sufficiently addressed and met the requirements.” 

Not only has the IRS failed to ensure that information is communicated in order to get Login.gov ready for use by 2025, it also has yet to conduct market research into other identity verification CSPs. The IRS has repeatedly promised to look into other CSPs, both last year when it first announced that it would be using ID.me for Direct File and in response to TIGTA’s questions. In fact, last year the IRS specifically pledged to conduct this research if Direct File were to be made permanent, stating: “if the 2024 pilot is successful and a decision is made to continue Direct File in future years, we are committed to evaluating additional public and private options to ensure that future iterations of Direct File allow taxpayers the choice of how they authenticate their identity.”

IRS Commissioner Werfel claims that Direct File merely provides taxpayers with additional filing options, yet the IRS is failing to provide taxpayers more meaningful options on how the tool captures their most sensitive information. Such options are important because taxpayers, like customers, have different needs and preferences.

Currently, if taxpayers choose not to upload their biometric data for facial recognition scanning, they must speak to a live representative. The ID.me sign-up process also requires taxpayers to give the program access to their credit profile data under the Federal Fair Credit Reporting Act (FCRA), which some taxpayers may not be comfortable with. ID.me also cannot be used for taxpayers under age 18, and if verification through ID.me fails, taxpayers seeking information from their online account are directed to request an account transcript by mail.

Unfortunately, taxpayer identity verification is only one of many problems that the IRS should have resolved prior to making Direct File permanent. This is all without mentioning the fact that the IRS completed its pilot and is pushing ahead with Direct File without authority to do so. Furthermore, the IRS has a preexisting free tax filing program through Free File, which is far more efficient and taxpayer friendly than what the government can provide. It is ironic that the IRS is attempting to take over a service long provided by trusted tax professionals, even as it neglects to build trust in the identity verification processes that taxpayers must use.