Skip to main content

The Internal Revenue Service plans to migrate its set of online services for tax professionals to third-party provider ID.me this summer despite objections raised in Congress against the authentication company.

The IRS said in an email to tax professionals on Wednesday that the following products and applications would be affected:

• Affordable Care Act (ACA) for Transmitter Control Code (TCC);
• Application Program Interface (API) Customer Identification Application;

• Request for electronic file;
• Information Statements (IR) for TCC;
• Income Verification Express Service (IVES) application;
• Applications Status (EFIN Status and TDS Status);
• TIN matching, including bulk and interactive TIN matching;
• Transcription Delivery System (TDS);
• Secure Object Repository (SOR);
• Modernized electronic file (MeF); and
• ACA Information Statements (AIR).

The IRS noted that while e-Services applications will not use ID.me until this summer, tax professionals can prepare for the migration and create an ID.me account now using Tax Pro account. The transition appears to have been planned so as not to interfere with the regular tax season which ended last month.

Headquarters of the Internal Revenue Service IRS in Washington, D.C.

Stefani Reynolds/Photographer: Stefani Reynolds/B

Even though tax season is officially over, the agency could still be pushed back on this. The IRS began using ID.me last November to authenticate taxpayers who wanted to create new taxpayer accounts online to help combat identity theft. However, complaints were soon filed by privacy advocates about the company forcing taxpayers to use selfies for facial recognition and submit government documents such as passports and driver’s licenses to the IRS (see the story).

These concerns were echoed in Congress, and in February the IRS allowed users to opt out of biometric facial recognition requirements and instead offer a virtual interview option with agents (see the story). The IRS said it would also look at alternatives to ID.me, which is widely used by many state governments and other parts of the federal government.

IRS Commissioner Chuck Rettig was questioned by lawmakers during a Senate oversight hearing on the IRS budget on Tuesday about the IRS’ plans to move from ID.me to the service. Login.gov from the federal government, but he noted that Login.gov does not yet have the capacity to handle all the activity the IRS is used to getting on its online services. However, the IRS is working with Login.gov to improve the authentication service’s capability.

“We were getting about a million people a week trying to create online accounts,” Rettig said. “The system we had before had about a 40% authentication rate, so taxpayers trying to authenticate that, yes, it’s Chuck Rettig, but about 60% weren’t getting into the system and had to enter a site or call.”

This was impractical when the IRS faced a backlog of millions of tax returns to process last year. “With ID.me, the authentication rate is well over 70%, both on the biometric part, which is facial recognition, but taxpayers have the alternative of connecting with a live ID.me person”, Rettig said. “Facial recognition is offered in eight different languages. The in-person course is offered in over 30 different languages. We have moved significantly from a service perspective to our multilingual efforts.

He compared this to the current capacity of Login.gov. “Login.gov can handle less than 30 transactions per second,” Rettig said. “We need around 1,500 transactions per second. We need level 2 authentication that once that person comes in, that’s the person.

The IRS is exploring other alternatives, Rettig noted, while trying to improve bandwidth on Login.gov. In the meantime, ID.me will be able to support the IRS’ envisioned suite of online services. However, the agency faced data breaches in 2015 on some of its self-service tools such as Get Transcript and Identity Protection (IP) PIN and had to shut them down to add better authentication in 2016.

“Some people think fraud is someone sitting in their backyard, but we’re against nation states,” Rettig said. “We get 1.8 billion cyberattacks a year, so to protect the data people trust us, we need to be at a higher level of authentication, or not have as many options available.”