Why GAO Did This Study
IRS offers more than 30 online applications to help taxpayers meet their tax obligations. To guard against fraud and abuse, IRS requires users to prove their identities when accessing these applications. This process can require users to divulge sensitive personal information about themselves.
GAO was asked to review IRS’s identity-proofing program. This report assesses how IRS monitors and oversees the performance of its identity-proofing program.
GAO reviewed IRS policies and procedures associated with IAL2 identity proofing; interviewed relevant IRS officials and ID.me staff; and reviewed ID.me-related performance data and contract information.
What GAO Found
Federal agencies identify and verify that users attempting to access government services, benefits, and other resources are who they claim to be. This identity-proofing process may occur in person, by telephone, or online. The National Institute of Standards and Technology has issued guidance defining three risk-based identity-assurance levels for online interactions: (1) some confidence of claimed identity, (2) high confidence, and (3) very high confidence.
In implementing its identity-proofing program, the Internal Revenue Service (IRS) determined that it needed identity assurance level (IAL) 2 in providing users access to certain online IRS applications. A private credential service provider, ID.me, is IRS’s sole provider of level 2 identity-proofing products and supporting activities. These activities include having individuals provide evidence, such as a driver’s license, and biometric evidence, such as a selfie.
The reach of IRS’s digital identity-proofing program is considerable—users accessed IAL 2 applications more than 150 million times between 2021 and 2024, according to IRS data.
IRS is conducting several oversight activities to monitor ID.me and overall program performance. These include (1) issuing 12 directives to ID.me on ensuring its solutions protect users’ privacy; (2) documenting data validation checks to determine if ID.me is adhering to contract terms and conditions; and (3) holding biweekly meetings with vendor representatives to discuss challenges, performance, and associated issues.
However, gaps remain in IRS’s oversight of its identity-proofing program:
- IRS was unable to show it had measurable goals and objectives for the program. IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking. IRS also has not shown documented procedures to routinely evaluate credential service providers’ performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.
- ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence (AI) technologies. However, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies. Doing so would provide greater assurance that taxpayers’ rights are protected and that the technologies are accurate, reliable, effective, and transparent.