IRS blunders with facial recognition ‘security’ requirement

Leave it to the IRS to find a way to unite a badly fractured Congress, albeit by bringing Democrats and Republicans together to sharply rebuke the agency. Its sin? A clumsy attempt to require taxpayers to use an online facial recognition system to access their own personal information.

The IRS’s facial recognition whiff is particularly disheartening as it has unnecessarily delayed the agency from instituting a basic and widely endorsed cybersecurity upgrade known as “multifactor authentication.” Had it engaged in some strategic thinking, the IRS could have successfully launched that beneficial security measure with little to no opposition, much less without further smearing the unnecessarily maligned reputation of facial recognition systems.

Everyone can stipulate to the fact that federal government information systems are under cyber siege, and thus in need of constant security upgrades. Moving past a simple username and password network access requirement is one such needed upgrade, as hackers still use stolen access credentials to break into government systems.

The Biden administration knows that, and to that end has recently ordered agencies to “integrate and enforce MFA across applications involving authenticated access to Federal systems by agency staff, contractors, and partners.”

What that practically means is that now federal agencies must require users to present something more than a password to get on restricted networks. That additional authenticator can be anything from chip-powered access card to even — yes — “biometric” identifiers such as fingerprints, voiceprints, or even the dreaded facial picture.

Ironically, that MFA requirement is nothing new to the IRS. For several years the IRS has required its employees to use MFA to gain access to tax information, and with good reason: Studies have shown that well-crafted MFA systems can reduce the possibility of identity compromise by over 99 percent.

Both the general cyber threat environment and the massive security investment return of MFAs should have been — and still are — justification enough for the IRS to expand such a requirement to taxpayers. Agency leaders tripped themselves up by offering weak reasons for the new identity verification program.

Instead of simply saying “MFA is a security best practice for everyone, including taxpayers” and leaving it at that, IRS leaders instead offered a largely unconvincing justification tied to ongoing worries about payments to identity thieves. Yes the IRS has incorrectly paid out billions in tax refunds to identity thieves, but in recent years it has done a remarkably good job in ferreting out such refund claims, cutting their number by 80 perrcent.

The fact that the number of taxpayer identity theft claims still tops 100,000 does provide a credible basis for implementing an MFA program, but not one powered by facial recognition absent compelling supporting evidence. After all, multiple alternative — yet slightly less effective — methods for authenticating someone’s identity, ranging from randomly generated numbers to a onetime passcode sent to a mobile device, exist. Those and other options would have readily met the goal of reducing possible identity fraud via MFA without delving into the inherently delicate world of biometrics.

Yet for some reason the IRS chose the biometric option, and specifically facial recognition, as its additional authenticator. It offered scant justification for that decision, which is remarkable given that the technology has repeatedly been slammed for enabling discrimination due to its purported difficulty in identifying racial and ethnic minorities.

Congressional members predictably recoiled at the IRS’s choice, slamming it as a wholly unnecessary privacy intrusion on taxpayers, and the IRS quickly called a halt to the program. 

The IRS’s retreat in the face of wilting Congressional criticism may have been politically wise in the short run, but in the long term it caused further unnecessary damage to the reputation of facial recognition powered MFA systems.

Remember that millions of Americans use facial recognition systems daily in the form of “face unlock” on their smartphones with little worry. Those identity-matching systems are solely designed to confirm that the face you present to your phone (or in this case the IRS website) matches a photograph previously verified to be you that is resident in a secured database. That’s a process far removed from the separate kind of facial surveillance system linked to discriminatory results (albeit easily mitigated through proper software testing).

Moreover, the IRS could have also easily allayed concerns about the creation of (much less the misuse of or theft from) a large facial scan database by adopting strong controls used by other federal agencies. The FBI, for instance, only allows access to its facial recognition database for very specific uses and after users have gone through rigorous training. Further, encryption capabilities have progressed to the point where any facial scans submitted by a taxpayer is nigh useless if stolen by hackers.

For now, thankfully, the damage done by the IRS’s ill-conceived foray into MFA is limited.

The IRS can quickly and successfully reboot the program using far less intrusive authentication techniques, thereby still achieving the entirely appropriate goal of further security taxpayer records. Other agencies, meanwhile, should use this as a teachable moment: Facial recognition as part of an MFA program is possible, but be well prepared to defend it.

Brian Finch is a partner at Pillsbury Winthrop Shaw Pittman LLP in Washington D.C. Follow him on Twitter @BrianEFinch