The Future of Authentication – More Secure but More Difficult

The IRS is changing from using a homegrown userid and password based authentication system to a third party single signon type of system run by ID.ME.

Given that the IRS doesn’t have a great track record for security, your first inclination might be “can’t be any worse than what they had before”.

The short version of the answer is that it seems to be better, but it is also much more effort to set up your account the first time. After that, it is really no different than any other system signon with two factor mandatory.

Hence the rub.

Do I want access that is more secure?

Or do I not care about security (until my stuff is stolen); it has to be convenient?

I signed up for an ID.ME account a couple of months ago. Not only does the IRS use it but a couple dozen states use it too.

Unlike me, when Brian Krebs signed up for an account, he blogged about the experience. I will capture what he said about it.

The problem that most web sites have is that they don’t really know that you are you. If someone goes to your bank and, assuming you have not signed up for online banking, they sign up as you (to steal all your money, of course), all they need is a few bits of information that is likely widely available and poof, they are you and they can steal your cash.

The IRS is trying to do it right for a change. Pretty novel.

The sign up process starts out pretty normal. Enter an email address and pick a password and confirm that you got the confirmation email that they sent you.

Next you **MUST** pick a multi-factor authentication mechanism. They support everything from a text message to a FIDO key. I chose one of the several authenticator apps that I use.

Next you have to upload a copy of a government issued ID like a driver’s license.

Then you have to take a selfie of yourself holding your ID.

If the computer can match the two images you move into the next step.

You have to provide them with a phone number. Unfortunately, it does not accept Voice over IP phones. That is all that I have. I gave up my last landline a year ago. This forces you into an alternate authentication loop.

Now you have to go to a live video chat on your phone or computer. You get to start all over and re-upload the documents. This just seems like stupid programming and doesn’t provide any additional security, so maybe they will fix this. In this scenario you have to upload TWO other forms of ID like a Social Security Card or birth certificate. This is the same drill you go through when your employer completes your i-9.

Now you get to wait. The system says that you have to stay connected while you wait. Brian’s screen said the wait time was 3 hours and 27 minutes. This is only an estimate.

Brian, like me, tends to like to make waves so after he say that wait time he sent a “love note” to ID.ME’s founder. Even though this was like ten o’clock at night the threat worked and he got a call from a technician in a few minutes. He resolved the issue and Brian got his ID.

Even in this best case, this is a lot more work than a normal account signup, but it is also more secure. You also have to trust this private company with your information. In the worst case, it is a big pain.

A lot of this can be chalked up to growing pains and are totally resolvable. But some of this is the price of having a higher level of confidence in who is signing up.

For higher security systems, like the military, you have to show up in person. This is certainly more convenient than that. I need to renew my Global Traveler card. In order to do that I have to make an appointment – in my case the first appointment is FOUR MONTHS in the future and then drive myself out to the airport – an hour each way. This is definitely more convenient than that.

For higher security situations, systems like ID.ME are probably the future.

One thing that ID.ME did right is that if you need an account for say the IRS and your State government, one ID is sufficient. All you need to do is authorize ID.ME to share your information with the second entity and you are good to go.

You can ask them to delete your information if you want, at any time, but that inconveniently will also delete your account.

When Brian asked them about their security, they were a bit general – which is understandable – but it definitely sounds like they are taking a lot more care than most web sites. Credit: Brian Krebs

Leave a Reply

Your email address will not be published.