IRS login makes you take a selfie for this security company you've never heard of

I see no way this could possibly go wrong.

You'll soon have to prove your identity to a Virginia-based security company called ID.me in order to file a return, check tax records, or make payments on the Internal Revenue Service (IRS) website. Your old username and password credentials -- if they still work -- will stop working in the summer of 2022. [...]

ID.me compares your selfie with your driver's license or passport image to verify you are who you say you are. It might also ask for other documentation, such as a copy of a recent bill. If the system still isn't satisfied, it may even ask you to jump on a video call with a human representative. [...] The company says it's also devised ways for overseas, under-documented, or homeless people to verify their identities.

Uh huh.

ID.me says a total of ten federal agencies use its system, including the Department of Veterans Affairs and the Social Security Administration.

The IRS, of course, is a big agency that deals directly with many millions of individuals and businesses. ID.me will become responsible for a huge amount of personally identifiable information -- at a time when cyberattacks on government networks have become common. Recall the 2015 cyberattack on the United States Office of Personnel Management (OPM), in which cybercriminals gained access to 22.1 million government personnel records, including those of government employees and their families, and people who had undergone background checks. [...]

And ID.me can store tax filers' personal data for up to seven and a half years, the representative tells me in an email. [...]

In the event of a data leak, however, your options for redress are somewhat limited. At the very top of the ID.me terms of service, you'll find an all-caps statement saying that by using ID.me you agree to binding arbitration in the event of a dispute, and waive your right to join a class action against the company.

I first encountered this bullshit a few months ago.

My business, DNA Lounge, tried to apply for the "California Venues Grant Program funded by the State of California and administered by CalOSBA", and we couldn't even begin the application process without me personally submitting to this techbro biometric-harvesting bullshit by ID.me. And I wouldn't do that, so we couldn't apply.

There are many ways to prove who I am to the State of California, and giving my biometric information to some third-party for-profit data-harvester with a Montenegro domain is not an acceptable one.


36 Responses:

  1. Don says:

    What’s insane is that login.gov, created all out in the open by 18F, is a thing! But nope they go in with this trash.

    • Doctor Memory says:

      And login.gov is... really good! It even supports WebAuthn/Yubikeys, which it's basically a lock that your bank hasn't figured out yet. I had to set up an account there to get my Global Entry renewal processed and it was like a breath of fresh air.

      • Nick Lamb says:

        ID.me also works with FIDO Security Keys just like login.gov (I don't know if they use WebAuthn or legacy U2F but for this purpose it doesn't matter).

        The special sauce is the matching of accounts to specific US citizens. I have a login.gov account, but I'm not a US citizen and I haven't visited the US this century. Which is fine, login.gov doesn't care whether I'm a US citizen. But the IRS certainly does, and ID.me can help them figure out which US citizen the account belongs to which means there's more chance you get your refund cheque not some scammer tele-operating a team of mules from overseas.

        The original article (not the one our host linked) mentions that several US government services which don't need to be sure exactly who you are offer the choice of login.gov or ID.me while the IRS only offers ID.me.

  2. MrSpookTower says:

    Being (mostly) self-employed, I make the quarterly payments to the IRS, and IRS Direct Pay is pretty handy for that purpose -- especially since it lets you schedule payments in advance. Looks like I'll be sending them checks in the mail starting sometime later this year.

    • Elusis says:

      I also use that service, being partly self-employed.

      My logins almost never work two quarters in a row. I inevitably get to a point when I need to have them mail me another Enrollment ID, which sometimes expires by the time it reaches me. This most recent quarter, I tried to phone to see if I could get help logging on or get a reset. The phone queue was over two hours long. So I put in for a callback at the earliest time available (8pm that night), which never came.

      I'm sure this new service is going to be so much better. [/sarcasm]

      I'm also going to go price checks for my sole's bank account.

      • Jim says:

        As much as I hate the abstract concept, I find their CEO's arguments about why they're better than the previous Direct Pay and alternative possibilities persuasive, especially for the homeless and pre-employment youth.

        • jwz says:

          Cool story that you fell for their marketing propaganda, but under no circumstances should a for-profit data-mining corporation be in the critical path between me and the IRS. Or any government service, mandatory or otherwise. If the government needs an authentication mechanism, they should own one.

          Spoiler alert, they already do.

          • Jim says:

            Not arguing the principle, but look at how the login.gov process operates imagining you're homeless.

            • jwz says:

              "Here's a bug, so let's scrap the program and sell out every citizen to a grifter."

              • Jim says:

                Well what's a viable way forward? Has the government ever acquired a vital services startup?

                And can we get them to nationalize FICO too? Having credit score computation in private hands seems a whole lot more consequential day-to-day than biometrics.

                • Paul says:

                  You can change what accounts you have open & credit cards you use but not your biometrics. Do you get a fee for this?

                  • Jim says:

                    No I do not get a fee. Equifax, Experian, TransUnion, and PRBC all use FICO scores, which are only disclosed in terms of five broad categories, and not in any way that would allow a consumer to verify they are correct as we are expected to do with financial statements.

                  • jwz says:

                    You may be shocked to learn that two things can be terrible at the same time: data brokers, and also VCs embedding their biometric-harvesting scam into tax collection.

            • Clyde says:

              Jesus Christ, no. Take a look at id-me and imagine the same.

              Due to various reasons (read: dumb, unjust, asinine, endlessly complex reasons), I had to log into my SSA account this past weekend. My old login was struck down and they asked me to go through this nonsense. After googling the shit (finding the same article Jamie did, and another puff piece in I think Bloomberg Biz Week). Long story short, I reluctantly used this new service. Multiple attempts to upload a photo of my driver's license eventually worked (sometimes the error was "we couldn't find the photo of your face on the document", sometimes just nothing, a gray screen with no message and no way forward). Once it did accept the photo (one of the two I just kept trying over and over), it all went well enough. The selfie used my MacBook webcam (so you know it was low-res and somewhat fisheyed) to "scan" my face, with a live vector view of my face and flashing colors to verify the bad photo on my ID matched the no-depth-info image they were getting from the 720p sensor...I guess I am white and clean-shaven enough that it all went ok, no need to live-verify with someone in a call center.

              For the same dumb reasons I had to go through this, I will have to walk my mom through it at some point soon enough...if she were doing it herself she'd be sunk. How well does their house-of-cards verification work if you're on your own, elderly, non-white, perhaps have a non-photo ID (still a thing in my state, if you've had one forever), have a cheap, broken phone to set up the whole thing, are perhaps homeless, etc, etc. Learning that there already is a government system that they could have used is just the shit on the cupcake. The login.gov system, by the way, looks to be leagues easier. And doesn't involve the value-add libertarian skimmers to get involved.

              • Jim says:

                Login.gov requires a mailing address but Id.me doesn't. Both require a live photo and a photo of photo id by default (Id.me will do a live interview for people without photo ids, or other deficiencies.) Id.me's advance is that you have to rotate your head to prove that you aren't sending in two static photos.

  3. Nelson says:

    California started requiring id.me for identity in the middle of the Covid epidemic. It didn't go particularly well: https://www.vice.com/en/article/5dbywn/facial-recognition-failures-are-locking-people-out-of-unemployment-systems

  4. jwz says:

    DanHugo:

    Hold up, wait a minute, they give you more money when you give them more info. 🤦‍♂️

    "...the more information Users share the more rewards and benefits, such as deals, discounts, cash back rebates and employment and educational opportunities, the User may be eligible to receive..."

    From the very-low-contrast link at the bottom of the page, tucked under the cookie notice.

    • Jon says:

      If you are using the ID.me Service in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.

      For whatever that's worth.

      • Derpatron9000 says:

        Nothing

      • Big says:

        “we will not use your verification information for any type of marketing or promotional purposes.”

        Of course they won’t. That’d be completely contrary to their core business. They’ll “share” it with “selected parameters” who’ll do that. Presumably including their wholly self owned debt collection subsidiary…

  5. Jim says:

    I had to do this just over a year ago. It failed initially because they didn't know that voter registration cards had been standardized statewide. Their corporate account was unresponsive on Twitter, but their CEO, @Blake_Hall, was immediately responsive and corrected the issue completely in less than three hours.

    • joe luser says:

      well what a coincidence! shilling for this breathtakingly bad idea above, and down here you're on a first-name basis with the ceo. fascinating!

      • Jim says:

        Exchanging five tweets doesn't put me on a first name basis. I've never met any of them in person and I have no financial, familial, or any other relationship with them. If it wasn't clear, my initial interaction with them was extremely unsatisfactory because they failed to research current voter registration forms for the largest state in the US.

  6. Walex says:

    The people who matter do all their business via their agents or employees; the little people don't matter. Usual reminder:

    https://www.wired.com/1999/01/sun-on-privacy-get-over-it/
    Scott McNealy, 1999: “You have zero privacy anyway. Get over it!”

  7. Toe says:

    State of VA made this a requirement to receive unemployment benefits. I was less than thrilled.

  8. NCnobody says:

    State of NC added this recently, it wasn't in place while I was actually getting unemployment, but when logging in to look for tax forms they forced me through it.

  9. jwz says:

    Violet Blue: Uber, but for collapse of the US taxpayer system:

    But wait, you say. This isn’t the Trump regime and its clown show of technologically incompetent, proven con men. Surely after the hellish OPM breach any federal decision maker smart enough to not walk in front of a speeding truck for the sake of a selfie, or go to Cancun during a snowstorm, would see this as the threatiest threat to ever waggle its threatening butt in our faces.

    The company is using broken AI and facial scanning, claims anyone unable to use it is a scammer, and promises there’s no racial bias but won’t allow independent inspection of anything. Like security. Welp. [...]

    I am fairly certain, as an adult who has witnessed the collisions of 'innovation' and humans for pretty much my lifetime, that the facial-scanning startup that is clearly full of shit should have thrown five hundred red flags before getting anywhere near greenlit to be responsible for government functions. It's a red flag factory. All my security and hacking cohorts are like, wow. Impressed in the wrong ways and worried, so bummed. It's like seeing Facebook's 'blame the user' playbook at scale, for a country. The ID-dot-me situation needs an adult. I guess we'll find out about the AI's racial and sexual discrimination issues after a lot of people have their lives crashed.

    Seriously: we don't need to do this anymore.

  10. Bobo says:

    A Montenegro domain is cute for something innocuous, but I find it a bit odd for something as important as this. I once owned a single character .me domain, and they were extremely controlling about how I could use it. It wasn't just a normal domain registration. They were very interested in my specific plans for it, and there was a deadline on when I got my (in development at registration time) site up and running before they took the domain away from me.

    Does a .me domain mean a foreign government now has the ability to break a US government login system whenever they feel like it?

  11. Fleeno says:

    Apparently they are no longer going to switch over to this id.me system: https://www.irs.gov/newsroom/irs-announces-transition-away-from-use-of-third-party-verification-involving-facial-recognition

    It isn't clear on what they'll use instead, but I'm glad it's not this.
