IRS online applications don’t meet NIST authentication standards


The processes the Internal Revenue Service has in place to verify taxpayers’ identities and prevent tax fraud do not comply with National Institute of Standards and Technology guidelines, the agency’s inspector general found.

The IRS has too many varying authentication methods and lacks a service-wide strategy for its growing number of online taxpayer applications. As the IRS brings more of its services online, the agency is struggling to verify taxpayers’ identities when they file a return or access their accounts.

“Our analysis of the e-Authentication processes used to authenticate users of the IRS online Get Transcript and IP PIN applications found that the authentication methods provide only single-factor authentication, despite NIST standards requiring multi-factor authentication for such high-risk applications,” a report from the Treasury Inspector General for Tax Administration said.

TIGTA came down particularly hard on two of the IRS’ online applications, the IP PIN process and Get Transcript hub.

The IRS currently issues IP PINs, and attempts to verify a filer's identity through them, only for confirmed or at-risk victims of identity theft. TIGTA suggested the agency use IP PINs for every individual who files a return, but recommended that the IRS first finish the required authentication risk assessment for the application.

“According to IRS management, a risk assessment was not completed for the IP PIN application because the e-Authentication framework will provide for multi-factor authentication once completed. However, the IRS does not anticipate having the technology in place to provide multi-factor authentication capability before the summer of 2016.”

Problems with IRS’ Get Transcript application came to light over the summer, after hackers stole old tax returns and personal information from as many as 334,000 people on the agency’s system.

The IRS rated the risk of an attack on its Get Transcript system too low, TIGTA said. Though taxpayers must go through multiple steps to verify their identities on the application, all of those steps rely on information the taxpayer knows, so they do not meet government multi-factor authentication standards, TIGTA said.

While the IRS has been slow to implement multi-factor authentication, the agency's current single-factor e-Authentication framework does not meet NIST standards either, TIGTA found.

NIST guidelines require that agencies collect basic personal information and a valid, current government identification number, such as a driver’s license or passport number, and then verify that the personal information on the individual’s application checks out.

But the IRS doesn't require taxpayers to provide a government ID number, opting instead for a series of knowledge-based security questions. That practice ultimately proved problematic for the IRS and its Get Transcript system, because hackers were able to answer those questions with information about the victims that was already available to them.
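The two NIST points the report raises are easy to make concrete in code: several "something you know" steps still amount to one authentication factor, and identity proofing should collect basic personal data plus a current government ID number and verify it before a credential is issued. The following is an added illustration, not code from the IRS, TIGTA or NIST; the flow names, field names and sample records are constructed, and the "high risk needs two factors" rule is a simplification of the assurance-level guidance the article summarizes.

```python
"""Toy policy checker for the two NIST points above.
(1) A high-risk application needs two distinct factor categories; several
    knowledge steps (SSN, DOB, KBA questions) still count as one factor.
(2) Identity proofing must collect basic personal data plus a government
    ID number and verify the record before issuing a credential.
All flows, field names and records are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"    # passwords, SSN, KBA answers
    POSSESSION = "something you have"   # code sent to a registered phone, token
    INHERENCE = "something you are"     # biometric


@dataclass(frozen=True)
class Step:
    name: str
    factor: Factor


def distinct_factors(steps):
    """Factor categories a login flow covers, regardless of its step count."""
    return {s.factor for s in steps}


def is_multi_factor(steps):
    return len(distinct_factors(steps)) >= 2


def meets_assurance(risk_level, steps):
    """Simplified rule: high-risk apps need two factor categories, others one."""
    required = 2 if risk_level == "high" else 1
    return len(distinct_factors(steps)) >= required


# Constructed flow with the single-factor pattern the report describes:
# five prompts, every one of them knowledge, so still one factor.
KBA_ONLY_FLOW = [
    Step("SSN", Factor.KNOWLEDGE),
    Step("date of birth", Factor.KNOWLEDGE),
    Step("filing status", Factor.KNOWLEDGE),
    Step("KBA: prior street address", Factor.KNOWLEDGE),
    Step("KBA: name of loan servicer", Factor.KNOWLEDGE),
]

# Hypothetical hardened flow: same prompts plus a possession factor.
HARDENED_FLOW = KBA_ONLY_FLOW + [
    Step("one-time code to phone registered at proofing", Factor.POSSESSION),
]

# ---- identity proofing (field names are constructed) -------------------
BASIC_FIELDS = ("full_name", "date_of_birth", "address")
GOVERNMENT_ID_FIELDS = ("drivers_license_number", "passport_number")


def proofing_gaps(application):
    """List what an identity-proofing application is missing."""
    gaps = [f for f in BASIC_FIELDS if not application.get(f)]
    if not any(application.get(f) for f in GOVERNMENT_ID_FIELDS):
        gaps.append("government_id_number")
    return gaps


def verify_against_record(application, authoritative):
    """Check the applicant's claims against an authoritative record.
    Here the record is a constructed dict; in practice it would be a
    lookup against the issuing authority's data."""
    if proofing_gaps(application):
        return False
    for field in BASIC_FIELDS:
        claimed = application[field].strip().lower()
        if claimed != authoritative.get(field, "").strip().lower():
            return False
    return any(
        application.get(f) and application.get(f) == authoritative.get(f)
        for f in GOVERNMENT_ID_FIELDS
    )


# Constructed sample records.
AUTHORITATIVE = {"full_name": "Jane Q. Taxpayer", "date_of_birth": "1980-01-01",
                 "address": "1 Sample St", "drivers_license_number": "D0000000"}
KBA_STYLE_APPLICATION = {"full_name": "Jane Q. Taxpayer",
                         "date_of_birth": "1980-01-01",
                         "address": "1 Sample St"}      # no government ID number
FULL_APPLICATION = dict(KBA_STYLE_APPLICATION, drivers_license_number="D0000000")


if __name__ == "__main__":
    for label, flow in (("KBA-only", KBA_ONLY_FLOW), ("hardened", HARDENED_FLOW)):
        print(f"{label}: {len(flow)} steps, multi-factor={is_multi_factor(flow)}, "
              f"high-risk ok={meets_assurance('high', flow)}")
    print("proofing gaps:", proofing_gaps(KBA_STYLE_APPLICATION))
    print("verified:", verify_against_record(FULL_APPLICATION, AUTHORITATIVE))
```

The check counts factor categories rather than prompts, which is exactly why a five-question knowledge quiz fails for a high-risk application while the same quiz plus a code sent to a registered phone passes. The proofing helper separates "is the record complete" from "does it verify", mirroring the two parts of the guideline described above.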

“Had the IRS required multi-factor authentication, unscrupulous individuals may not have been able to access tax return information through the Get Transcript application,” the report said.

Beyond the agency’s struggles to meet NIST authentication standards, the IRS lacks an overall vision to protect its customers, TIGTA said, because each online application requires different steps and asks different questions of the taxpayer.

TIGTA recommended the IRS create a function within the agency that develops and oversees a service-wide authentication strategy.

The agency’s Authentication Group, which the IRS Wage and Investment Division established in June 2014, was supposed to serve that function.

But the group hasn’t developed new agency-wide authentication strategies and isn’t looking at common trends and practices in the field to make those decisions, TIGTA said.

And though the group is supposed to have the authority to set such broader policies, TIGTA said, other functions within the IRS are stepping on the Authentication Group's toes. For example, the IRS cybersecurity function sets policies for, and oversees the technical work on, the agency's e-Authentication framework.

TIGTA recognized the series of new authentication measures and information sharing practices IRS Commissioner John Koskinen announced in October, in partnership with 20 industry tax organizations and 34 state fiscal departments under the IRS Security Summit.

But TIGTA said the lack of an agency-wide strategy puts the work that the Summit has done at risk.

The IRS largely agreed with most of TIGTA’s recommendations.

It has already created a new position and appointed Rene Schwartzman, a business modernization executive in the IRS' Wage and Investment Division, to lead the development of a service-wide authentication approach, according to Debra Holland, Commissioner of the Wage and Investment Division, in her written response to TIGTA's recommendations.

The agency is also working with the U.S. Digital Service to make improvements.

“We are joining forces with a team from USDA as we develop the future taxpayer digital experience and the foundational authentication standards that will enable secure digital exchanges between IRS and taxpayers,” Holland wrote. “Rene [Schwartzman] has been tasked as the IRS lead for this effort, and she will be serving in this critical capacity on behalf of the entire enterprise, keeping the IRS Digital Subcommittee, DCSE and Commissioner apprised about the direction, status and progress of this effort on a regular basis.”
