ID.me and the future of biometric Zero Trust
The backlash against the recent IRS policy requiring taxpayers to access tax services through the third-party identity provider ID.me has forced both to abandon a requirement to use facial recognition for verification when uploading personal tax information.
This will come as a relief to information security professionals and the U.S. population at large, but it’s also a step backward in the fight against fraud and the evolving threats against our data security.
Facial recognition can be an effective tool for securing personal information — but everything depends upon how it is implemented. Done well, it’s an essential tool; done badly, it’s a privacy and security disaster waiting to happen. Unfortunately, ID.me and the IRS decided to announce and architect the new biometric verification requirement in a way that was unclear and potentially unsafe, putting ID.me in the way of taxpayers and the IRS.
As CBS News explained it, “The IRS wants your selfie. ID.me CEO says don’t worry about it,” which came across as a call-to-action for everyone to worry about it. When asked to explain how its system would work, ID.me CEO Blake Hall admitted it would use a centralized database containing critical personal information tied to the biometric details of the entire U.S. tax-paying population. ID.me would use Amazon’s Rekognition technology to compare applicants with an existing ID.me database.
Although the rollout was poorly executed and architected, ID.me and the IRS were on the right path: biometrics is a great way to verify identity and provides a way to deter fraud. But the second part, the part they missed, is that biometrics only fights fraud if it is deployed in a way that preserves user privacy and doesn’t itself become a new data source to steal.
Personal data fraud has become the seemingly unavoidable penalty for the convenience of digital services. According to consumer reporting agency Experian, fraud has increased 33 percent over the past two years, with fraudulent credit card applications being one of the main infractions. Cisco’s 2021 Cybersecurity Threat Trends report finds that at least one person clicked a phishing link in 86 percent of organizations and that phishing accounts for 90 percent of data breaches.
It’s hard not to think that storing personal and biometric data of the entire United States tax-paying population in one database would become a catalyst for the mother of all data breaches.
Biometrics + Verifiable Credentials = Zero Trust
Biometrics aside, the most important step toward implementing a system for verifying identity that protects privacy, boosts usability, and provides meaningful security is to eliminate the use of password-based authentication. Lessons learned from twenty years of data breaches show that password-based systems can’t be well protected, are hard to manage, and each one can become a single point of failure for an entire system.
What ID.me and the IRS could have used instead is decentralized identity and verifiable credentials. These technologies can be the backbone for provisioning biometric security. Built on open standards, they are available in the open-source community and ready for deployment by anyone today.
Verifiable digital credentials replace usernames and passwords and enable you to interact with a website through decentralized encryption keys. They are issued through an organization’s normal know-your-customer (KYC) or assurance processes, and they are unique and tamper-proof. They can cryptographically prove their origin and ownership without centralized storage or sharing of personally identifying information, and without checking in with the source of the credential.
By combining verifiable digital credentials, which can be stored on a person’s mobile device, with biometric assurance, only the person who actually owns the device can use the credentials to prove their identity.
Whereas the combination of logins and passwords with biometrics is a double threat to security, the combination of verifiable digital credentials and biometrics becomes a double defense to fight fraud and theft.
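The issue-and-present flow described above, sketched as an added example (not code from ID.me, the IRS or any credential product): an issuer signs claims bound to the holder's public key, and the verifier checks both signatures without contacting the issuer. The Ed25519 keys, the claim names and the boolean standing in for the device's biometric unlock are assumptions of this sketch, which does not follow the full W3C Verifiable Credentials data model.

```javascript
// Simplified issuer / holder / verifier flow; all names, claims and keys are constructed.
const crypto = require('node:crypto');

const newKeys = () => crypto.generateKeyPairSync('ed25519');
const pubB64 = (k) => k.publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
const sign = (k, text) => crypto.sign(null, Buffer.from(text), k.privateKey).toString('base64');
const check = (pub, text, sig) =>
  crypto.verify(null, Buffer.from(text), pub, Buffer.from(sig, 'base64'));
const importPub = (b64) =>
  crypto.createPublicKey({ key: Buffer.from(b64, 'base64'), format: 'der', type: 'spki' });

// Issuer: after its KYC process, signs the claims together with the holder's public key.
function issueCredential(issuerKeys, holderPubB64, claims) {
  const payload = JSON.stringify({ holderKey: holderPubB64, claims });
  return { payload, issuerSig: sign(issuerKeys, payload) };
}

// Holder: the biometric match happens on the device (modelled here as a boolean) and
// only unlocks the private key; no biometric data is sent to anyone.
function present(holderKeys, credential, nonce, biometricOk) {
  if (!biometricOk) throw new Error('local biometric check failed; key stays locked');
  return { credential, nonce, holderSig: sign(holderKeys, nonce + '.' + credential.payload) };
}

// Verifier: needs only the issuer's public key and its own fresh nonce.
function verifyPresentation(trustedIssuerPub, p, expectedNonce) {
  if (p.nonce !== expectedNonce) return 'stale-or-replayed';
  if (!check(trustedIssuerPub, p.credential.payload, p.credential.issuerSig))
    return 'bad-issuer-signature';
  const { holderKey } = JSON.parse(p.credential.payload);
  if (!check(importPub(holderKey), p.nonce + '.' + p.credential.payload, p.holderSig))
    return 'not-the-holder';
  return 'ok';
}

function demo() {
  const issuer = newKeys(), holder = newKeys(), thief = newKeys();
  const cred = issueCredential(issuer, pubB64(holder), { kyc: 'passed' });
  const nonce = crypto.randomBytes(16).toString('hex');
  const good = present(holder, cred, nonce, true);
  const forged = { ...cred, payload: cred.payload.replace('passed', 'failed') };
  return {
    good: verifyPresentation(issuer.publicKey, good, nonce),
    tampered: verifyPresentation(issuer.publicKey, { ...good, credential: forged }, nonce),
    stolen: verifyPresentation(issuer.publicKey, present(thief, cred, nonce, true), nonce),
    replayed: verifyPresentation(issuer.publicKey, good, crypto.randomBytes(16).toString('hex')),
  };
}
```

A copied credential fails without the holder's device key, an edited claim breaks the issuer's signature, and a captured presentation fails against a fresh nonce.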
And they’re easy to use. The lack of friction in this method also means that a zero-trust security architecture is much easier to implement.
Zero trust, a requirement for federal agencies recently announced by the White House, requires constant verification for every network asset you have permission to access (rather than a single login that gets you through a network perimeter and gives you access to everything). Continuous verification is easy with verifiable credentials.
Both the U.S. government and others are already looking to decentralized identity technology to create secure digital identities for logging onto services and applications by employees and citizens.
But not all agencies are aware that this new technology exists today or what it can do, and some fear it is too complicated to shift to, or that re-platforming what they already have would be too costly.
The sunk cost of centralized databases is not an obstacle to decentralization. Verifiable credentials can be easily layered onto existing systems for better security. They can be used as a tool for orchestrating complexities across multiple identity management systems and databases so that they become privacy preserving and fraud resistant.
Without this kind of verifiable digital credential implementation, taxpayers will return to providing multiple pieces of identification in the form of easily forged paper documents containing personal information that is copied and shared with disconnected systems across local, state, and federal governments.
It is time to innovate, modernize, and secure. The IRS, ID.me and agencies across the public sector should continue working toward zero trust but with a decentralized data approach using verifiable digital credentials.
This will mean abandoning passwords — which is something everyone will welcome — and, crucially, it means being able to use biometrics in a stronger, friendlier way that people can trust.