The Current State of eAuthentication at the IRS and a Proposal for a New Approach

Why the IRS needs to switch from text-based authentication mechanisms to cryptographically secure methods.

Consensys
ConsenSys Media
May 18, 2019

Depending on who you ask, identity theft is a multimillion- or multibillion-dollar problem for the Internal Revenue Service (IRS) and the American taxpayer. The IRS protects its public-facing websites using information it knows about its users, drawn from its internal tax administration systems and from third parties. This Knowledge-Based Authentication (KBA) approach is no longer secure, and a transition to self-service credentials is the logical permanent solution.

The current state of eAuthentication

To access most public-facing IRS systems, the agency requires customers to provide formerly private information such as an SSN or TIN, information reported to credit bureaus (e.g., credit card, loan), and access to a US-based non-virtual phone number. It’s a well-known fact that none of the “private” information is private, and SMS as a method of two-factor authentication is often circumvented. A popular hacked sites tracker lists 363 pwned (breached) sites that resulted in the theft of user data from 7,858,185,878 accounts. The availability of once-private data renders Knowledge-Based Authentication obsolete. As a workaround, the IRS offers an “Identity Protection PIN” to verified victims of identity theft and citizens of select states. The new PIN code is then sent annually by mail and is thereafter required for filing tax returns. While the agency is planning to extend this service, it is not available to everyone today and, furthermore, is not a secure, durable, or economical solution (see page 21 of the US Senate Committee on Finance report). This problem is well known to the IRS and its oversight body, the Treasury Inspector General for Tax Administration (TIGTA), which actively monitors and probes this topic.

Why does this matter now?

There is only one data trove of Personally Identifiable Information (PII) that hasn’t yet been hacked at scale, and that’s your tax data. Yes, the breach in 2015 affected 334,000 taxpayers, but we’re not in the millions yet. It’s hard to trump the OPM’s treasure trove hack that included the theft of 5.9 million biometric fingerprints, but tax data is a very private matter for many.

Solving the problem of eAuthentication at the IRS is paramount not only to protect what hasn’t been hacked, but to future-proof the evergreen source of PII that grows every year for each individual. Individual privacy is a cornerstone of democratic societies that must be protected, and tax-related data deserves a ranking of top importance.

Identity theft in the Web 2.0 world

Most of the services you use (e.g., Dropbox, Ancestry.com, Comcast, Domino’s, Experian) use centralized databases to store your data. Once their security is breached, all of the data is extracted for sale and shared among other criminals. Unwittingly or not, this information is increasingly made available to anyone on the internet. Stolen semi-secret fragments of text that establish your identity are combined with other data sets and then used to impersonate your actions. The hijacked identity is then used by a bad actor to conduct illegal activities on your behalf at your expense.

A New Approach for eAuthentication at the IRS

The IRS should consider switching from text-based authentication mechanisms to taxpayer self-service, cryptographically secure methods. The cybersecurity professionals in the IRS ecosystem like to say that third parties are security holes. What if we “eliminated” third parties? One way to do this is through a sovereign identity solution managed by each individual taxpayer.

Using this solution, the IRS would have the ability to instantly verify taxpayer identity without asking for text data from a third party. On request from the IRS, a taxpayer would package, cryptographically sign, and send a set of digitally signed attestations from banks, USPS, DMV, and credit cards, proving their identity. This transaction can be compared to the process of collecting a set of digital signatures in a PDF without the friction of actually sending around the document. This approach collects and provides to the IRS digitally signed immutable facts about the taxpayer’s identity without relying on knowledge-based data.

The Solution: Decentralized Identity Owned by a Taxpayer

We need a new identity mechanism that is not owned by a third party (e.g., Google, Facebook, government) but is instead trusted by the IRS. A person must be able to independently create a universally recognizable global identifier without a third party, and then attach cryptographically secured facts about themselves to that identifier. Over time a person will be able to collect verified attestations (i.e., facts) about themselves to establish the ownership of their identity.

Imagine getting a digital version of an empty passport book. It’s blank with no passport number and every book looks the same. Using existing open source Public Key Infrastructure (PKI) technology that secures billions of dollars of trade on the Internet, you would generate a private key to lock and unlock your passport book to prevent unauthorized access. This process doesn’t require a third party or even a connection to the Internet, and because it is based on open source standards anybody can generate and claim ownership of a blank passport book. Once you lay claim to a blank passport book, this process generates a unique identifier just like a passport number: now the passport book is yours. Unlike in a centralized system, such as the U.S. State Department’s, you generate your own passport book identifier by feeding a secret (private key) into an offline program that implements the cryptographic logic. For your identifier to be found by others, it needs to be anchored to an always-on decentralized network so that it can be found using a URL-like address. Now the decentralized identity is ready to accept cryptographically signed facts about your interactions with people, businesses, organizations, and government entities.

The most important feature of the decentralized identity solution is that the PII data and associated attestations (facts and verified credentials about a taxpayer) are not stored on a centralized network. There are different ways to implement this solution, and one way is by encrypting and storing the data on the user’s device with enterprise-grade recovery options in case of device loss.

Collecting the facts about yourself

With the decentralized identity setup, a taxpayer can start collecting facts about themselves from trusted sources. Let’s say a taxpayer, Alice, has a mortgage with the Wells Fargo Bank. Alice uses her existing credentials to log into the Wells Fargo website and requests a digital copy of Form 1098, Mortgage Interest Statement. Wells Fargo cryptographically signs the digital copy of Form 1098 against Alice’s decentralized identity and provides it to Alice. Now Alice can store the form in her personal attestations collection. She can present this fact about her mortgage to the IRS or to anyone else she chooses. The IRS now can independently verify the authenticity of Form 1098 by checking the digital signature of the issuer. The digitally signed attestation from the bank would include all the data the IRS needs for tax calculation: the mortgage amount as of Jan 1, 2019, interest paid in 2018, and the fact that the mortgage belongs to the decentralized identifier corresponding to Alice. This data cannot be modified by anyone without breaking the cryptographic seal of authenticity issued by the bank.
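
The issue-and-verify flow described above, as an added Node.js sketch that is not code from the article or from any IRS or bank system. The `did:example:` identifier derivation, the attestation field names and the amounts are assumptions made for illustration, and Ed25519 is one possible signature scheme.

```javascript
const crypto = require('node:crypto');

// Hypothetical identifier scheme: did:example:<truncated SHA-256 of the public key>.
function newIdentity() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const der = publicKey.export({ type: 'spki', format: 'der' });
  const digest = crypto.createHash('sha256').update(der).digest('hex');
  return { id: 'did:example:' + digest.slice(0, 32), publicKey, privateKey };
}

// Deterministic serialization so issuer and verifier process identical bytes.
// Enough for the flat payloads used here; nested data needs a full canonical form.
function canonical(obj) {
  return Buffer.from(JSON.stringify(obj, Object.keys(obj).sort()));
}

// Issuer (the bank) binds the form data to the subject identifier and signs it.
function issueAttestation(issuer, subjectId, claims) {
  const payload = { issuer: issuer.id, subject: subjectId, ...claims };
  const sig = crypto.sign(null, canonical(payload), issuer.privateKey);
  return { payload, signature: sig.toString('base64') };
}

// Verifier (the IRS): issuer must be trusted, subject must match, signature must hold.
function verifyAttestation(att, trustedIssuers, expectedSubject) {
  const key = trustedIssuers.get(att.payload.issuer);
  if (!key) return 'untrusted-issuer';
  if (att.payload.subject !== expectedSubject) return 'wrong-subject';
  const sig = Buffer.from(att.signature, 'base64');
  return crypto.verify(null, canonical(att.payload), key, sig) ? 'valid' : 'bad-signature';
}

// Constructed sample data; parties and amounts are made up.
const bank = newIdentity(), alice = newIdentity(), mallory = newIdentity();
const trusted = new Map([[bank.id, bank.publicKey]]);
const claims = { form: '1098', taxYear: 2018, interestPaid: 8450.12, principalJan1: 312000 };
const form1098 = issueAttestation(bank, alice.id, claims);
const tampered = { ...form1098, payload: { ...form1098.payload, interestPaid: 18450.12 } };
const selfIssued = issueAttestation(mallory, alice.id, claims);

console.log(verifyAttestation(form1098, trusted, alice.id));   // unmodified attestation
console.log(verifyAttestation(tampered, trusted, alice.id));   // amount edited after signing
console.log(verifyAttestation(form1098, trusted, mallory.id)); // presented by someone else
console.log(verifyAttestation(selfIssued, trusted, alice.id)); // signer not a known issuer
```

A complete flow would also have the taxpayer sign a fresh challenge from the verifier to prove control of the subject identifier; this sketch covers only the issuer's signature and the subject binding.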

This process can now be repeated for other sources of data. Perhaps an employer can provide an attestation for W-2, a payer for 1099, another employer for 1095-C, a stockbroker for 1099-DIV and 1099-INT. To demonstrate the broad potential, imagine a situation where a department of motor vehicles issues an attestation for the fact that you have a driver’s license and you are who you say you are. Perhaps your local government office can also issue an attestation showing that you paid your local taxes. Each attestation generates a cryptographically secured fact that’s an order of magnitude more secure than plain text.

It’s time to file your taxes

The IRS requires you to sign your tax return before you file. In 2019, if you were eFiling and using a tax preparer, you entered a five-digit PIN in lieu of a physical or digital signature. You authorized a preparer to sign on your behalf via Form 8879. Instead of securing your tax return with a real digital signature, you used a very primitive method and entrusted the integrity of your tax return to a third party. Tax preparers don’t care if a bad actor is signing your tax return. They collect their $100 (plus $39.99 for state) fee and let the victim of identity theft and the IRS deal with hundreds of millions of dollars worth of fraud (the IRS paid out $591 million in fraudulent payments in fiscal years 2015 through 2017). But the identity theft use case is just the beginning. This approach can be applied to correspondence authentication and to making information returns (e.g., Form 1099-INT) tamper-proof. That approach would take a large chunk out of the income underreporting problem the IRS faces annually. That’s a $400B annual problem for the United States (see page 3 of this IRS Research report).

Why is this better?

Knowledge-based authentication on stolen data is no longer a viable option. The IRS and American taxpayers will be better off relying on cryptographically secure mechanisms, rebuilding identities from digital proofs that the IRS can instantly trace and independently verify.

Notably, this solution would eliminate the need for a Copy B and Copy C for information returns. Line item reconciliations will no longer be required. The data reported on the information return is sealed with a digital fingerprint. Now you can just compare the digital fingerprint of the data (its hash) to determine if there is a mismatch between what the taxpayer is reporting and what the business side is reporting.
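
The fingerprint comparison described above, as an added Node.js sketch (not code from the article). The record layout, the payer labels and the amounts are constructed, and SHA-256 over sorted-key JSON is an assumed canonical form.

```javascript
const crypto = require('node:crypto');

// Fingerprint = SHA-256 over a canonical serialization (keys sorted), so two
// honest copies of the same return hash identically regardless of field order.
function fingerprint(ret) {
  const bytes = JSON.stringify(ret, Object.keys(ret).sort());
  return crypto.createHash('sha256').update(bytes).digest('hex');
}

// Index by the fields that identify a return (hypothetical key layout).
function index(returns) {
  return new Map(returns.map(r =>
    [`${r.form}|${r.payer}|${r.recipient}|${r.taxYear}`, fingerprint(r)]));
}

// Compare what payers filed with what the taxpayer reported, one hash per return.
function reconcile(payerFiled, taxpayerReported) {
  const filed = index(payerFiled), reported = index(taxpayerReported);
  const result = {};
  for (const [key, fp] of filed) {
    if (!reported.has(key)) result[key] = 'not-reported-by-taxpayer';
    else result[key] = reported.get(key) === fp ? 'match' : 'mismatch';
  }
  for (const key of reported.keys()) {
    if (!filed.has(key)) result[key] = 'not-filed-by-payer';
  }
  return result;
}

// Constructed sample returns; identifiers are placeholders, amounts in integer cents.
const who = 'did:example:alice';
const payerFiled = [
  { form: '1099-INT', payer: 'payer-A', recipient: who, taxYear: 2018, amountCents: 41250 },
  { form: '1099-DIV', payer: 'payer-B', recipient: who, taxYear: 2018, amountCents: 98000 },
  { form: '1099-INT', payer: 'payer-C', recipient: who, taxYear: 2018, amountCents: 7300 },
];
const taxpayerReported = [
  // Same data as the payer's copy in a different field order: fingerprints still match.
  { amountCents: 41250, taxYear: 2018, recipient: who, payer: 'payer-A', form: '1099-INT' },
  // Amount differs from the payer's copy, so the fingerprints differ.
  { form: '1099-DIV', payer: 'payer-B', recipient: who, taxYear: 2018, amountCents: 89000 },
];

console.log(reconcile(payerFiled, taxpayerReported));
```

A fingerprint mismatch says that two copies differ, not which field differs, so a flagged return still needs a field-level comparison.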

This article was written by Constantin Kostenko, Senior Solutions & Strategy Architect at ConsenSys

Please leave comments below on how you feel about this approach or feel free to contact me on Twitter or LinkedIn.

Thank you to Wayne Chang and Mayson Nystrom for your comments and feedback.

Disclaimer. The views, information, and opinions expressed are solely those of the author above and do not necessarily represent the views of Consensys AG. They are meant for informational purposes only and are not intended to serve as a recommendation or investment advice to buy or sell any securities, cryptoassets, or other financial products.
