Strengthening Online Security While Ensuring Taxpayer Access

September 27, 2018 — Blog   

The Oversight Subcommittee, chaired by Rep. Lynn Jenkins (R-KS), held a hearing yesterday entitled the “IRS Taxpayer Authentication: Strengthening Security While Ensuring Access.”

This hearing focused on how the Internal Revenue Service (IRS) verifies the identity of taxpayers through a process called “authentication” before allowing them to use the IRS’s online tools and applications.  Authentication is an important protection of taxpayer information because it provides the IRS with a reasonable assurance that it is interacting with the correct taxpayer.

Unfortunately, the IRS’s online tools and applications have experienced a number of breaches and cyberattacks throughout the years, leading to taxpayers having their identities compromised and hundreds of millions of dollars in fraudulent tax refunds being issued.  The breaches and cyberattacks have also raised concerns about how well the IRS authenticates the identity of taxpayers online.

As Chairman Jenkins stressed in her opening remarks, the IRS needs to implement a strategy to solve this:

“The IRS has not implemented a comprehensive authentication strategy to coordinate these efforts even though it has been working on one for nearly three years. Without a strategy in place, the IRS will not be able to establish an agency-wide response to improve authentication.”

Rep. Carlos Curbelo (R-FL) underscored the importance of strong online authentication, stating:

“When people defraud the government, they defraud the public and fellow taxpayers.”

The Subcommittee heard from officials from the IRS, the Government Accountability Office (GAO), and the Treasury Inspector General for Tax Administration (TIGTA). Throughout the hearing, the witnesses noted that although the IRS has taken steps to improve online authentication, a number of weaknesses still exist.

Particularly concerning is that the IRS currently does not comply with federal guidelines for online authentication, nor has the IRS implemented a comprehensive authentication strategy.

As James McTigue, Jr., Director of Tax Issues at GAO, said, this lack of information about how the IRS plans to move forward is concerning:

“It’s critical to have a high-level vision and direction…what GAO’s concern has been is that’s a lot of work, a lot of activities. How much will it cost, what should come first, and what are the trade-offs among those activities? The more information, the more analysis that can support decisions on what to do next and developing the timelines…we think that would further strengthen the IRS’s approach to improving authentication.”

Chairman Jenkins also stressed the importance of ensuring legitimate taxpayers are able to easily access the IRS’s online services when needed.  Edward Killen, Chief Privacy Officer at the IRS, affirmed the IRS’s commitment to ensuring both:

“We’re absolutely committed to taxpayer security and protecting taxpayers’ data but we’re also committed to providing taxpayers with tools and channels in which they can interact with us to fulfill their tax obligations.” 

Rep. Jackie Walorski (R-IN) asked Michael McKenny, Deputy Inspector General for Audit at TIGTA, about TIGTA’s recommendations highlighting the inability of the IRS to monitor for and detect cyberattacks. While the IRS agreed with TIGTA’s recommendations, it still has more work to do, according to Mr. McKenney:

“I think they’re making progress on following those recommendations, and we’re doing additional work on that. But they certainly did agree and they’re doing work on that.”

Rep. Brad Wenstrup (R-OH) questioned how the United States compares to other countries when it comes to authenticating taxpayers online.  Gina Garza, Chief Information Officer at the IRS, said:

“We have had some conversations with other countries, but the ID proofing part is the hard part of it.  Everyone is solving for the authentication piece.  But the ability to ensure that the person that you’re talking to, that the taxpayer, is who they say they are — that’s the part people seem to be having a hard time finding.”

Ms. Garza further explained that ID proofing remains the biggest challenge for the agency:

“… You have to already know that the person is who they say they are. That’s the part that has been very hard to solve…That’s what we’re trying to work through and that’s where we’re trying to explore for new solutions around the ID proofing component.”

Rep. Mike Bishop (R-MI) emphasized also looking to the private sector for authentication best practices:

“When it comes to developing and implementing online multifactor authentication, the idea of getting the private sector involved is a really important process.” 

The Oversight Subcommittee looks forward to continuing its work to ensure taxpayers’ information is protected as we redesign the IRS into an agency that truly puts taxpayers first.

CLICK HERE to learn more about the hearing.