GAO Recommends FIDO

By Brett McDowell, Executive Director, FIDO Alliance

Thousands of people have lost millions of dollars and their personal information to tax scams, and the U.S. Government Accountability Office (GAO) is now pointing to FIDO Authentication as a way to help.

One of the most common ways that criminals collect information for tax scams is through phishing and social engineering attacks – emails and phone calls aiming to trick citizens into handing over their personal information like passwords and social security numbers. These attacks show no signs of stopping; the IRS reports “a steady onslaught of new and evolving phishing schemes as scam artists work to victimize taxpayers during filing season.”

Given the persistence of taxpayer fraud, the GAO published a public report, “Identity Theft: IRS Needs to Strengthen Taxpayer Authentication Efforts,” to determine what the IRS can do to strengthen its authentication methods while improving services to taxpayers in the future.

FIDO Authentication is one of the authentication options that the GAO recommends the IRS consider. The report states that possession-based authentication, such as solutions using FIDO standards, offer users “a convenient, added layer of security when used as a second factor for accessing websites or systems that would otherwise rely on a username and password for single-factor authentication.” In other words, allowing citizens to use a FIDO-enabled device to log in to IRS services would give them additional protection without impacting convenience.   

In addition, FIDO Authentication meets National Institute of Standards and Technology’s (NIST) new guidance for secure digital authentication at the highest level of assurance, which the GAO recommends the IRS implement as a priority.

This is not the first time that a government agency has been urged to adopt FIDO Authentication. Last year, Sen. Ron Wyden (D-Ore.) wrote a letter to the Social Security Administration (SSA) asking the agency to support FIDO Security Keys because they are “resistant to all phishing.”

FIDO Authentication is proven to work against phishing and social engineering attacks. None of Google’s 85,000+ employees have been phished since early 2017 when the company began requiring all employees to use FIDO-based Security Keys. If the IRS follows the GAO recommendations and enables users to login with FIDO Authentication, we can expect a drastic reduction in phishing-related tax scams – saving money, time and hassle for citizens and government.


More

FIDO Alliance Releases Authenticate U.S. 2026 Agenda

Carlsbad, Calif., July 9, 2026 – The FIDO Alliance has announced the agenda for Authenticate…

Read More →

Request for Proposal (RFP): ISO/IEC 17065 Accreditation Consultancy

The FIDO Alliance is seeking a specialized consulting partner to guide us through the ISO/IEC…

Read More →

New FIDO Alliance and HID Study Reveals Major Gap Between Identity Security Confidence and Reality

Research Reveals 94% of Enterprises Claim They Can Revoke Employee Access Within 24 Hours, Yet…

Read More →


12373 Next

Subscribe to the FIDO newsletter

Stay Connected, Stay Engaged

Receive the latest news, events, research and implementation guidance from the FIDO Alliance. Learn about digital identity and fast, phishing-resistant authentication with passkeys.