New GAO Report Recommends IRS Adopt FIDO to Strengthen Taxpayer Authentication
By Brett McDowell, Executive Director, FIDO Alliance
Thousands of people have lost millions of dollars and their personal information to tax scams, and the U.S. Government Accountability Office (GAO) is now pointing to FIDO Authentication as a way to help.
One of the most common ways that criminals collect information for tax scams is through phishing and social engineering attacks – emails and phone calls aiming to trick citizens into handing over their personal information like passwords and social security numbers. These attacks show no signs of stopping; the IRS reports “a steady onslaught of new and evolving phishing schemes as scam artists work to victimize taxpayers during filing season.”
Given the persistence of taxpayer fraud, the GAO published a public report, “Identity Theft: IRS Needs to Strengthen Taxpayer Authentication Efforts,” to determine what the IRS can do to strengthen its authentication methods while improving services to taxpayers in the future.
FIDO Authentication is one of the authentication options that the GAO recommends the IRS consider. The report states that possession-based authentication, such as solutions using FIDO standards, offer users “a convenient, added layer of security when used as a second factor for accessing websites or systems that would otherwise rely on a username and password for single-factor authentication.” In other words, allowing citizens to use a FIDO-enabled device to log in to IRS services would give them additional protection without impacting convenience.
In addition, FIDO Authentication meets National Institute of Standards and Technology’s (NIST) new guidance for secure digital authentication at the highest level of assurance, which the GAO recommends the IRS implement as a priority.
This is not the first time that a government agency has been urged to adopt FIDO Authentication. Last year, Sen. Ron Wyden (D-Ore.) wrote a letter to the Social Security Administration (SSA) asking the agency to support FIDO Security Keys because they are “resistant to all phishing.”
FIDO Authentication is proven to work against phishing and social engineering attacks. None of Google’s 85,000+ employees have been phished since early 2017 when the company began requiring all employees to use FIDO-based Security Keys. If the IRS follows the GAO recommendations and enables users to login with FIDO Authentication, we can expect a drastic reduction in phishing-related tax scams – saving money, time and hassle for citizens and government.
MORE Building the Business Case