GAO Recommends FIDO

By Brett McDowell, Executive Director, FIDO Alliance

Thousands of people have lost millions of dollars and their personal information to tax scams, and the U.S. Government Accountability Office (GAO) is now pointing to FIDO Authentication as a way to help.

One of the most common ways that criminals collect information for tax scams is through phishing and social engineering attacks – emails and phone calls aiming to trick citizens into handing over their personal information like passwords and social security numbers. These attacks show no signs of stopping; the IRS reports “a steady onslaught of new and evolving phishing schemes as scam artists work to victimize taxpayers during filing season.”

Given the persistence of taxpayer fraud, the GAO published a public report, “Identity Theft: IRS Needs to Strengthen Taxpayer Authentication Efforts,” to determine what the IRS can do to strengthen its authentication methods while improving services to taxpayers in the future.

FIDO Authentication is one of the authentication options that the GAO recommends the IRS consider. The report states that possession-based authentication, such as solutions using FIDO standards, offer users “a convenient, added layer of security when used as a second factor for accessing websites or systems that would otherwise rely on a username and password for single-factor authentication.” In other words, allowing citizens to use a FIDO-enabled device to log in to IRS services would give them additional protection without impacting convenience.   

In addition, FIDO Authentication meets National Institute of Standards and Technology’s (NIST) new guidance for secure digital authentication at the highest level of assurance, which the GAO recommends the IRS implement as a priority.

This is not the first time that a government agency has been urged to adopt FIDO Authentication. Last year, Sen. Ron Wyden (D-Ore.) wrote a letter to the Social Security Administration (SSA) asking the agency to support FIDO Security Keys because they are “resistant to all phishing.”

FIDO Authentication is proven to work against phishing and social engineering attacks. None of Google’s 85,000+ employees have been phished since early 2017 when the company began requiring all employees to use FIDO-based Security Keys. If the IRS follows the GAO recommendations and enables users to login with FIDO Authentication, we can expect a drastic reduction in phishing-related tax scams – saving money, time and hassle for citizens and government.


More

Authenticate Update: 2024 Agenda Released

Carlsbad, Calif, August 14, 2024 – The FIDO Alliance has announced its agenda today for…

Read More →

New CISA Guide Calls for Phishing-Resistant Forms of Authentication and Passkeys by Default

Andrew Shikiar, FIDO Alliance Executive Director & CEO In a significant move to bolster software…

Read More →

Strengthening Authentication with Passkeys in Automotive and Beyond

On July 16th, 2024, the FIDO Alliance held a seminar focused on the fit for…

Read More →