GAO: U2F Security Keys Could Protect Taxpayers

Yubikey 4C with FIPS support. (Image credit: Yubico)

The IRS recently announced that it has seen an increase in tax scams. As a solution to this problem, the Government Accountability Office (GAO) has recommended the use of phishing-proof FIDO security keys.

Phishing-Proof Taxpayer Authentication

Over the past few years, more and more taxpayer information, including the Social Security numbers (SSNs) of 145.5 million Americans, has been stolen by malicious hackers. This has made it much easier for criminals to defraud people using their personal and sensitive information.

The IRS authenticates millions of taxpayers by phone, online, in person and through correspondence. These methods have varying costs: a document review or an interaction with a live assistant can cost around $60 per interaction. The cost is high because the IRS needs to ensure it is not dealing with a scammer using someone else’s personally identifiable information (PII). Although some of the other methods are cheaper, their authentication process is also less rigorous.

The IRS learned this the hard way in 2015, when fraudsters used the PII of American taxpayers, obtained from earlier outside data breaches, to gain access to the tax return information of over 724,000 accounts. The IRS believes that, following that incident and the Office of Personnel Management hack, it ended up paying $1.6 billion to fraudsters in 2016.

This may soon get worse for the IRS as fraudsters start using data stolen in the Equifax data breach, which is why the GAO recommended that the IRS improve its authentication methods as soon as possible.

U2F Security Keys For Phishing-Proof Authentication

The GAO suggested several authentication methods that could improve the security of taxpayer information and reduce the number of scams, such as using driver’s licenses, authenticating with Google or Facebook profiles, or using third-party services that could identify users and provide authentication for them.

However, none of those offers authentication guarantees as strong as a security key using the FIDO U2F protocol. As Google recently revealed, none of its employees has been successfully phished in the past year, since the company made U2F keys mandatory for authentication.
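Why a U2F key resists phishing, as an added illustration that is not part of the article or the GAO report: the browser binds the key’s signed response to the page’s real origin, so a response obtained on a look-alike site fails the relying party’s check even when the user touched the key. The origins (tax.example, tax-login.example), the challenge value and the simplification that the appId equals the page origin are my assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData is built by the browser, which fills in the page's real origin; the page cannot set it.
type clientData struct{ Typ, Challenge, Origin string }

// signedBytes lays out the U2F message the key signs: SHA-256(appId) || 0x01 (user presence) || counter (4 bytes, big-endian) || SHA-256(clientData).
func signedBytes(appID string, counter uint32, cd []byte) []byte {
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append(append(app[:], 0x01), ctr[:]...), cdh[:]...)
}

// authenticate models browser plus key on a page whose real origin is `origin`. Simplifying
// assumption: appId == page origin, which is what the browser's facet check enforces in practice.
func authenticate(key *ecdsa.PrivateKey, origin, challenge string, counter uint32) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{"navigator.id.getAssertion", challenge, origin})
	digest := sha256.Sum256(signedBytes(origin, counter, cd))
	sig, _ = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return cd, sig
}

// verify is the relying party: clientData origin and challenge must be its own, the counter must advance (no replay), and the signature must cover *its* appId, not the page the user saw.
func verify(pub *ecdsa.PublicKey, rpOrigin, challenge string, lastCounter, counter uint32, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Origin != rpOrigin || c.Challenge != challenge || counter <= lastCounter {
		return false
	}
	digest := sha256.Sum256(signedBytes(rpOrigin, counter, cd))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair registered earlier (constructed)
	rp := "https://tax.example"                                // constructed relying-party origin
	cd, sig := authenticate(key, rp, "chal-1", 7)
	fmt.Println("genuine site:", verify(&key.PublicKey, rp, "chal-1", 6, 7, cd, sig)) // true
	cd, sig = authenticate(key, "https://tax-login.example", "chal-1", 8) // look-alike site relaying the real challenge
	fmt.Println("look-alike site:", verify(&key.PublicKey, rp, "chal-1", 6, 8, cd, sig)) // false
}
```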

The GAO recommended that the IRS allow taxpayers to authenticate to taxpayer systems using the FIDO U2F or UAF (for biometric authentication) protocols. However, the GAO does not expect the IRS to provide taxpayers with those security keys.

However, that could change if, in the future, the U.S. government wants to replace the broken SSN system for citizen authentication with something similar to a U2F security key issued to every citizen. Some countries, such as Estonia, have already adopted a similar solution, although they primarily use smart cards instead. Estonians can use those cards not only to pay their taxes, but also to access their bank accounts, check their medical records, vote and much more. With most American adults’ SSNs stolen in the Equifax hack, a similar solution may be inevitable in the U.S. too.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • hotaru251
    I haven't ever had my info stolen, but I am all for a modern security measure to protect the citizens when the current form is failing more and more.

    Also, something for claiming taxes should require multiple forms of identity (maybe a blood sample even :|)
  • AnimeMania
    This is a physical object right? Something that can be lost, stolen, destroyed, etc. Issued when you are a baby, to be held onto until the day you die. I don't see how that would create any problems. Every computer in the future will now be manufactured with this legacy port that this security key fits into.
  • ubercake
    They need to do something if they want us to be known as numbers and our numbers have been stolen thanks to the credit bureaus - Equifax and Experian!!!
  • DrakeFS
    21184604 said:
    This is a physical object right? Something that can be lost, stolen, destroyed, etc. Issued when you are a baby, to be held onto until the day you die. I don't see how that would create any problems. Every computer in the future will now be manufactured with this legacy port that this security key fits into.

    You mean like the US social security card? I can't imagine how they would ever have a replacement process for something like that... The US should be providing USB key fob certs for their citizens. Smartcard might be nice but at this point, every computer has a USB port.

    Sure, USB may eventually not be backwards compatible or just go away entirely. Companies already make adapters for all types of legacy ports that convert to USB. I would assume that what ever replaces USB would have an adapter for legacy USB devices.
  • hotaru251
    21184604 said:
    This is a physical object right? Something that can be lost, stolen, destroyed, etc. Issued when you are a baby, to be held onto until the day you die. I don't see how that would create any problems. Every computer in the future will now be manufactured with this legacy port that this security key fits into.

    Yes, in the event it's lost you would probably have to file that and use multiple ways to prove it's you and not a scammer.

    It's used in other places (not specifically this, but a card that has basically everything about you on it)

    good thing about modern tech and the future tech...ADAPTERS!

    but ANYTHING is better than the current system.

    Identity theft in States is high.

    all it takes is your SSN (social security number) and a birth certificate and GG your identity is now not just yours. They can access everything.
  • ubercake
    Also, even when it's known that your SSN has been stolen, the Social Security Office gives you a hard time about issuing you a new one. It's nearly impossible to get a new SSN in order to protect yourself.
  • COLGeek
    Technically, there is a large degree of goodness here, particularly in terms of cybersecurity.

    In regards to privacy and some folks' perceptions of "guvment" overreach, I don't see a US digitally enabled ID card. Still, I have been using a similar device (CAC) for 20+ years, so we know how to do this.
  • AnimeMania
    21188218 said:
    21184604 said:
    This is a physical object right? Something that can be lost, stolen, destroyed, etc. Issued when you are a baby, to be held onto until the day you die. I don't see how that would create any problems. Every computer in the future will now be manufactured with this legacy port that this security key fits into.

    You mean like the US social security card? I can't imagine how they would ever have a replacement process for something like that... The US should be providing USB key fob certs for their citizens. Smartcard might be nice but at this point, every computer has a USB port.

    Sure, USB may eventually not be backwards compatible or just go away entirely. Companies already make adapters for all types of legacy ports that convert to USB. I would assume that what ever replaces USB would have an adapter for legacy USB devices.

    This is slightly different. I throw my US social security card in a drawer and never look at it again until the rare occasion when someone wants to physically look at the card: getting a passport, applying for a new job, not sure what other occasions. That means I have to handle it about once every 5 years or so. How many times have I had to supply my US social security card number? Tons, and I had that number transferred to my personal memory storage device, my brain, and I can be sure that every US citizen knows that number like the back of their hand. I am just wondering how often you are going to need this "fob device" to do your everyday business: every time you use your debit card, punch your time clock at work, sign a document/contract. Will it become your unforgeable signature, and thus you have to have it on you at all times, thus putting it at great risk of what I wrote earlier: "Something that can be lost, stolen, destroyed, etc. Issued when you are a baby, to be held onto until the day you die." Not to mention, copied without you even realizing that it has happened, unless the device has a way of preventing copying. You would never know when, where, or what kind of device someone might want you to insert your "fob device" into, so you will need very strong "protection" to make sure your data is secure, immutable and unreproducible.