Yubikey 4C with FIPS support. Image credit: Yubico
The IRS recently announced that it has seen an increase in tax scams. As a solution to this problem, the Government Accountability Office (GAO) has recommended the use of phishing-proof FIDO security keys.
Phishing-Proof Taxpayer Authentication
Over the past few years, more and more taxpayer information, including the social security numbers (SSNs) of 145.5 million Americans, has been stolen by malicious hackers. This has made it much easier for criminals to defraud people using their personal and sensitive information.
The IRS authenticates millions of taxpayers via the phone, online, in person and through correspondence. These methods have varying costs. A document review or interacting with a live assistant can cost around $60 per interaction. The reason for this high cost is that the IRS needs to ensure it’s not dealing with a scammer using someone else’s personally identifiable information (PII). Although some of the other methods are cheaper, their authentication process is also not as rigorous.
The IRS learned this the hard way in 2015, when fraudsters used the PII of American taxpayers, obtained from previous outside data breaches, to gain access to the tax return information of over 724,000 accounts. The IRS believes that it ended up paying $1.6 billion to fraudsters in 2016, following that incident as well as the Office of Personnel Management hack.
U2F Security Keys For Phishing-Proof Authentication
The GAO suggested several authentication methods that could improve the security of taxpayer information and minimize the number of scams, such as using driver’s licenses, authenticating with Google/Facebook profiles, or using third-party services that could identify users and provide authentication services for them.
However, none of those offers authentication guarantees as strong as a security key using the FIDO U2F protocol. As Google recently revealed, none of its employees was successfully phished in the past year once the company made U2F keys mandatory for authentication.
GAO recommended that the IRS allow taxpayers to authenticate to taxpayer systems using the FIDO U2F or UAF (for biometric authentication) protocols. However, GAO doesn’t think that the IRS would provide taxpayers with those security keys.
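To show why a U2F key is called phishing-proof, here is an added, simplified model of the protocol that is not part of the article or of any FIDO implementation. It substitutes HMAC-SHA256 for the per-site ECDSA key pairs a real key uses so that it runs on the Python standard library alone; the origins `https://login.irs.example` and `https://login-irs.example` and the user name are constructed placeholders. The two checks that defeat a phishing page are the ones a real authenticator and relying party perform: the key refuses to use a credential registered for another application ID, and the relying party rejects an assertion whose browser-supplied origin is not its own.

```python
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Toy U2F-style authenticator (assumption: HMAC stands in for ECDSA P-256)."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # device secret, never exported
        self._counter = 0                       # signature counter, clone detection

    def _site_key(self, app_id_hash, nonce):
        return hmac.new(self._master, b"site" + app_id_hash + nonce, hashlib.sha256).digest()

    def _handle_tag(self, app_id_hash, nonce):
        # Binds the key handle to the application ID it was registered for.
        return hmac.new(self._master, b"handle" + app_id_hash + nonce, hashlib.sha256).digest()[:16]

    def register(self, app_id: str):
        """Return (key_handle, site_key); the relying party stores both."""
        app_id_hash = sha256(app_id.encode())
        nonce = secrets.token_bytes(16)
        return nonce + self._handle_tag(app_id_hash, nonce), self._site_key(app_id_hash, nonce)

    def authenticate(self, app_id: str, key_handle: bytes, client_data: bytes):
        app_id_hash = sha256(app_id.encode())
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._handle_tag(app_id_hash, nonce)):
            raise ValueError("key handle was not registered for this app ID")
        self._counter += 1
        counter = self._counter.to_bytes(4, "big")
        signed = app_id_hash + counter + sha256(client_data)
        return counter, hmac.new(self._site_key(app_id_hash, nonce), signed, hashlib.sha256).digest()


class RelyingParty:
    """Server side: issues challenges and verifies assertions against its own origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}     # username -> {"handle", "key", "counter"}
        self.pending = {}   # username -> outstanding challenge

    def register_user(self, username: str, key: SecurityKey):
        handle, site_key = key.register(self.origin)
        self.users[username] = {"handle": handle, "key": site_key, "counter": 0}

    def begin_login(self, username: str):
        challenge = secrets.token_urlsafe(32)
        self.pending[username] = challenge
        return challenge, self.users[username]["handle"]

    def finish_login(self, username: str, client_data: bytes, counter: bytes, sig: bytes):
        rec = self.users[username]
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin:
            return False, "origin mismatch"
        if cd.get("challenge") != self.pending.pop(username, None):
            return False, "unknown or reused challenge"
        c = int.from_bytes(counter, "big")
        if c <= rec["counter"]:
            return False, "counter did not increase"
        signed = sha256(self.origin.encode()) + counter + sha256(client_data)
        expected = hmac.new(rec["key"], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        rec["counter"] = c
        return True, "ok"


def browser_sign(key: SecurityKey, page_origin: str, challenge: str, key_handle: bytes):
    """Model of the browser: it, not the web page, fills in origin and app ID."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    counter, sig = key.authenticate(page_origin, key_handle, client_data)
    return client_data, counter, sig


def phishing_attempt(key: SecurityKey, rp: RelyingParty, username: str, fake_origin: str):
    """A lookalike site relays the real challenge and handle to the victim's browser."""
    challenge, handle = rp.begin_login(username)
    try:
        browser_sign(key, fake_origin, challenge, handle)
        return "token signed"          # would mean the binding failed
    except ValueError as err:
        return str(err)


def forged_app_id_attempt(key: SecurityKey, rp: RelyingParty, username: str, fake_origin: str):
    """Even a client that lies to the key about the app ID cannot hide its origin from the server."""
    challenge, handle = rp.begin_login(username)
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": fake_origin}).encode()
    counter, sig = key.authenticate(rp.origin, handle, client_data)
    return rp.finish_login(username, client_data, counter, sig)


if __name__ == "__main__":
    k, irs = SecurityKey(), RelyingParty("https://login.irs.example")
    irs.register_user("taxpayer", k)
    ch, h = irs.begin_login("taxpayer")
    print(irs.finish_login("taxpayer", *browser_sign(k, irs.origin, ch, h)))
    print(phishing_attempt(k, irs, "taxpayer", "https://login-irs.example"))
    print(forged_app_id_attempt(k, irs, "taxpayer", "https://login-irs.example"))
```

The contrast with a one-time code is the point: a code typed into a lookalike page is valid anywhere, whereas here the browser, not the user, decides which origin goes into the signed data, so nothing the user can be tricked into doing produces an assertion the real site will accept.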
However, that could happen if, in the future, the U.S. government wants to replace the broken SSN system for citizen authentication with something similar to a U2F security key provided to every user. Some countries, such as Estonia, have already adopted a similar solution, except they primarily use smart cards instead. Estonians can use those cards not only to pay their taxes, but also to access their bank accounts, check their medical records, vote and much more. With most American adults’ SSNs stolen in the Equifax hack, a similar solution may be inevitable in the U.S. too.