GAO: U2F Security Keys Could Protect Taxpayers

Yubikey 4C with FIPS support. (Image credit: Yubico)

The IRS recently announced that it has seen an increase in tax scams. As a solution to this problem, the Government Accountability Office (GAO) has recommended the use of phishing-proof FIDO security keys.

Phishing-Proof Taxpayer Authentication

Over the past few years, more and more taxpayer information, including the social security numbers (SSNs) of 145.5 million Americans, has been stolen by malicious hackers. This has made it much easier for criminals to defraud people using their personal and sensitive information.

The IRS authenticates millions of taxpayers via the phone, online, in person and through correspondence. These methods have varying costs. A document review or an interaction with a live assistant can cost around $60 per interaction. The reason for this high cost is that the IRS needs to ensure it’s not dealing with a scammer using someone else’s personally identifiable information (PII). Although some of the other methods are cheaper, their authentication process is also not as rigorous.

The IRS learned this the hard way in 2015, when fraudsters used the PII of American taxpayers, obtained from previous outside data breaches, to gain access to the tax return information of over 724,000 accounts. The IRS believes that it ended up paying $1.6 billion to fraudsters in 2016, following that incident as well as the Office of Personnel Management hack.

This may soon get worse for the IRS as fraudsters start using data stolen in the Equifax data breach. That is why the GAO recommended the IRS improve its authentication methods as soon as possible.

U2F Security Keys For Phishing-Proof Authentication

The GAO suggested several authentication methods that could improve the security of taxpayer information and minimize the number of scams, such as using driver’s licenses, authenticating with Google/Facebook profiles, or using third-party services that could identify users and provide authentication services for them.

However, none of those offers authentication guarantees as strong as a security key using the FIDO U2F protocol. As Google recently revealed, none of its employees was successfully phished in the past year once the company made U2F keys mandatory for authentication.

The GAO recommended that the IRS allow taxpayers to authenticate to taxpayer systems using the FIDO U2F or UAF (for biometric authentication) protocols. However, the GAO doesn’t think that the IRS would provide taxpayers with those security keys.

However, that could happen if, in the future, the U.S. government wants to replace the broken SSN system for citizen authentication with something similar to a U2F security key provided to every user. Some countries, such as Estonia, have already adopted a similar solution, except that they primarily use smart cards instead. Estonians can use those cards not only to pay their taxes, but also to access their bank accounts, check their medical records, vote and much more. With most American adults’ SSNs stolen in the Equifax hack, a similar solution may be inevitable in the U.S. too.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.