By most accounts, the Internal Revenue Service has made big advances in data security over just a few years ago. But a report by the Government Accountability Office finds the tax agency has fallen short when it comes to authenticating the identities of taxpayers.

The IRS says there are over 100 interactions that require taxpayer authentication. Most of these are by telephone, online, in person and through correspondence.

What GAO Found

The Government Accountability Office says the IRS has indeed made progress on monitoring and improving online taxpayer authentication. But the agency has failed to prioritize the various initiatives that support its strategy, nor has the IRS identified the resources needed to complete the initiatves.

Another area of concern is staying ahead of threats in interactions other than online contacts. The GAO found that the agency didn’t use the same rigorous internal controls it has in place for online authentication in the areas of telephone, in person and correspondence contacts. And because the IRS didn’t seem to collect reliable useful data to monitor authentication outcomes, the GAO says the IRS may not be able to identify current or emerging threats to the tax system.

The IRS apprently has not met implementation of the National Institute of Standards & Technology’s (NIST) new guidance for secure digital authentication—and missed the June implementation date specified by the Office of management and Budget.

“Strong preventive controls can help IRS defend itself against identity theft refund fraud,” the GAO report states. “These controls include taxpayer authentication—the process by which IRS verifies identities before allowing people access to a resource; sensitive data; or, in some cases, a tax refund. The risk of fraud has increased as more personally identifiable information has become available as a result of, for example, large-scale cyberattacks on various entities. IRS's ability to continuously monitor and improve taxpayer authentication is a critical step in protecting billions of dollars from fraudsters.”

Looking ahead, the GAO also found no comprehensive process to identify and evaluate new authentication technologies that could be used in the tax system. Industry representatives, financial institutions and government officials told GAO that the best authentication approach relies on multiple strategies and sources of information, while giving taxpayers options for actively protecting their identity.

Evaluating alternatives for taxpayer authentication, the report states,  will help IRS avoid missing opportunities for improving authentication.

Recommendations

The Government Accountability Office made 11 recommendations, including estimating resources for and prioritizing authentication initiatives; addressing internal control issues to better monitor authentication; developing a plan to implement the new NIST guidance; and developing a process to evaluate potential authentication technologies.

The IRS agreed with all 11 recommendations.

(IRS graphic follows)