Every American who wants to access tax information or manage an account on IRS.gov must now register with ID.me, a private company, submitting a government-issued photo ID and, in many cases, a biometric face scan to a system running on commercial cloud infrastructure - with no alternative path available online.

The requirement is not new in its broad outlines, but its scope has crystallised in a way that is drawing renewed attention. According to IRS.gov, "you'll need an account with ID.me to sign in to access your tax information and use services on IRS.gov." The page, last reviewed or updated on June 11, 2026, covers individual accounts, business tax accounts, tax professional accounts, and a list of more than a dozen specific services. One ID.me account, according to the IRS, "lets you sign in to most IRS accounts and services."

What that means in practice: US taxpayers with no prior relationship with ID.me must create an account with a private company before they can interact with their own government on tax matters online. The alternative to completing that process is to conduct business by post, telephone, or in person at a local IRS office - options that carry their own friction, delays, and accessibility barriers.

What ID.me actually does with the data

ID.me is described on the IRS website as "a trusted technology partner of government agencies and businesses" that provides "secure digital identity verification." According to IRS.gov, the company "meets the latest federal security standards" - specifically the National Institute of Standards and Technology Special Publication 800-63-3 Digital Identity Guidelines, a framework governing digital identity assurance levels for federal systems.

The account creation process is structured in two parts. The first is account setup, requiring a personal email address, a password of at least eight characters, and a second authentication factor - described as an authentication app, face or touch unlock, or a mobile phone with text messaging. The second part is identity verification, which must be completed only once and requires a Social Security number or Individual Taxpayer Identification Number, plus a valid government-issued photo ID such as a driver's license, state ID, passport, or passport card.

On the privacy side, the IRS page states: "All selfie, video, and biometric data are automatically deleted for users who verify for the IRS, except for suspicious or fraudulent activity." ID.me's own policy, as described on the IRS site, holds that the company "will not share, sell, rent or trade your personally identifiable information or sensitive information with other parties, except to verify your identity and eligibility."

That framing has attracted scrutiny. Martin Focazio, who identified himself as President and Principal Consultant at Coherent Ways LLC and previously served as VP of Revenue Operations at ITRex Group, posted publicly on LinkedIn on June 25, 2026 - yesterday - to describe the experience of being required to submit biometric data to access IRS services. According to Focazio's post: "I had to sit here and show a machine running on Google Cloud my state-issued photo ID and then give it a nice face scan. I had to 'consent' to using ID.me to proceed - the other option was...there was no other option."

Focazio went further in examining the company's own published policy. According to his post: "They repeat one line five times: 'ID.me will not sell, rent, or trade your Personal Information.' Then the same policy admits they buy data from 'data licensors, aggregators, and marketing companies,' enrich it with your government ID, Social Security number, and biometrics, and sell access to the result."

The IRS website does not address this potential tension between ID.me's stated commitments and the data acquisition practices described in ID.me's own privacy policy documents.

The services gated behind the requirement

The breadth of what now requires ID.me access is worth spelling out. On the individual side, the gated services include digital forms, Forms 2848 and 8821, Free File Fillable Forms, the Freedom of Information Act Public Access Portal, Secure Messages, and the identity and return verification service.

For businesses and tax professionals, the list is longer. It includes the Affordable Care Act Information Returns system, BBA audit forms, the Certification program for professional employer organisations (CPEO), e-Services for tax professionals, Form 990-N (the annual e-postcard for small tax-exempt organisations), the FATCA Registration System, the Income Verification Express Service, the Information Return Intake System, Modernised e-File, payment plans for businesses or power of attorney holders, PTIN registration for tax return preparers, the Qualified Intermediary System, and Secure Messages.

That list covers a substantial share of the professional tax infrastructure in the United States. Tax preparers who have previously used e-Services or the PTIN system must now maintain an active ID.me account as a condition of continuing to do so. Small non-profits filing Form 990-N electronically - a category running into the hundreds of thousands of organisations - are in the same position.

The technical error landscape

The IRS page documents a set of error codes that arise when the verification process fails or is blocked, and these offer a window into some of the friction points users encounter.

Error EC 6000 applies when "a security condition is preventing you from accessing this IRS online service." The advice given is to "select view your alternatives on the error page to find other options to complete your transaction" - which in practice points toward non-digital channels.

Error EC 6001 fires when "the name on your account doesn't match what the Social Security Administration has on file," requiring the user to update their name on ID.me. Name discrepancies between government databases are not unusual - they arise from marriage, divorce, legal name changes, and data entry variations across agencies - and resolving them requires steps outside the IRS system itself.

Error EC 6101 covers users who "verified your identity without using a Social Security number or Individual Taxpayer Identification Number." According to the IRS, "the IRS currently requires one of these to access IRS accounts and services." This is significant for certain categories of foreign nationals and individuals with non-standard identification situations.

For users who cannot verify their identity through the standard flow, the IRS page describes a workaround: navigating to the relevant account or service, selecting sign-in or create account, and then choosing "get your information without signing in" via a link at the top of the page. The scope of what can be accessed through that pathway is not described on the page itself.

The contract behind the integration

The IRS does not appear to disclose the financial terms of its arrangement with ID.me on the public-facing help page. The figure cited in public commentary - including in Focazio's LinkedIn post, which stated the IRS is "paying ID.me over a billion dollars" - has circulated widely in reporting on this arrangement. That figure refers to contract values disclosed through federal procurement records, though the precise current contract value and structure are not verifiable through the IRS.gov page itself.

ID.me was founded in 2010 and has expanded from its initial focus on military and student discount verification to become a major provider of digital identity services to federal and state agencies. Beyond the IRS, the company holds contracts with a significant number of state unemployment agencies, the Department of Veterans Affairs, and other federal bodies.

The scale of that government footprint raises questions that extend beyond any individual user's experience. When a single private company holds verified digital identity records for tens of millions of Americans - records combining government document images, SSNs, biometric data, and identity verification outcomes - the concentration of that data represents a risk profile that differs from what existed when identity verification was handled directly by government systems.

The NIST 800-63-3 framework and what it requires

The standard the IRS cites for ID.me's compliance - NIST Special Publication 800-63-3 - establishes three Identity Assurance Levels (IALs) governing how digital identity verification should work for federal systems. IAL1 requires no identity proofing. IAL2 requires that claimed identity is linked to a real individual through remote or in-person identity proofing. IAL3 requires in-person identity proofing.

The IRS access model, which involves remote document submission and a live face scan compared against the submitted ID, corresponds to IAL2 under this framework. The requirement for biometric comparison as part of remote proofing is built into the NIST standard itself, not an invention of ID.me. That said, the NIST framework is a minimum technical standard, not a policy prescription for which private entities should hold the resulting data.

The broader policy question - whether the government should use private commercial identity providers to fulfill this function, or whether it should build and operate its own digital identity infrastructure - is a separate discussion from whether ID.me meets the technical standard. The IRS page describes the current arrangement as a matter of fact, without addressing the underlying architectural choice.

Security guidance and scam warnings

The IRS adds a section to its ID.me help page on securing accounts, with warnings relevant to the current phishing environment. According to the page, "scammers are constantly evolving and trying to find new ways to access your personal information." The guidance is to use a strong, unique password, avoid password reuse, and never share credentials.

The IRS also states: "We never call, email or send text messages asking you to provide information or sign in to get a transcript or update your profile." This is a reminder that IRS impersonation scams are active - and that legitimate IRS contact about account activity would not arrive as an unsolicited message requesting sign-in.

The page also specifies that if a user believes they have been scammed or had information stolen, they should sign in to the account, change the password, and then report it to the IRS.

The broader digital identity context

The IRS-ID.me arrangement does not exist in isolation. Digital identity verification - and the question of who controls it - has become one of the more contested infrastructure questions in technology policy globally.

In Europe, the trajectory has moved toward state-controlled systems. The EU Digital Identity Wallet framework, requiring deployment across all 27 member states by December 2026, is building a government-issued credential system that allows selective disclosure - meaning users can prove age or identity without revealing more data than necessary. Google announced plans to support EU digital IDs through Google Wallet, with a rollout to select EU member states planned for summer 2026, positioning private infrastructure alongside the public framework rather than replacing it.

In the UK, the Online Safety Act created a parallel pressure toward age verification, with platforms now required to implement robust identity checks for certain content categories. That law triggered a 1,400 percent surge in VPN usage as users sought to circumvent verification requirements - a signal of how friction-laden identity systems produce avoidance behaviour rather than compliance.

Spain's data protection authority, the AEPD, fined the identity verification company Yoti a total of 950,000 euros for three distinct GDPR violations in early 2026, including 500,000 euros specifically for unlawful processing of biometric data. The ruling established that facial scan data held during an active account constitutes biometric data under Article 9 of the GDPR, a classification carrying strict legal requirements. That enforcement logic does not apply to US federal systems, where GDPR has no jurisdiction - but it illustrates the regulatory risk associated with biometric-based verification at scale.

On the legislative side in the United States, House Republicans introduced the SECURE Data Act on April 21, 2026, proposing a single national consumer data privacy framework to replace all state laws. The bill would create a federal data broker registration system administered by the Federal Trade Commission. Whether ID.me, in its role acquiring and enriching identity data from commercial sources, would meet the bill's definition of a data broker is a question the legislation does not directly answer in its current form.

Anthropic updated its own privacy policy on June 8, 2026, effective July 8, 2026, to include biometric identity verification provisions, introducing facial geometry templates as a data category and relying on a third-party KYC provider. Tech lawyer Tanya Chib noted in a widely circulated LinkedIn post that "most users will not notice that their biometric data is being processed by a company they have never heard of, under terms they have not separately reviewed." That observation applies with equal force to the IRS-ID.me arrangement, where taxpayers completing identity verification may not be aware that the process involves a commercial cloud provider - Google Cloud, as noted by Focazio - rather than a government-operated system.

What this means for marketing and ad tech professionals

The implications for the marketing community are less obvious than for individual taxpayers, but they are real. The IRS handles tax records that are directly relevant to advertising budgets, business accounts, and the financial infrastructure that funds media spending. Tax professionals accessing IRS e-Services on behalf of clients - agencies, brands, publishers - now depend on ID.me for that access.

More broadly, the IRS-ID.me model is one instance of a wider pattern: identity verification is migrating from government-operated systems to commercial providers, and those providers operate privacy policies and data practices that differ from what a government agency would be subject to under federal law. As IAB research has highlighted regarding first-party data consent, valid consent requires users to understand what they are agreeing to. Whether a taxpayer clicking through ID.me's verification flow has meaningful understanding of what happens to their biometric data is an open question.

The California data privacy framework - including the DROP platform, which had reached 242,000 sign-ups within its first eight weeks as of April 2026 and allows consumers to delete their data from hundreds of brokers simultaneously - applies to commercial data brokers. It does not apply to a federal government agency or, directly, to a company operating as a government contractor providing identity verification services. That jurisdictional gap is part of what makes the IRS-ID.me model unusual.

The fundamental tension, as Focazio put it on LinkedIn, is between a company that positions itself as privacy-first and the data acquisition practices described in its own published documentation. According to his post: "This is a massive problem and a failure of vision for how government should run. The last thing we need is a private, for-profit entity controlling my digital existence."

That is an individual perspective, not a policy determination. But it captures a structural question that the IRS help page - which describes the mechanics of account creation, not its political economy - does not address.

Timeline

Summary

Who: US taxpayers, tax professionals, and small organisations that need to access IRS.gov accounts and services, together with ID.me, a private identity verification company, and the Internal Revenue Service.

What: The IRS has made ID.me accounts mandatory for access to IRS.gov online services, including individual tax accounts, business tax accounts, and a range of professional and organisational filing systems. The registration process requires a Social Security number or ITIN, a government-issued photo ID, and in many cases a biometric face scan. The IRS page was last updated June 11, 2026.

When: The requirement has been in place in some form for several years, but the current scope - covering virtually all online IRS account access - was confirmed by the IRS help page updated June 11, 2026. Martin Focazio's LinkedIn post describing his experience was published June 26, 2026.

Where: The requirement applies to any person accessing IRS.gov online accounts and services from within the United States. The identity verification process is conducted via ID.me's platform, which runs on Google Cloud infrastructure according to Focazio's account.

Why: The IRS states the purpose is to "verify your identity to protect your privacy and keep your data secure," aligning with the NIST Special Publication 800-63-3 Digital Identity Guidelines for federal systems at Identity Assurance Level 2. The underlying architectural choice - using a commercial provider rather than government-operated identity infrastructure - is not explained on the IRS help page. Critics, including Focazio, argue that outsourcing identity verification to a private company whose data practices include purchasing data from commercial sources creates risks that are not addressed by ID.me's privacy pledges alone.