Fed Contract Pros™

GSA’s Login.gov: Identity Verification Progress and Challenges

This GAO report highlights the critical role of Login.gov, an identity proofing platform created by the General Services Administration (GSA), in facilitating secure access to government websites and services. While the platform offers significant benefits, including operational efficiency and enhanced user experience, it faces notable technical and compliance challenges. This report underscores the complexity involved in ensuring alignment with federal standards for identity verification and the importance of addressing technical and policy gaps to improve public trust and functionality.

Since its launch, Login.gov has been implemented by over 40 agencies, making it a central component in verifying individuals accessing government services. The platform employs non-biometric verification methods, requiring users to provide personal information, such as names, addresses, and Social Security numbers. These details are then shared with third-party vendors, including LexisNexis, to validate user identities. However, Login.gov’s primary verification level—known as Identity Assurance Level 1 (IAL1)—lacks the linkage of users to specific real-world identities, making it unsuitable for high-assurance transactions. This shortfall has created friction for agencies needing compliance with the National Institute of Standards and Technology (NIST) guidelines, particularly IAL2, which requires more rigorous proofing through biometric comparisons or physical verification.

Efforts to address these shortcomings are underway. GSA has initiated pilot programs to explore both in-person and remote identity proofing options. The in-person pilot, concluded in March 2024, allowed users to verify their identity at U.S. Post Office locations. While this option saw success and was permanently implemented, GSA’s efforts to roll out remote identity proofing are still in progress. This remote option would enable users to submit “selfies” matched against official identification images, meeting IAL2 standards. However, the timeline for the full implementation of the remote solution remains uncertain. A third-party audit for IAL2 compliance is in process, and as of October 2024, the system has not yet achieved certification, leaving some agencies cautious about full adoption.

The report also details challenges reported by 24 Chief Financial Officer (CFO) Act agencies, many of which rely on Login.gov. Although 21 agencies reported that Login.gov improved operations, enhanced user experiences, and reduced costs, they identified critical issues related to noncompliance, technical performance, and pricing. For instance, the platform’s noncompliance with IAL2 guidelines has caused some agencies, such as the Small Business Administration, to pause their integration efforts. Additionally, agencies reported high failure rates in multi-factor authentication processes and difficulties setting up accounts, with some users encountering technical issues in international contexts.

Technical transparency and communication with agencies have also been areas of concern. For example, agencies expressed frustration over the lack of real-time monitoring tools and customer dashboards to manage authentication flows. GSA acknowledged these concerns but has yet to provide firm timelines for resolving these technical challenges. Additionally, cost uncertainty was highlighted by several agencies, with complaints about the lack of multi-year pricing models and unpredictable renewal costs. GSA responded by introducing a new pricing model in July 2024, intended to provide greater cost stability and transparency.

The report emphasizes the need for better alignment with leading practices for pilot programs, especially in documenting lessons learned. While both pilot programs successfully met key benchmarks—such as establishing measurable objectives and maintaining stakeholder communication—GSA did not adequately document insights from the in-person identity proofing pilot. Without capturing these lessons, the agency risks missing valuable information that could inform future efforts, including the remote identity proofing pilot.

Ultimately, the GAO’s recommendations stress the importance of closing technical and compliance gaps. GSA must ensure that Login.gov aligns with NIST guidelines, propose actionable solutions to the identified technical issues, and set clear timelines for implementation. As the federal government continues to expand its digital presence, the successful rollout of a secure and reliable identity proofing system like Login.gov will be essential for safeguarding public trust and ensuring smooth access to services.
