Login.gov deployment at US tax agency still on rocky ground
For more than a year between December 2022 and March 2023, the Personally Identifiable Information (PII) of more than 57,000 users of the U.S. Internal Revenue Service’s (IRS) Login.gov portal may have been compromised.
“We … were unable to conclusively confirm that PII associated with … 57,417 IRS user authentications were not affected by [a] critical vulnerability” that caused PII to be “sent to unauthorized locations outside of the United States by a Login.gov vendor’s fraud prevention solution,” said the U.S. Department of the Treasury’s Inspector General for Tax Administration (TIGTA) in a report released last week.
An additional 613,407 IRS user authentications for Login.gov were also “potentially placed at risk.” TIGTA found the IRS did not always complete the required Login.gov continuous monitoring security reviews, nor were Continuous Monitoring Reports consistently sent to the appropriate official to review. Consequently, “the IRS was unable to adequately and timely assess whether Login.gov’s security controls were operating as intended, remained effective, and protected against threats and vulnerabilities.”
These are just some of the most glaring problems identified by TIGTA, and none of them should come as a surprise. Deployment of Login.gov across the federal government has been a problem since it was launched in April 2017 to provide authentication and identity proofing services for federal government information systems and applications. It is supposed to allow individuals to securely use a single username and password to access public services offered by other participating federal government agencies.
But the effectiveness and security of the IRS’s deployment of Login.gov continue to be problematic, TIGTA said.
“Login.gov must be a trusted identity platform that meets federal and agency information security and investigative requirements,” TIGTA said. But “if these requirements are not met, identity proofing and authentications are weakened, potentially placing [PII] at risk of loss or theft, and investigations are jeopardized. In addition, if Federal Risk and Authorization Management Program [FedRAMP] continuous monitoring security reviews are not completed timely and reported consistently, the IRS would be unable to adequately and timely assess whether Login.gov’s security controls are operating as intended, remain effective, and protect against threats and vulnerabilities.”
FedRAMP is the U.S. government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.
The U.S. Government Accountability Office (GAO) said in a June “high-risk” report to Congress that there is a multitude of “urgent action[s] … needed to address critical cybersecurity” weaknesses in federal agency information security programs, including Login.gov. GAO said it has an ongoing review of “the extent to which Login.gov collects, shares, and protects personally identifiable information while providing identity proofing services.”
GAO said it’s also reviewing Login.gov’s cost and protection capabilities in comparison to other vendor solutions.
A year ago, the U.S. General Services Administration’s (GSA) Office of Inspector General reported finding that “GSA misled their customer agencies when GSA failed to communicate Login.gov’s known noncompliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines.”
Because Login.gov is a federal information system, its system standards must include minimum information security requirements as determined by the NIST Act of 2017.
“Notwithstanding GSA officials’ assertions that Login.gov met SP 800-63-3 Identity Assurance Level 2 (IAL2) requirements, Login.gov has never included a physical or biometric comparison for its customer agencies,” the GSA IG said. “Further, GSA continued to mislead customer agencies even after GSA suspended efforts to meet SP 800-63-3.”
GSA’s IG said “GSA knowingly billed IAL2 customer agencies over $10 million for services, including alleged IAL2 services that did not meet IAL2 standards. Furthermore, GSA used misleading language to secure additional funds for Login.gov. Finally, GSA lacked adequate controls over the Login.gov program and allowed it to operate under a hands-off culture. We found that because of its failure to exercise management oversight and internal controls over Login.gov, [the] Federal Acquisition Service (FAS) shares responsibility for the misrepresentations to GSA’s customers.”
Login.gov is a component of GSA’s Technology Transformation Services (TTS) under FAS.
The GSA IG’s investigation of the Login.gov program was prompted by the Treasury Department’s Office of General Counsel having “identif[ied] potential misconduct within Login.gov.”
“Our evaluation found GSA misled their customer agencies when GSA failed to communicate Login.gov’s known noncompliance with NIST Special Publication (SP) 800-63-3,” and that “at multiple points starting in 2019, Login.gov officials should have notified customer agencies that Login.gov did not comply with IAL2 requirements in SP 800-63-3. However, Login.gov did not notify their customer agencies until Feb. 3, 2022, after a Wired article reported that Login.gov used selfies for verification … Before then, Login.gov not only portrayed publicly that it was compliant with IAL2 requirements, but also misinformed customer agencies through interagency agreements stating that they met and/or were consistent with the IAL2 requirements.”
“Login.gov has never met the technical requirements for identity proofing and authentication at NIST’s IAL2 level, which include either a physical comparison or biometric comparison for identity verification,” GSA IG Carol Fortine Ochoa told the U.S. House Committee on Oversight and Government Reform’s Subcommittee on Government Operations and the Federal Workforce in March of last year.
The IRS deployed Login.gov in December 2022 to provide authentication services as one of its credential service providers (CSP), which are designated independent and trusted third parties that issue user authenticators and provide electronic credentials for accessing an information system or application. The IRS leverages Login.gov as a CSP for its Secure Access Digital Identity system.
According to IRS documentation, the Secure Access Digital Identity system employs the NIST digital identity standards that cover identity proofing and authentication of users, e.g., employees, contractors, and private individuals, who interact with federal government information systems or applications over open networks.
About a year ago, though, TIGTA “concluded that documented key events [showed that] at multiple stages IRS management raised concerns regarding the implementation of Login.gov.” And, according to IRS management, “with emphasis towards Login.gov deployment provided by the Department of the Treasury, the IRS continued planning efforts and expending resources, e.g., personnel and funds, to evaluate implementing Login.gov for IRS IAL2 applications even though Login.gov security concerns raised by IRS leadership and TIGTA’s Office of Investigations were not fully addressed by the GSA.”
About a year ago, TIGTA found that both FAS and TTS had hyped the Login.gov platform under false pretenses with 22 customer agencies and 2.1 million users between 2018 and 2022.
TIGTA said that in November 2019, GSA’s Chief Information Officer had “permitted Login.gov customer deployment of IAL2 services, with certain conditions, including strict limitations on users’ personally identifiable information and limiting IAL2 integrations to 2.1 million users in fiscal year 2020, among others. Our evaluation found that despite assertions made by Login.gov officials that they met SP 800-63-3, Login.gov has never included either a physical comparison or biometric comparison available to customer agencies, as required for identity verification at the IAL2 level. Rather than conducting physical or biometric comparisons, Login.gov was instead using a third party to compare identification cards to information contained in LexisNexis.”
Login.gov also dismissed additional safeguards when NIST strengthened the standards for identity verification, TIGTA said.
A biometric comparison measures both physical characteristics, such as a facial image, iris recognition, or fingerprints, and behavioral characteristics, such as typing cadence.
It was only last November that the IRS told TIGTA it did not know whether the Treasury department had sent the Login.gov Integration Consideration document to GSA, or even whether GSA had “sufficiently addressed and met the requirements.” This document specifies the service offerings, requirements, and commitments that Login.gov must meet prior to expanding authentication services to IRS IAL2 applications.
Specifically, it states that Login.gov must:
- Meet NIST IAL2 and Authorization Assurance Level 2 standards, including liveness presentation attack detection;
- Obtain independent certification of alignment to NIST Special Publication 800-63 Revision 3 assurance levels;
- Complete and execute a memorandum of understanding to share fraud data subject to IRS Publication 1075.8; and
- Implement four specific controls to improve its anti-fraud program as required by the U.S. Office of Management and Budget.
“Taking these steps will help move the IRS towards ensuring that Login.gov is NIST IAL2 compliant and reduce[s] the risk of unauthorized accesses going undetected,” TIGTA said.
“However, we identified additional security controls that need improvements,” TIGTA added.
Treasury’s IG said IRS’s Login.gov Integration Consideration document also doesn’t specify that Login.gov must comply with and meet the audit trail requirements in TIGTA’s Office of Investigations Audit Trail Needs document, which is short for Audit Trail Needs for the Secure Access Digital Identity Project.
The Audit Trail Needs document sets forth the “audit trail requirements and details the necessary data elements that CSP audit trails for IAL2 applications must include for investigations to be conducted properly.”
Further, TIGTA reported that “the IRS does not have consolidated guidance requiring CSPs that leverage the Secure Access Digital Identity system to capture all audit trail, including investigative, data elements. The Login.gov Integration Consideration document states that prior to providing identity proofing services for IAL2 applications, Login.gov must meet the draft Treasury/IRS/Login.gov Shared Requirements (also known as the IRS CSP baseline requirements but applies to Login.gov only). However, TIGTA’s Office of Investigations review of IRS CSP baseline requirements determined that they omit critical investigative audit trail data elements listed in its Audit Trail Needs document.”