GSA biometrics evaluation raises scope and purpose questions ahead of pilot

An evaluation of biometric identity verification technologies recently conducted by the U.S. General Services Administration assessed their accuracy, both overall and for the many demographic groups that will be expected to use Login.gov for access to government services. The setup of the evaluation has raised questions, however, in particular about the limited number of vendors contributing technology to be assessed, and the third-party provision of core biometric technology.

Remote identity verification with a high level of assurance is necessary for high-value interactions like filing tax returns has proven a struggle for the U.S. government. Identity assurance level 2 (IAL2) requires an inherence factor, or biometrics, and practical considerations around how people connect remotely for access to services makes face biometrics the modality of choice for Login.gov, as authorities upgrade it to meet the standard.

Login.gov Director Hanna Kim tells NextGov/FCW that doing so is “really hard,” but also that the platform is “in a really good place to be able to meet IAL2 compliance.”

The GSA found a significant range in performance between vendors reflected in overall accuracy, but also in terms of the presence of bias, with two vendors found to work poorly with particular ethnicities. The agency assessed five of TransUnion, Socure, Jumio, LexisNexis, Incode and red violet, and anonymized them in the published results.

But FaceTec SVP for North American Operations Jay Meier takes issue with the way the evaluation was carried out. He begins by emphasizing in an email to Biometric Update that “GSA is not a testing authority.” Testing experts were involved in the evaluation, but the extent to which they were involved in designing it will likely have to wait for the publication of the final report next year.

He questions the appropriateness of the vendors chosen for the evaluation, arguing in a LinkedIn post that the GSA chose identity verification integrators over actual biometrics vendors. The GSA, Meier says, “refused to test anyone but IDV service vendors who typically outsource the component parts … like face matching. Its hard to know where they outsourced the biometric tech from, but there’s a LOT of junk on the market and you get what you pay for.” Incode is the only one of the possible vendors that has submitted an algorithm for evaluation in NIST’s FRTE 1:1.

Meier proceeds to argue that bias challenges are inherent to 2D face biometrics systems, and that “3D systems don’t exhibit bias.”

When a face biometrics algorithm is settled on, it will prioritize results in NIST testing to ensure that the system works equitably for different demographic groups.

Kim says that Login.gov is on track for independent certification of compliance to the IAL2 standard this month, or soon after. She also says that a “handful” of federal agencies have begun using selfie biometrics, or are preparing to do so.

A GSA representative told the publication that Login.gov’s current biometrics vendor is among the highest performers in NIST’s FRTE. The GSA is also integrating the vendors that collectively won a $194.5 million Blanket Purchase Agreement earlier this year: Experian, Idemia I&S, Carahsoft, LexisNexis, Aderas, Celerity, Diamond Capture Associates and TransUnion.

The Biden Administration has stipulated that Login.gov must be used across the government, and also that it must work equitably, Meier says, “and for good reason.” But, he notes, “if Login.gov cannot be shown to be equitable, it cannot be used the way the Administration wants.  So, what is the goal?  Is the ‘goal’ to utilize the best capabilities, the state of the art in Identity Verification and Authentication?  Or is the ‘goal’ to show that somebody achieved what was deemed to demonstrate equitable face matching, so all the requirements to deploy Login.gov are satisfied?  We may never know.”

NextGov/FCW notes that a non-biometric alternative is being added to the IAL2 criteria. That method involves a passcode delivered by snail mail to a confirmed physical address.

Article Topics

accuracy  |  biometric matching  |  biometric-bias  |  biometrics  |  face biometrics  |  FaceTec  |  GSA  |  IAL2  |  identity verification  |  Login.gov  |  selfie biometrics  |  U.S. Government