Login.gov certified for IAL2 by Kantara with selfie biometrics addition

An identity verification system with selfie biometrics for the U.S. General Services Administration’s Login.gov single sign-on service has been certified as compliant with the federal government’s standard for high assurance identity proofing. The announcement came just ahead of a government oversight report suggesting that GSA should hurry up and complete its pilot of biometrics, and learn from the lessons the pilot makes available.
Login.gov’s new identity proofing service includes liveness detection, and is compliant with Identity Assurance Level 2 (IAL2), as defined in NIST SP 800-63.
Multi-factor authentication is used to secure Login.gov access, and additional identity proofing is performed on the first use of Login.gov for partners that require higher certainty, like the IRS. If performed remotely, that means face biometrics. The announcement avoids the use of the term “biometrics,” but states that Login.gov does not perform “one-to-many facial identification” or use submitted photos for any other purpose.
GSA says Login.gov will also continue to offer its existing identity verification and authentication methods alongside the biometric, IAL2-compliant method.
The agency has not revealed who is supplying the biometric software, but a GSA representative recently told NextGov/FCW that it is among the highest performers in NIST vendor evaluations.
Kantara’s Trust Status List states that the certification was effective September 25.
Login.gov requires users to set up a passphrase (except in the case of federal employees using a PIV or CAC), plus an additional authenticator for MFA. Those additional authenticators to access Login.gov can include one-time passcodes (OTPs) or WebAuthn methods, such as registered FIDO tokens, YubiKeys, or Titan Security Keys from Google.
GSA Administrator Robin Carnahan notes the importance of identity proofing in receiving government services and benefits, and balancing accessibility with protection against fraud and identity theft.
Login.gov is used by more than 50 state and federal agencies, and performs 300 million sign-ins a year, according to the announcement.
“Login.gov heard from our agency partners with higher-risk use cases that it was important that we offer a version of our strong identity verification service that is IAL2 certified,” says Hanna Kim, director of Login.gov. “We’re glad that we’ve been able to do this while ensuring that users continue to have multiple secure pathways to verify their identity, whether that is in-person or remote.”
Kim was promoted to her role in May to lead the implementation of a new pricing structure and the selfie biometric pilot for the service.
NIST is currently in the process of updating its Digital Identity Guidelines, which set out the requirements for IAL2, but the remote identity proofing process is expected to remain the same.
GAO identifies issues
The Government Accountability Office says in a report on Login.gov published this week that the GSA “has not yet fully addressed alignment with NIST guidelines or the identified technical issues.”
The Report to Congressional Requesters, titled “Identity Verification: GSA Needs to Address NIST Guidance, Technical Issues, and Lessons Learned,” also finds that both the remote identity proofing pilot and a USPS in-person identity proofing pilot do not align with the “leading practice” of identifying and documenting lessons learned to inform decisions about integrating the pilot activities. The pilot was found to meet the other four criteria.
A letter dated October 10, the day after the GSA’s announcement, describes the use of identity proofing services from LexisNexis by Login.gov, and the use of third-party services from ID.me, Okta and Experian, either alone or in combination with Login.gov, by government agencies.
Noncompliance with IAL2 was reported as a challenge with Login.gov by 12 of 24 agencies providing feedback to the GAO. Technical issues were reported by 9, and cost uncertainty was declared a challenge by 8.
GAO also complains that the Login.gov pilot did not have a scheduled completion date as of May.
Ultimately, the GSA agreed with the GAO’s recommendations to address the technical challenges, set a timeline for the completion of the pilot and incorporate lessons learned.