US Congressional investigator specifies Login.gov’s persistent technical issues


While most of the 24 Chief Financial Officers (CFO) of federal agencies that use Login.gov for identity proofing services identified benefits associated with the use of Login.gov, these same CFOs also reported challenges with technical issues, according to the report of a recent audit by the Government Accountability Office (GAO) that was performed from December 2022 to October 2024.

Up until earlier this month, some federal agencies were continuing to tell GAO that they had issues with Login.gov not being compliant with National Institute of Standards and Technology (NIST) IAL2 standards. Though the issue of Login.gov’s noncompliance was satisfactorily addressed shortly before GAO released its report to the public, technical issues remain, the federal auditor said.

The General Services Administration (GSA) established Login.gov as an identity proofing system to access federal agencies’ websites using the same username and password. Login.gov collects a variety of personally identifiable information (PII) from users accessing government applications and websites. After collecting PII from users, Login.gov shares the data with multiple third-party vendors to determine whether users’ claimed identity is their real identity. Login.gov uses a range of methods to protect collected and shared PII, such as multi-factor authentication.

GAO said that at the time of its audit GSA had “not yet fully addressed alignment with NIST guidelines or identified technical issues” but had taken steps to align Login.gov with NIST digital identity guidelines, including completing a pilot on in-person identity proofing in March 2024 and beginning a separate pilot on remote identity proofing.

Before GAO’s audit report was completed, Congress’ investigative arm said, GSA announced that its remote identity proofing pilot and certification of Login.gov as an IAL2 compliant identity proofing solution had been concluded early this month and “that partner agencies will now have the option to select a new IAL2-compliant capability that offers a higher identity assurance level.”

GSA further announced that the new capability added one-to-one face biometrics matching technology that allows Login.gov to confirm that a live “selfie” taken by a user matches the photo on an ID, such as a driver’s license, provided by the user. GSA also informed GAO that the IAL2 certification covers both the remote and in-person identity verification offerings, effectively ending their remote identity proofing pilot.

GAO said it “confirmed that GSA obtained the IAL2 certification and verified that the agency now considers the pilot complete.” GAO added that GSA took the necessary steps to align with NIST guidelines and to offer IAL2 services to its partner agencies and had “conducted a pilot that resulted in Login.gov offering users the option to conduct in-person proofing at post office facilities at the start of the identity-proofing process.”

Technical issues remain, however, and were next on the list of problems the CFOs addressed with GAO, which noted that nine agencies reported challenges involving technical issues with Login.gov such as not having visibility into authentications, high failure rates, and lack of fraud controls.

“For example,” GAO said, “the Department of Labor [DOL] reported the lack of real time visibility into application authentications as being a major challenge.”

GAO said the department “noted that this real-time visibility is essential for identifying and addressing potential security threats, performance issues, or compliance issues in a timely manner.”

“In addition,” GAO reported, the Small Business Administration told it “that their public users experienced difficulties accessing and setting up Login.gov accounts. Specifically, officials noted that users had a 30-40 percent failure rate during account creation and reported that the multi-factor authentication options could be confusing to users.”

“Further,” GAO said, “the US Agency for International Development (USAID) reported that Login.gov’s SMS authentication option that uses text messaging or phone calls is not available in some countries, which impacts their employees’ ability to access the Development Information Solution.”

GAO said USAID has added more countries for international phone support such as using a multi-factor authentication method to receive texts, but “reported that phone numbers from some countries remain unsupported by Login.gov and GSA has not provided any timeframes for when this will be addressed.”

GAO found that Login.gov officials are communicating with agencies and taking steps to address the reported technical challenges, but that “GSA has not yet provided solutions or timelines to address these challenges. For example, during Login.gov’s Partner Advisory Group meetings, [DOL] requested advanced monitoring tools and a customer dashboard to address its challenge related to real-time visibility into authentications,” but that “GSA responded that they would consider implementing tools and a dashboard in the future but did not provide any information on these proposed changes or timelines for implementing them.”

GAO said the Social Security Administration continues to work with GSA to improve fraud controls and prevent inappropriate or criminal access to the PII they safeguard, and that USAID said it currently “does not have an immediate need to utilize GSA’s identity proofing solution but will ensure it aligns with NIST’s IAL2 guidelines before considering its use.”

The Department of Veterans Affairs told GAO one of the challenges it has experienced associated with Login.gov is that as of June, “the system is not fully compliant with section 508 of the Rehabilitation Act of 1973.” The department noted that ensuring access to information and communications technologies is essential to accomplishing its mission.

In 1998, Congress amended the Rehabilitation Act of 1973 to require federal agencies to make their electronic and information technology accessible to people with disabilities.

Fifteen federal agencies had no comment on GAO’s draft report.
