Challenges remain in effective digital ID management for public benefits, report says
The methods state agencies employ for identity proofing and authentication in online public benefits applications play a crucial role in determining how efficiently applicants can access essential services. And as governments increasingly digitize their services, balancing the needs of security, accessibility, and equity becomes paramount, with identity proofing and authentication forming the backbone of digital identity management in public benefits systems.
However, a new report from the Beeck Center for Social Impact (BCSI) says that while the landscape of identity proofing and authentication in U.S. federal and state public benefits applications is evolving, there was only incremental progress in 2024. The new report looks at identity proofing and authentication practices across six federally funded, state-administered programs to understand when and how states use account creation, authentication, and identity proofing in initial online public benefits applications.
“The way state agencies structure online account creation processes and requirements for applicants and beneficiaries to prove who they are may impact whether and how quickly individuals can apply for and start receiving benefits,” the report says, noting that while some states are adopting innovative practices and offering greater flexibility, challenges still remain in achieving equitable and effective digital identity management.
By prioritizing human-centered, risk-based approaches and fostering cross-sector collaboration, the report says, state agencies can enhance the accessibility and security of public benefits systems, ensuring that all eligible individuals can access the support they need.
“By documenting the landscape of current practices, this project aims to help the broad ecosystem of peer states, federal agencies, advocates, academics, and civic tech organizations identify states that are taking unique, unusual, or potentially promising approaches,” the BCSI report said, noting that “the dataset also identifies states that are putting up potential barriers through their implementation of account creation, authentication, and identity proofing.”
The report says that in 2024, identity proofing requirements increased only slightly, with 42 applications implementing such measures compared to 37 in 2023. Identity proofing was most common in unemployment insurance applications, reflecting the high fraud risk associated with these benefits.
However, applications for programs like MAGI Medicaid also showed a significant presence of identity proofing requirements, with 52% of applications incorporating such steps. By contrast, applications for Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) assistance remained the least likely to include identity proofing, with only one state, Michigan, employing optional identity proofing in its combined application process for Supplemental Nutrition Assistance Program (SNAP), Temporary Assistance for Needy Families (TANF), Medicaid, WIC, and childcare.
The timing of identity proofing steps can significantly impact user experience and system efficacy. Of the applications requiring identity proofing, 21 placed this step before an applicant could initiate the application process, while 11 integrated it into the application itself. The placement of identity proofing at the start of the process may inadvertently create barriers for individuals unable to complete this step due to technical difficulties or insufficient documentation.
Such barriers, the BCSI report says, could result in eligible individuals being excluded from the application process entirely, with their struggles not being reflected in system metrics like abandonment rates. Some states, however, adopted an optional approach to identity proofing, allowing users to skip this step initially or proceed with the application even if identity verification failed. This practice, observed in 19 applications, mitigates potential exclusion while still facilitating eventual verification through alternative means.
Diverse methods of identity proofing are employed across states, reflecting varying levels of risk tolerance and resource availability. Unemployment insurance (UI) applications, for instance, have seen an increasing reliance on biometric solutions, with 24 state workforce agencies utilizing technologies like ID document upload paired with live selfies for verification.
By comparison, non-UI programs predominantly relied on knowledge-based verification or document submission, either in person or through the mail. The report says biometric methods often offer high levels of accuracy but can also raise concerns about privacy and accessibility. For example, individuals without access to necessary technology or those uncomfortable with biometric data collection may face difficulties completing the process.
“Recognizing that beneficiaries and applicants have different levels of comfort with and access to technology, benefits administering agencies can offer beneficiaries and applicants choices about when and how to create accounts or verify their identities, if those identity management steps are relevant for a particular online interaction,” the BCSI report says.
The report also says that “if applicants and beneficiaries are unable to use self-service pathways to regain access to their account when they forget or lose their password, this can drive up calls to call centers and prevent people from responding to important notices or requests for information.”
A key element of effective identity proofing is offering applicants choices about how they verify their identities. The report says that in 2024, 21 agencies were found to provide multiple pathways for identity proofing, such as choosing between self-service biometric verification, video calls, or in-person verification at kiosks or post offices. This flexibility acknowledges the diversity in applicants’ circumstances and technological access, promoting inclusivity.
Authentication practices in public benefits applications also varied widely, reflecting different priorities in security and user experience. In 2024, 75% of applications required users to create an account to apply online, a figure consistent with 2023. Account creation requirements were particularly prevalent in unemployment insurance applications. Among applications requiring account creation, 76% mandated the provision of an email address, underscoring the central role of email in digital identity management.
Single sign-on (SSO) systems were used in 36 applications, enabling users to access multiple government services with a single set of credentials. While SSOs streamline the user experience, they also can introduce challenges if stringent security requirements, such as mandatory identity proofing, are universally applied across services with differing risk levels. Fourteen applications permitted login via third-party credentials, such as Facebook, Google, or ID.me, offering additional flexibility but raising concerns about data privacy and interoperability.
Authentication methods also included layering multiple factors to enhance security. Of the reviewed applications, 79% employed at least one additional authenticator alongside passwords. These measures included one-time passcodes sent to email addresses or phones, security questions, and authenticator apps. While 56% of applications offered multiple authenticator types, enabling users to choose the most convenient option, there were notable gaps in adopting modern and secure practices. For instance, only one state, Michigan, utilized passkeys as an authentication option, which the National Institute of Standards and Technology (NIST) identifies as a phishing-resistant authenticator.
Security questions, though still used by 27 applications as the sole authenticator, exemplify an outdated practice that offers minimal security benefits, the BCSI report says, noting that such questions are susceptible to breaches and can create unnecessary friction for users. NIST’s guidelines do not recognize security questions as a reliable authenticator, highlighting the need for agencies to modernize their practices.
Another significant challenge in authentication lies in ensuring that measures work effectively for diverse user populations. For example, requiring a one-time passcode sent via text may exclude individuals without reliable access to a mobile phone. Similarly, processes that demand specific technological capabilities, such as downloading an authenticator app, may not be feasible for all applicants. Human-centered design principles, which prioritize the needs and constraints of users, are critical in addressing these challenges.
An emerging area of interest is the integration of phishing-resistant authenticators and risk-based authentication approaches. These methods adjust security requirements based on the sensitivity of the transaction or the user’s behavior, offering a tailored balance between security and usability. As public benefits programs explore such innovations, they must remain mindful of equity implications, ensuring that security enhancements do not inadvertently disadvantage vulnerable populations.
The report states that identity proofing and authentication processes must be viewed as integral components of the broader service design for public benefits applications, and that effective implementation requires close collaboration among state agencies, federal partners, and technology vendors.
BCSI said partnerships with organizations like NIST and the Center for Democracy and Technology are instrumental in developing guidelines that address the unique needs of public benefits programs. These collaborations aim to create frameworks that promote access while safeguarding sensitive data.
Article Topics
Beeck Center | biometric authentication | biometrics | digital ID | digital inclusion | government services | identity proofing | social protection
Comments