Hacks cause Login.gov to advance digital ID verification through remote proofing

In response to more than a few serious breaches of Login.gov, the General Services Administration (GSA) is driving a major technological upgrade of the Login.gov platform through its Next Generation of Remote Unsupervised Identity Proofing Solutions program.
This effort, outlined in the Functional Area 1 (FA1) Call Order Statement of Work (SOW), reflects a strategy to securely and efficiently expand digital identity verification services to a broader population, including users across the United States and abroad. The overarching goal is to maintain compliance with the National Institute of Standards and Technology’s (NIST) SP 800-63-3 guidelines while enabling secure, unsupervised, remote identity verification at scale.
Recent events revealed significant vulnerabilities in the current system. GSA disclosed in a partially redacted Limited Sources Justification document that in April an unspecified entity flagged numerous potentially fraudulent accounts which had successfully passed Login.gov’s Identity Assurance Level 2 (IAL2) verification process.
An internal investigation by the Login.gov Anti-Fraud Team confirmed that these accounts bore indicators of fraud. The perpetrators and their methods remain redacted, but GSA acknowledged that the sophistication of these identity fraud attempts is likely to escalate rapidly. In response, the Anti-Fraud Team determined that relying solely on a single identity verification method within any functional area leaves the system exposed.
This assessment has led to an immediate strategic pivot. GSA now recognizes the urgent need to introduce a secondary identity verification layer within Functional Area 2 (FA2), particularly to reinforce the platform’s resilience as new fraud techniques continue to evolve. This adjustment underscores the necessity of building a multi-solution framework to effectively adapt and respond to emerging threats in real time.
This next generation of Login.gov’s remote unsupervised identity proofing solutions, which has a potential total value of $7.5 million, reflects a transformative shift in how the federal government is operationalizing identity verification. It is designed not only to increase security and accuracy, but also to prioritize usability, accessibility, and inclusivity.
By mandating high performance, strict compliance with federal standards, and transparent reporting from contractors, the initiative is positioning Login.gov as a national model for secure and equitable digital access to public services.
The Next Generation of Remote Unsupervised Identity Proofing Solutions is a strategic initiative to modernize and secure how digital identities are verified remotely. The effort focuses on remote, unsupervised identity proofing that aligns with NIST IAL2 standards, which allow for strong identity verification without requiring an in-person or live video session.
The pre-solicitation phase for this program began as a sources sought notice, signaling GSA’s intent to gather input and solutions from industry leaders capable of delivering secure, equitable, and innovative identity verification technologies. A subsequent award announcement indicated a shift in contract support from legacy providers such as LexisNexis as GSA transitioned to more advanced and diversified vendor solutions under new task orders.
NIST guidance confirms that while unsupervised remote identity proofing is acceptable at IAL2, it is not permitted at the more stringent IAL3 level due to the absence of real-time human oversight. These standards ensure that digital identity solutions strike a balance between security, usability, and accessibility for millions of Americans seeking to interact with federal services online.
Login.gov’s identity verification strategy encompasses three interlocking service categories: document capture, document authentication, and document validation. These form the foundation of FA1 and are designed to ensure that users’ identity evidence, such as driver’s licenses, passports, or other government-issued documents, is accurately captured, verified for authenticity, and validated against authoritative databases.
Document capture tools, referred to as Identity Evidence Document Capture products, are required to operate on both web browsers and mobile platforms, including legacy and accessibility-challenged devices. These products must support languages including English, Spanish, and French, while maintaining compatibility with all major operating systems released in the last four years. Furthermore, these tools must adhere to Section 508 and Web Content Accessibility Guidelines accessibility standards.
Once captured, identity documents must be authenticated by Identity Evidence Document Authentication (IEDA) services, which use algorithmic or human-in-the-loop techniques to classify and confirm the legitimacy of uploaded documents. The SOW mandates that these systems be capable of recognizing a wide range of document types issued by state, federal, tribal, and foreign governments, and must deliver 99 percent accuracy in document authentication when provided with quality images. Additionally, the IEDA services must return not only the authentication outcome but also the reasons for the success or failure of the validation, along with the extracted personal data.
Subsequent validation is carried out through Identity Evidence Document Validation services, which confirm the document’s authenticity by cross-referencing its information with authoritative databases, such as those of the issuing agencies.
The goal is to achieve a minimum of 95 percent validation accuracy across tribal, state, and federal levels. This multilayered identity verification model strengthens the reliability and trustworthiness of the identity proofing process while enabling a seamless, self-service experience for users.
Complementing the document-based proofing process is FA2, which centers on one-to-one facial image matching. This facet is particularly vital for verifying that the individual submitting the documents is indeed the person they claim to be. Facial image matching tools are required to capture and analyze user photographs in a privacy-conscious manner. This process must include passive and, optionally, active liveness detection to prevent spoofing and presentation attacks.
In alignment with NIST guidelines, facial comparison software must exhibit strong biometric performance with a false match rate of 1 in 10,000 and a false non-match rate of 1 in 100 or better. Contractors are required to disclose technical specifications, the provenance of training data, and performance metrics based on evaluations such as NIST’s Face Recognition Technology Evaluation.
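The two figures above are operating-point metrics: a false match rate (FMR) is the share of comparisons between different people that the matcher accepts, and a false non-match rate (FNMR) is the share of same-person comparisons it rejects, both measured at one decision threshold. The following added example, which is not code from GSA, Login.gov or any vendor named in the article, shows how a reviewer would check a matcher's reported performance against the SOW's 1-in-10,000 FMR and 1-in-100 FNMR limits: it picks the lowest threshold whose measured FMR meets the target, then reads off the FNMR at that same threshold. The genuine and impostor similarity scores are synthetic, seeded samples constructed for the example; the function names and the two sample generators are assumptions.

```python
import math
import random

# Limits quoted in the article for the FA2 facial comparison software.
FMR_REQUIRED = 1 / 10_000   # false match rate: impostors wrongly accepted
FNMR_REQUIRED = 1 / 100     # false non-match rate: genuine users wrongly rejected


def false_match_rate(impostor_scores, threshold):
    """Fraction of different-person comparisons scoring at or above threshold."""
    if not impostor_scores:
        raise ValueError("need at least one impostor comparison")
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_non_match_rate(genuine_scores, threshold):
    """Fraction of same-person comparisons scoring below threshold."""
    if not genuine_scores:
        raise ValueError("need at least one genuine comparison")
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def threshold_for_fmr(impostor_scores, target_fmr):
    """Lowest threshold at which the measured FMR does not exceed target_fmr.

    At most floor(target_fmr * n) impostor scores may be accepted, so the
    threshold is set just above the highest impostor score that must be
    rejected. Ties are handled because the threshold strictly exceeds it.
    """
    scores = sorted(impostor_scores)
    n = len(scores)
    allowed_false_matches = int(target_fmr * n)
    if allowed_false_matches >= n:
        return scores[0]                       # everything may be accepted
    highest_rejected = scores[n - allowed_false_matches - 1]
    return math.nextafter(highest_rejected, math.inf)


def evaluate_matcher(genuine_scores, impostor_scores,
                     fmr_required=FMR_REQUIRED, fnmr_required=FNMR_REQUIRED):
    """Pick the operating point that meets the FMR limit and report the FNMR there."""
    threshold = threshold_for_fmr(impostor_scores, fmr_required)
    fmr = false_match_rate(impostor_scores, threshold)
    fnmr = false_non_match_rate(genuine_scores, threshold)
    return {
        "threshold": threshold,
        "fmr": fmr,
        "fnmr": fnmr,
        "meets_sow": fmr <= fmr_required and fnmr <= fnmr_required,
    }


# Constructed, seeded score samples (assumption: unitless similarity scores
# where higher means "more alike"). A reviewer would use the vendor's own
# evaluation data instead, e.g. results from NIST's FRTE testing.
def strong_matcher_samples(seed=7):
    rng = random.Random(seed)
    genuine = [rng.gauss(0.88, 0.05) for _ in range(2_000)]
    impostor = [rng.gauss(0.30, 0.10) for _ in range(50_000)]
    return genuine, impostor


def weak_matcher_samples(seed=7):
    # Same impostor distribution, but genuine scores overlap it heavily:
    # meeting the FMR limit forces the threshold so high that many real
    # users are rejected, so the FNMR limit is missed.
    rng = random.Random(seed)
    genuine = [rng.gauss(0.70, 0.10) for _ in range(2_000)]
    impostor = [rng.gauss(0.30, 0.10) for _ in range(50_000)]
    return genuine, impostor


if __name__ == "__main__":
    for name, samples in (("strong", strong_matcher_samples()),
                          ("weak", weak_matcher_samples())):
        result = evaluate_matcher(*samples)
        print(f"{name}: threshold={result['threshold']:.3f} "
              f"FMR={result['fmr']:.5f} FNMR={result['fnmr']:.4f} "
              f"meets SOW={result['meets_sow']}")
```

Note that measuring an FMR of 1 in 10,000 with any confidence needs tens of thousands of impostor comparisons; with fewer, `threshold_for_fmr` falls back to rejecting every impostor score, which says nothing about how the matcher behaves at the real operating point.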
Security is a pillar of the initiative, and all contractor systems must comply with FedRAMP and NIST 800-series guidelines. The evaluation and authorization process depends on data sensitivity, retention, and interaction with GSA systems.
Contractors are responsible for delivering security plans, including static and dynamic application security testing reports, software bills of materials, and cyber-supply chain risk management documentation. They also must be capable of responding to unplanned outages within 15 minutes and restoring services within a six-hour window. Emergency vulnerabilities must be patched within 24 hours, and less critical ones within 30 to 90 days depending on severity.
Privacy considerations are equally critical. All contractors must provide draft Privacy Impact Assessments, data field usage documentation, and details of all external services used during processing. Contractors must follow GSA’s internal privacy policies and federal law to ensure that data collected for identity proofing is neither enriched nor commercialized beyond its intended government purpose.
Data ownership under this SOW explicitly affirms that Login.gov retains full control over data and prohibits third-party enrichment. Contractors are restricted in how data may be retained or reused to ensure the integrity of the system and the privacy of the users.
Operationally, contractors must deliver on rigorous performance objectives, including maintaining 99.9 percent uptime in production environments and handling a total of at least 200 transactions per second. They must generate and share regular service usage, success rate, and outage analysis reports. In addition to performance monitoring, contractors must support ad hoc requests for performance analytics and submit a roadmap outlining upcoming software changes or updates.
Management and oversight are also emphasized in the SOW. A designated program manager must act as the key liaison with Login.gov, ensuring coordination between technical implementation and administrative needs. Management responsibilities include producing continuity of operations and disaster recovery plans, ensuring system backups, and delivering meeting minutes from recurring staff engagements.