
Login.gov stumbles in federal effort to modernize digital identity


A new audit by the U.S. Government Accountability Office (GAO) has delivered a sobering assessment of Login.gov, the General Services Administration’s (GSA) flagship digital identity verification platform. The audit underscores long-standing gaps in Login.gov’s security protocols, particularly its incomplete implementation of backup data testing policies – an issue that leaves the platform and the personally identifiable information it manages more vulnerable to cyber incidents.

Launched by GSA’s Technology Transformation Services division in 2017 as a promising one-stop identity verification platform offering multi-factor authentication and fraud prevention to streamline public access to a range of federal services, Login.gov has been hampered by implementation delays, substandard data protections, and trust-eroding technical failures that continue to reverberate across federal agencies.

While envisioned as a secure, cost-effective alternative to commercial vendors, the platform’s trajectory over the past several years has been uneven, marked by a lag in meeting critical federal standards, notably those laid out by the National Institute of Standards and Technology (NIST).

One of the GAO’s central findings is that Login.gov failed to provide identity proofing services in full alignment with NIST standards until as recently as October 2024. This delay had wide-ranging consequences. From fiscal years 2020 to 2023, federal agencies spent nearly $210 million on commercial identity verification solutions, more than six times the $32.5 million spent on Login.gov. Many agencies reported that they could not rely solely on the GSA platform due to its technical limitations, particularly its inability until recently to perform identity proofing at NIST’s Identity Assurance Level 2 (IAL2), which requires remote or in-person biometric verification.

GSA attributed some of the deficiencies in data backup testing to staffing shortages. Specifically, the security engineering team responsible for Login.gov was not fully staffed until January 2024. Though GSA has since established a data protection policy, GAO found that it has yet to demonstrate that this policy is being effectively executed. The lack of rigorous testing for backup data integrity means that even with existing security protocols on paper, the system may fail under real-world conditions where data recovery becomes necessary.

The government’s push to enhance identity verification is a response to a dramatic rise in fraud and cyberattacks targeting federal systems. According to the Federal Trade Commission, over one million reports of identity theft were logged annually in 2022 and 2023. These incidents exploited data breaches at both government agencies and private institutions, compromising sensitive data such as Social Security numbers, passport details, and biometric identifiers. The urgency for federal platforms like Login.gov to meet gold-standard verification protocols is therefore not merely theoretical; it is vital to national cybersecurity and public trust.

Login.gov’s shortcomings have extended beyond technical capabilities. GAO said only two out of the five NIST-defined privacy protection practices had been fully implemented by the platform during the review period. While Login.gov had robust protocols for data security and access control, it fell short in demonstrating effective data protection procedures, especially those related to regular system maintenance and backup testing.

This vulnerability becomes even more concerning in light of a comparative analysis with commercial vendors such as ID.me, LexisNexis, and Experian. All three of these vendors offered remote identity proofing with biometrics and had achieved IAL2 capabilities well before Login.gov was deployed. Their systems also integrated facial recognition technologies and other advanced tools to ensure higher confidence in verifying user identities. By contrast, Login.gov was only able to achieve IAL2 compliance following an October 2024 update that enabled it to compare live “selfies” with government-issued photo IDs, a method long employed by its commercial counterparts.

Notably, this delay in capability cost the federal government millions. Agencies such as the Internal Revenue Service (IRS), Social Security Administration, and Department of Veterans Affairs (VA) relied heavily on commercial services to meet their identity verification needs. A year ago, the VA said it was implementing a more streamlined login process for veterans to access benefit and healthcare services through Login.gov or ID.me accounts. The IRS, meanwhile, has used ID.me to verify taxpayer identities for online services, incurring significant costs to ensure compliance with federal assurance standards.

Even as Login.gov has expanded its capabilities, agency adoption remains hampered by cost and flexibility concerns. The platform operates under two main pricing models: enterprise pricing based on the number of monthly active users, and transactional pricing for each authentication or identity proofing event. Despite the introduction of a revised pricing structure in July 2024 that GSA claims could reduce identity proofing service costs by up to 70 percent, many agencies still report commercial vendors as more cost-effective, especially those with lower transaction volumes or unique technical needs.

In one instance, the Nuclear Regulatory Commission opted to use Experian because it conducts only about 200 identity proofing operations annually, a scale for which Login.gov’s pricing model was deemed excessive. The Department of Justice, notably, does not use any public-facing identity verification solution at all.

GAO’s audit also examined compliance with federal privacy frameworks.

According to the audit report, while Login.gov and two of the selected commercial solutions (ID.me and Okta) implemented several security and privacy measures, only Okta achieved full alignment with all five NIST “protect” function categories. These categories include policies for data security, identity management, and the use of protective technologies. Login.gov, by contrast, only partially addressed categories related to data protection policy enforcement.

In interviews conducted for the audit, commercial vendors frequently cited business sensitivity concerns as the reason for refusing to disclose detailed pricing and technical specifications. This lack of transparency further complicated GAO’s ability to directly compare the cost-effectiveness and security postures of commercial services against Login.gov.

Nonetheless, by leveraging documentation from FedRAMP, GAO was able to conduct a comparative analysis, concluding that Login.gov still has work to do to match the maturity and thoroughness of private sector solutions in data protection and operational resilience.

The implications of these findings extend beyond GSA’s performance and into the broader discussion of federal digital transformation. Login.gov is not just a technical platform; it was a cornerstone of the Biden administration’s effort to modernize government services, reduce fraud, and restore public confidence in digital governance. Its slow progress underscored the challenge of building scalable, secure public-sector IT solutions capable of competing with private-sector innovation.

The Trump administration’s approach to Login.gov has been multifaceted, reflecting both support for its role in combating fraud and scrutiny over its compliance and operational effectiveness. Early this year, GSA’s Technology Transformation Services Director, Thomas Shedd, affirmed Login.gov’s importance in government-wide anti-fraud initiatives, and emphasized plans to accelerate its development roadmap, including the integration of features like facial recognition and support for mobile driver’s licenses to enhance identity verification processes.

Still, Login.gov’s future could be on shaky ground. Fears that it could be axed under Trump have grown amid increasing concerns over identity fraud in government programs. GAO reported that up to $135 billion in unemployment insurance fraud occurred during the pandemic, much of it enabled by identity theft.

GAO made a single but critical recommendation to GSA: it must demonstrate that it has fully implemented the policies and procedures for testing the integrity of its backup data. While GSA concurred with this recommendation, GAO emphasized that agreement alone is insufficient. GSA must also provide verifiable evidence that the intended results are being achieved, GAO said. In the absence of such accountability, the federal government risks further erosion of trust in its digital infrastructure.

Ultimately, GAO’s latest audit serves as both a critique and a call to action. As identity verification becomes more essential to the delivery of government services, the demand for a secure, compliant, and reliable federal authentication platform will only intensify. Login.gov has made progress, but unless GSA moves quickly to close its remaining gaps, the platform may continue to trail its commercial peers in the race to secure America’s digital front door.
