GSA's identity service on track to meet key standards, program director says

Login.gov launched 2017 to help federal agencies solve a pressing problem: how to know that users of secure services are who they say they are.

Housed in the General Services Administration, Login.gov boasts more than 100 million user accounts across federal and state agencies — but scaling up has been a long and winding road. 

Identity verification isn't simple, and it comes with challenges relating to privacy, equity, access and fairness.

“The problem Login.gov is trying to solve is really hard,” Login.gov director Hanna Kim told Nextgov/FCW in an exclusive interview. She joined the team in January before becoming the head of Login.gov in May.

That difficulty has been reflected in the recent history of the service. The program was dinged in a 2023 watchdog report that found that GSA had been misleading other agencies by claiming that Login.gov met a government standard known as identity assurance level two, or IAL2, when it did not. 

The easiest way to meet the IAL2 standard is via a biometric like facial recognition. But GSA leadership told Nextgov/FCW in 2022 that Login.gov wouldn’t use facial recognition until it had done reviews to ensure it could do so equitably. 

And at least some federal agencies with pressing identity verification needs have declined to use Login.gov for that purpose. 

One big potential customer that reaches nearly every U.S. resident – the IRS – doesn't use Login.gov for identity verification in part because it doesn't meet the IAL2 standard.

Now, Login.gov is “in a really good place to be able to meet IAL2 compliance,” Kim said. 

The agency is approaching the problem by using face matching technology, which relies on a one-to-one verification of two images — a selfie submitted by the user along with a photo of their government-issued ID. It’s done by comparing those two images, as opposed to searching through a gallery of images. 

GSA launched the face matching in May with select agency partners, and in July, opened up availability to any agency that wanted to participate. 

People that struggle or don’t want to use facial matching can opt to go in-person to participating post offices to get verified by Login.gov.

Kim added that she felt good about the target October timeline for obtaining an independent  certification, as listed in a Login.gov roadmap from May, with the caveat that she cannot control the board of the group doing the certification. 

So far, Kim said that “a handful” of agencies are using or preparing to use Login.gov’s face matching, but she won't say how many.

"Our general policy is that we want to encourage agencies to reach out to us for experimentation and testing. One of the things that we promise them is that we want to make sure that they own the story of being able to participate in the pilot,” said Kim.

“Some partners are looking to wait until the certification to test this capability, and other partners are willing to move forward with us right now from a one-to-one facial matching capability,” Kim said.

Adding face matching may help GSA meet the standard, but it opens up GSA to criticism about fielding biometrics. A GSA-backed study into how well this type of solution actually works is ongoing and preliminary results have found varying degrees of accuracy. One of the five solutions it tested performed worse for Black people. 

It's also worth noting that NIST, the agency that supports the IAL2 standard, is updating digital identity proofing guidelines to include non-biometric solutions.

“That’s one of the reasons why we were very intentional about making sure we're picking an algorithm and a vendor that has been having good results” in the face recognition vendor testing by NIST, Kim said, when asked about concerns about bias.

She also noted that “equity is a principle that's embedded in every decision,” and pointed out that “the equity study is run by GSA… I too am eagerly waiting for the journal and the article.”

GSA would not provide specifics when asked what vendors and algorithms the agency is using to power the face matching. 

“We’re in the process of integrating new vendors from the recently-awarded Identity Blanket Purchase Agreement,” a spokesperson told Nextgov/FCW via email. “On the algorithm for facial matching, Login.gov’s current vendor considers the specific details of their algorithm proprietary information, however, it is one of the highest performers in the NIST [face recognition vendor test] study.”

The testing “tells us there are good ways to mitigate algorithmic bias in the process,” Kim said. She noted that the error rate of the study looked across the entire process, as opposed to digging into specific steps like face matching in isolation.

The move to IAL2 is a big component of GSA’s work to build trust with agencies and lawmakers since the bombshell OIG report, said Kim, who also said that GSA has implemented all of the watchdog’s recommendations. 

The agency also hosts a quarterly meeting with partner agencies to ensure that it’s making sound investments in Login.gov, and frequently briefs stakeholders on Capitol Hill with an eye toward transparency, said Kim. 

One piece of data that’s not publicly available on Login.gov’s beta data portal is drop-off and pass rates of users.

“The reason why we have currently not published this number is, when you ask anyone in the identity space, ‘What is the proofing rate? What is the definition of proofing rate?’ you get, like, five different answers,” said Kim. 

“We feel like having a number out there, even if we add a definition section, has this risk of being extrapolated outside of context,” she continued, noting that GSA does share agency-specific proofing rates with its partners. 

Part of the reason why Kim has been briefing congressional stakeholders is likely due to the fallout from the GSA Inspector General Report report that called out the agency for its lack of IAL2 compliance and for misleading agency customers.

One committee even launched an investigation into the program. Among the questions was the tie-in with the Technology Modernization Fund, which gave Login.gov $187 million in 2021. 

Login.gov previously used some of that money to allow agencies to “get started” with Login.gov, said Kim, but “all agencies are paying for our services now.”

The TMF money is generally being put toward cybersecurity, anti-fraud, equity and accelerating adoption, she said. That includes funding an “upfront investment” for the in-person proofing capabilities. 

Kim is also navigating Login.gov’s financial setup, particularly that it’s meant to be cost-recoverable. The OIG report cites a comment from a former GSA official saying that the cost recoverability mandate was one of the pressures that may have led to the problems described in the report, along with the autonomy of the Login.gov team.

Sometimes, upfront investments may hurt cost recovery in the short term, but be the right decision long-term, Kim noted, drawing a distinction between public and private sector obligations. 

“I think cost recoverability is an indicator of financial sustainability, but not the whole picture,” Kim said. “As a public sector option, we have this very unique way of being accountable to the public where a private sector entity cannot be… We are not driven by profitability alone. We have an even broader accountability to the public.”