GSA makes a case for Login.gov on Capitol Hill following scathing report

Rep. Kweisi Mfume (D-Md.) was among several lawmakers concerned that Login.gov's lack of biometric proofing could have opened the door for fraud in government services. Chip Somodevilla / GETTY IMAGES

General Services Administration officials addressed allegations that the agency misrepresented identity proofing standards of Login.gov at a hearing Wednesday, as lawmakers pondered the potential for fraudsters in the system.

After a report outlined discrepancies in Login.gov’s identity proofing standards, lawmakers peppered General Services Administration officials with questions Wednesday about what they are doing to ensure the missteps haven’t enabled fraudsters.

The House Subcommittee on Government Operations and the Federal Workforce hearing centered on a March 7 inspector general report detailing how GSA officials misrepresented the level of identity proofing standards met by the government-run single sign-on service, Login.gov, subsequently billing agencies millions as a result.

But lawmakers from both sides of the aisle focused their questions on whether the identity proofing discrepancies could enable fraudsters to gain accounts and, therefore, government services.

“We rely on Login.gov to help us to root out potential fraudsters,” said ranking subcommittee member Kweisi Mfume (D-Md.), who asked about possibly involving the Justice Department. “For this to have gone on this long, we don't know if they were siphoning off money from essential government programs.”

Although Federal Acquisition Service Commissioner Sonny Hashmi told lawmakers that GSA has “no evidence… that this has led to any particular cases,” Mfume appeared unconvinced. 

“I don't think we can make the assumption that nothing bad happened,” the Maryland congressman said.

Rep. William Timmons (R-S.C.) also weighed the potential of increased fraud as a result of the identity proofing discrepancies, asking GSA officials, “If Login.gov had done what it said it could do, would it be harder to steal from the [Paycheck Protection Program and Economic Injury Disaster Loan] and easier to hold people accountable that did?”

The Small Business Administration — which managed both COVID-relief programs and saw fraud spike during the pandemic — does use the identity management service, according to Login.gov’s website, but the GSA inspector general stressed that making conclusions about any link would require a more thorough look at the context.

When asked by subcommittee chair Pete Sessions (R-Texas) if the program was checking the rolls for fraudsters following the report, Hashmi pointed to existing Login.gov identity proofing and fraud controls.

“I want to make it clear that Login.gov itself is a strong service,” said Hashmi. “We strongly believe in the product. We believe in the fraud capabilities that product already offers. For that reason, we will continue to invest in those capabilities.”

In terms of identity proofing, Hashmi said that Login.gov, which vets information against third party data and state driver databases and also uses phone and address verification, is “checking all of the accounts against [these data sources] constantly.”

A main reason that the service does not meet the digital identity guidelines set by the National Institute of Standards and Technology, known as Identity Assurance Level 2, is the lack of a biometric like facial recognition as part of its remote identity proofing process. GSA made public statements in 2022 that it would not use facial recognition due to equity concerns, and the report details an internal decision not to use it in 2021.

Under the current guidance, using biometrics like facial recognition is the easiest way to get to IAL2 compliance remotely, although NIST is currently updating the standard.

Hashmi called biometrics “the key failing” and “the key thing that prevents us from achieving IAL2,” saying that the agency “is continuing to investigate whether biometric technology is the right thing to implement at this point.”

There are legitimate privacy and equity concerns for facial recognition systems, although differentials vary depending on the camera system and matching algorithm. Charles Romine, director of NIST's Information Technology Laboratory, told lawmakers in 2020 that “users, policy makers and the public should not think of facial recognition as either always accurate or always error prone.” 

Still, Hashmi also came prepped with a pitch about why lawmakers and the government writ large should still back Login.gov.  

“The success of this program is paramount for the government to deliver digital services to their constituents,” said Hashmi, pointing to fraud prevention, privacy protections and simple access to government programs.

“We want to make sure that this is done in transparency and full accountability, because in this particular case, we feel very strongly that this program has the right philosophy to add value to the American people. And we want to make sure that we have the right accountability in place,” he said. 

So far, GSA has notified agency partners and the board of the Technology Modernization Fund about the misrepresentations of Login.gov’s identity proofing standards, modified interagency agreements, put new oversight mechanisms in place and pursued disciplinary action for some employees, said Hashmi. 

“As of today, none of the employees who were identified to have misled their customers knowingly, are employed by the GSA,” he said. “So while due process continues, we will make sure that those employees are no longer employed by our agency.”

The agency is also doing a top-to-bottom review of the Login.gov program. So far, they have found that the team lacks fraud management experts, said Hashmi.

“We're starting to build a small team of folks who have previously not only litigated, but processed fraud cases so that we can really understand how do we build the products that are actually designed to prevent those cases from happening?” he said.

Hashmi also said that since GSA notified customer agencies last year about the discrepancy around its identity proofing standards, “we have made sure that they understand exactly which accounts have come into their systems and they have independent ways to validate the mechanisms so that those individuals can be subsequently vetted again.”

The timing of the hearing falls as the White House considers a push of Login.gov across government agencies via executive order. Still, some identity vendors have asked the government not to limit itself to Login.gov alone. 

Some Republicans on the committee are wary about any plans to expand use of Login.gov – Sessions said that he had “concerns that the Biden administration may be making the problem worse,” noting that “Login.gov remains a significant part of the recently announced anti-fraud plan.”

Editor's note: An earlier version of this story misstated that the main reason Login.gov doesn't meet IAL2 standards was because of a lack of identity proofing. The service lacks a biometric screening capability as part of its remote identity proofing process.
