Login.gov is still 'vital' despite setbacks, GSA official says

FAS Commissioner Sonny Hashmi said Thursday that Login.gov provides identity proofing that "doesn't have a profit motive."

FAS Commissioner Sonny Hashmi said Thursday that Login.gov provides identity proofing that "doesn't have a profit motive." SEAN GLADWELL / Getty Images

Natalie Alms By Natalie Alms,
Staff Reporter, Nextgov/FCW

By Natalie Alms

|

In a Thursday keynote, Sonny Hashmi talked about the future plans for the single sign-on following a bombshell watchdog report about the program in March.

Sonny Hashmi, the commissioner of the Federal Acquisition Service at the General Services Administration, talked about the path forward for GSA’s single sign-on service Login.gov Thursday, after a bombshell inspector general report in March revealed the service did not meet the guidelines it had claimed to have.

“A lot has been learned over the last few months, and we want to make sure that internally, we don’t repeat those mistakes,” he said during a keynote at a Carahsoft event.

Even so, “the need for Login as a program has never been more vital,” he said. “It’s incumbent upon us — all of us — to solve for this problem in a way that actually works for all Americans. I don’t think we’re there yet, but we’re making progress.”

The March inspector general report outlined how Login.gov officials had misled other federal agencies over a period of years about what standard of identity proofing the service met. 

The remote identity proofing standard in question is called identity assurance level 2, or IAL2. It’s set by the National Institute of Standards and Technology and is most easily met by using a biometric like facial recognition, something GSA publicly committed not to use in 2022, citing equity concerns.

At the time of the watchdog report, GSA said it would do a top-to-bottom review of the program, and pointed to a new director and a new Login.gov steering committee. The agency also disciplined relevant employees, created a new General Counsel’s Office specifically focused on tech and law and said it was reviewing financial operations and existing financial management controls.

“Our job now, as we move forward with Login, becomes to create a consensus across the federal government in partnership with NIST to build a common set of controls that validate digital identities,” said Hashmi, “We’re working very closely with NIST.” 

NIST is currently updating its digital identity proofing standards for the first time in years and has signaled an interest in “emerging and alternative” tech that doesn’t require facial recognition to reach IAL2.

The draft update released last year also created a new standard for lower-risk situations, meant to give those using these standards more flexibility. 

Login.gov, which also was awarded the biggest single investment from the Technology Modernization Fund to date — nearly $187 million in 2021 — has also been a focus of the White House.

President Joe Biden teased an executive order on identity theft in his 2022 State of the Union address, which has yet to be released. A draft obtained by Nextgov/FCW in February 2023 contained plans to rapidly scale the single sign-on service across government.

Asked about Login.gov in May, federal chief information officer Clare Martorana told Nextgov/FCW that, “it is a system that is required in government. We should be able to sign on simply, seamlessly and securely to any government service.”

Martorana alluded to “the challenges of the last year,” which she said “continue to keep us on a path of wanting to make sure that we are working with the highest level of integrity.”

Even so —“I still am really bullish about Login.gov,” she said. “But I do know that IT organizations in government are on their own path,” noting differences across agencies.

On Thursday, Hashmi talked about the driving principles for Login.gov.

First: “It needs to be usable by everybody,” he said, pointing to unhoused people and people without cellphones or credit histories. 

That rules certain technologies out, said Hashmi, as does a sharp eye against bias in systems.

“Our job becomes harder,” he said. “We take that with pride.”

GSA made public statements in 2022 that the service wouldn’t be using facial recognition because of concerns about bias. 

NIST testing of facial recognition algorithms in 2019 found differentials in performance according to race and gender, although top NIST officials have more recently said that algorithms have generally improved. Photograph quality — particularly exposure levels in photographs of people with darker skin tones — also impacts accuracy.

The second core value is privacy, said Hashmi. “Thirdly, it needs to be based on private sector technologies.”

“We don’t pretend to invent these technologies,” he told the audience, which included government contractors. “We leverage products that you all built, and we want to be able to… bring them together in a way that leverages the best innovation in the private sector.”

Still, Hashmi also argued that the role of the government, versus private companies, is important.

“The whole premise of Login has always been to create a government-issued digital identity that is built and operated by an organization that doesn't have a profit motive to leverage that information, to use people’s data against them, to sell their data for profit or to manipulate their privacy,” he said. 

“There’s a reason why there’s a competition going on in the private sector for owning your identity. There’s a reason why everybody from Facebook to Google to everybody is in the identity business all of the sudden, because they know that once they own the identity… they can control the data,” he said. “When we cede that control to private sector companies who have a profit motive in manipulating that information, then we don’t do right by the American people.”

“That’s unfortunately been going on in pockets… especially at the state and local level for the last few years, because in desperation, without an alternative being present, agencies have had to make difficult choices,” he continued. “They’ve had to say, ‘We’re going to trust that this private company is going to validate your identity. We’re going to trust that they are doing the right thing.’”

Some industry actors and identity proofing vendors, meanwhile, have urged the White House not to lock the government into a single solution, saying it would inhibit innovation.

Hashmi said the need for Login.gov became “acute” during the pandemic, which sped up the move to digital services in government.

“Pick any agency,” he said. “And you say, ‘We’re going to go digital.’ The first thing you ask is, ‘How am I going to know who’s logging in?’

“That’s why Login is important. That’s why, just generally, there’s been so much energy in this space. The White House has been very involved actively thinking about challenges. NIST has been very actively working on these areas,” he added. “So we’re excited about some of the things coming down the pike on this space.”

NEXT STORY: SSA says it will offer data matches to government benefit programs

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.