A new report from the Government Accountability Office finds fault with Login.gov’s Single Sign-On system—but it already seems to be out of date.
The GAO’s October 2024 report, GAO-25-106640, evaluates the General Services Administration’s (GSA) Login.gov identity verification service, which allows individuals to access federal websites using a single set of login credentials. The GAO identified several critical issues with the service, notably its failure to meet the National Institute of Standards and Technology (NIST) guidelines for Identity Assurance Level 2 (IAL2).
As of the report’s writing, Login.gov did not meet the NIST requirements for IAL2 (set out in SP 800-63A), which call for identity proofing, conducted either in person or remotely, that includes a physical or biometric comparison of the applicant against the identity evidence they present. The GAO report also cited technical problems, including high failure rates when users attempted to register and verify their identity, and user confusion over the available multi-factor authentication methods.
The report states that while Login.gov is used by 21 of the 24 CFO Act agencies and supports over 100 million user accounts, it has struggled with compliance. “Login.gov has not yet fully addressed alignment with NIST guidelines or the identified technical issues,” the GAO wrote.
The critical gap was the absence of a biometric comparison between the identity evidence a user submits and a physical attribute of the user, such as a live selfie matched against the photo on their ID, which NIST’s IAL2 standard requires. The GAO also noted that Login.gov had been charging customer agencies for IAL2-level services despite not meeting the standard, raising significant concerns about both compliance and trust.
However, new developments following the report’s publication suggest that Login.gov has since made considerable strides in addressing these issues. In an interview published on October 4, 2024, Login.gov’s Director, Hanna Kim, expressed confidence that the platform is now well-positioned to meet IAL2 standards, thanks to the implementation of face matching technology.
“We’re in a really good place to be able to meet IAL2 compliance,” Kim stated, pointing to the introduction of selfie-based authentication as a key solution.
The new flow compares a user’s live selfie with the photo on their government-issued ID and has been available to all federal agencies since July 2024. With it, Login.gov offers both a remote and an in-person identity proofing path, a significant step toward meeting NIST’s requirements. It directly addresses the GAO’s finding that the service had relied on third-party data checks rather than a biometric or physical comparison of the applicant to their identity evidence.
The GSA also confirmed that the technology has now been certified as IAL2 compliant by an independent third-party auditor, a major milestone for the platform.
In addition to the technical advancements, Login.gov has taken steps to increase transparency and rebuild trust with its agency partners. The GAO report noted that some agencies were hesitant to continue using Login.gov after the 2023 Inspector General report revealed misrepresentations about IAL2 compliance. To regain confidence, GSA has implemented quarterly meetings with partner agencies and regular briefings on Capitol Hill. Kim emphasized the agency’s commitment to accountability, particularly in light of the $187 million in modernization funds it received to enhance cybersecurity and anti-fraud measures.
While the GAO report serves as an important snapshot of the challenges Login.gov faced earlier in 2024, recent developments indicate that many of these issues are now being addressed. The rollout of biometric verification and IAL2 compliance represents a significant step forward for the platform.
Source: GAO
October 21, 2024 – by Cass Kennedy