Industry, Congress have eye on Login.gov and the public, private sector role in digital identity

Two tech industry groups are pushing for the federal government to adopt a “technology-neutral approach” to how it manages digital identity.

Two tech industry groups are pushing for the federal government to adopt a “technology-neutral approach” to how it manages digital identity. d3sign / Getty Images

Featured eBooks
Space Tech
Read Now

CDM

Read Now

Digital Transformation

Read Now
Natalie Alms By Natalie Alms,
Staff Reporter, Nextgov/FCW

By Natalie Alms

|

The Software Alliance and Enterprise Cloud Coalition calls for a “technology neutral” solution to digital identity in a recent letter after Congress directed GSA to promote a policy of multiple credential service providers.

Two tech industry groups are pushing the federal government to take a “technology-neutral approach” to digital identity in a recent letter to top White House leaders.

The Software Alliance — also known as BSA — and the Enterprise Cloud Coalition asked top White House actors to “reaffirm” a commitment to “technology neutrality” for digital identity in a Feb. 3 letter shared with FCW to Chris Inglis, the national cyber director who just announced his retirement; Anne Neuberger, deputy national security advisor for cyber and emerging tech; and Eugene Sperling, American Rescue Plan coordinator. 

The proposal is potentially at odds with the General Services Administration’s plan to have its Login.gov platform be the primary secure sign-on system in government.

The letter also follows language in the explanatory statement from Congress for the latest appropriations omnibus directing the General Services Administration to pursue a “government-wide policy that leverages … multiple credential service providers.”

Those developments come as the government continues to grapple with digital identity, or how to verify individuals online, in the context of continued fallout from fraud during the pandemic, much of which occurred via identity theft.

At stake for industry vendors is both the extent to which government agencies are encouraged to look to the market for identity solutions as well as the extent to which GSA itself goes to industry to power Login.gov.Industry “can't come out and say no, because they all see this as a chance for them to make money working with Login.gov, but … they also want to sell their own identity proofing products to the federal government and the to state and local [governments], so it’s a weird, delicate dance,” a former administration official who has worked on identity issues in multiple agencies told FCW. The individual asked not to be named as they were not authorized to speak to press in their current role.

“This letter reflects BSA's view that the U.S. government should continue to support an open marketplace for digital identity solutions,” Henry Young, director of the alliance, told FCW via email. “The U.S. government should not select either a specific solution developed by industry or one the government develops itself because it inhibits innovative approaches to cybersecurity.”

Login.gov does use “over a dozen private-sector tools and services,” according to GSA’s 2022 budget request, including LexisNexis capabilities for identity verification and fraud prevention. 

But GSA has chosen to build its own customer identity and access management functions – a category including things like single sign-on and customer registration – for Login.gov instead of buying them from vendors, said Jeremy Grant, former senior executive advisor for identity management at NIST and current coordinator of Better Identity Coalition.

The industry letter comes soon after Congress also signaled its interest in Login.gov and identity policy in the government funding package for fiscal 2023 passed in December. 

Lawmakers included a note in the joint explanatory statement for the law directing GSA “to promote government-wide policy that leverages portable identity and multiple credential service providers” independently certified against National Institute of Standards and Technology guidelines for “the highest possible pass rates, fraud prevention and cost reduction.”

Credential service providers are the entities, like Login.gov and vendor ID.me, that issue and maintain identity credentials that people use to access online services.

Stakeholders are also waiting for an executive order on digital identity promised by the White House as part of the 2022 State of the Union address. The White House told FCW in December that it still plans on issuing the order, which will focus on identity theft in public benefit programs, although it has yet to release it.

The order is expected to have policies on Login.gov, potentially even compelling agencies to use it, although the details of the order are still being finalized, according to recent reporting from FedScoop.

That move would align with Login.gov’s standing goal to be "the public's one account for accessing government services online.”

Use of the service has exceeded GSA’s goals – currently 322 government applications are integrated with Login.gov, well over the goal for 250, according to agency documents – but it still doesn’t meet the lowest threshold of government standards for digital identity proofing. The National Institute of Standards and Technology is updating those standards now, but the current situation has been a pain point for GSA’s attempts to woo some agencies to the service.

Still, some industry groups are calling for the White House to support a “tech neutral” approach, something defined in a 2011 government memo as a policy of choosing tech in a “case-by-case” and “merit-based” manner.

“This is a very public fight that's being fought rather anonymously,” the former official told FCW.

ID.me’s counsel for government affairs, Jon VanderPlas, told FCW that the company “is pleased to see Congress include this government-wide directive” and that “we have long advocated for providing Americans with login options and an equal playing field, where providers are held to the same standards and compete around the clock to be the users' choice.”

The company’s 2022 lobbying report lists the fiscal 2023 appropriations bill as a lobbying issue.

Nevertheless, the respective role of vendors and government in identity isn’t universally agreed upon.

Sen. Ron Wyden (D-Ore.), Senate Finance Committee chair, was a vocal critic of ID.me after it came into the limelight last year over criticisms of IRS plans to require identity verification via facial recognition through the company to access online tax accounts, concerns over media reports of long wait times for the service and worries about biases in facial recognition technology.

In a 2022 letter to the IRS, Wyden pointed to a section of the fiscal 2016 appropriations law requiring agencies to use “a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication” as developed by GSA, writing in his letter that digital identity infrastructure should be run by the government.

“I continue to believe a government-operated universal verification system like Login.gov is the most user-friendly and efficient way to secure Americans' digital identities,” Wyden told FCW in a statement. “Securely verifying digital identity requires a significant amount of private information that the government already has. There’s no reason for Americans to send that data to a private company as well.”

Rep. Bill Foster (D-Ill.) also said recently that he plans to reintroduce a bill meant to push the government to take a more active role in digital identity with things like opt-in identity validation services. 

The White House and GSA declined to comment for this story.

NEXT STORY: Announcing the 2023 Federal 100

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.