General Services Administration officials addressed allegations that the agency misrepresented identity proofing standards of Login.gov at a hearing Wednesday, as lawmakers pondered the potential for fraudsters in the system.
After a report outlined discrepancies in Login.gov’s identity proofing standards, lawmakers peppered General Services Administration officials with questions Wednesday about what they are doing to ensure the missteps haven’t enabled fraudsters.
The House Subcommittee on Government Operations and the Federal Workforce hearing centered on a March 7 inspector general report detailing how GSA officials misrepresented the level of identity proofing standards met by the government-run single sign-on service, Login.gov, subsequently billing agencies millions as a result.
But lawmakers from both sides of the aisle focused their questions on whether the identity proofing discrepancies could enable fraudsters to gain accounts and, therefore, government services.
“We rely on Login.gov to help us to root out potential fraudsters,” said ranking subcommittee member Kweisi Mfume (D-Md.), who asked about possibly involving the Justice Department. “For this to have gone on this long, we don't know if they were siphoning off money from essential government programs.”
Although Federal Acquisition Service Commissioner Sonny Hashmi told lawmakers that GSA has “no evidence… that this has led to any particular cases,” Mfume appeared unconvinced.
“I don't think we can make the assumption that nothing bad happened,” the Maryland congressman said.
Rep. William Timmons (R-S.C.) also weighed the potential of increased fraud as a result of the identity proofing discrepancies, asking GSA officials, “If Login.gov had done what it said it could do, would it be harder to steal from the [Paycheck Protection Program and Economic Injury Disaster Loan] and easier to hold people accountable that did?”
The Small Business Administration — which managed both COVID-relief programs and saw fraud spike during the pandemic — does use the identity management service, according to Login.gov’s website, but the GSA inspector general stressed that making conclusions about any link would require a more thorough look at the context.
When asked by subcommittee chair Pete Sessions (R-Texas) if the program was checking the rolls for fraudsters following the report, Hashmi pointed to existing Login.gov identity proofing and fraud controls.
“I want to make it clear that Login.gov itself is a strong service,” said Hashmi. “We strongly believe in the product. We believe in the fraud capabilities that product already offers. For that reason, we will continue to invest in those capabilities.”
In terms of identity proofing, Hashmi said that Login.gov, which vets information against third party data and state driver databases and also uses phone and address verification, is “checking all of the accounts against [these data sources] constantly.”
A main reason that the service does not meet the digital identity guidelines set by the National Institute of Standards and Technology, known as Identity Assurance Level 2, is the lack of a biometric like facial recognition as part of its remote identity proofing process. GSA made public statements in 2022 that it would not use facial recognition due to equity concerns, and the report details an internal decision in 2021 not to use it.
Under the current guidance, using biometrics like facial recognition is the easiest way to get to IAL2 compliance remotely, although NIST is currently updating the standard.
Hashmi called biometrics “the key failing” and “the key thing that prevents us from achieving IAL2,” saying that the agency “is continuing to investigate whether biometric technology is the right thing to implement at this point.”
There are legitimate privacy and equity concerns for facial recognition systems, although differentials vary depending on the camera system and matching algorithm. Charles Romine, director of NIST's Information Technology Laboratory, told lawmakers in 2020 that “users, policy makers and the public should not think of facial recognition as either always accurate or always error prone.”
Still, Hashmi also came prepped with a pitch about why lawmakers and the government writ large should still back Login.gov.
“The success of this program is paramount for the government to deliver digital services to their constituents,” said Hashmi, pointing to fraud prevention, privacy protections and simple access to government programs.
“We want to make sure that this is done in transparency and full accountability, because in this particular case, we feel very strongly that this program has the right philosophy to add value to the American people. And we want to make sure that we have the right accountability in place,” he said.
So far, GSA has notified agency partners and the board of the Technology Modernization Fund about the misrepresentations of Login.gov’s identity proofing standards, modified interagency agreements, put new oversight mechanisms in place and pursued disciplinary action for some employees, said Hashmi.
“As of today, none of the employees who were identified to have misled their customers knowingly, are employed by the GSA,” he said. “So while due process continues, we will make sure that those employees are no longer employed by our agency.”
The agency is also doing a top-to-bottom review of the Login.gov program. So far, they have found that the team lacks fraud management experts, said Hashmi.
“We're starting to build a small team of folks who have previously not only litigated, but processed fraud cases so that we can really understand how do we build the products that are actually designed to prevent those cases from happening?” he said.
Hashmi also said that since GSA notified customer agencies last year about the discrepancy around its identity proofing standards, “we have made sure that they understand exactly which accounts have come into their systems and they have independent ways to validate the mechanisms so that those individuals can be subsequently vetted again.”
The timing of the hearing falls as the White House considers a push of Login.gov across government agencies via executive order. Still, some identity vendors have asked the government not to limit itself to Login.gov alone.
Some Republicans on the committee are wary about any plans to expand use of Login.gov – Sessions said that he had “concerns that the Biden administration may be making the problem worse,” noting that “Login.gov remains a significant part of the recently announced anti-fraud plan.”
Editor's note: An earlier version of this story misstated that the main reason Login.gov doesn't meet IAL2 standards was because of a lack of identity proofing. The service lacks a biometric screening capability as part of its remote identity proofing process.