Login.gov is still 'vital' despite setbacks, GSA official says

Sonny Hashmi, the commissioner of the Federal Acquisition Service at the General Services Administration, talked about the path forward for GSA’s single sign-on service Login.gov Thursday, after a bombshell inspector general report in March revealed the service did not meet the guidelines it had claimed to have.

“A lot has been learned over the last few months, and we want to make sure that internally, we don’t repeat those mistakes,” he said during a keynote at a Carahsoft event.

Even so, “the need for Login as a program has never been more vital,” he said. “It’s incumbent upon us — all of us — to solve for this problem in a way that actually works for all Americans. I don’t think we’re there yet, but we’re making progress.”

The March inspector general report outlined how Login.gov officials had misled other federal agencies over a period of years about what standard of identity proofing the service met. 

The remote identity proofing standard in question is called identity assurance level 2, or IAL2. It’s set by the National Institute of Standards and Technology and is most easily met by using a biometric like facial recognition, something GSA publicly committed not to use in 2022, citing equity concerns.

At the time of the watchdog report, GSA said it would do a top-to-bottom review of the program, and pointed to a new director and a new Login.gov steering committee. The agency also disciplined relevant employees, created a new General Counsel’s Office specifically focused on tech and law and said it was reviewing financial operations and existing financial management controls.

“Our job now, as we move forward with Login, becomes to create a consensus across the federal government in partnership with NIST to build a common set of controls that validate digital identities,” said Hashmi, “We’re working very closely with NIST.” 

NIST is currently updating its digital identity proofing standards for the first time in years and has signaled an interest in “emerging and alternative” tech that doesn’t require facial recognition to reach IAL2.

The draft update released last year also created a new standard for lower-risk situations, meant to give those using these standards more flexibility. 

Login.gov, which also was awarded the biggest single investment from the Technology Modernization Fund to date — nearly $187 million in 2021 — has also been a focus of the White House.

President Joe Biden teased an executive order on identity theft in his 2022 State of the Union address, which has yet to be released. A draft obtained by Nextgov/FCW in February 2023 contained plans to rapidly scale the single sign-on service across government.

Asked about Login.gov in May, federal chief information officer Clare Martorana told Nextgov/FCW that, “it is a system that is required in government. We should be able to sign on simply, seamlessly and securely to any government service.”

Martorana alluded to “the challenges of the last year,” which she said “continue to keep us on a path of wanting to make sure that we are working with the highest level of integrity.”

Even so —“I still am really bullish about Login.gov,” she said. “But I do know that IT organizations in government are on their own path,” noting differences across agencies.

On Thursday, Hashmi talked about the driving principles for Login.gov.

First: “It needs to be usable by everybody,” he said, pointing to unhoused people and people without cellphones or credit histories. 

That rules certain technologies out, said Hashmi, as does a sharp eye against bias in systems.

“Our job becomes harder,” he said. “We take that with pride.”

GSA made public statements in 2022 that the service wouldn’t be using facial recognition because of concerns about bias. 

NIST testing of facial recognition algorithms in 2019 found differentials in performance according to race and gender, although top NIST officials have more recently said that algorithms have generally improved. Photograph quality — particularly exposure levels in photographs of people with darker skin tones — also impacts accuracy.

The second core value is privacy, said Hashmi. “Thirdly, it needs to be based on private sector technologies.”

“We don’t pretend to invent these technologies,” he told the audience, which included government contractors. “We leverage products that you all built, and we want to be able to… bring them together in a way that leverages the best innovation in the private sector.”

Still, Hashmi also argued that the role of the government, versus private companies, is important.

“The whole premise of Login has always been to create a government-issued digital identity that is built and operated by an organization that doesn't have a profit motive to leverage that information, to use people’s data against them, to sell their data for profit or to manipulate their privacy,” he said. 

“There’s a reason why there’s a competition going on in the private sector for owning your identity. There’s a reason why everybody from Facebook to Google to everybody is in the identity business all of the sudden, because they know that once they own the identity… they can control the data,” he said. “When we cede that control to private sector companies who have a profit motive in manipulating that information, then we don’t do right by the American people.”

“That’s unfortunately been going on in pockets… especially at the state and local level for the last few years, because in desperation, without an alternative being present, agencies have had to make difficult choices,” he continued. “They’ve had to say, ‘We’re going to trust that this private company is going to validate your identity. We’re going to trust that they are doing the right thing.’”

Some industry actors and identity proofing vendors, meanwhile, have urged the White House not to lock the government into a single solution, saying it would inhibit innovation.

Hashmi said the need for Login.gov became “acute” during the pandemic, which sped up the move to digital services in government.

“Pick any agency,” he said. “And you say, ‘We’re going to go digital.’ The first thing you ask is, ‘How am I going to know who’s logging in?’

“That’s why Login is important. That’s why, just generally, there’s been so much energy in this space. The White House has been very involved actively thinking about challenges. NIST has been very actively working on these areas,” he added. “So we’re excited about some of the things coming down the pike on this space.”