Login.gov has achieved IAL2 certification by Kantara, incorporating selfie biometrics in its identity verification process. This update responds to government oversight urging faster implementation of biometric pilots, addressing security and accessibility requirements while maintaining compliance with federal standards. Despite some reported challenges, Login.gov represents a step forward in secure digital identity services for U.S. agencies providing over 300 million annual sign-ins.
Login.gov has been certified for Identity Assurance Level 2 (IAL2) compliance by Kantara, incorporating a new identity verification method that utilizes selfie biometrics. This advancement comes timely as a government oversight report urges the General Services Administration (GSA) to expedite its biometric pilot project and leverage insights gained from it. The enhanced identity proofing service integrates liveness detection, complying with the standards set forth in NIST SP 800-63 for IAL2. Users of Login.gov apply multi-factor authentication (MFA) for secure access, with stricter identity verification protocols required for certain federal partners, such as the IRS. The service employs facial biometrics primarily for remote identity verification, although it explicitly avoids “one-to-many facial identification” and does not repurpose submitted images. The GSA has committed to maintaining existing identity verification methods alongside the new biometric approach. While the supplier of the biometric technology remains undisclosed, it is reportedly a high performer in the NIST vendor evaluations. As of September 25, 2023, per Kantara’s Trust Status List, the certification is officially in effect. To access Login.gov, users must create a passphrase and utilize an additional authenticator for MFA, which could range from one-time passcodes (OTPs) to FIDO tokens like Yubikeys or Google’s Titan Security Keys. GSA Administrator Robin Carnahan emphasizes the need for a balance between accessibility to government services and safeguarding against fraud and identity theft. With over 50 government agencies relying on Login.gov, the platform facilitates approximately 300 million sign-ins each year. Hanna Kim, director of Login.gov, shared, “Login.gov heard from our agency partners with higher-risk use cases that it was important that we offer a version of our strong identity verification service that is IAL2 certified. We’re glad that we’ve been able to do this while ensuring that users continue to have multiple secure pathways to verify their identity, whether that is in-person or remote.” Kim recently advanced to her position to oversee the introduction of a new pricing model and implement the selfie biometric trial. Meanwhile, the Government Accountability Office (GAO) has reported that the GSA has not sufficiently resolved discrepancies with NIST guidelines or technical issues surrounding the service. The report titled “Identity Verification: GSA Needs to Address NIST Guidance, Technical Issues, and Lessons Learned” highlights that the methods utilized in both the remote identity proofing pilot and a USPS in-person pilot fail to align with best practices for documenting lessons learned to enhance decision-making. Noncompliance with IAL2 standards has been flagged by 12 out of 24 agencies responding to the GAO, with various technical challenges and cost uncertainties raised as obstacles. In response to GAO’s findings, the GSA pledged to tackle the identified technical issues, establish a timeline for pilot completion, and integrate lessons learned into future planning.
The push for enhanced identity verification methods within the U.S. government is driven by the need for higher security standards in accessing federal services. Identity Assurance Level 2 (IAL2) provides rigorous standards for verifying an individual’s identity, ensuring safe and secure access to sensitive services. The incorporation of biometric technologies, particularly selfie biometrics, supports these needs by providing robust, user-friendly verification while also seeking to maintain compliance with federal guidelines set by NIST. As more agencies adopt these technologies, the conversation around balancing security and accessibility continues to evolve, especially in response to oversight reports highlighting areas for improvement.
Login.gov’s recent certification for IAL2 compliance showcases a significant advancement in federal identity verification standards by integrating selfie biometrics and ensuring user security through multi-factor authentication. Despite challenges reported by the Government Accountability Office regarding alignment with NIST guidelines and technical issues, the GSA is moving forward with a commitment to address these concerns. The evolving landscape of digital identity verification is crucial for safeguarding government services against identity theft and fraud while prioritizing user accessibility.
Original Source: www.biometricupdate.com
