But agencies, amid a surge in public demand to use government services digitally, as well as a rise in improper payments from COVID-19 stimulus programs, face growing pressure to make customer services both easier to access and more secure.
Jeremy Grant, the managing director of technology business strategy at Venable and the lead of the Better Identity Coalition, said one of the biggest lessons learned from COVID-19 stimulus programs is that agencies need to set a higher bar for digital identity.
“The evidence has been really clear: When you don’t have identity infrastructure in place, the criminals are going to come in and they’re going to steal a lot of money and a lot of data,” Grant, also a former senior executive adviser at the National Strategy for Trusted Identities in Cyberspace (NSTIC), said in an interview.
Linda Miller, the former deputy executive director of the Pandemic Response Accountability Committee, now a principal at Grant Thornton, said in an interview last month that agencies vary greatly in the sophistication of their identity verification tools.
But faced with an increase in improper payments from COVID-19 programs, Miller said agencies need to “raise the whole level of verification and authentication across the board.”
“Agencies that are doing nothing, and are maybe at lower risk, maybe they don’t make a lot of payments. They might be okay with multi-factor authentication or knowledge-based question types of authentication. Those agencies that are putting out large amounts of benefit dollars are going to need to move to more sophisticated tools, like biometric tools,” Miller said.
While all agency digital services strike a tricky balance between ease of access and security, the IRS, in particular, has dealt with both types of challenges in recent years.
The IRS suffered a breach of its popular Get Transcript application in 2015, only a year after its launch. An agency investigation found that using “sensitive information already in the hands of criminals,” attackers were able to compromise about 390,000 taxpayer accounts.
The IRS took its “Get Transcript” application offline once the breach was discovered.
“Without solving this identity conundrum, a lot of transactions are going to continue to remain offline,” Grant said.
Lawmakers have sent a constant stream of letters to the IRS, demanding the agency respond to their constituents’ correspondence.
Meanwhile, the National Taxpayer Advocate, in her latest annual report to Congress, said the agency’s level of telephone service reached a low point last year, with only 11% of taxpayers getting through to a call center representative.
“To a certain extent, agencies like the IRS are in a bit of a no-win situation,” Grant said.
The IRS is not the only agency facing a higher demand for safe, effective digital services. Federal and state governments scrambled in the early stages of the pandemic to use new online systems to get unemployment insurance benefits to the public.
The Office of Management and Budget, in a Dec. 30 blog post, found improper payments grew most under the Federal-State Unemployment Insurance program, which saw its improper payment rate reach nearly 19%, eight points higher than pre-pandemic rates.
ID.me, the vendor that came under fire for its partnership with the IRS, actually helped address this issue through its services.
“This is why ID.me had this big boom in business. They came to states and said, ‘We’ve got a solution that can solve a lot of this,’” Grant said.
ID.me, which counts 10 federal agencies and 30 states as its customers, recently announced a new option to verify identity without using automated facial recognition, “and will make this available to all public sector government partners.”
ID.me Founder and CEO Blake Hall said in a statement last Tuesday that all of its users will be able to delete their selfies or photos at account.ID.me starting on March 1.
“In recent weeks, we have modified our process so government agencies can empower people to choose to verify their identity with an expert human agent without going through a selfie check. Agencies can now select this configuration,” Hall said.
The IRS announced Monday that it will “quickly develop and bring online an additional authentication process that does not involve facial recognition,” in order for taxpayers to access self-help services on the agency’s website.
While several lawmakers and associations urged the IRS to instead consider Login.gov, a federal service already used by 40 million Americans for 200 websites from 28 agencies, Grant said Login.gov doesn’t have the capability to handle identity proofing.
“Login has focused largely on account management and authentication, but not identity proofing, which is the much harder problem to solve. This is not to say that it should be the private sector running this, but it’s not as if there’s just like a magic set of capabilities just sitting at GSA that has not been used,” he said.
The General Services Administration, meanwhile, said it’s looking for Login.gov to achieve certification of compliance with NIST’s IAL2 Remote Identity Proofing standard, but does not currently have plans to implement facial recognition.
“Although Login.gov team is researching facial recognition technology and conducting equity and accessibility studies, GSA has made the decision for now not to use facial recognition, liveness detection, or any other emerging technology in connection with government benefits and services until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations,” a GSA spokesperson said.
While the use of facial recognition across the federal government remains a sensitive topic, Grant said the practice of scanning a driver’s license or passport, and taking a selfie, is gaining traction in private industry.
Companies, he said, have adopted facial recognition in recent years, after fraudsters caught up to knowledge-based verification, the last major industry-wide standard for identity verification.
“What was rolled out, [it] was not like IRS was doing something that was unusual, compared to what I think a lot of people might be asked to do for private-sector transactions. I think what certainly struck a nerve was it was requiring the use of a face biometric for a government application, which is something that people were not used to. That has now set off, I think, a good discussion around, well what is the appropriate technology or set of technologies that we should be using. But there aren’t easy answers here,” he said.
Organizations using knowledge-based verification relied on data from credit bureaus, and asked users to verify their identities by answering multiple-choice questions about their phone numbers or addresses on file, or the bank they used to obtain a mortgage.
“The whole idea was these were out-of-wallet questions, meaning if I found your wallet on the street or stole it from you, I would not be able to answer the questions. And it worked for a while, until the attackers caught up,” Grant said.
The prevalence of massive data breaches made it easier for malicious actors to obtain the types of information needed to compromise knowledge-based verification.
The National Institute of Standards and Technology said it no longer recognizes knowledge-based authentication as an “acceptable authenticator” under its digital identity guidelines.
“The ease with which an attacker can discover the answers to many KBA questions, and relatively small number of possible choices for many of them, cause KBA to have an unacceptably high risk of successful use by an attacker,” NIST wrote in a frequently asked questions post from 2020.
NIST, under its Special Publication 800-63A, still permits knowledge-based verification in “resolving identities and, with restrictions, in remote identity verification during enrollment and proofing.”
“This is what happens in security. A threat develops, industry comes up with ways to address the threat, and then the attackers pivot and innovate, and come up with new ways to catch up with it,” Grant said.
While lawmakers have been quick to dismiss the use of facial recognition in government services, few have suggested an alternative to strengthen digital identity.
The legislation would also direct NIST to develop a “digital identity framework” to guide federal, state and local efforts to support identity verification services.
The Better Identity Coalition supports the legislation, and Grant said the bill “needs to move forward as quickly as possible.” At the very least, he said Congress needs to come to some consensus on how agencies should rethink identity verification.
“This is not to say that any one solution is the wrong one or the right one, but I think there’s a bigger tradeoff that policymakers need to be considering right now, which is what kind of services do you want your constituents to access online, and understanding that offering any high-value service, where an agency’s going to disclose personal data or make money available, is going to be a huge target for organized crime. What sorts of solutions are you willing to consider letting agencies use to offer those services in a way that is secure, that is equitable, that protects privacy? There isn’t any single answer,” Grant said.