The General Services Administration will partner with a vendor to bring a “best-in-class” facial recognition option to Login.gov as one of several new verification pathways being introduced to the platform in the coming year.
The planned addition of face matching to Login.gov comes as GSA attempts to boost the program’s remote “identity proofing” offerings, even as the National Institute of Standards and Technology explores whether there are comparable alternatives to facial recognition.
In addition to offering face matching as a remote identity proofing option, GSA will also give Login.gov customers the option to prove their identity in-person at their local Post Office or through a live video chat with a “trained identity verification professional.”
Agencies that use Login.gov will be able to choose whether to use these new verification pathways. GSA will begin rolling out the updates within the next year, the agency wrote in a blog post today.
“These offerings will complement Login.gov’s already strong anti-fraud capabilities and provide an even stronger identity verification solution to protect against increasingly sophisticated identity fraud and cyber attacks,” the blog post continues.
Agencies are increasingly adopting Login.gov as a way for the public to access various government benefits and services online. GSA announced in September that all cabinet-level agencies are using the log-in service for at least one program or application.
In its blog post, GSA writes that the addition of multiple “evidence-based” verification options to Login.gov will bring the platform in line with NIST’s identity-proofing standards, referred to as “Identity Assurance Level 2” (IAL2).
“Together, these pathways build on top of Login.gov’s existing identity verification process, which requires validation of a government-issued ID and a phone number or address,” GSA wrote. “They will help agencies with high-risk use cases meet their unique security needs.”
Earlier this year, the GSA inspector general found that between 2018 and 2022, the Login.gov program had deceived customer agencies about meeting the IAL2 standards, prompting a firestorm of criticism and compelling GSA leadership to launch a top-down review of the program.
Meanwhile, the addition of facial recognition to the widely used login platform comes more than a year after the IRS canceled its plans to use a third-party facial recognition platform due to concerns over privacy and bias, as well as the lack of alternatives for taxpayers seeking an online account.
“For our fully remote identity verification offering, we will choose a vendor that uses best-in-class selfie matching algorithms and are evaluating additional alternatives,” a GSA spokeswoman told Federal News Network. “Login.gov will integrate this technology into its existing identity verification flow as a configurable option for agency partners; this means that not all agencies will use these technologies.”
GSA is pledging to protect user privacy by only having Login.gov compare a selfie with a user’s photo ID. The data “will never be used for any purpose unrelated to verifying your identity by Login.gov or any vendors we contract with,” the agency wrote in its blog.
The agency also plans to monitor the effectiveness of its face matching tool across different demographic groups. Prior NIST research and other studies have shown some facial recognition algorithms are less accurate for non-white faces.
“GSA is planning to invest in monitoring the real-world performance of both the selfie matching and the rest of the Login.gov platform, across demographic groups, to support equity and help prevent any algorithmic bias,” the GSA spokeswoman said.
GSA will also work with agencies “to evaluate additional pathways to verify identities at the IAL2 level, such as compensating controls,” the agency wrote in its blog.
NIST specifically sought comment on the possibility of alternatives to facial recognition to meet the IAL2 standard.
“NIST sees a need for inclusion of an unattended, fully remote Identity Assurance Level (IAL) 2 identity proofing workflow that provides security and convenience, but does not require face recognition,” the agency wrote.
Ryan Galluzo, digital identity program lead for NIST, said the agency has now adjudicated about 90% of approximately 3,900 comments it received on those draft documents. He said NIST now plans to release second drafts of the base digital identity guidelines, as well as the identity proofing standards.
“The reasons that we’re going to go down that pathway are based upon the volume of changes, as well as some of the changes that we’ve received public comments on around things like the integration of verifiable credentials and mobile driver’s licenses into the identity proofing side of the house,” Galluzo said at the Authenticate 2023 conference on Tuesday.
He said NIST aims to release the new versions of those documents by this coming April.