The government’s fourth attempt to build a single sign-on identity management capability for federal services is off to a better start than its predecessors. The General Services Administration launched the Login.gov platform in April. The platform, which already has five agencies ready to test it out, experienced a spike of user accounts in October.
Joel Minton, the director of the Login.gov platform run by GSA’s 18F organization, said they are driving privacy, security and usability to give citizens confidence in using federal services.
“We support two different protocols,” Minton said in an exclusive interview with Federal News Radio. “One is OpenID Connect and the other is Security Assertion Markup Language (SAML). Some agencies choose to use SAML and some choose to use OpenID Connect. There are various reasons why one agency might choose one or another. It may be the knowledge they have about a certain protocol. It could be what the current systems are written in. Generally, we like to make sure that whatever experience they are building in has the utmost security. Our first use cases with Customs and Border Protection are mobile apps. For those mobile apps, we found that we can do a much better job of ensuring their security with OpenID Connect.”
Minton said CBP is the first agency using Login.gov in production and four others are in the process of finalizing memorandums of understanding and moving into production.
The U.S. Digital Service reported in July that the Social Security Administration, Department of Education and Railroad Retirement Board have also signed MOUs.
“Login.gov, at a high level, provides capabilities to do authentication, which includes multi-factor authentication, as well as identity proofing and great agency integration,” Minton said. “We are here to build it really well, and try to partner with the agencies to make sure we can provide functionality in a much more easy-to-use way for the users.”
CBP has two different applications in production — CBP Jobs and CBP Outlying Areas Reporting System (OARS). Minton said the other agencies are expected to go into production in the coming year.
GSA announced Login.gov in 2016, using the United Kingdom’s GOV.UK Verify as a model.
Over the last 18 months, 18F has developed the structure around the platform, relying on user testing to ensure it’s meeting the needs of the agencies and citizen customers.
“We wanted to start with smaller use cases — agencies that had in the thousands of users, not millions of users, to start,” he said. “Once you show some success there, then you start going to some of the medium-size agencies and the larger agencies after that. We were very thoughtful about signing on a lot of agencies and then starting with the smaller-use cases and ramping up from there.”
Minton said 18F is measuring the success of Login.gov in several ways, but maybe most important is whether the citizen or user is getting the service they want or need.
18F’s effort to build Login.gov will take some time to catch on, and hasn’t gone without its share of doubters and critics. Several agencies are still building their own single sign-on capability, for both internal and external users.
Part of how 18F is trying to win over agencies is by ensuring the privacy, security and usability of the platform.
“We have a lot of decisions that we make on a weekly basis and all of those decisions require us to think about those three things and those three trade-offs. Anyone who runs an identity system will tell you that those three things, while they all are important, every decision will have pros and cons that will affect each of those decisions and each of the trade-offs of those three things very differently,” Minton said. “Security, for example, we are very strong with encryption. We want to make sure we are protecting our data very well at-rest. We want to make sure we are protecting our data in transit. We want to make sure we have great penetration testing. We have a variety of penetration tests that we’ve done and we are continuing to do a lot of them to make sure we can protect the data. We have other people looking at it and those are penetration tests within our own environment as well as people from the public looking for issues as well.”
He added that 18F makes the code for Login.gov open source, so outside experts can look for problems and let GSA know so they can be fixed quickly.
As for privacy, Minton said 18F has thought a lot about it, with the details published in the platform’s System of Records Notice (SORN) and Privacy Impact Assessment (PIA).
Minton said the key for any site is usability, the third leg of the stool.
“We are basically talking to users all the time. We are testing with them, we are saying, ‘Does this make sense? Does that make sense?’ and that’s how we make all of our decisions related to that,” he said.
Minton said 18F has a lot of plans for the future of Login.gov, starting with security and ensuring the data and processes are secure and usable.
“We are building out a lot of identity-proofing capabilities. In order to be able to provide a lot of government services to individuals, we have to know who they are and we have to validate they are who they say they are,” he said. “In addition to the functionality, we also need to make sure we support agencies really well. We have an agency integration team that goes out to the agencies and actually talks to them and understands their use cases and what they need for their customers, and we make sure we can support them and provide the functionality that will allow them to serve their users better.”
Minton said 18F can take on more use cases and is talking to potential agency customers every week.