The fourth attempt to build a common authentication platform between government and its citizens already is starting on shaky ground.
The General Services Administration’s 18F organization released a request for quotes Sept. 27 for a vendor to provide online identity proofing and fraud detection for its Login.gov portal. Bids were due Oct. 11.
This was the second time in a matter of weeks that 18F issued this RFQ. It issued the first one in mid-September through Schedule 70 and decided to pull it back soon after. It’s unclear why GSA decided to withdraw the solicitation.
An industry source said GSA pulled back the initial RFQ because it had been released under the wrong schedule. The source, who requested anonymity, said vendors also complained to GSA that the RFQ appeared to be “wired” to Experian or Equifax.
Other sources say the RFQ is based on “old thinking” that even the National Institute of Standards and Technology says isn’t good enough for identity proofing.
David Zvenyach, the acting executive director of 18F and deputy commissioner of the Technology Transformation Service, defended 18F’s path. He said the RFQ had a quick turnaround time of only two weeks because companies either provide this type of service—identity proofing and fraud detection—or they don’t. As with many RFQs, GSA extended the due date at the request of the vendors who were interested in submitting bids.
“The purpose there is to make sure people who are signing up for our services, we can actually identify and prove that they are who they say they are,” he said in an interview with Federal News Radio. “Some of the must-haves relate to the way you do identity proofing so some of this is looking at financial data to make sure you are who you say you are. You look through things like address matching to make sure that the address actually matches. Also, we wanted to make sure we had enough coverage. For example, we wanted to make sure you covered at least 75 percent of the United States population. The other thing I’d note is that this was actually access to services through an application programming interface (API).”
The RFQ outlined 29 “must-haves” and 12 “nice-to-haves” across six functional areas. In addition to identity proofing and fraud detection, the RFQ includes validation and logging and reporting.
“We always want to make sure that we are structuring our acquisitions to ensure adequate competition. We work really hard to make sure there is adequate competition,” Zvenyach said. “This is ultimately a commercial service and these are companies that do this in the market right now and we are accessing their services through an API. So in a sense you either do this or don’t, and it’s not the sort of thing that you are trying to develop a big bang solution for us.”
“For access to services or records that require Level of Access 3 (LOA3), the user will be asked for personally identifiable information (PII) that will be used for identity proofing, and then maintained in the system,” GSA wrote in the notice. “Attributes requested for the proofing process are full name, date of birth, address, phone number, and social security number (SSN). The identity proofer will also ask the user credit and financial related questions. Login.gov does not have access to or retain the commercial identity verification information, questions asked of a user or the responses provided thereto.”
GSA says the information given by the user is not shared among agencies unless the user gives his/her permission.
As for the use of KBAs, Zvenyach said if this were the only approach to identity proofing and authentication, then maybe it would be an issue.
“I do not expect this will be the only way we manage authentication,” he said. “Obviously, one of the best practices that exist is multi-factor authentication and the like and we intend to use best practices when it comes to security and identity.”
He said other procurements are in the works, but didn’t feel comfortable talking about the strategy. Zvenyach said the identity proofing and authentication services are essential for Login.gov and one of several pieces that still need to come together.
“Ultimately the point here is to make sure we have a great product that is being delivered for the American public,” he said. “I think our RFQ and requirements contained in it will provide that level of service that the American public wants and needs. I think there are a number of companies that can do this work and we want to work with the best.”
Along with this RFQ, 18F awarded Agileana a $1.2 million contract Sept. 9 to work with their office and other federal agencies “to build integration (using Security Assertion Markup Language (SAML) or other appropriate technology) between agency web properties and 18F identity management product.”
Agileana also will provide 18F with feedback based on agency requirements in order to improve the identity management product.
18F also created an identity playbook, detailing five principles such as focusing on user needs and building a flexible product.
These are the first pieces to fall into place since GSA’s 18F announced its plans to develop Login.gov in May. The Office of Management and Budget followed 18F’s announcement by quietly issuing a memo in June supporting this effort, but saying it would be monitoring its progress.
Zvenyach said the Login.gov team has learned from past experiences, whether it was the Connect.gov initiative or e-Authentication.
“We have a pretty robust engineering team and a technical team, including designers and product managers, working with 18F to make sure we have the right people within 18F and GSA to deliver this service,” he said. “We also are using a cloud-based platform that is scalable and available for the entire United States. We also are focused a lot more on user research to make sure they have a really good experience and we are delivering a user-centered product. Also, this is pretty significant, we are focusing on providing our own agency integrations to make sure they are successful. So there are some process, technology and people pivots we’ve made over the last few years.”