Identity Verification: GSA Needs to Address NIST Guidance, Technical Issues, and Lessons Learned
Fast Facts
The public increasingly relies on the internet to access government services and benefits. The General Services Administration launched Login.gov to give federal agencies a secure, reliable way to verify users' identities.
Agencies using Login.gov said it offers many benefits, such as improved user experiences and reduced costs. But technical issues aren't being resolved in a timely way—potentially delaying further adoption throughout the government.
Also, GSA hasn't completed work to ensure that Login.gov aligns with federal guidelines for verifying identities digitally.
Our recommendations address these issues and more.
Highlights
What GAO Found
Login.gov collects a variety of personally identifiable information (PII) from users accessing government applications and websites. After collecting PII from users, Login.gov shares the data with multiple third-party vendors to determine whether users' claimed identity is their real identity. Login.gov uses a range of methods to protect collected and shared PII, such as multi-factor authentication.
Twenty-one of the 24 Chief Financial Officers Act of 1990 (CFO Act) agencies reported using Login.gov for identity proofing services. The agencies identified benefits from its use. Specifically, 16 reported improved operations, 11 reported enhanced users' experiences, and seven reported reduced costs. The agencies also reported challenges, with 12 citing Login.gov's lack of alignment with National Institute of Standards and Technology's (NIST) digital identity guidelines, nine identifying technical issues, and eight noting cost uncertainty.
The General Services Administration (GSA) has not yet fully addressed alignment with NIST guidelines or the identified technical issues. For example, GSA has been taking steps to align Login.gov with NIST digital identity guidelines, including (1) completing a pilot on in-person identity proofing in March 2024 and (2) beginning a separate pilot on remote identity proofing. However, the remote identity proofing pilot is not yet available because GSA has not established an expected completion date for the pilot. Accordingly, non-compliance with NIST guidance continues.
The two pilot programs fully aligned with four of five leading practices.
Table: GAO Assessment of General Services Administration's Identity Proofing Pilot Programs
| Leading practice | Description | USPS in-person identity proofing pilot | Remote identity proofing pilot |
|---|---|---|---|
| Measurable objectives | Establish clear, measurable objectives. | ● | ● |
| Assessment methodology | Articulate a data gathering and assessment methodology that details the type and source of the information necessary to evaluate the pilot, and methods for collecting that information, including the timing and frequency. | ● | ● |
| Evaluation plan | Develop a plan that defines how the information collected will be analyzed to evaluate the pilot's implementation and performance. | ● | ● |
| Lessons learned | Identify and document lessons learned from the pilot to inform decisions on whether and how to integrate pilot activities into overall efforts. | ○ | ○ |
| Stakeholder communication | Appropriate two-way stakeholder communication and input should occur at all stages of the pilot. Relevant stakeholders should be identified and involved. | ● | ● |

Source: GAO-16-438 and GAO analysis of agency documentation | GAO-25-106640

Key: ● Fully Aligns. ◐ Partially Aligns. ○ Does Not Align.
For the pilot that is underway, a plan to identify lessons learned, if implemented effectively, could generate and apply important lessons to broader efforts.
Why GAO Did This Study
GSA established Login.gov as an identity proofing system that is used to access federal agencies' websites with the same username and password. In 2017, NIST developed technical guidelines for federal agencies to follow when implementing digital identity services. However, in 2023, GSA's Inspector General reported that Login.gov was not fully aligned with NIST's guidelines.
GAO was asked to review Login.gov. This report examines (1) how Login.gov collects, shares, and protects PII while providing identity proofing services, (2) how many of the 24 CFO Act agencies use Login.gov and what benefits and challenges the agencies have reported, (3) the actions GSA is taking to align Login.gov with NIST's Digital Identity Guidelines, and (4) the extent to which GSA's actions are aligned with leading practices for pilot programs.
To do so, GAO reviewed documentation describing Login.gov's identity proofing processes and efforts to align the system with NIST guidelines, compared Login.gov's project plans to GAO's leading practices for pilot programs, and conducted interviews with agency officials.
Recommendations
GAO is making three recommendations to GSA to address NIST digital identity guidance, agency-identified technical issues, and lessons learned from its ongoing pilot. GSA concurred with each of the three recommendations. Just prior to issuing this report, GSA took action to address one of the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| General Services Administration | The Administrator of GSA should direct the Technology Transformation Service division to propose actions to address the technical challenges that the agencies identified related to Login.gov and develop mutually agreed-upon time frames for taking those actions. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| General Services Administration | The Administrator of GSA should direct the Technology Transformation Service division to establish a completion date for the remote identity-proofing pilot. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| General Services Administration | The Administrator of GSA should direct the Technology Transformation Service division to ensure that it develops and documents a plan for lessons learned for Login.gov's remote identity-proofing pilot program. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |