GSA's Login to offer face recognition to customer agencies
Agencies using the government-created service will have the option to incorporate new face-matching capabilities or stick with existing offerings.
After months of testing, the federal government’s identity proofing and single sign-on service, Login.gov, is opening up its face recognition capabilities across the government to agencies that want to use them.
The General Services Administration says that the offering of one-to-one face matching has been independently certified as compliant with a government-backed standard for digital identity proofing set by the National Institute of Standards and Technology, called identity assurance level two.
Federal agencies use Login.gov for people to verify their identities when logging in to access government benefits and services. The offering has over 100 million users already across over 50 federal and state agencies, and this news could affect how future users have to verify their identity to access information and benefits.
“Proving your identity is a critical step in receiving many government benefits and services, and we want to ensure we are making that as easy and secure as possible for members of the public, while protecting against identity theft and fraud,” said GSA Administrator Robin Carnahan in a statement.
“Login.gov’s new IAL2-compliant product offering is another milestone in ensuring agencies have a wide variety of strong identity verification options,” she continued.
That certification comes over a year and a half after a bombshell watchdog report found that GSA had been misleading other agencies by claiming it met IAL2 when it did not.
GSA says that Login.gov will continue to offer its existing identity verification options to agencies as well, although they can now choose to require this more stringent level of identity verification.
“Login.gov heard from our agency partners with higher-risk use cases that it was important that we offer a version of our strong identity verification service that is IAL2 certified,” said Login.gov Director Hanna Kim in a statement.
The IAL2 digital identity standard is most easily met using a biometric. Login.gov uses one-to-one face matching to compare a user's selfie with a submitted photo of their government ID, as opposed to one-to-many, where a selfie is compared against a database of photos.
GSA also offers an in-person option at post offices for people that struggle to verify themselves online or don’t want to.
Despite the fact that face matching brings GSA into compliance with the NIST standard, the implementation of face recognition remains controversial.
A group of Republicans on the House Science, Space and Technology Committee penned a letter to NIST Director Laurie Locascio yesterday asking for more details on the technology and NIST’s role, noting that “concerns remain with the reliability, accuracy, and security of the technology.”
NIST is currently updating its guidance and offering new options to meet IAL2 that don’t require the technology.
Questions also remain about how well the setup of matching IDs with selfies works and for whom, despite the fact that some private sector options that also rely on one-to-one matching proliferated during the pandemic.
“At the end of the day, we don't really have a lot of information about how well they work,” Arun Vemury, senior engineering advisor for identity technologies at DHS’ Science and Technology Directorate, previously told Nextgov/FCW of this type of solution.
GSA itself is also working with academics to test identity verification setups, and preliminary results found that one of the five tested solutions performed worse with Black people. GSA had previously stated that it would wait to use the technology in Login.gov until it had done “rigorous review” about equity.
The performance of the tested solutions varied widely, but the best one still had an overall false rejection rate — where a real person with their actual ID is rejected — of about 10%.
Kim noted that GSA is using a face matching algorithm with good test results in NIST reviews when asked about bias concerns in a recent interview with Nextgov/FCW.
“We're glad that we've been able to do this while ensuring that users continue to have multiple secure pathways to verify their identity, whether that is in-person or remote,” she said in a statement about the latest news. “Looking ahead, we will continue to uphold our values of equity, privacy, and transparency by incorporating best-in-class technology and learning from academic and user research.”