A technology arm of the federal government had lax security on about 1 million online accounts because it rejected using facial recognition technology over “equity” concerns, according to an inspector general’s (IG) report released on Tuesday.
The General Services Administration (GSA) failed to provide other federal agencies accurate information about the level of security and privacy protection offered by its Login.gov platform, a report from the GSA’s IG (pdf) found. It stated that the GSA “misled customers” about Login.gov’s compliance with federal digital identity standards.
“Notwithstanding GSA officials’ assertions that Login.gov met SP 800-63-3 Identity Assurance Level 2 (IAL2) requirements, Login.gov has never included a physical or biometric comparison for its customer agencies. Further, GSA continued to mislead customer agencies even after GSA suspended efforts to meet SP 800-63-3,” according to the report. SP 800-63-3 refers to federal digital identity guidelines.
What’s more, the GSA “knowingly billed IAL2 customer agencies over $10 million for services” that were billed as Level 2 but did not meet federal “standards,” said the IG report, adding that “GSA used misleading language to secure additional funds for Login.gov.”
“As of May 2022, Login.gov had 906,187 users of Login.gov services that GSA purported to be IAL2 (Level 2) but did not comply. Notwithstanding GSA officials’ assertions that Login.gov met [federal] requirements, Login.gov has never included a physical or biometric comparison in production,” the IG report said. “Login.gov officials informed us that biometric comparison was not included in products offered to customer agencies, initially because the feature required testing before implementation and later because they further delayed it due to equity concerns.”
Top leaders with GSA’s technology arm found out that the website didn’t comply with the requirements but still did not “notify customer agencies of the noncompliance,” the IG said.
“The inability to meet IAL2 NIST standards became the topic of discussions among Login.gov leaders and personnel at least as early as 2019, and included concerns that using individuals’ selfies to verify their identity could impact Login.gov’s rejection rates based on physical traits,” the report added, “such as skin color and tone.”
In response to this week’s IG report, Federal Acquisition Service Commissioner Sonny Hashmi issued a statement saying that prior “misrepresentations about Login.gov’s compliance” with the standard “were completely unacceptable.” He added, “When we uncovered those misrepresentations in early 2022, we immediately referred the matter to the Inspector General, and initiated a series of actions to strengthen transparency, accountability, and oversight to correct the problem.”
“As the Inspector General rightly reports, this was a serious issue, but one GSA identified and addressed,” Hashmi added. “GSA has also taken significant actions to strengthen the Login.gov program to ensure it better delivers for the needs of our customers and meets high standards of security, equity, and integrity.”
The GSA, according to the report, also obtained $187 million in federal funding after current and former GSA officials argued that the login service “is currently used in production and complies with NIST’s 800-63-3 standard for strong authentication (AAL2) and identity verification (IAL2)” when it wasn’t the case.
In June 2021, then-Technology Transformation Services (TTS) Deputy Commissioner Vladlen Zvenyach said in a Slack message that he would not be taking steps to make the program compliant, according to the report. The reason, he said, was that making it compliant may have a “discriminatory impact.”
“Hey team, I have been hearing that there is still some ambiguity around TTS’ position on liveness detection/PAD [Presentation Attack Detection] as an IAL2 proofing requirement. The position of TTS is that the benefits of liveness/selfie does not outweigh any discriminatory impact, and therefore should not be used as a proofing requirement,” he wrote at the time, the report said.
But the report found that “Zvenyach did not notify customer agencies when TTS suspended efforts to implement selfies to meet the NIST biometric comparison requirement,” adding that the GSA kept information from “customer agencies about Login.gov’s lack of biometric comparison capabilities.”
The Epoch Times has contacted the GSA for additional comment, including questions about whether the security of 1 million accounts was jeopardized due to the lower security standards.