Login.gov facing technical difficulties and cost uncertainty, watchdog says

The single sign-on platform faces scrutiny from the GAO for non-compliance with NIST remote identity proofing standards.

The General Services Administration’s Login.gov, a single sign-on platform that recently made remote identity proofing generally available, needs to address technical challenges concerning the biometric validation pilot program, according to a new government watchdog report.

The Government Accountability Office said that nine of the participating 21 Chief Financial Officers Act agencies reported issues with Login.gov, including lack of fraud controls and visibility into authentications as well as high failure rates. Additionally, eight agencies shared challenges regarding Login.gov’s pricing, including the inability to get a multi-year pricing plan or insight into the service’s annual renewal process, as well as the potential for prices to rise between years. 

Significantly, 12 agencies shared reports of challenges with Login.gov’s noncompliance with NIST 800-63 Identity Assurance Level 2 (IAL2) — a standard that introduces the need for either remote or physically present identity proofing. Marisol Cruz Cain, GAO’s director of Information Technology and Cybersecurity, told FedScoop that the watchdog confirmed with GSA and a third-party auditor that “the IAL2 certification was successfully issued for Login.gov.”

“As stated in the report, we do expect that the recommendation to establish a completion date for the remote pilot will be closed as implemented,” Cruz Cain said in an email after the report’s release. “However, the IAL2 certification does not address the other two recommendations. We will continue to work with GSA to close these recommendations as information becomes available.”

The Department of Treasury, one of the 12 agencies concerned with IAL2 challenges, reported to GAO that using Login.gov for applications needing these aligned services would “expose the agency to security risks, such as cybercriminals and exploiting systematic weaknesses.” 

Small Business Administration officials claimed that a report from the GSA’s Office of Inspector General about Login.gov’s noncompliance “caused the agency to pause their plans to use the system.”

In addition to the recommendation regarding IAL2 status, the GAO suggested that the GSA’s administrator direct the agency’s Technology Transformation Service to “propose actions to address the technical challenges that the agencies identified related to Login.gov and develop mutually agreed upon time frames for taking those actions.” 

“Without GSA-proposed actions and time frames for addressing the challenges, agencies will continue to experience technical issues with the system,” the report states. 

Of the nine agencies that reported technical issues, the Department of Labor expressed concern with the lack of real-time visibility into application authentications as a “major challenge,” and noted the capability as “essential for identifying and addressing potential security threats, performance issues or compliance issues in a timely manner.”

The Office of Personnel Management, one of the eight agencies that reported challenges with cost uncertainty, said that there was uncertainty with Login.gov’s annual renewal process and cost differentiation from year to year. OPM explained that “the pricing model for enterprise users can result in steep cost increases when their user volume increases.”

The GAO also recommended that the administrator for GSA direct TTS to ensure that it develops a plan for lessons learned for the program’s in-person proofing pilot.
