Login.gov has one lingering data-security priority to address, watchdog says

Eight years since its launch, Login.gov has narrowed the capabilities gap with many of its commercial counterparts, according to the Government Accountability Office, but there’s one outstanding data priority that the General Services Administration’s single sign-on platform needs to address.
In a report released Tuesday, the GAO detailed progress Login.gov has made since the watchdog last examined the identity-verification service, in four areas: data security; maintenance; protective technology; and identity management, authentication, and access control. Those strides have put Login.gov — which agencies use to confirm the identity of website users — in favorable company with Okta, ID.me and others.
Where Login.gov has room for improvement, however, is in data-protection policies, processes, and procedures, the GAO found, with unfinished business on the testing of backup data.
GSA told the watchdog that Login.gov’s security engineering team wasn’t fully staffed until January of last year.
“At the conclusion of our review, GSA provided its updated policy for testing Login.gov’s backup data,” the report stated. “However, it is not yet evident that the policy has been fully implemented or if it is achieving the intended results. Until GSA demonstrates that it has fully implemented its data protection policy to test data backups, Login.gov officials will have less assurance that they are consistently and effectively ensuring the integrity and availability of its data.”
Login.gov’s public-facing applications are currently in use by 15 of the 24 Chief Financial Officers Act agencies, per the GAO, while another six use the platform paired with a commercial option and three agencies rely solely on a commercial provider. Those providers include offerings from ID.me, Okta, Experian and LexisNexis.
The agencies that provide services to the largest swath of Americans — Social Security and health insurance administrators among them — have the highest user numbers for Login.gov, per the GAO.
“According to data reported by the CFO Act agencies, more users utilized Login.gov’s services compared to the commercial identity proofing solutions,” the report noted. “For example, about 190 million users utilized Login.gov compared to approximately 60 million users that utilized the four commercial solutions combined from fiscal years 2020 to 2023.”
Given the rapid growth in users since the platform’s 2017 launch — and the giant target on federal agencies’ backs due to the sheer amount of sensitive data they hold — the GAO said it is critically important for Login.gov to meet the National Institute of Standards and Technology recommendation on testing backup data.
“For example, if Login.gov’s backup data was not tested to ensure that its integrity was not compromised, then it could result in complete loss of data if a breach were to occur,” the GAO wrote. “By ensuring that data backups are maintained and testing that the integrity of the backups is not compromised, a vendor can reduce the impact of these data loss incidents.”
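What the GAO is asking for is more than confirming that a backup job ran: a backup integrity test records a cryptographic digest of every file when the backup is taken and then checks a restored copy against that record, so that silent corruption (a flipped bit that leaves the file size unchanged) or a dropped file is caught before a real incident. The following is an added example of such a test, written for this article; it is not GSA’s or Login.gov’s code, and the manifest format, the directory layout, and the sample backup contents are all constructed assumptions.

```python
"""Backup integrity test: build a SHA-256 manifest when a backup is taken,
then verify a later restore against it.

Added example for this article, not GSA's or Login.gov's code. The manifest
format, the directory layout and the 'restore to a scratch directory and
compare' routine are assumptions made for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every regular file in the backup set (path relative to its root) to its digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_dir: Path, manifest: dict) -> dict:
    """Compare a restored copy against the manifest recorded at backup time.

    Returns three lists: 'corrupted' (digest mismatch), 'missing' (in the
    manifest but absent from the restore) and 'unexpected' (present in the
    restore but not in the manifest). All three empty means the test passed.
    """
    restored = build_manifest(restored_dir)
    return {
        "corrupted": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in restored),
        "unexpected": sorted(k for k in restored if k not in manifest),
    }


def restore_test_passed(report: dict) -> bool:
    return not any(report.values())


def demo() -> tuple:
    """Constructed scenario: a small backup set, a manifest taken at backup time,
    then a restored copy in which one file has a single flipped bit (same size)
    and another file is missing. Returns (clean_result, damaged_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        backup = tmp / "backup"
        (backup / "db").mkdir(parents=True)
        # Constructed sample contents; not real Login.gov data.
        (backup / "db" / "users.sql").write_bytes(b"INSERT INTO users VALUES (1, 'alice');\n")
        (backup / "db" / "sessions.sql").write_bytes(b"INSERT INTO sessions VALUES (1, 'x');\n")
        (backup / "config.json").write_text('{"mfa_required": true}\n')

        # Manifest is serialised at backup time and stored apart from the backup itself.
        manifest_json = json.dumps(build_manifest(backup), indent=2, sort_keys=True)

        # Simulate a restore into a scratch directory, then damage the restored copy.
        restored = tmp / "restored"
        shutil.copytree(backup, restored)
        data = bytearray((restored / "db" / "users.sql").read_bytes())
        data[-2] ^= 0x01  # flip one bit; file size is unchanged, so a size check would miss it
        (restored / "db" / "users.sql").write_bytes(bytes(data))
        (restored / "db" / "sessions.sql").unlink()

        manifest = json.loads(manifest_json)
        clean_ok = restore_test_passed(verify_restore(backup, manifest))
        damaged_report = verify_restore(restored, manifest)
        return clean_ok, damaged_report


if __name__ == "__main__":
    ok, report = demo()
    print("untouched backup passes:", ok)
    print("damaged restore report:", json.dumps(report, indent=2))
```

Two design points matter in practice. The manifest has to be kept (or signed) separately from the backup media, otherwise whoever can corrupt the backup can rewrite the manifest to match. And the check has to run against an actual restore into scratch storage on a schedule, not against the backup as it sits in its bucket, since a backup that verifies in place but cannot be restored still fails the availability goal the GAO describes.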
The watchdog recommended that the GSA administrator direct the agency’s Technology Transformation Services, which houses the program, to confirm that Login.gov fully implements the policy to test data backups.
“Addressing this gap will be an important step towards ensuring that the integrity and availability of that data will be protected,” the GAO concluded, “as well as the continuity of access to important government services that have a significant impact on the everyday lives of U.S. citizens.”