From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Proving Your Identity on Federal Websites

Description: We talk about how federal agencies prove your identity when
you use their online services, and what could be done to keep your
information more secure.

Related GAO Work: GAO-19-288: Data Protection: Federal Agencies Need to
Strenghten Online Identity Verification Processes.

Released: June 2019


[ Background Music ]

[ Nick Marinos: ] Federal agencies need to move quickly so that we can
ensure that those that are applying for federal services are who they
say they are.

[ Matt Oldham: ] Welcome to GAO's Watchdog Report, your source for news
and information from the U.S. Government Accountability Office. I'm Matt
Oldham. If you've ever applied for benefits or services from a federal
agency online, there's a chance you've gone through a process called
identity proofing. It's how the government verifies that you are who you
say you are. I'm with Nick Marinos, an Information Technology and Cyber
Security director at GAO. And he led a report that reviewed the federal
government's identity proofing practices. Thanks for joining me, Nick.

[ Nick Marinos: ] Yeah, happy to be here.

[ Matt Oldham: ] So what's the state of these identity verification
methods that federal websites use?

[ Nick Marinos: ] I guess you could say the state is kind of in flux at
this point. We'll step back for a second and just think through kind of
the world that we live in right now. Verifying one's identity relies on
being able to confirm that the person sitting at a terminal or at their
phone is actually who they say they are. And this is at a time where
we're seeing an increasing amount of massive data breaches that are
taking a lot of sensitive information and putting it out there on the
wild. And the reason that this is compelling with respect to identity
verification is that federal agencies and others use what's called
knowledge-based verification as one of the primary ways to verify one's
identity. And what that really means is that you'll get a list of
questions, and probably we've all experienced this at some point,
applying for some kind of service online. We'll get a list of questions,
multiple-choice, that'll ask us for some kind of personal information
verifying that, again, we are who we say we are. So it could be about a
mortgage. It could be past home addresses but something that the
assumption is being made that only we might be the ones aware of.

[ Matt Oldham: ] I assume this isn't information that the government has
at hand on their own. Do they go outside to help them prove people's
identities?

[ Nick Marinos: ] Exactly. So these federal agencies are likely not
managing these kind of identity proofing services themselves. They're
contracting out to vendors and quite often going to credit reporting
agencies, which makes sense because CRAs, credit reporting agencies,
house a lot of information within an individual's credit file and so
they use that information to provide this identity verification service.

[ Matt Oldham: ] Is there any group within the federal government that
looks at this process that provides guidance on how federal agencies
should go about this service?

[ Nick Marinos: ] Yeah. So the National Institute of Standards and
Technology, NIST, is the authority not only on this topic but many
others. So when you're talking about cybersecurity guidance or standards
that a federal agency should follow, NIST is your shop there. And
they've put out guidance that has talked about the fact that
knowledge-based verification is just not a viable method for verifying
one's identity. And so they have really encouraged agencies to move away
from using these methods. And what we saw with our work, we looked at a
host of agencies, is that you know agencies are at different stages of
trying to move towards other alternative ways of doing this. And some
are using alternative methods. These could be things that we're familiar
with like SMS, you know, text messages that send confirmation codes or
even using, you know, traditional post offices, right, and sending a PIN
through snail mail to an individual to then use that to verify that they
are who they say they are. But we think that agencies could be doing
more and do more quickly to move away from knowledge-based verification.

[ Background Music ]

[ Matt Oldham: ] So it sounds like NIST has released guidance strongly
suggesting that federal agencies stop using knowledge-based
verification. What are the risks involved if federal agencies take too
long moving away from knowledge-based verification?

[ Nick Marinos: ] Well, the risk will continue to be there -- that
someone could pick up information as a result of breaches and use it to
mask themselves to be someone else. You know, and what we did find with
the guidance, we think that more can be done there as well. And we've
made recommendations to NIST to help clarify, what are some of those
alternative methods? When we spoke to the federal agencies, some of the
reasons that they had been challenged in moving away from
knowledge-based verification is that they really didn't see viable paths
for alternatives that worked within their particular constituency, if
you will. So for example, one method is to use an SMS code, a text
message. Well, if the general population of those applying don't have
cell phones, then another alternative method could be used. You know,
one thing to point out too, an alternative method that we have seen used
is actually in-person verification. So providing a location that someone
can go and say okay, I don't want to do this verification online. I want
to show up with some information, maybe it's a driver's license, birth
certificate, and verify my identity in person.

[ Matt Oldham: ] So what do you believe is the bottom line of this
report?

[ Nick Marinos: ] The reality is that the massive amounts of data
breaches that have occurred has rendered the main method by which
verification is being done, knowledge-based questions, ineffective. And
federal agencies need to move quickly away from using that as a method
so that we can ensure that those that are applying for federal services
are who they say they are.

[ Matt Oldham: ] Nick Marinos led a GAO report reviewing federal
agencies' practices to verify the identities of people using federal
online services. Thank you for your time, Nick.

[ Nick Marinos: ] Absolutely. Thanks, Matt.

[ Background Music ]

[ Matt Oldham: ] And thank you for listening to the Watchdog Report. To
hear more podcasts, subscribe to us on Apple Podcasts.

[ Background Music ]

[ Matt Oldham: ] For more from the congressional watchdog, the U.S.
Government Accountability Office, visit us at gao.gov.