Identity Verification: GSA Needs to Address NIST Guidance, Technical Issues, and Lessons Learned

What GAO Found

Login.gov collects a variety of personally identifiable information (PII) from users accessing government applications and websites. After collecting PII from users, Login.gov shares the data with multiple third-party vendors to determine whether users' claimed identity is their real identity. Login.gov uses a range of methods to protect collected and shared PII, such as multi-factor authentication.

Twenty-one of the 24 Chief Financial Officers Act of 1990 (CFO Act) agencies reported using Login.gov for identity proofing services. The agencies identified benefits from its use. Specifically, 16 reported improved operations, 11 reported enhanced users' experiences, and seven reported reduced costs. The agencies also reported challenges, with 12 citing Login.gov's lack of alignment with National Institute of Standards and Technology's (NIST) digital identity guidelines, nine identifying technical issues, and eight noting cost uncertainty.

The General Services Administration (GSA) has not yet fully addressed alignment with NIST guidelines or the identified technical issues. For example, GSA has been taking steps to align Login.gov with NIST digital identity guidelines, including (1) completing a pilot on in-person identity proofing in March 2024 and (2) beginning a separate pilot on remote identity proofing. However, the remote identity proofing pilot is not yet available because GSA has not established an expected completion date for the pilot. Accordingly, non-compliance with NIST guidance continues.

The two pilot programs fully aligned with four of five leading practices.

Table: GAO Assessment of General Services Administration's Identity Proofing Pilot Programs

Source: GAO-16-438 and GAO analysis of agency documentation | GAO-25-106640

Key: ● Fully Aligns. ◐ Partially Aligns. ○ Does Not Align.

For the pilot that is underway, a plan to identify lessons learned, if implemented effectively, could generate and apply important lessons to broader efforts.

Why GAO Did This Study

GSA established Login.gov as an identity proofing system that is used to access federal agencies' websites with the same username and password. In 2017, NIST developed technical guidelines for federal agencies to follow when implementing digital identity services. However, in 2023, GSA's Inspector General reported that Login.gov was not fully aligned with NIST's guidelines.

GAO was asked to review Login.gov. This report examines (1) how Login.gov collects, shares, and protects PII while providing identity proofing services, (2) how many of the 24 CFO Act agencies use Login.gov and what benefits and challenges the agencies have reported, (3) the actions GSA is taking to align Login.gov with NIST's Digital Identity Guidelines, and (4) the extent to which GSA's actions are aligned with leading practices for pilot programs.

To do so, GAO reviewed documentation describing Login.gov's identity proofing processes and efforts to align the system with NIST guidelines, compared Login.gov's project plans to GAO's leading practices for pilot programs, and conducted interviews with agency officials.