In light of the increasing ubiquity of data breaches, the Government Accountability Office (GAO) released a report today recommending that Federal agencies discontinue knowledge-based verification to strengthen their remote identity proofing processes, and that the National Institute of Standards and Technology (NIST) provide guidance on creating alternative identity proofing methods.
When Federal agencies that issue benefits conduct remote identity proofing – a process agencies and organizations use to verify individuals’ identities when they apply online for benefits and services – they often use knowledge-based verification, comparing applicants’ identifying information against electronic records held by consumer reporting agencies (CRAs) to confirm their identities.
But with the rise of data breaches, such as the 2017 breach of Equifax, a CRA, GAO said that hackers could use the stolen data to answer knowledge-based verification questions and impersonate individuals to access Federal benefits.
Although NIST released technical guidance in 2017 that outlines the technical requirements for remote identity proofing, and the Office of Management and Budget (OMB) drafted identity management guidance based on it, GAO found that NIST’s guidance does not direct agencies on how to implement alternative identity-proofing methods. Furthermore, OMB has not issued guidance that requires agencies to report their progress in implementing NIST’s guidance.
In this report, GAO compared the practices of six agencies – the Centers for Medicare and Medicaid Services (CMS), the General Services Administration (GSA), the IRS, the Social Security Administration (SSA), the United States Postal Service (USPS), and the Department of Veterans Affairs (VA) – that operate major public-facing web applications providing benefits and services against NIST’s remote proofing guidance to assess their effectiveness, and compared NIST’s and OMB’s guidance against the requirements of Federal IT management law.
GAO found that GSA and the IRS have eliminated knowledge-based verification and have begun using alternative methods for remote identity proofing for their Login.gov and Get Transcript services. The VA has also implemented alternative identity proofing methods, but it still relies on knowledge-based verification in some instances.
SSA and USPS reported that they plan to eventually reduce or eliminate knowledge-based verification but have no specific strategy for doing so. GAO also found that CMS has no plans to eliminate knowledge-based verification.
Officials from the agencies that have not adopted, or do not plan to adopt, alternative identity proofing methods said that high costs and implementation challenges for certain citizens have prevented them from moving away from knowledge-based verification. For instance, mobile device verification is not accessible to applicants who do not have mobile devices.
Given its findings, GAO recommended that CMS, SSA, USPS, and VA create plans to strengthen their remote identity proofing processes by discontinuing knowledge-based verification. To support these endeavors, GAO also called upon NIST to create further guidance to help agencies adopt more secure remote identity proofing processes and for OMB to provide guidance requiring Federal agencies to report their progress in adopting secure practices.
“Until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” GAO said, adding that “until NIST provides additional guidance to help agencies move away from knowledge-based verification methods and OMB requires agencies to report on their progress, federal agencies will likely continue to struggle to strengthen their identity proofing processes.”
The Department of Commerce (on behalf of NIST), SSA, USPS, and VA agreed with the recommendations and outlined the steps they plan to take to improve the security of their remote identity proofing processes. OMB did not comment on the recommendations.
The Department of Health and Human Services, on behalf of CMS, disagreed, stating that the available alternatives to knowledge-based verification were not feasible for the citizens CMS serves. GAO nonetheless reaffirmed its recommendation.
“A variety of alternative methods exist, and GAO continues to believe CMS should develop a plan for discontinuing the use of knowledge-based verification,” GAO said.