The General Services Administration (GSA) plans to deploy anti-fraud and identity verification measures to Login.gov – which provides single sign-on services for numerous government websites and applications – to prevent account takeovers.
The planned anti-fraud measures will provide a secure sign-in service to authenticate and identity-proof users before granting access to participating government websites or applications.
“To protect the public and the integrity of the system, Login.gov needs to detect and prevent fraud while providing redress to users who were unable to complete identity verification,” GSA stated in a Nov. 21 notice posted on the Federal Register.
The third-party identity-proofing service will gather input about a user’s device when they access their Login.gov account – including browser type, internet protocol address, and usage patterns.
For accounts for which Login.gov is authenticating the user, the system will collect and maintain email addresses, passwords, and phone numbers. For accounts that require a verified identity, the system will collect and maintain photographs of government-issued IDs, Social Security numbers, and phone numbers or postal addresses.
It will also provide risk scores for the device, including the name, address, and additional identity information previously associated with that device, according to the notice.
The system will send information back to Login.gov about its attempt to identity-proof the user, including transaction ID, pass or fail indicator, date and time of the transaction, and status codes associated with the transaction data.
In addition, each partner agency that utilizes Login.gov for user services may add its own unique identifier to that user’s account information.
GSA did not elaborate on processes that may be used for those deemed risky by the fraud prevention system. The agency also has not offered additional information on when the new services will launch or how many contractors are working on them, but did say in the notice that Login.gov will continue to evolve as needed.
GSA also plans to modify the categories of records in the system and the policies and practices for retrieval and routine records use, and to remove outdated references to National Institute of Standards and Technology (NIST) technical standards.
“[This] prevents potential misalignment between Federal guidance and this system of record notice,” the notice says.
Specifically, GSA will remove references to Level of Assurance because that is an outdated NIST technical standard. Instead, the agency will use plain language to describe the system’s authentication and identity-proofing process.
The agency will also use records to increase coverage and access to authentication and identity-proofing services to the public, and use the records to support fraud prevention operations to preserve the integrity of the authentication and identity-proofing system.
GSA is accepting comments on the system of records modification through Dec. 21.
The agency’s proposed deployment of the anti-fraud tools marks one of its biggest announced developments since Dan Lopez took over as director of Login.gov in September. The service is in the process of putting to work $187 million in funding it received last year from the Technology Modernization Fund (TMF), with the aim of expanding adoption across more Federal agencies.
Current Login.gov users include the Office of Personnel Management’s USAJOBS site, the Department of Homeland Security’s TSA PreCheck program, and the Small Business Administration’s business loans and disaster assistance functions.