 
  
May 4, 2023
Login.gov: Administration and Identity Authentication
In recent years, Congress and the executive branch have worked to digitize and streamline processes where members of the public interact with the federal government. In 2015, Congress required the General Services Administration (GSA) to develop and implement a single sign-on trusted identity platform for individuals accessing public agency websites (6 U.S.C. §1523(b)(1)(D)). As a result, GSA partnered with the United States Digital Services, a component of the White House Office of Management and Budget (OMB), to create Login.gov.

In an August 22, 2017, announcement, GSA described Login.gov as “a single sign-on solution for government websites that will enable citizens to access public services across agencies with the same username and password.” Further, Login.gov aims to allow users to “securely sign in to participating government websites and securely verify their identity.” Login.gov provides shared authentication and identity verification services for multiple federal organizations and is subject to implementation guidance from OMB and the National Institute of Standards and Technology (NIST). At the end of FY2022, GSA reported that Login.gov had 41 million active users.

However, questions remain regarding the ability of Login.gov to support shared services across agencies and state and local governments, the security of Login.gov’s identity authentication, and oversight of GSA’s implementation of the program. The following provides an overview of the management and funding mechanisms behind Login.gov, information on OMB and NIST requirements on conducting identity proofing and digital authentication, and information on Login.gov’s adoption by federal and intergovernmental programs.

Management and Funding of Login.gov

GSA’s Technology Transformation Services (TTS), a component of the Federal Acquisition Service (FAS), manages Login.gov. An overarching goal of FAS is to use the federal government’s purchasing power to decrease duplication across agencies. TTS focuses on how agencies procure, use, and share information technology. The operations for TTS are funded via appropriations, reimbursable work, the Acquisition Services Fund (authorized by 40 U.S.C. §321), and agency contributions to the Federal Citizen Services Fund (authorized by 40 U.S.C. §323).

Login.gov as a Shared Service

Login.gov operates as a shared service, which is a business function that is provided for consumption by multiple organizations within or between federal agencies. GSA states that the goal of shared services is to promote standardization, reduce costs, and increase customer satisfaction. OMB Memorandum M-16-11, Improving Administrative Functions Through Shared Services, created a shared services governance model for executive branch agencies and made GSA’s Office of Unified Shared Services Management responsible for providing implementation direction and guidance to shared service providers.

In the case of Login.gov, GSA executed 22 interagency agreements (IAAs) between 2018 and 2021, whereby GSA provides authentication services and agencies reimburse GSA for the services rendered. IAAs provide the terms, conditions, funding, and billing information under which GSA provides Login.gov services to other federal agencies.

Technology Modernization Fund (TMF)

In addition to GSA funding and agency reimbursements, Login.gov has also received over $187 million from the Technology Modernization Fund (TMF). The TMF awards federal agencies funds for IT modernization projects. Agencies submit project proposals for the TMF board to review and consider for funding. The board has used TMF funding in the American Rescue Plan Act of 2021 (P.L. 117-2) to prioritize modernizing high priority systems, cybersecurity, public-facing digital services, and cross-government collaboration services.

Identity Proofing and Digital Authentication

For Login.gov, OMB Memorandum M-19-17, Enabling Mission Delivery through Improved Identity, Credential, and Access requires agencies to comply with NIST guidance on identity proofing and digital authentication protocols. Further, Memorandum M-19-17 directs agencies to share proofing confirmations across agencies in order to reduce public burden for having to resubmit identity data. Guidance on these topics is contained in NIST Special Publication SP 800-63-3, Digital Identity Guidelines. NIST explains, “Identity proofing establishes that a subject is who they claim to be. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity” (NIST SP 800-63-3, p. iv).

NIST guidance requires agencies to select the appropriate levels of identity proofing and digital authentication based on risks to the individual of unauthorized disclosure of their information. GSA, in providing Login.gov, offers agencies a product that conforms to certain NIST digital identity components. These components include an Identity Assurance Level (IAL), referring to the identity proofing process, and an Authenticator Assurance Level (AAL), referring to the authentication process.

The three different IALs and AALs have different documentation and verification requirements and therefore present different levels of individual risk and security. Login.gov initially presented partners with the option of authentication at the AAL1 or AAL2 levels and identity proofing at the IAL1 or IAL2 levels. However, a March 2023 report by the GSA inspector general (IG) disputed Login.gov’s ability to provide IAL2 identity proofing, and this option has since been removed.

Understanding IALs and AALs 1 and 2
NIST SP 800-63-3, Executive Summary and Section 5.2

Identity Assurance Level (IAL) conveys the degree of confidence that the applicant’s claimed identity is their real identity.

• IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the authentication process are considered self-asserted.
• IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically present identity proofing.

Authenticator Assurance Level (AAL) refers to the robustness of the authentication process itself and the binding between an authenticator and a specific individual’s identifier.

• AAL1: Provides some assurance that the claimant controls an authenticator registered to the subscriber and requires single-factor or multi-factor authentication.
• AAL2: Provides high confidence that the claimant controls authenticator(s) registered to the subscriber. Proof of possession and control of two different authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at this level.

At the end of FY2022, GSA reported that it had three identity vendors and government data source providers to conduct identity verifications. GSA has also launched a partnership with the U.S. Postal Service that allows some users to begin the verification process online at Login.gov and complete it in person at post offices.

Federal Agency Use of Login.gov

Examples of agencies using Login.gov include the Office of Personnel Management (USAJOBS.gov and Retirement Services Online) and the Department of Homeland Security (Trusted Traveler Programs, including TSA PreCheck, Global Entry, and SENTRI). GSA also uses Login.gov for accounts created through SAM.gov, eSRS.gov, FSRS.gov, and FPDS.gov, all of which feed into federal financial information and reporting systems.

The Internal Revenue Service (IRS) announced in February 2022 that it would transition away from ID.me, a private sector identity verification company, and begin to explore using Login.gov. While the IRS did not deploy Login.gov for filings for the 2022 tax year, it does offer Login.gov and ID.me as options for accessing certain IRS services online.

Use by State, Local, and Territorial Governments

In 2021, GSA announced that it would make its Login.gov services available to state, local, and territory governments when related to federal programs. Such services are governed by Section 302 of the Intergovernmental Cooperation Act (ICA; P.L. 90-577). Under the ICA and related OMB Circular No. A-97 guidance, a federal agency may provide technical services to these other governments if it provides similar services for its own use, it is especially equipped and authorized to perform such services, and the requesting government cannot “reasonably or expeditiously” procure such services through ordinary business channels. In September 2022, the news website FCW reported that the Arkansas Division of Workforce Services is piloting using Login.gov to verify the identities of applicants for the unemployment insurance program using grant funding from the Department of Labor.

Issues for Congress

Login.gov recently came under scrutiny in a March 7, 2023, GSA IG report and as the subject of a March 29, 2023, House Committee on Oversight and Accountability hearing. Congress may continue to consider the role and ability of the federal government to provide identity authentication more broadly.

The GSA IG report noted challenges to obtaining and properly using biometric information to comply with the more stringent requirements of higher IALs. In addition to considering the ability of federal agencies to manage in-person verification processes, Congress might assess the appropriateness of government collection of the information versus agencies partnering with private entities, such as ID.me, to supply such a service.

Congress might examine whether NIST guidelines can be uniformly enforced across agencies while also keeping pace with technology updates and public expectations of privacy and security. While NIST issues criteria for identity authentication processes, legislators may explore how agencies enforce their implementation and if their ability to monitor their progress is adequate.

For example, the GSA IG report found that despite Login.gov not meeting the NIST criteria for IAL2, GSA continued to advertise and bill for IAL2 services. Relatedly, as NIST continues to revise SP 800-63, as it most recently did in April 2023, this may affect the ability of agencies to conform to the guidance. Policymakers could consider the ability of agencies to balance administrative consistency with the need to incorporate newer technologies and techniques for identity authentication.

Regarding implementation of Login.gov, Congress may examine the ability of the service to perform adequately for agencies with large numbers of public users. For example, during a May 3, 2022, Senate Appropriations Committee hearing, the IRS commissioner testified that Login.gov could not provide the transaction processing speed the IRS needs.

Dominick A. Fiorentino, Analyst in Government Organization and Management
Natalie R. Ortiz, Analyst in Government Organization and Management
Meghan M. Stuessy, Analyst in Government Organization and Management

Disclaimer This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to 
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. 
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has 
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the 
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be 
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include 
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you 
wish to copy or otherwise use copyrighted material. 
 
https://crsreports.congress.gov | IF12395 · VERSION 1 · NEW