GSA sets road map for authentication gateway

In about a year’s time, a citizen or government user will sign on just once at the FirstGov portal to conduct many types of online transactions with different agencies.

The E-Authentication Gateway at FirstGov took shape this month in a General Services Administration request for information. The RFI calls for vendor responses by Aug. 8, a working prototype in October and a production system by September of next year.

Jeanette Thornton, the Office of Management and Budget’s portfolio manager for the project, said policy guidance for agencies will be available by the fall.

The authentication gateway initially will serve only OMB’s 24 e-government initiatives, but the RFI specifies a scalable, “technology-agnostic” infrastructure adaptable to e-government processes of any agency that wants to participate. The interface must be the same for all processes.

The gateway must be capable of validating many types of authentication credentials—not merely government-issued certificates—and of distinguishing the trust levels required by agencies’ various applications.

GSA itself will maintain an authorization system for the various sets of agency rules, but it will contract with one or more service providers to build and maintain the gateway.

No personal data

The RFI said the gateway must “be able to communicate via the many disparate protocols required by commercial and legacy validation responders and services.” To safeguard privacy, the gateway itself will not collect any personal information.

Each participating agency must establish administrative, technical and physical protections for the personal information gathered by its applications, and it must tell individuals in writing how such information is used. It must also manage all the permissions and access controls for its own systems.

A user who tries to conduct transactions without having a credential will be directed to a third-party provider.

Credentials can include permanent passwords, one-time passwords, personal identification numbers, X.509 Version 3 digital certificates and smart cards. Once the gateway has accepted a credential, the user does not have to re-authenticate to move on to other applications at the same assurance level.

The gateway will grant four types of admission:
  • An anonymous ticket, like a movie ticket

  • A pass, similar to an airline ticket, containing the user’s full credential

  • A partial pass that the agency application can use to request more information before doing business with the user

  • A voucher, or database index, to obtain even more information about the user.

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • Workforce
    Avril Haines testifies SSCI Jan. 19, 2021

    Haines looks to restore IC workforce morale

    If confirmed, Avril Haines says that one of her top priorities as the Director of National Intelligence will be "institutional" issues, like renewing public trust in the intelligence community and improving workforce morale.

  • Defense
    laptop cloud concept (Andrey Suslov/

    Telework, BYOD and DEOS

    Telework made the idea of bringing your own device a top priority as the Defense Information Systems Agency begins transitioning to a permanent version of the commercial virtual remote environment.

Stay Connected