Login.gov moving ahead

On its final full day, the Obama administration moved ahead with a project to establish a single login for access to federal government online services.

The Login.gov project, run by the General Services Administration's 18F innovation group, is envisioned as a "shared authentication platform" that gives individuals personal accounts for accessing government services and allows agencies the option of using the authentication platform as a shared service, rather than building or contracting for their own sign-on technology.

GSA published a revised systems of records notice for the Login.gov system on Jan. 19. The agency is accepting comments on the plan through Feb. 21 before the notice takes effect and the system can go live if the developers are ready.

Login.gov represents the culmination of efforts across federal agencies throughout the Obama administration. An effort called the National Strategy for Trusted Identities in Cyberspace -- now dubbed the Trusted Identities Group -- gave grants to researchers and companies looking to develop secure, user-friendly ways to authenticate individual web users. As of the end of FY2016, the effort, housed at the National Institute of Standards and Technology, involved more than 170 organizations and led to the development of 14 solutions.

The Login.gov user accounts will have two levels of security, depending on the government service being accessed. The first authentication level uses an email address, password and a phone number. The higher level includes full name, address, date of birth and Social Security number.

The system will leverage multiple private-sector services to confirm user identities based on this data. For instance, the effort could leverage the work of the FIDO Alliance (for Fast IDentity Online), which has brought together a wide range of firms from the financial, online services, hardware, software and security sectors to collaborate on open standards for identity proofing.

If any third-party ID system can't verify a user by matching name, address and Social Security number info, Login.gov can request more user data. The records notice specifies that any of the additional data, perhaps in the form of authentication questions and responses, will not be saved by Login.gov "after the user logs off."

Data in the system is encrypted, and the records notice specifies that "neither the system nor the system operators" can access the name/address/SSN data on a user account "without the user supplying a password or recovery code."

The effort to scale up secure access to government services figured into the report of the Commission on Enhancing National Cybersecurity, which called for the next administration to "require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication."

That report called for secure online access to services related to taxes, immigration, border entry and exit, Social Security accounts, passports and health care programs administered by the Centers for Medicare and Medicaid Services. This is an ambitious call. The IRS and the Social Security Administration in particular have been bedeviled by problems involving both the usability and the misuse of public-facing systems that require authentication.

"The Commission believes strongly that if government requires strong authentication, the private sector will be more likely to do the same," the report stated.