How the VA’s adoption of Login.gov is going

The Department of Veterans Affairs has made progress implementing Login.gov as an identity proofing and sign-on tool for patients and beneficiaries, although the work of migrating existing users from its legacy systems and offering more accessible options for identity proofing and multi-factor authentication is still to come.

The effort has financial backing from the Technology Modernization Fund, which awarded the project around $10.5 million in April.

Login.gov, a shared service fielded by f the General Services Administration, started out as a sign-on service for agencies, and has since expanded to offer identity proofing capabilities. The service is the recipient of its own $187 million TMF award.

So far, several thousand VA users have already moved to Login.gov. The department added Login.gov to VA.gov, the department's main landing page for veterans, in March, John Rahaghi, digital services expert at the VA, told FCW. It's currently offered on many, but not all, VA online services and platforms. 

Currently, the VA is still offering two legacy options and ID.me, an identity verification company thrust into the spotlight earlier this year after the IRS received criticism for using the company's facial recognition features. The VA does not use facial recognition with ID.me, said Rahaghi.

Eventually, the VA's will sunset the legacy credentialing options, although they will still be available in the short term. 

"Having Login.gov as that modern secure government credential is a big step because it allows the VA… not have to rely on or maintain the other government credentials that are not as easy to use or as secure as Login.gov," Rahaghi said. "This is the government providing a service that is on par with anything you could find in the commercial sector or better."

The agency doesn't have any plans currently to move away from ID.me, said Rahaghi, but how many options the department wants to offer "is something that we are looking at, and we're again continually evaluating what is going to make the most sense for us as we move forward."

Now, the VA will be using TMF funding to address three specific challenges with migrating to Login.gov. So far, the VA hasn't spent any of that funding, according to Rahaghi.

The first TMF project is moving users that have already been identity proofed through a legacy option called My HealtheVet, a personal health record service at the VA, to Login.gov.

There are around 200,000 people eligible to be moved, and the VA is hoping to pilot an effort at the end of the year to ask if those people want to be moved to Login.gov, said Rahaghi, who pointed out that the process will benefit the Login.gov team in addition to these individuals by giving them new, already-proofed users. 

The VA is also standing up an in-person identity proofing option through the network of VA facilities, something that will be helpful for people who struggle to go through the identity proofing process online because of a lack of connectivity or existing digital credentials.

"They could go into a VA facility, work with a My HealtheVet coordinator and then walk out with an identity proofed Login.gov account that they could then use when they're at home," said Rahaghi.

The third project is focused on multi-factor authentication, specifically a pilot with security keys that could be used by people that might otherwise struggle with multi-factor authentication. 

In terms of what the VA's move to Login.gov means for the Login.gov service itself, GSA is already aiming to scale adoption of the service. But some agencies have said that the fact that the service doesn't currently offer digital identity proofing at a certain level, identity assurance level 2, as laid out by guidelines from the National Institute of Standards and Technology has been a blocker for adopting the service. 

Rahaghi previously worked in the U.S. Digital Service as the privacy and security product owner for Login.gov for about one year before and one after the service's launch. He said that the identity assurance level standard offered by Login.gov was "absolutely a consideration" at the VA. 

"We are always looking, as we know the Login team is and really every agency, trying to figure out how to balance the right usability, security, compliance, privacy, fraud mitigation, accessibility - there's a lot of factors," said Rahaghi.

"We need to meet users where they are, so even if the latest and greatest so-to-speak identity proofing technology is in place, that doesn't mean we're going to be able to adopt it at VA right out of the gate," he continued. "We have to consider what user base we have and what users are going to be challenged with… We always want to maintain the highest level of compliance of course, we just have to have a pathway ourselves to get there. So that's how we've been approaching it."

Rahaghi said that the tightrope of balancing accessibility with security comes up "often" at the VA, pointing to the implementation of multi-factor authentication, something mandated by the cybersecurity executive order issued last year.

The VA is implementing multi-factor authentication, but "we still don't have all of our users adopting multi-factor yet because we know that that would lock them out of their accounts," he said. "We need to make sure that we maintain accessibility for our users to their products and services that they depend on."