Industry, Congress have eye on Login.gov and the public, private sector role in digital identity

Two tech industry groups are pushing the federal government to take a “technology-neutral approach” to digital identity in a recent letter to top White House leaders.

The Software Alliance — also known as BSA — and the Enterprise Cloud Coalition asked top White House actors to “reaffirm” a commitment to “technology neutrality” for digital identity in a Feb. 3 letter shared with FCW to Chris Inglis, the national cyber director who just announced his retirement; Anne Neuberger, deputy national security advisor for cyber and emerging tech; and Eugene Sperling, American Rescue Plan coordinator. 

The proposal is potentially at odds with the General Services Administration’s plan to have its Login.gov platform be the primary secure sign-on system in government.

The letter also follows language in the explanatory statement from Congress for the latest appropriations omnibus directing the General Services Administration to pursue a “government-wide policy that leverages … multiple credential service providers.”

Those developments come as the government continues to grapple with digital identity, or how to verify individuals online, in the context of continued fallout from fraud during the pandemic, much of which occurred via identity theft.

At stake for industry vendors is both the extent to which government agencies are encouraged to look to the market for identity solutions as well as the extent to which GSA itself goes to industry to power Login.gov.Industry “can't come out and say no, because they all see this as a chance for them to make money working with Login.gov, but … they also want to sell their own identity proofing products to the federal government and the to state and local [governments], so it’s a weird, delicate dance,” a former administration official who has worked on identity issues in multiple agencies told FCW. The individual asked not to be named as they were not authorized to speak to press in their current role.

“This letter reflects BSA's view that the U.S. government should continue to support an open marketplace for digital identity solutions,” Henry Young, director of the alliance, told FCW via email. “The U.S. government should not select either a specific solution developed by industry or one the government develops itself because it inhibits innovative approaches to cybersecurity.”

Login.gov does use “over a dozen private-sector tools and services,” according to GSA’s 2022 budget request, including LexisNexis capabilities for identity verification and fraud prevention. 

But GSA has chosen to build its own customer identity and access management functions – a category including things like single sign-on and customer registration – for Login.gov instead of buying them from vendors, said Jeremy Grant, former senior executive advisor for identity management at NIST and current coordinator of Better Identity Coalition.

The industry letter comes soon after Congress also signaled its interest in Login.gov and identity policy in the government funding package for fiscal 2023 passed in December. 

Lawmakers included a note in the joint explanatory statement for the law directing GSA “to promote government-wide policy that leverages portable identity and multiple credential service providers” independently certified against National Institute of Standards and Technology guidelines for “the highest possible pass rates, fraud prevention and cost reduction.”

Credential service providers are the entities, like Login.gov and vendor ID.me, that issue and maintain identity credentials that people use to access online services.

Stakeholders are also waiting for an executive order on digital identity promised by the White House as part of the 2022 State of the Union address. The White House told FCW in December that it still plans on issuing the order, which will focus on identity theft in public benefit programs, although it has yet to release it.

The order is expected to have policies on Login.gov, potentially even compelling agencies to use it, although the details of the order are still being finalized, according to recent reporting from FedScoop.

That move would align with Login.gov’s standing goal to be "the public's one account for accessing government services online.”

Use of the service has exceeded GSA’s goals – currently 322 government applications are integrated with Login.gov, well over the goal for 250, according to agency documents – but it still doesn’t meet the lowest threshold of government standards for digital identity proofing. The National Institute of Standards and Technology is updating those standards now, but the current situation has been a pain point for GSA’s attempts to woo some agencies to the service.

Still, some industry groups are calling for the White House to support a “tech neutral” approach, something defined in a 2011 government memo as a policy of choosing tech in a “case-by-case” and “merit-based” manner.

“This is a very public fight that's being fought rather anonymously,” the former official told FCW.

ID.me’s counsel for government affairs, Jon VanderPlas, told FCW that the company “is pleased to see Congress include this government-wide directive” and that “we have long advocated for providing Americans with login options and an equal playing field, where providers are held to the same standards and compete around the clock to be the users' choice.”

The company’s 2022 lobbying report lists the fiscal 2023 appropriations bill as a lobbying issue.

Nevertheless, the respective role of vendors and government in identity isn’t universally agreed upon.

Sen. Ron Wyden (D-Ore.), Senate Finance Committee chair, was a vocal critic of ID.me after it came into the limelight last year over criticisms of IRS plans to require identity verification via facial recognition through the company to access online tax accounts, concerns over media reports of long wait times for the service and worries about biases in facial recognition technology.

In a 2022 letter to the IRS, Wyden pointed to a section of the fiscal 2016 appropriations law requiring agencies to use “a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication” as developed by GSA, writing in his letter that digital identity infrastructure should be run by the government.

“I continue to believe a government-operated universal verification system like Login.gov is the most user-friendly and efficient way to secure Americans' digital identities,” Wyden told FCW in a statement. “Securely verifying digital identity requires a significant amount of private information that the government already has. There’s no reason for Americans to send that data to a private company as well.”

Rep. Bill Foster (D-Ill.) also said recently that he plans to reintroduce a bill meant to push the government to take a more active role in digital identity with things like opt-in identity validation services. 

The White House and GSA declined to comment for this story.