GSA Kicks Off Login.gov Facial Recognition Pilot

Identity management portal provides secure public access to services.

LISTEN

Your browser doesn’t support HTML5 audio

The General Services Administration is currently testing the use of facial recognition technology to access Login.gov, the platform that allows the public to sign on to participating government agencies’ websites.

In the pilot, a handful of agencies are implementing a commercial solution that has been part of the National Institute of Standards and Technology’s Face Recognition Vendor Test (FRVT) initiative, says former GSA Acting Deputy Associate Administrator Rachel Davis.

GSA says the technology is consistent with the NIST’s Digital Identity Guidelines (Special Publication 800-63-3) and will allow it to securely achieve remote identity verification at Identity Assurance Level 2 (IAL2). This indicates that evidence confirms a particular person physically exists and that the user who is attempting to sign on to the platform is that person.

“Login.gov’s facial matching capability uses a privacy-preserving approach that compares ‘selfies’ exclusively with the user’s photo ID, and does not use the image for any other purpose,” Davis says. “The data involved is protected by ensuring it will never be used for any purpose unrelated to verifying the user’s identity by Login.gov or its vendors.”

Click the banner to read CDW’s white paper on enhancing zero trust for your agency.

 

GSA Looks to Live Validation Technology

A simultaneous, independent third-party IAL2-compliance assessment that’s being conducted by nonprofit service provider Kantara Initiative will be completed later this year, according to GSA.

Eventually, Davis says, agencies would be able to use either the new IAL2-compliant identity verification option; authentication-only capabilities, without identity verification; or the current Login.gov solution, which provides non-IAL2 identity verification.

Given the increased use of remote access, cloud environments and Software as a Service — coupled with the security advantages and ability to forgo using passwords — Geoff Cairns, a principal analyst at Forrester who specializes in security and risk, says he’s not surprised GSA is looking into the technology.

“It’s a unique combination,” Cairns says. “You've got convenience for the end user, in terms of how they access it, but it also provides an enhanced security mechanism for authentication that's resistant to phishing practices and the social engineering attacks that are plaguing basic multifactor authentication these days.”

There's a lot that goes into it, from user education awareness to getting it in a way that can be absorbed both technically and culturally.”
Craig Watson

Image Group Manager, NIST

While technological advancements (such as AI-generated deep fakes) present some possible concerns, aspects of enhanced facial recognition — such as “liveness” detection, which can determine if an image features a real person in front of a camera or a doctored representation — are helping the solutions provide more nuanced confirmation, Cairns says.

“From an identity verification standpoint, taking selfies and matching that against authorized documentation is critical,” he says.

Agencies Recognize that Clarity Is Key

Although smartphones and other devices today often sport high-resolution cameras, photo quality can still pose issues in identity verification, according to Craig Watson, image group manager at NIST.

Watson’s team has conducted research on how facial recognition technology performs across varying demographics of age, race and gender. The team has also worked with law enforcement on capturing portrait-quality initial images, which Watson says can provide the best opportunities for accuracy in investigations.

MORE FROM FEDTECH: Cloud vendors must consider FedRAMP’s identity controls.

“There are challenges with capturing selfies — what the background looks like, the lighting,” he says. “There's work being done to provide better guidance, looking at things like, is the image blurred? Is the person not looking at the camera?”

In addition to software that will process biometric data, agencies that hope to deploy additional facial recognition capabilities may need to invest in endpoint devices, Cairns says, and potentially undertake other efforts.

“It's not just about technology,” he says. “There's a lot that goes into it, from user education awareness to getting it in a way that can be absorbed both technically and culturally. But the more methods you have at your disposal — especially across an evolving technology landscape — the better.”