An online hub for Americans to access benefits and services across the federal government is giving its users a new option to sign on.
The General Services Administration will begin offering facial recognition technology as an option for users of Login.gov, a one-stop sign-in service for government-provided public services, to verify their identities.
GSA's Technology Transformation Services announced Wednesday it will allow Login.gov users to verify their identity online through facial recognition technology that meets the Identity Assurance Level 2 (IAL2) requirements of the National Institute of Standards and Technology's Special Publication 800-63-3.
Login.gov will allow its users to match a "selfie" with the photo on a government ID, such as a driver's license.
GSA said the facial recognition technology used by Login.gov does not rely on "one-to-many facial identification," and does not use these images for any purpose other than verifying a user's identity.
The facial recognition option builds on Login.gov's existing identity verification process, which requires validation of a government-issued ID and a phone number or address.
GSA Administrator Robin Carnahan said in a statement that the facial recognition option is "another milestone in ensuring agencies have a wide variety of strong identity verification options."
"Proving your identity is a critical step in receiving many government benefits and services, and we want to ensure we are making that as easy and secure as possible for members of the public, while protecting against identity theft and fraud," Carnahan said.
GSA began testing a facial recognition option for Login.gov in May.
The agency previewed the rollout of IAL2-compliant facial recognition tools in a blog post last October.
GSA said it's been working with other agencies to "evaluate the effectiveness of the Login.gov product across demographic groups, monitor for algorithmic bias in identity verification, and to evaluate additional pathways to verify identities at the IAL2 level, such as compensating controls."
Login.gov Director Hanna Kim said in a statement that GSA will "continue to uphold our values of equity, privacy, and transparency by incorporating best-in-class technology and learning from academic and user research."
"Login.gov heard from our agency partners with higher-risk use cases that it was important that we offer a version of our strong identity verification service that is IAL2 certified," Kim said. "We're glad that we've been able to do this while ensuring that users continue to have multiple secure pathways to verify their identity, whether that is in-person or remote."
Login.gov users are also able to verify their identity in person at over 18,000 post offices across the country, if they are unable to do so online.
More than 99% of the U.S. population lives within 10 miles of a post office.
Launched in 2017, Login.gov now serves more than 50 federal and state agencies and supports 300 million annual sign-ins.
GSA's rollout of facial recognition technology on Login.gov comes a year after its inspector general's office found that GSA misled agency customers and the Technology Modernization Fund board about meeting NIST's IAL2 standard for remote identity proofing.
The IG report found that, rather than conducting physical or biometric comparisons, such as through facial recognition or fingerprints, as required by NIST, Login.gov was instead using a third party to compare identification cards to information contained in LexisNexis.
"Login.gov has never met the technical requirements for identity proofing and authentication of NIST Special Publication 800-63-3 for Identity Assurance Level 2 (IAL2). At multiple points starting in 2019, Login.gov officials should have notified customer agencies that Login.gov did not comply with IAL2 requirements in SP 800-63-3. However, Login.gov did not notify their customer agencies until Feb. 3, 2022, after a Wired article reported that Login.gov used selfies for verification," the March 2023 report states. "Before then, Login.gov not only portrayed publicly that it was compliant with IAL2 requirements, but also misinformed customer agencies through interagency agreements stating that they met and/or were consistent with the IAL2 requirements."
GSA said it notified its inspector general's office in February 2022 of the misrepresentations and initiated the audit.
Former Federal Acquisition Service Commissioner Sonny Hashmi told reporters last year that the "misrepresentations about Login.gov's compliance with the NIST IAL2 standard, starting in 2018, were completely unacceptable."