Login.gov Debuts In-Person Identity Verification at Post Offices Alongside New Facial Recognition System
October 19, 2023
The General Services Administration (GSA) announced today that it will debut three options for individuals to verify their identity to access online services across the federal government. The agency is building on last month’s announcement that all Cabinet-level agencies have started using the single-sign-on service. Currently, a person can create a single account with Login.gov to use at various federal agencies, and certain agencies require that the service collect additional information to verify their identity, like a driver’s license, home address, or other personal information. Under the new scheme, individuals will have three more options: an in-person identity check at any U.S. Postal Service location, an online identity verification done by a real person over a video chat, or a 1:1 facial recognition comparison against a driver’s license.
The GSA was criticized earlier this year for offering Login.gov to federal agencies at the NIST-benchmarked IAL2 level of security without complying with NIST’s standard that currently requires facial recognition or another biometric verification step. IAL2 is the confidence level for identity verification that is considered appropriate for most public-facing federal benefits systems. EPIC and the ACLU recently urged NIST to modify the IAL2 standard so that the Institute isn’t forcing government agencies to implement large-scale biometric monitoring, particularly as biometrics prove vulnerable to deepfakes and data breaches.
EPIC is broadly opposed to the expansion of facial recognition technology, though we recognize that the 1:1 matching against a verified document used here is more reliable and, when done properly, can present fewer privacy concerns than 1:many searches used to identify someone through a service like Clearview AI. Still, GSA’s partnership with the Postal Service to offer in-person identity verification is a substantial step forward, addressing underserved populations who may lack the technical savvy or internet connection to effectively verify their identities online. This same setup could be a crucial building block in a privacy-preserving and accessible digital identity system in the U.S.
But the devil is in the details. The announcement doesn’t specify whether federal agencies will be required to accept all of Login.gov’s verification options, or if an agency could choose to only accept the facial recognition path. And it’s important that this system actually work to build legitimacy for Login.gov. EPIC will closely monitor the rollout of these features to ensure that the GSA takes the most privacy-protective route possible.