GSA readies single sign-on platform
- By Adam Mazmanian
- Jan 20, 2017
The General Services Administration is moving ahead with its Login.gov project that creates a single sign-on platform for access to federal government services.
The "shared authentication platform" gives individuals personal accounts for accessing government services from participating agencies and gives those agencies the option of using the authentication platform as a shared service, rather than building or contracting for their own sign-on technology.
GSA published a revised systems of records notice for the Login.gov system on Jan. 19. The agency is accepting comments on the plan through Feb. 21 before the notice takes effect and the system can go live.
Run by GSA’s 18F innovation group, Login.gov represents the culmination of efforts across federal agencies throughout the Obama administration. An effort called the National Strategy for Trusted Identities in Cyberspace -- now dubbed the Trusted Identities Group -- gave grants to researchers and companies looking to develop secure, user-friendly ways to authenticate individual web users. As of the end of FY2016, the effort, housed at the National Institute of Standards and Technology, involved more than 170 organizations and led to the development of 14 solutions.
The Login.gov user accounts will have two levels of security, depending on the government service being accessed. The first authentication level uses an email address, password and a phone number. The higher level includes full name, address, date of birth and Social Security number.
The system will leverage multiple private-sector services to confirm user identities based on this data. For instance, the effort could leverage the work of the FIDO Alliance (for Fast IDentity Online), which has brought together a wide range of firms from the financial, online services, hardware, software and security sectors to collaborate on open standards for identity proofing.
If any third-party ID system can't verify a user by matching name, address and Social Security number info, Login.gov can request more user data. The records notice specifies that any of the additional data, perhaps in the form of authentication questions and responses, will not be saved by Login.gov "after the user logs off."
Data in the system is encrypted, and the records notice specifies that "neither the system nor the system operators" can access the name/address/SSN data on a user account "without the user supplying a password or recovery code."
The effort to scale up secure access to government services figured into the report of the Commission on Enhancing National Cybersecurity, which called for the next administration to "require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication."
That report called for secure online access to services related to taxes, immigration, border entry and exit, Social Security accounts, passports and health care programs administered by the Centers for Medicare and Medicaid Services. This is an ambitious call. The IRS and the Social Security Administration in particular have been bedeviled by problems involving both the usability and the misuse of public-facing systems that require authentication.
"The Commission believes strongly that if government requires strong authentication, the private sector will be more likely to do the same," the report stated.
This article was first posted to FCW, a sister site to GCN.
Adam Mazmanian is executive editor of FCW.
Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.