Making Login.gov even more secure
The General Services Administration already provides an authentication service that provides citizens with government-provided digital identities. Login.gov resolves different data attributes including name, Social Security number and date of birth before issuing a username/password. Now it wants to be able to tie a user to an address of record by validating government-issued IDs as part of its remote identity proofing process.
In an Aug. 24 request for information, GSA’s Technology Transformation Services said it is researching a vendor service that would collect documentary evidence of identity that users submit to Login.gov – such as a state ID, driver’s license, passport, trusted traveler document -- and return a real-time verification from the data and the results of the comparison. Based on the response, GSA will determine whether the documentary evidence meets its requirements as evidence of the individual’s identity.
GSA wants the ID confirmation to meet standards for strong authentication set out in the National Institute of Standards and Technology’s Digital Identity Guidelines, 800-63-3A. Contractors must be able to confirm whether a submitted record containing government-issued IDs from states as well as U.S. passports and passport cards, for example, meets those guidelines by inspecting the document for quality and evidence of fraud. The solution would then return a calculated risk score and flag and describe discrepancies via an application programming interface.
GSA also wants vendors to be able to confirm that a record does not meet the 800-63-3A standards by using birth, marriage or death certificates, a court order, or other documentary evidence and confirm that the security features of the ID are as expected.
Because data input will vary, solution must work poor-quality images that may result in poor quality capture, and it must categorize the input as a true positive, false positive, true negative or false negative.
Machine learning should be leveraged to spot fraudulent activity trends and help improve the software’s integrity and boost pass rates. To protect privacy images and information sent to the service from GSA must not be retained.
Responses are due Sept. 7. Read the RFI here.
Connect with the GCN staff on Twitter @GCNtech.