GSA’s Login.gov not ready for authentication volume IRS needs
The U.S. tax deadline is rapidly approaching, arriving on April 18, 2023, for most Americans, and as of today you can still log in to your online Internal Revenue Service (IRS) account in one of two ways. Login.gov is not one of them.
The first and suggested way is through third-party identity verification vendor ID.me, and the second way is using an existing IRS account. But according to the warning in red at the top of the webpage, “This sign-in option won’t work after this filing season.”
The IRS previously announced that it was adopting the GSA’s Login.gov, which is used by other agencies such as USAJobs, Trusted Travel Program and U.S. Small Business Administration, to authenticate citizens for access to taxpayer accounts. The IRS and GSA planned to launch Login.gov during this tax season, but now they are reportedly delaying the deployment due to concerns about heavy web traffic, the status of which you can monitor here.
This delay in implementation comes only three weeks after the Office of Inspector General published a 28-page report titled GSA Misled Customers on Login.gov’s Compliance with Digital Identity Standards (March 7, 2023 JE3-003). It concluded, “Our evaluation found GSA misled their customer agencies when GSA failed to communicate Login.gov’s known noncompliance with the National Institute of Standards and Technology (NIST) SP 800-63-3, Digital Identity Guidelines.”
GSA officials had previously asserted that Login.gov met conformance criteria for Identity Assurance Level 2 (IAL2) for remote identity proofing, which includes a provision whereby automated technologies and services (e.g., biometric liveness detection, identity evidence verification and validation, and presentation attack detection, if applicable) ensure the requirements for IAL2 identity proofing are met and protect against spoofing attacks. This process also provides the capability for the identity proofing process to be completed in a single session.
The OIG report states, “Login.gov has never included a physical or biometric comparison for its customer agencies. Further, GSA continued to mislead customer agencies even after GSA suspended efforts to meet SP 800-63-3. GSA knowingly billed IAL2 customer agencies over $10 million for services, including alleged IAL2 services that did not meet IAL2 standards. Furthermore, GSA used misleading language to secure additional funds for Login.gov. Finally, GSA lacked adequate controls over the Login.gov program and allowed it to operate under a hands-off culture.”
According to the GSA’s Fiscal Year 2023 Annual Performance Plan, the Login.gov program was awarded $187 million from the Technology Modernization Fund (TMF) American Rescue Plan (ARP) appropriation and requested an additional $24.2 million to meet its obligations. To date, the GSA reports that there are approximately 38 million registered users and 221 agency applications using Login.gov, and it has set a performance target of 41 million registered users and 350 applications for FY2023.
It is clear the GSA performance targets for 2023 will not be achieved through adoption by the IRS or taxpayers, but it is unclear how many of the 38 million registered Americans were inaccurately proofed before the Office of Inspector General’s report uncovered misconduct by the GSA.