The US government's General Services Administration's (GSA) facial matching login service is now generally available to the public and other federal agencies, despite its own recent report admitting the tech is far from perfect.
The GSA announced general availability of remote identity verification (RiDV) technology through login.gov, and the service's availability to other federal government agencies yesterday. According to the agency, the technology behind the offering is "a new independently certified" solution that complies with the National Institute of Standards and Technology's (NIST) 800-63 identity assurance level 2 (IAL2) standard.
IAL2 identity verification involves using either remote or in-person verification of a person's identity via biometric data along with some physical element, like an ID photograph, access to a cellphone number, for example.
"This new IAL2-compliant offering adds proven one-to-one facial matching technology that allows Login.gov to confirm that a live selfie taken by a user matches the photo on a photo ID, such as a driver's license, provided by the user," the GSA said.
The Administration noted that the system doesn't use "one-to-many" face matching technology to compare users to others in its database, and doesn't use the images for any purpose other than verifying a user's identity.
"Proving your identity is a critical step in receiving many government benefits and services, and we want to ensure we are making that as easy and secure as possible for members of the public, while protecting against identity theft and fraud," GSA Administrator Robin Carnahan said of the news.
"Login.gov's new IAL2-compliant product offering is another milestone in ensuring agencies have a wide variety of strong identity verification options," Carnahan added.
The GSA told The Register that, with the certification, government agencies are now free to adopt its offering, but that it won't be instant across the government.
"Each agency opts in to the Login.gov solution that they deem appropriate for their use case and risk profile," the GSA told us.
Remote identity frustration
The GSA's relationship with RiDV and facial recognition technology hasn't always been so cozy.
In a report issued by the GSA's Office of the Inspector General in early 2023, the Administration was called out for saying it implemented IAL2-level identity verification as early as 2018, but never actually supporting the requirements to meet the standard.
"GSA knowingly billed customer agencies over $10 million for services, including alleged IAL2 services that did not meet IAL2 standards," the report claimed.
At the time, the GSA said it didn't intend to deploy facial recognition tech until it was able to be "implemented equitably and without causing disproportionate harm to vulnerable populations."
We're told the GSA has since implemented all of the OIG's recommendations.
Fast forward to October of last year, and the GSA said it was embracing facial recognition tech on login.gov with plans to test it this year - a process it began in April. Since then, however, the GSA has published pre-press findings of a study it conducted of five RiDV technologies, finding that they're still largely unreliable.
- Cops love facial recognition, and withholding info on its use from the courts
- Facial recognition tech has outpaced US law – and don't expect the Feds to catch up
- Face Off: IRS kills plan to verify taxpayers with facial recognition database
- Can I phone a friend? How cops circumvent face recognition bans
The study anonymized the results of the five products, making it unclear which were included in the final pool or how any particular one performed. Generally, however, the report found that the best-performing product still failed 10 percent of the time, and the worst had a false negative rate of 50 percent, meaning its ability to properly match a selfie to a government ID was no better than chance.
Higher rejection rates for people with darker skin tones were also noted in one product, while another was more accurate for people of AAPI descent, but less accurate for everyone else - hardly the equitability the GSA said it wanted in an RiDV product last year.
When asked, we were reminded by the GSA that those study results were just preliminary, and not in any way related to yesterday's general availability announcement for RiDV on login.gov.
“Login.gov made the decision to move forward with facial matching because it is important to offer an IAL2-compliant identity verification service to agency partners, and because the state of facial matching technology has improved considerably over time," login.gov director Hanna Kim told us in an email. Kim added that GSA only went forward with adoption once it had established an in-person identity verification alternative at post offices.
"[The] study has informed our key investment areas, including vendor diversification and data monitoring/analytics," Kim informed us. "Ensuring general availability of an alternative identity verification pathway... bolstering our data monitoring and evaluation capabilities, and diversifying our vendor base [are all] steps the login.gov team is taking that are informed by equity study learnings.”
We're told that the study wasn't performed by the login.gov team, and didn't utilize its technology infrastructure. The GSA declined to answer questions about what solution it has adopted.
What's the rush?
It's unclear what solution has been deployed for use on login.gov. The only firm we can confirm has been involved though the process is LexisNexis, which previously acknowledged to The Register that it has worked with the GSA on login.gov for some time.
That said, LexisNexis' CEO for government risk solutions told us recently that he's not convinced the GSA's focus on adopting IAL2 RiDV solutions at the expense of other biometric verification methods is the best approach.
"Any time you rely on a single tool, especially in the modern era of generative AI and deep fakes … you are going to have this problem," Haywood "Woody" Talcove told us during a phone interview last month. "I don't think NIST has gone far enough with this workflow."
Talcove told us that facial recognition is "pretty easy to game," and said he wants a multi-layered approach - one that it looks like GSA has declined to pursue given how quickly it's rolling out a solution.
"What this study shows is that there's a level of risk being injected into government agencies completely relying on one tool," Talcove said. "We've gotta go further."
Along with asking the GSA for more details about its chosen RiDV solution, we also asked for some data about its performance. We didn't get an answer to that question, either. ®