The federal government relies on commercial credit agencies to help verify the identities of people who apply for benefits online—such as asking personal questions from credit files. However, the 2017 Equifax data breach has raised questions about this practice.
The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications.
The Government Accountability Office (GAO) was therefore asked to review federal agencies’ remote identity proofing practices in light of the Equifax breach and the potential for fraud.
Two of the six agencies that GAO reviewed have eliminated knowledge-based verification. Specifically, the General Services Administration (GSA) and the Internal Revenue Service (IRS) recently developed and began using alternative methods for remote identity proofing for their Login.gov and Get Transcript services that do not rely on knowledge-based verification. One agency—the Department of Veterans Affairs (VA)—has implemented alternative methods for part of its identity proofing process but still relies on knowledge-based verification for some individuals. The Social Security Administration (SSA) and the United States Postal Service (USPS) intend to reduce or eliminate their use of knowledge-based verification sometime in the future but do not yet have specific plans for doing so. The Centers for Medicare and Medicaid Services (CMS) has no plans to reduce or eliminate knowledge-based verification for remote identity proofing.
Several officials cited reasons for not adopting alternative methods, including high costs and implementation challenges for certain segments of the public. For example, mobile device verification may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud.
Sound practices in information technology (IT) management state that organizations should provide clear direction on how to implement IT objectives. However, GAO found that NIST’s guidance does not provide direction to agencies on how to successfully implement alternative identity-proofing methods with currently available technologies for all segments of the public. For example, the guidance does not discuss the advantages and limitations of currently available technologies or make recommendations to agencies on which technologies should be adopted. Further, most of the agencies that GAO reviewed reported that they were not able to implement the guidance because of limitations in available technologies for implementing alternative identity proofing methods. NIST officials stated that they believe their guidance is comprehensive, and at the time of the GAO review they did not plan to issue supplemental implementation guidance to assist agencies.
The Federal Information Security Modernization Act of 2014 (FISMA) requires that the Office of Management and Budget (OMB) oversee federal agencies’ information security practices. Although OMB has the authority under this statute to issue guidance, OMB has not issued guidance requiring agencies to report on their progress in implementing NIST’s identity proofing guidance. OMB staff plan to issue guidance on identity management at federal agencies, but their proposed guidance does not require agencies to report on their progress in implementing NIST guidance. Until NIST provides additional guidance to help agencies move away from knowledge-based verification methods and OMB requires agencies to report on their progress, federal agencies will likely continue to struggle to strengthen their identity proofing processes.
GAO is making a total of six recommendations to CMS, NIST, OMB, SSA, USPS, and VA. Specifically:
- The Administrator of the Centers for Medicare and Medicaid Services should develop a plan with time frames and milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques.
- The Director of the National Institute of Standards and Technology should supplement the agency’s 2017 technical guidance with additional guidance to assist federal agencies in determining and implementing alternatives to knowledge-based verification that are most suitable for their applications.
- The Director of the Office of Management and Budget should issue guidance requiring federal agencies to report on their progress in adopting secure identity proofing processes.
- The Commissioner of Social Security should develop a plan with specific milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques.
- The Postmaster General of the United States should complete a plan with time frames and milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques.
- The Secretary of the Department of Veterans Affairs should develop a plan with time frames and milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques.
Commerce agreed with the GAO recommendation. The department stated that it will develop additional guidance to assist federal agencies with alternatives to knowledge-based verification and expects to do so within one year.
SSA agreed with GAO’s recommendation and stated that it will continue to seek improvements in its existing remote identity proofing process. SSA also stated that, in addition to a roadmap it developed in fiscal year 2019 to update its knowledge-based verification process to a more secure multi-factor authentication technology, it will take steps to ensure compliance with NIST standards for remote identity proofing.
USPS concurred with GAO’s recommendation and stated that it will be developing a roadmap to implement additional identity-proofing tools and techniques through 2020.
VA agreed with the sixth recommendation. The department stated that it will develop a specific plan with time frames and milestones to eliminate knowledge-based verification from the aspects of the remote identity proofing process that it controls. Further, in its response, VA requested that GAO direct a recommendation to the Department of Defense (DOD) to discontinue DS Logon and consider using Login.gov instead. However, GAO said it will not issue any recommendations to DOD because the scope of work did not include auditing DOD’s remote identity proofing processes. Nevertheless, GAO has clarified that Login.gov is one option for identity proofing that agencies should consider when developing plans to discontinue the use of knowledge-based verification.
One agency did not concur with GAO’s recommendation. HHS raised several issues related to the findings. The agency stated that it uses a risk-based approach to designing systems controls and that a unilateral prohibition on the use of knowledge-based verification without alternatives is not a feasible solution.