Feds Jeopardized Security of 1M Americans’ Online Accounts, Citing ‘Equity’

The federal government’s central technology arm jeopardized nearly one million online accounts by rejecting facial recognition technology when it was required for the high-security accounts, then cited “equity” to justify years of lying about its compliance with federal rules, The Daily Wire has learned.

The General Services Administration’s (GSA) technology group was tasked with creating Login.gov, a service that federal agencies would use to create accounts permitting access to government websites detailing personal or sensitive information. The service was required to follow rules set by the National Institute of Standards and Technology (NIST), which included offering a hacker- and impersonator-resistant option for agencies dealing with the most sensitive data; that option must conform to a NIST standard called Identity Assurance Level 2 (IAL2).

GSA earned $187 million off the service after telling a government funding board that its solution met NIST’s exacting standards, and $10 million more from agencies who purchased the highest-security solution from GSA on the basis of its representations.

But GSA knew that its system was anything but compliant with IAL2, because it disregarded one of its most important security features: Using biometrics such as facial recognition, eye scans, or fingerprints to prove those seeking access to sensitive data were who they claimed to be. Officials opted to simply ignore that category because they said facial recognition technology might discriminate based on skin color, the GSA Inspector General found in a new audit.

“Put simply, Login.gov opted to ignore the standards and instead focused on selling Login.gov to customers without regard to NIST requirements,” the IG wrote. The audit said GSA “misled their customer agencies” and “knowingly billed” them for a product they were not receiving.

In response to the IG, GSA acknowledged wrongdoing.

“Given that employees misled customer agencies about Login.gov’s compliance with NIST standards,” the director of Login.gov was reassigned, employee misconduct actions had been opened, and a “top-to-bottom review” of Login.gov had been ordered, officials said.

The audit found that top officials ignored insiders who pointed out that a product whose sole aim was cybersecurity was not actually secure, and that once they were caught, they misled agencies into believing they were withdrawing the webcam security feature because of new policy on “equity.” In reality, it had been out of compliance the whole time, with GSA having tricked agencies into using insecure software for years—sending federal agency officials tasked with online security into a tailspin when they learned the truth.

“As of May 2022, Login.gov had 906,187 users of Login.gov services that GSA purported to be IAL2 but did not comply,” the IG said. “Notwithstanding GSA officials’ assertions that Login.gov met [the] requirements, Login.gov has never included a physical or biometric comparison in production. Login.gov officials informed us that biometric comparison was not included in products offered to customer agencies, initially because the feature required testing before implementation and later because they further delayed it due to equity concerns.”

At multiple points, senior leaders with GSA’s Technology Transformation Services (TTS), the division under the Federal Acquisition Service (FAS) in charge of the project, “learned that Login.gov did not comply with IAL2 requirements. They did not, however, notify customer agencies of the noncompliance. The inability to meet IAL2 NIST standards became the topic of discussions among Login.gov leaders and personnel at least as early as 2019, and included concerns that using individuals’ selfies to verify their identity could impact Login.gov’s rejection rates based on physical traits, such as skin color and tone,” it said.

“GSA misled the Technology Modernization Board in securing funding for Login.gov,” the IG wrote in September 2021.

GSA secured $187 million in federal funding after TTS Director/FAS Deputy Commissioner Vladlen “Dave” Zvenyach, then-GSA Chief Financial Officer Gerard Badorrek, and GSA Chief Information Officer David Shive attested that “Login.gov is currently used in production and complies with NIST’s 800-63-3 standard for strong authentication (AAL2) and identity verification (IAL2).”

Back in 2019, the GSA touted its “selfie” feature in marketing materials, stated in an “Agency Authorization to Operate” that the system “can support user validation at Identity Assurance Level 1 or 2 (IAL1 or IAL2),” and authorized agencies who were required to use IAL2 authentication to use Login.gov, even though a former Login.gov Product Manager told the IG “that the team knew that Login.gov did not comply with NIST 800-63-3 [another name for IAL2] as early as 2018.”

By January 2020, a senior advisor went to the top to sound the alarm about noncompliance, telling then-GSA Assistant Commissioner Dominic Sale and others. Sale “told him that because he was not the Director of Login.gov, it was not the Senior Advisor’s role to pursue the issue,” the IG found. In August 2020, a consultant flagged the same issue for a TTS employee, but the employee did not do anything about it because “he believed that everyone knew that Login.gov was not compliant.”

Zvenyach was put in charge of TTS in January 2021, and his boss, FAS Commissioner Sonny Hashmi, told the IG that “Zvenyach told him clearly that Login.gov met the IAL2 standards, and they were signing interagency agreements that stated they met the standard.”

Yet internal records showed that by June 24, 2021, not only was it not compliant, but Zvenyach had disavowed taking any steps that could get it into compliance. “The position of TTS is that the benefits of liveness/selfie does not outweigh any discriminatory impact, and therefore should not be used as a proofing requirement,” he wrote to staff in a Slack message.

The IG noted that there was no formal “documented justification” of this, “Zvenyach did not notify customer agencies when TTS suspended efforts to implement selfies to meet the NIST biometric comparison requirement,” and GSA “continued to withhold information from customer agencies about Login.gov’s lack of biometric comparison capabilities.”

The jig was up in January 2022, when a federal agency asked point-blank how the login system could possibly be compliant when it didn’t use webcams, fingerprints, or eye scanners. On January 20, 2022, the GSA released an “Equity Action Plan” that it said was required by the Biden administration, and days later, the GSA relied on the new policy to say that it would not meet NIST standards with Login.gov.

“On February 3, 2022, seven months after Zvenyach’s June 2021 internal announcement, GSA finally notified customer agencies that the IAL2 service included in their interagency agreements, for which they were paying, did not comply with NIST requirements,” the IG wrote. It told them with a statement that cited the days-old equity policy and “linked the lack of a biometric comparison feature to equity concerns. It omitted any mention of the duration and nature of Login.gov’s noncompliance with NIST’s IAL2 requirements.”

Federal security officials were shocked that they could no longer count on a secure login. “I reiterate how frustrating this is,” one wrote. “We have been promoting the use of IAL2 solutions pretty heavily,” another wrote. “Having a clear understanding of this is critical.”

“This is quite an issue. … You are now stating that IAL2 is no longer available as of today?” a third wrote. But the truth was worse: contrary to the message that misleadingly blamed a new equity policy, the agencies had unknowingly been out of compliance the whole time.

Agencies who relied on secure logins from GSA told the IG that “Login.gov’s noncompliance with the IAL2 standard created a greater risk of fraud for the customer agency,” “had an impact on the credibility of their program,” and could create liability because “the customer agency would be held responsible for allowing access to individuals at the wrong level.”

The IG said that after learning of TTS’ equity-justified misrepresentations, GSA “reviewed the agreements for other misrepresentations,” and found that its authentication system was also not in compliance.

GSA Deputy Administrator Katy Kale notified the Technology Modernization Board that its proposal made statements “that could be interpreted to say Login.gov’s service meets NIST guidelines.” The IG slammed Kale for attempting to soften it, noting that, “in fact,” GSA had explicitly stated verbatim that it did.

“On August 16, 2022, the GSA Administrator announced Zvenyach’s departure from GSA,” the IG said.

Reporting from The Daily Wire.