The US government’s General Services Administration’s (GSA) facial matching login service is now generally available to the public and other federal agencies, despite its own recent report admitting the tech is far from perfect.
The GSA announced general availability of remote identity verification (RiDV) technology through login.gov, and the service’s availability to other federal government agencies yesterday. According to the agency, the technology behind the offering is “a new independently certified” solution that complies with the National Institute of Standards and Technology’s (NIST) 800-63 identity assurance level 2 (IAL2) standard.
IAL2 identity verification involves using either remote or in-person verification of a person’s identity via biometric data along with some physical element, like an ID photograph, access to a cellphone number, for example.
“This new IAL2-compliant offering adds proven one-to-one facial matching technology that allows Login.gov to confirm that a live selfie taken by a user matches the photo on a photo ID, such as a driver’s license, provided by the user,” the GSA said.
The Administration noted that the system doesn’t use “one-to-many” face matching technology to compare users to others in its database, and doesn’t use the images for any purpose other than verifying a user’s identity.
[…]
In a report issued by the GSA’s Office of the Inspector General in early 2023, the Administration was called out for saying it implemented IAL2-level identity verification as early as 2018, but never actually supporting the requirements to meet the standard.
“GSA knowingly billed customer agencies over $10 million for services, including alleged IAL2 services that did not meet IAL2 standards,” the report claimed.
[…]
Fast forward to October of last year, and the GSA said it was embracing facial recognition tech on login.gov with plans to test it this year – a process it began in April. Since then, however, the GSA has published pre-press findings of a study it conducted of five RiDV technologies, finding that they’re still largely unreliable.
The study anonymized the results of the five products, making it unclear which were included in the final pool or how any particular one performed. Generally, however, the report found that the best-performing product still failed 10 percent of the time, and the worst had a false negative rate of 50 percent, meaning its ability to properly match a selfie to a government ID was no better than chance.
Higher rejection rates for people with darker skin tones were also noted in one product, while another was more accurate for people of AAPI descent, but less accurate for everyone else – hardly the equitability the GSA said it wanted in an RiDV product last year.
[…]
It’s unclear what solution has been deployed for use on login.gov. The only firm we can confirm has been involved though the process is LexisNexis, which previously acknowledged to The Register that it has worked with the GSA on login.gov for some time.
That said, LexisNexis’ CEO for government risk solutions told us recently that he’s not convinced the GSA’s focus on adopting IAL2 RiDV solutions at the expense of other biometric verification methods is the best approach.
“Any time you rely on a single tool, especially in the modern era of generative AI and deep fakes … you are going to have this problem,” Haywood “Woody” Talcove told us during a phone interview last month. “I don’t think NIST has gone far enough with this workflow.”
Talcove told us that facial recognition is “pretty easy to game,” and said he wants a multi-layered approach – one that it looks like GSA has declined to pursue given how quickly it’s rolling out a solution.
“What this study shows is that there’s a level of risk being injected into government agencies completely relying on one tool,” Talcove said. “We’ve gotta go further.”
Along with asking the GSA for more details about its chosen RiDV solution, we also asked for some data about its performance. We didn’t get an answer to that question, either.
