Proving You’re You: How Federal Agencies Can Improve Online Verification

Posted on October 08, 2019

So much of how we collect and share information in today’s world is done online. We get our news. We do our shopping and banking. We book appointments. And online access has even made it easier for us to apply for benefits and services within the federal government. But just how safe is our information out there in the federal cyber world?

In today’s WatchBlog, we look at our report on federal online verification processes. Read on and listen to our podcast with Nick Marinos, a director in our Information Technology & Cybersecurity team.

Proving Your Identity on Federal Websites

Photo of a Person Working at a Computer

Verifying you are really you

When you apply online for benefits and services, many federal agencies rely on consumer reporting agencies to help verify your identity through a process called knowledge-based verification. This process usually involves answering a series of personal questions derived from information found in your credit files and is largely based on the assumption that only the true owner of the identity would know the answers. If you answer the questions correctly, your identity is considered verified.

For example, the Social Security Administration uses this technique to verify the identities of anyone seeking access to the “My Social Security” online service, which allows users to request a replacement Social Security or Medicare card, check the status of benefit applications, or request various other services.

However, data stolen in recent breaches, such as the 2017 Equifax data breach, has raised new questions about the safety of this practice. The risk is greater now that someone other than you may know the answers to questions about your personal credit history—leaving the door open for possible fraud and identity theft.
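To make the point above concrete, here is a constructed Python risk model (added here; not code from GAO or its report) of an "answer at least k of n questions" knowledge-based verification policy. It compares the pass rate of the true owner, who may forget an answer, with that of an impostor who knows some fraction of the credit-file answers; every parameter value is an assumption chosen for illustration.

```python
"""Toy risk model for the knowledge-based verification (KBV) flow above:
an applicant passes by answering at least `threshold` of `n` questions
drawn from their credit file. Questions are treated as independent (a
simplifying assumption) so that the owner's pass rate can be compared
with that of an impostor holding breached credit-file data.
All numbers here are constructed for illustration, not taken from GAO."""
from math import comb


def pass_probability(n: int, threshold: int, p_correct: float) -> float:
    """P(at least `threshold` of `n` answers correct) when each answer is
    independently known with probability p_correct (binomial tail)."""
    if not 0 <= threshold <= n:
        raise ValueError("threshold must be between 0 and n")
    return sum(comb(n, j) * p_correct**j * (1 - p_correct) ** (n - j)
               for j in range(threshold, n + 1))


def kbv_error_rates(n: int, threshold: int,
                    p_owner_recalls: float, p_impostor_knows: float) -> dict:
    """False-reject rate for the true owner (who may forget an answer) and
    false-accept rate for an impostor under the same pass policy."""
    return {
        "false_reject": 1 - pass_probability(n, threshold, p_owner_recalls),
        "false_accept": pass_probability(n, threshold, p_impostor_knows),
    }


def verify_answers(expected: dict, given: dict, threshold: int) -> bool:
    """The pass/fail decision itself: normalise and count matching answers.
    Note it scores only what the responder knows, so it cannot distinguish
    the owner from anyone who has obtained the same credit-file data."""
    score = sum(1 for q, a in expected.items()
                if given.get(q, "").strip().casefold() == a.strip().casefold())
    return score >= threshold


if __name__ == "__main__":
    # Constructed policy: 5 questions, 4 required; owner recalls 90% of answers.
    policy = dict(n=5, threshold=4, p_owner_recalls=0.9)
    for label, p_known in (("impostor with public data only", 0.2),
                           ("impostor with breached credit file", 0.9)):
        rates = kbv_error_rates(**policy, p_impostor_knows=p_known)
        print(f"{label}: false accept {rates['false_accept']:.3f}, "
              f"owner false reject {rates['false_reject']:.3f}")
```

Once the impostor's knowledge of the credit file matches the owner's recall, the false-accept rate equals the owner's pass rate, which is exactly the failure of the "only the true owner knows" assumption that the post describes.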

How the federal government is responding

This fraud risk prompted the National Institute of Standards and Technology to issue guidance in 2017 that prohibits federal agencies from using such knowledge-based verification processes for sensitive applications. Alternative methods are available that offer stronger security, such as comparing a photo of an ID card captured on a cell phone to documentation on file.

Image Showing Examples of Alternative Identity Verification and Validation Methods that Federal Agencies Have Reported Using

However, these alternative methods can be limited by cost, convenience, and technological maturity. In addition, they may not be viable for everyone to use—for example, not all applicants may have cell phones to allow them to share their photo and verify their identity.

A closer look at federal identity proofing practices

We recently reviewed remote identity proofing practices for 6 agencies—all of which have major public-facing web applications that provide access to benefits or services.

We found that:

  • The Internal Revenue Service and General Services Administration had eliminated knowledge-based verification and begun using alternative methods.
  • Veterans Affairs partially implemented an alternative method, but still relied on knowledge-based verification for some individuals.
  • The Social Security Administration and the U.S. Postal Service intended to reduce or eliminate knowledge-based verification in the future, but didn’t yet have specific plans.
  • The Centers for Medicare and Medicaid Services had no plans to reduce or eliminate knowledge-based verification, citing high costs and challenges with implementing new practices.

Until these agencies take steps to eliminate their use of knowledge-based verification, however, the public that they serve may remain at increased risk of identity fraud. We made 6 recommendations, including that the National Institute of Standards and Technology provide guidance on implementing these alternative methods. The U.S. Postal Service has recently addressed one of our recommendations by implementing a remote identity verification solution for its Informed Delivery service that does not rely on knowledge-based verification.

Check out our report to learn more.


About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.