Decades ago, governments designed paper forms that required in-person interviews to collect needed information and process applications for medical, food, unemployment assistance, or other services. While our expectations for online transactions have evolved as private companies offer slick websites, government digital services are slow to catch up. For example, while Europeans scanned QR codes to prove their COVID-free or vaccination status, most Americans pulled out paper-based vaccine cards containing hand-written information. Fraud, loss, and confusion were common occurrences.
And yet logging in and, in some cases, proving who you are has become a critical part of government service delivery. Many Americans felt this acutely as they tried to apply for assistance during the COVID-19 pandemic. Reports of applicants getting stuck in various digital queues and processes were rampant when people needed the help most.
Part of the problem is that government provides a wide array of services, and the application processes are as different as the services provided. Paying for your state park pass is (and certainly should be) different than applying for Medicaid benefits. For agencies that administer public benefits, successfully providing access to applications and enrollment processes remotely involves balancing multiple, potentially conflicting priorities around privacy, fraud prevention, and accessibility to ensure equitable outcomes. In addition, the technologies used to secure online transactions and interactions in recent decades such as password-based authentication and knowledge-based verification (KBV) are not infallible. For instance, KBV, which typically presents a user with a series of questions based on their credit history or other sources to confirm their identity, has been compromised due to sophisticated web scraping technologies, data breaches, identity theft, and targeted attacks. Knowledge-based verification questions may also create obstacles for people with limited credit history, as well as immigrant parents applying for services on behalf of their children.
In response to evolving threats and risks, new technologies have been rolled out in recent years. Many of these rollouts happened without proper evaluation of the technologies’ potential for discrimination, surveillance, and barriers to entry for government services. It is clear that a combination of actions is needed to address equity and ethics considerations. However, the rapid rate of change requires a nimble response that sets guard rails and has potential for evolution, without restricting specific technologies.
Digital Identity Standards
The National Institute of Standards and Technology (NIST) issues digital identity guidelines for authentication and identity proofing for users interacting with federal technology systems, including the public, employees, and contractors. In the standards, NIST provides requirements for federal systems, which influence industry solutions and provide a common way to assess the functionalities of different public and private digital identity solutions. Third parties, such as the non-profit Kantara Initiative, also use NIST’s guidelines to evaluate capabilities of identity solutions. State, local, tribal, and territorial governments are not required to follow the NIST guidelines, but the guidelines can offer technical and legal expertise that may not be available elsewhere. Indeed, many private sector companies also rely on the NIST guidelines given the lack of a comparable set of standards focused on private sector applications.
NIST guidelines define the technical requirements for:
- Identity proofing, or establishing that someone is a specific person
- Authentication, or determining the validity of the means used to claim an identity
- Federation, which allows identity information to be shared across systems, for example, going through an identity proofing process once, and then being able to use that identity and authentication to access multiple services.
Additionally, the guidelines note that identity proofing should not be required for all online transactions, nor should it be used as a method to determine suitability or entitlement to access a benefit or service.
Core to the NIST digital identity guidelines is providing a framework for assurance levels broken out by identity (IAL), authentication (AAL), and federation (FAL). Each level can be tuned up or down depending on the service and potential risk factors. Levels can also be adjusted to support privacy-enhancing techniques and to ensure that the minimal amount of personal information is collected or shared. The levels allow for componentized technology, so that solutions can be used in conjunction with one another, rather than all in one monolithic solution.
NIST last published an update to its digital identity guidelines in 2017. The organization ran a public pre-draft call for comment in 2020, and conducted research on real-world implementation, risks, and industry advancement. The digital identity guidelines have entered a draft review and comment period, with feedback due by March 24, 2023. In the new draft guidelines, NIST has sought to advance equity by assessing risks and harms to communities. The new guidelines also offer optionality and choice for consumers, including multiple ways to verify identity. Additionally, they outline paths to deter fraud and advanced threats through updated threat models to account for automated attacks against enrollment systems and address lessons learned from implementation. There are many other notable updates to the guidelines, and we’ve captured a few of them below.
For example, the draft guidelines include a framework for conducting an initial impact assessment, which includes impacts to organizations and individuals. Additionally, the guidelines include a new identity assurance level (IAL0) for situations where an individual does not need to be identity proofed to access an account or transaction, and also open a question about what types of evidence and technologies could be used for fully remote identity proofing at IAL2 without using facial recognition. To address further usability and equity considerations, the guidelines recommend greater optionality by allowing for multiple types of identity evidence. This evidence includes using multiple data verification sources and multiple methods for verifying identity including trained workers – known as trusted referees – who can assist in the proofing process, in-person and remote opportunities, and additional assistance, such as allowing applicant references to verify on a user’s behalf. Additionally, if biometrics such as fingerprints, iris structures, or facial features are used, the guidelines provide requirements for their use, including documentation related to the collection, storage, use, and removal of biometric data.
As part of the draft review, NIST has asked for feedback on several challenging, forward-looking questions. These include:
- Integrating new types of digital identity evidence (e.g., mobile driver’s licenses) into existing identity proofing assurance levels
- Whether the new draft guidance fully addresses potential equity concerns
- The impacts, benefits, and risks of specifying requirements for a credential service provider to establish and maintain fraud detection, response, and notification capabilities. (In this context, a credential service provider describes a “trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers.”)
- How to integrate equity, privacy, and usability impacts into the selection of assurance levels and digital identity risk management model.
Following the comment period, NIST will review public communications and input and decide on next steps. This includes deciding if the draft is close to its final, published form or is still in need of significant revisions. In both cases NIST will publish an updated schedule.
Congress also responded to the need for national identity solutions and oversight. Proposed legislation such as the Improving Digital Identity Act, first introduced in 2020, has received bipartisan support. The Act would increase federal involvement in identity verification in the private and public sectors. The bill was marked up by both the House Oversight Committee and the Senate Homeland Security and Governmental Affairs Committee (HSGAC) in 2022, but fell just short of becoming law before the 117th Congress ended. In January of 2023, Rep. Bill Foster (D-Ill.) indicated that he intended to reintroduce the bill in this session. Senator Kyrsten Sinema introduced the bill to the Senate on March 21, 2023, and on March 29, HSGAC advanced the bill out of committee.
If passed, the recently introduced version of the bill would create a Digital Identity Task Force to “establish and coordinate a government-wide effort to develop secure methods for Federal, State, local, Tribal, and territorial agencies to improve access and enhance security between physical and digital identity credentials, particularly by promoting the development of digital versions of existing physical identity credentials, including driver's licenses, e-Passports, social security credentials, and birth certificates.” That work is framed as a path to protect individuals' privacy and security, promote reliable, interoperable digital identity verification in the public and private sectors, while reducing identity theft, promoting trusted transactions, and ensuring equitable access to identity verification. The bill also highlights NIST’s role in developing and updating standards for federal, state, and local governments to use in digital identity verification. The legislation tasks GAO with submitting a report to Congress estimating the potential savings to the government as a result of increased adoption and widespread use of digital identification. That report would consider savings to the Federal government from averted fraud – as well as to the broader U.S. economy from averted identity theft. Groups such as the Better Identity Coalition, the U.S. Chamber of Commerce, the ID Theft Resource Center, and the Electronic Transactions Association, have urged Congress to act on previous versions of this bill.
In early March of 2023, the Senate and House reintroduced the Facial Recognition and Biometric Technology Moratorium Act. The bill is focused on curbing the use of these technologies in law enforcement surveillance, but could have wider implications for government service delivery. The draft legislation places prohibitions on the use of facial recognition and biometric identification by federal agencies, in federal grants, and in judicial proceedings. It provides a private right of action for individuals whose information is used in violation, and also provides a pathway allowing states and localities to enact laws regarding the use of facial recognition and biometric technologies.
The draft bill defines two categories of automated or semi-automated processes used to infer information such as location, association, activities, or emotion of an individual:
- Facial recognition, which captures and utilizes characteristics of their face or body; and
- Biometrics, which captures and utilizes an individual’s gait or voice, and in the case of this bill, precludes finger and palm prints.
The draft bill has received strong support and endorsements from civil liberties groups, though to date, it has not advanced through any committee of jurisdiction.
Addressing Identity Theft and Combating Fraud
Recent actions around identity in the executive and legislative branches have been focused on unemployment insurance and pandemic assistance. However, it is likely that those actions will also have an impact on other benefit programs and areas of service delivery as technology systems are overhauled and new solutions deployed.
While pandemic assistance supported millions of families during a crisis, it also exposed additional vulnerabilities in benefits delivery technology and infrastructure. Only recently has the full extent of funds stolen come to light. Over $888 billion in aid was distributed, and the U.S. Department of Labor Office of the Inspector General recently published a report stating that more than 21%, or $191 billion, of it was distributed as improper payments, with a significant portion as fraud. Every state was inundated with valid claims along with fraudulent activity. Many states implemented new authentication and identity proofing technologies to reduce the risk of lost funds. An ongoing investigation that includes potential safeguards for the future continues across multiple areas of the government.
One example comes from the 2021 American Rescue Plan Act, which includes $2 billion for the modernization of unemployment insurance. The DOL created the Office of Unemployment Insurance Modernization, which works with state and federal partners to help prevent fraud, support equitable access, and ensure timely payments to beneficiaries. One focus for this work has been facilitating more effective identity verification. Solutions include user experience pilots, investing in the use of Login.gov, in-person identity proofing at U.S. Postal Service locations, and access to the Integrity Data Hub, which allows for cross-state and other data matching to help prevent fraud.
Originally announced in the 2022 State of the Union – and mentioned again in the 2023 State of the Union – President Biden committed to an executive order to address the issues of fraud and identity theft in public benefit programs. In early March 2023, the White House released a fact sheet for a proposed $1.6 billion legislative investment in further investigations and prosecution of those committing systemic fraud, enhancing fraud prevention and identity theft protection, and supporting victims of identity theft.
In July 2022, the Joint Financial Management Improvement Program, a project between GAO, OMB, the Office of Personnel Management, and the Department of the Treasury, published a report offering guidance to federal agencies. It includes best practices for implementing identity verification to prevent fraud while mitigating disparate impacts and bias. Alongside this report, the JFMIP also released an ID Verification Controls simulator which allows users to model program performance for a hypothetical government program, based on different identity verification decisions.
Another document, the Biden Administration’s National Cybersecurity Strategy, released March 1, 2023, outlines the administration’s approach to improving cybersecurity as a whole. The plan aims to foster collaboration around five key pillars – defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in the future, and forging international partnerships to pursue shared goals. The section, investing in a resilient future for cybersecurity, identifies the development of a digital identity ecosystem as a strategic objective. The document points to the lack of “secure, privacy-preserving, consent-based digital identity solutions” as an enabler of fraudulent activity inside and outside government programs, and links the issue to identity theft.
While the document does not provide a detailed roadmap for facilitating a digital identity ecosystem, it lists various priorities including strengthening security of digital credentials, providing attribute and credential validation services, and developing digital identity platforms that promote transparency and measurement. The document also lists the administration’s stated goals for its digital identity policies and technologies including protecting and enhancing individual privacy, civil rights, and civil liberties, preventing unintended consequences, bias, and potential abuse, and enabling vendor choice and voluntary use for individuals.
Meanwhile, the House Government Accountability and Oversight Committee and the House Ways and Means Committee held hearings in February 2022 to examine the full extent of COVID-19 relief money fraud. Gene Dodaro, comptroller of the GAO, explained in his testimony to both committees that outdated computer systems – along with an unprecedented volume of claims – contributed to the fraud and breakdown of the UI system at the state level. That same month, the House Ways and Means Committee held a mark-up for a bill, H.R. 1163, that would rescind unexpired funding appropriated in 2021 in the American Rescue Plan Act to modernize the UI system. The bill, the Protecting Taxpayers and Victims of Unemployment Fraud Act, would incentivize states to recover UI funds lost to fraud. In a letter, the DOL outlined the consequences the bill would have on the agency’s current efforts to modernize the UI system. These consequences include potential disruptions to DOL’s ongoing work to prevent fraud and upgrade the unemployment system, such as the continuation of Tiger Team deployments, rollout of new identity verification tools, and fraud prevention grants.
Technology Demonstrations, Pilots, and Rollouts
Multiple federal agencies are exploring new digital identity technologies, including mobile driver’s licenses (mDLs) and face recognition. The REAL ID Modernization Act of 2020 allowed electronic and mobile driver's licenses to be REAL ID compliant. The Transportation Security Administration (TSA) defines mobile driver’s licenses as a type of digital ID, which digitally represents “information contained on a state-issued physical driver’s license, stored on a mobile electronic device, such as a smartphone, and read electronically.” Through the Next Generation Identity: Mobile Driver’s License project, the Department of Homeland Security Science and Technology Directorate (DHS S&T) Biometric and Identity Technology Center (BI-TC), TSA, and NIST are working with states, standards-developing organizations, and technology developers to facilitate the creation and acceptance of mDL standards and technology. In early 2022, TSA also began testing acceptance of certain digital IDs, including mDLs from participating states at select TSA PreCheck checkpoints. (For information on the status of individual states’ mDL implementations, see AAMVA.)
On March 15, 2023, NIST publicly announced a project to study and evaluate international standards on mobile driver’s licenses: ISO/IEC 18013-5, which focuses on uses of mDLs in attended use cases, and ISO/IEC 18013-7, which is currently under development and focused on use of mDLs in online, unattended use cases. NIST is requesting feedback on the project description in March 2023, and will invite various stakeholders including issuing authorities, digital identity solutions providers, verifiers, and third-party trust service providers that implement these standards to participate in project demonstrations and prototypes in the coming months. Comments on the project description are due by March 31, 2023.
While mobile driver’s licenses may facilitate in-person identity checks and support digital identity proofing processes, civil liberties organizations such as the ACLU have expressed concern around use of mDLs. The organization points to potential risks related to surveillance and privacy. The ACLU recommends a series of safeguards that may mitigate those risks, stating that “a digital identity system could prove just and worthwhile, if it is done right,” though the report remains skeptical.
At the same time, federal agencies are already employing or testing facial recognition technologies in a variety of situations and use cases. U.S. Customs and Border Protection (CBP), for instance, uses facial biometrics for entry and exit processes at border checkpoints including entry processes at all airports in the U.S. as part of their “Simplified Arrival” program. CBP states in its FAQs on biometrics that U.S. citizens are not required to have their photos taken when entering/exiting the country. The 2017 publication, “Face Scans at Airport Departure Gates” from the Center on Privacy and Technology at Georgetown Law provides additional context on the establishment of the biometric entry/exit program while also questioning the authority of the program to collect biometrics from U.S. citizens. A Government Accountability Office (GAO) report in 2022 found that CBP had “not consistently provided travelers with information about [facial recognition technology] locations” and that its “privacy signage provided limited information on how travelers could request to opt out of FRT screening and were not always posted.” CBP has also faced criticism for its use of facial recognition technology in the CBP One app, which some groups of asylum seekers use to schedule appointments and submit required information to the U.S. government.
The CBP isn’t the only DHS agency using biometric technology. The TSA explains it is evaluating the use of biometrics and is testing facial identification for TSA PreCheck travelers at select airports. In February 2023, Senators Merkley, Markey, Booker, Warren, and Sanders sent a letter to the TSA requesting further information about the agency’s use of facial recognition technology at U.S. airports, including details about a passenger’s ability to opt out and how that personal data will be handled.
The DHS BI-TC has also hosted Biometric Technology Rallies to test new and emerging biometric technologies since 2018. The 2022 rally focused on evaluating how well biometric acquisition systems and face biometric matching algorithms could identify small groups of individuals who had opted in, without processing individuals who had not opted in. The demonstration results concluded that many of the included systems were effective at excluding bystanders who had not opted in. Nine of the results met the 95% identification threshold for all skin tones, while 26 achieved that metric for medium skin tones, suggesting the potential for demographic differentials. (DHS does not release names of industry participants publicly, but does release aliased results). The 2023 rally will focus on Remote Identity Validation Technology. The demonstration project will be split into multiple tracks, beginning with a demonstration of identity document validation solutions, followed by demonstrations for solutions that match a “selfie” photo to an identity document, and finally, a demonstration of tools that can assess “liveness” of a photo.
Historically, some facial recognition technologies have been less effective at appropriately identifying faces of Black, Asian, and Native American individuals. This disparity is well documented by a NIST study as well as independent academic research. Even as the technology may become less biased, though, the use of facial recognition tools raises other important questions. As the Center for Democracy and Technology has explained, the use of biometrics may offer convenience for various kinds of interactions, including verifying identities, establishing unique identifiers, and verifying electronic visits, but it also presents challenging issues around privacy, equity, and data security. Although most of the activities we have highlighted in this document focus on different face recognition uses, biometric data can capture any physical or behavioral characteristic of a person such as fingerprints, palm prints, iris images, and DNA. How these other types of data are stored and exchanged has important implications for privacy and civil liberties, too. NIST is currently working on an update to its standard, “Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information” to define biometrics shared across systems and jurisdictions.
As part of our continued work on digital identity, the Digital Benefits Network and the Beeck Center will closely monitor efforts to create additional standards for identity verification, management, and authentication, which could have major implications for online access to government services including public benefits.
You can find more resources about digital identity on the Digital Benefits Hub.
Agencies or individuals interested in our research on digital identity can subscribe to the DBN and follow updates. If you would like to discuss our research further, or are interested in sharing your own experiences administering identification and authentication processes in a benefits program, we encourage you to reach out to us at email@example.com.