Login.gov is a fine authentication service, but cannot deliver the identity assurance level (IAL-2) required to identify people. (It may not be able to deliver AAL-2 authentication soon either as standard evolve.) Uploading a picture of your drivers license is not a meaningful validation of your identity.
The reaction of the Senators here is the equivalent of “I’m shocked to hear there is gambling happening here”. Typical pandering. Literally every drivers license and ID in the country is running through a biometric identity provider run by a contractor to identity duplicate licenses. Many DMVs outsource credential production to a third party.
I don’t think ID.me is the best solution, but it is better than providing a trivially stolen number “what was your AGI last year” that facilitates billions of dollars of fraud annually.
No third party/private solution is appropriate here.
The government that oversees the issuing of these IDs and attests that they are sufficient for government use (Real ID) cannot themselves validate said ID?
Corruption or incompetence are the only paths that lead to outsourcing federal identity verification.
The only IDs issued widely by the US government are military credentials, immigration credentials, and passports. Driver’s licenses are issued by states and other entities. They are also fraught with problems as millions of people do not have REAL IDs, yet need to interact with government.
The problem is that any bartender who has scanned your drivers license has the information required to scam an online validation without some other validation.
If you want good online validation for the public, you need a third party right now. In the future, in some states, you’ll be able to use a mobile drivers license, provided you own a smartphone. Also problematic, as the government has to support everyone. Foreign nationals pay tax. People in nursing homes who cannot appear before a DMV need to pay taxes.
You can yak about corruption and incompetence, but that honestly attests to ignorance on the topic.
You continue to make some good points, but at the end of the day, this is a government function and responsibility, not that of a private company. Login.gov can use the same AWS services in GovCloud as ID.me uses (Rekognition, available since 2017 in GovCloud). With USDS and 18F, it cannot be argued GSA (which Login.gov falls under) doesn’t have the skills available to build this capability.
This is a call to enhance Login.gov’s identity abilities, and US government citizen identity management in general. Login.gov (and perhaps USPS for in person proofing) should be funded to do this, not ID.me. Higher level, this is about building strong public goods and defending them.
USPS is already the agent for a national id program in all but name — passports and passport cards, which are much better than DMV issues credentials in many ways.
As another poster mentioned, the problem is that both progressive and conservative constituencies are strongly against meaningful national identity for different reasons, some of which are insane.
It’s a policy problem that won’t be solved in our lifetime. Our best bet long term is for states to issue mobile credentials, but even that is problematic because it will disenfranchise people.
> You continue to make some good points, but at the end of the day, this is a government function and responsibility, not that of a private company.
I 100% agree. Problem is, the federal government (and the state governments and to a large extent big chunks of the citizenry) are fundamentally opposed to the issuance of a non-passport general citizen's ID and/or number. Those opposed to it don't have any good solution to "how to protect information the government keeps about you" either, so it's no good asking them.
Devising an actual public system for identity verification when you're being told the government cannot identify people is ... challenging.
> Problem is, the federal government (and the state governments and to a large extent big chunks of the citizenry) are fundamentally opposed to the issuance of a non-passport general citizen's ID and/or number.
I wonder if this mightn't change with states increasingly requiring voter ID.
After all, it'd be pretty dumb to on one hand mandate that every voter have government-issued ID, and on the other to oppose it.
The bulk of those who are pushing for more voter ID are from the most political alliance most vocal about both (a) insisting the voting is a state matter (b) federal government issuing ID is not OK.
> You continue to make some good points, but at the end of the day, this is a government function and responsibility, not that of a private company.
Private companies have been part of the government discharging its responsibilities since first days of the Republic. You'd probably be shocked when you learn who does credit monitoring after government servers get hacked, by the way.
By your logic the government couldn't use cloud computing (run by a private company), couldn't use computer hardware even if they wanted to run a private cloud (hardware is built by private companies).
> If you want good online validation for the public, you need a third party right now.
In all reality, this is fine. I have no particular problem with using facial recognition, but I want it regulated and I want recourse.
Fine, outsource it to ID.me. But the terms of service better be a page, maximum, and include the ability for me to appeal a decision that says I am not who I say I am and to use other forms of validation that may be slower or more procedural (such as presenting myself to a Post Office). I want no binding arbitration clause in the agreement, and if that means the Federal government has to indemnify ID.me, then so be it. I want it in the TOS that the data ID.me uses for this will be segregated and kept for a very limited time and that I have the right to review and correct it.
Use the third party for what they are good for but enforce suitable rights for the rest. This is doable, it just wasn't fully done here.
ID.me does have the ability to appeal the decision by hopping on a video call to complete the registration. They also do have the ability to close your account and through that delete all your data.
> If you want good online validation for the public, you need a third party right now.
I should not under any circumstances need to enter into a direct agreement with a private entity like id.me in order to access public services. The government might reasonably subcontract out some of the work, but public services need public accountability. The government service itself needs to be the direct counterparty to the public.
The government issues HSPD-12's, of which CAC/military PIV cards qualify as. In theory both federal staff and contractors need an HSPD-12 compliant ID/"smart credential" to access facilities and networks.
Just wanted to point out that there are lots and lots of federal IDs that are not military, immigration, or passports.
Real ID validates that you are the person you are at the time of issuance, but does not guarantee that the possessor of the ID is that person. This stems from the fact that an ID is "something you have". Like any secure system, you should use multifactor authentication. The facial scan is "something you are", so the combination of ID and scan provides that. One might also use "something you know", such as your adjusted gross income (AGI) that the IRS used before.
I think the difficulty is that the (federal) government can't currently do anything except the "something you know" part. It can't use "something you have" (because too many people are opposed to federal government issued ID), and "something you are" appears beyond the scope of the federal govt to implement (correctly) at this time.
Every IRS, Social Security, DHS/CBP, and USPS branch are locations where they could proof your identity in person. It is simply a matter of will to implement the policy and enable the software features for government employees to perform the function.
I would also propose finding ways to drastically reduce the cost of issuing smart passport cards, and slowly transforming that into a national ID over time as the electorate composition changes. Your passport number eventually becomes your national ID number.
The government cannot build a competent identity solution because a majority of voters believe that to do so presages something from genocide ("Papiere, bitte!") to the literal end of the world (“Mark of the Beast”).
We are still in the same universe where the OPM breach happened, right?
Like no, I don't trust the government to protect the big bucket of PII on everyone in digital form. Not because of lizard people but because the government can barely keep it's own sites secure. Giving them more dangerous data in the form of bulk PII is the wrong move.
Login.gov was the first thing, in a long time, that was well executed. I need to see more things like that to restore my faith. ID.me is the wrong direction.
The IRS already has almost all our PII. Not sure how adding a photo materially changes anything in that regard.
I do agree ID.me is the wrong approach. And login.gov should be used in some form over a private enterprise. But, my concern is two-fold… it’s a private entity that I don’t really want to do business with. And the process described by Krebs was impossible - can we really expect everybody to have email, valid phone (what if they aren’t the account owner for the phone), photo ID, and whatever else was required?
My father doesn't have any sort of web-connected camera, which caused a whole set of problems with his unemployment that I can't remember how they got fixed.
On a similar note, I don't have a lot of documents tied to my name, so I had nothing that they wanted when my photo verification didn't work for whatever reason. Pretty sure I just never solved that one and left the last couple weeks I would have gotten unemployment on the table.
The IRS has our PII, but lots of it is not in a big bucket, it's quite diffuse. If PII is dynamite (and it is) then we want it divided up in silos, with firewalls, and limited access where nobody has universal access. Ideally a lot of it is protected by differential privacy - if I am getting audited, the auditor only see's my returns and not my identity, and someone else gets only my identity.
GSA has really upped the game over the past 10 years for digital services delivery. Such as Login.gov. Look for other places 18F/USDS are involved, and you'll see significant improvements.
With a remotely sane identity system, knowing someone’s identifiers and basic biographical facts would not help you to impersonate them. PII has the sensitivity that it does in today’s world only because we abuse knowledge of PII as a poor man’s authentication mechanism.
login.gov meets IAL2 since it NIST SP 800-63-3 "allows for remote or in-person identity proofing" (800-63A page 8). Likewise, TOTP is explicitly mentioned as an allowed multi-factor OTP authenticator (800-63B pages 20-21). I'm not aware of changes in SP 800-63-4 that would affect login.gov's current implementation, but it's been a minute since I last read the -4 draft and could be wrong.
Login.gov permits me if the IRS could do identity proofing.
The IRS can't do identity proofing (hence the need for ID.me, which is implementing "remote or in-person identity proofing"), and login.gov doesn't do it for the agency. Login.gov can only record whether the identity was created at IAL-1 or IAL-2.
Use of login.gov is orthogonal to the question of ID.me.
Login.gov is a fine authentication service, but cannot deliver the identity assurance level (IAL-2) required to identify people. (It may not be able to deliver AAL-2 authentication soon either as standard evolve.) Uploading a picture of your drivers license is not a meaningful validation of your identity.
The reaction of the Senators here is the equivalent of “I’m shocked to hear there is gambling happening here”. Typical pandering. Literally every drivers license and ID in the country is running through a biometric identity provider run by a contractor to identity duplicate licenses. Many DMVs outsource credential production to a third party.
I don’t think ID.me is the best solution, but it is better than providing a trivially stolen number “what was your AGI last year” that facilitates billions of dollars of fraud annually.