US government's Login.gov turns frown upside down, now smiles on facial recognition
Authentication portal to match snaps on existing IDs with user-provided snaps
The US General Services Administration (GSA) plans to support facial recognition through its Login.gov authentication service, after declining to do so last year.
"Today, GSA is announcing that it will offer new pathways to identity verification beginning next year that will align with the National Institute of Standards and Technology’s (NIST’s) 800-63-3 IAL2 guidelines," the agency advised in a Wednesday post.
"These features will provide virtual and in-person ways for people to verify their identities and securely access vital government benefits and services using convenient, cutting-edge technology, while ensuring their data remains safe."
According to NIST's SP 800-63 Digital Identity Guidelines, IAL2 means: "Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing."
The regulations support the use of biometric data, such as facial recognition, fingerprints, and iris scans, as a part of multi-factor authentication, in conjunction with a physical authenticator – like a phone, hardware key, or ID card. Government agencies have the option of choosing which approved identity verification method they wish to use to authenticate users of online services.
The Register understands that the GSA contemplates supporting one-to-one matching between a government-stored image captured to prepare a photo ID and a self-submitted picture. This is a lesser level of authentication than IAL3, which requires the person to be physically present and having an authorized party confirming claimed identity characteristics.
Login.gov, used by 70 million people since 2017 to access US government services, will also support in-person identity verification at a participating local post office, and remote verification without a facial image match on live video chats.
Last year, the US Internal Revenue Service abandoned plans to adopt facial recognition to identify taxpayers, after pushback from lawmakers and advocacy groups.
At the time, Dave Zvenyach, who was then Director of Technology Transformation Services at the GSA, told The Register that while the Login.gov team was looking into facial recognition and reviewing equity and accessibility studies.
"GSA has made the decision for now not to use facial recognition, liveness detection, or any other emerging technology in connection with government benefits and services until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations," he said in July 2022.
Whatever qualms the GSA may have had appear to have been resolved as a matter of practical necessity, if not scientific satisfaction. NIST's guidelines allow the technology and Login.gov needs to support it to be compliant. The decision about whether to use facial recognition has been left to government agencies, which may or may not have a use for it.
- UK tribunal agrees with Clearview AI – Brit data regulator has no jurisdiction
- Chinese citizens feel their government is doing such a fine job with surveillance
- Yes, Singapore immigration plans to scan your face instead of your passport
- Airport chaos as eGates down for the count across UK
When NIST looked at facial recognition in 2019, it found [PDF] the accuracy of facial recognition algorithms varied widely.
"Our main result is that false positive differentials are much larger than those related to false negatives and exist broadly, across many, but not all, algorithms tested, NIST said in its report. "Across demographics, false positives rates often vary by factors of 10 to beyond 100 times."
People from West and East Africa, and East Asia had the highest false positive rate, while people from East Europe had the lowest, according to the study. Accuracy rates depended on the dataset and model training – the report cited algorithms in China that did better on people from Asia and worse on those from elsewhere. The report also cites higher false positive rates for women, children, and the elderly, which supports the GSA's concern about equality – some people are more likely to be misidentified by facial recognition systems than others.
NIST in 2021 evaluated [PDF] the US Customs and Border Protection agency’s Traveler Verification Service (TVS), which matches live photographs of travellers taken at checkpoints to stored images and provides a match or no match result. The latter sees travellers undergo further vetting.
Error rates varied across the 29 systems tested but were generally around 0.5 percent, easily good enough to meet the 97 percent [PDF] accuracy required under 8 U.S.C. 1187(c).
Last month, the Government Accountability Office (GAO) told the Department of Homeland Security that its Homeland Advanced Recognition Technology (HART) system, a replacement for the legacy Automated Biometric Identification System (IDENT), fell short in terms of privacy disclosures and cost management. ®