US govt login portal could be one cyberattack away from collapse, say auditors
Login.gov hasn't shown its backup testing policy is working, GAO warns
The US government's Login.gov identity verification system could be one cyberattack, or just a routine IT hiccup, away from serious trouble, say auditors, because it hasn't shown its backup testing policy is actually in use or effective.
The US Government Accountability Office reported Tuesday that Login.gov, which is managed by the federal government's General Services Administration (GSA) procurement branch, has mostly complied with prior recommendations to improve the seven-year-old centralized login service for US citizens. "Mostly" doesn't include any scheme to keep an eye on the state of its data backups, however, which could be disastrous if they had to be pulled out of storage to restore damaged systems.
You know - like what a backup is supposed to be used for.
The report says that Login.gov does back up its data, but "did not fully establish and implement policies and procedures regarding testing those backups." That means, the auditors say, they can't be sure that what's backed up is actually sufficient to restore functionality in case of a catastrophic attack.
"If Login.gov's backup data was not tested to ensure that its integrity was not compromised, then it could result in complete loss of data if a breach were to occur," the GAO wrote in its report.
GAO IT and cybersecurity director Marisol Cruz Cain told The Register in an email that the backup data referred to in the report was related to Login.gov functionality - not the personal data of its users.
"Officials told us that the backups pertained to data that are critical to the availability of Login.gov," Cruz Cain said. "They also stated that if the data were to be lost it would negatively impact Login.gov's core services."
GSA said the lack of full backup testing stemmed from an understaffed security engineering team, which wasn't fully staffed until January 2024. GAO noted that while GSA has since established a policy, it hasn't shown it's been implemented or effective.
"At the conclusion of our review [in June 2025], GSA provided its updated policy for testing Login.gov's backup data," the GAO report stated. "However, it is not yet evident that the policy has been fully implemented or if it is achieving the intended results."
Until GSA actually demonstrates it's done what it said it'd do, "Login.gov officials will have less assurance that they are consistently and effectively ensuring the integrity and availability of its data."
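What "testing the backups" means in practice is a restore drill: pull the archive back into a scratch location and prove, file by file, that what comes out matches what went in. The script below is an added illustration, not code from GAO, GSA or Login.gov, and it knows nothing about Login.gov's real data; the plain-tar format, the hash manifest, the sample files and the two injected faults (a path the backup job skipped, and a flipped byte that tar itself never notices) are all constructed for the example. It implements the two checks the auditors' warning implies: integrity (every restored file hashes to its value at backup time) and completeness (nothing listed is missing, nothing extra appears).

```python
"""Restore drill for a backup set (added example; assumptions noted inline)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """SHA-256 of every file under source_dir, keyed by relative POSIX path."""
    return {
        p.relative_to(source_dir).as_posix(): sha256_bytes(p.read_bytes())
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }


def create_archive(source_dir: Path, archive: Path, skip: tuple = ()) -> None:
    """Uncompressed tar of source_dir. `skip` simulates a backup job whose
    include list does not cover every path (constructed failure mode)."""
    with tarfile.open(archive, "w") as tar:
        for p in sorted(source_dir.rglob("*")):
            rel = p.relative_to(source_dir).as_posix()
            if p.is_file() and rel not in skip:
                tar.add(p, arcname=rel)


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and compare against the manifest.
    Members are written one by one so only regular files under the scratch
    root are created (no symlinks, devices or '..' escapes)."""
    report = {"missing": [], "corrupted": [], "unexpected": [], "unreadable": None}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        restored = {}
        try:
            with tarfile.open(archive, "r") as tar:
                for member in tar:
                    if not member.isfile():
                        continue
                    target = (root / member.name).resolve()
                    if root not in target.parents:
                        report["unexpected"].append(member.name)
                        continue
                    target.parent.mkdir(parents=True, exist_ok=True)
                    target.write_bytes(tar.extractfile(member).read())
                    restored[member.name] = sha256_bytes(target.read_bytes())
        except (tarfile.TarError, OSError) as exc:
            report["unreadable"] = str(exc)
            return report
    for rel, expected in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != expected:
            report["corrupted"].append(rel)
    report["unexpected"].extend(sorted(set(restored) - set(manifest)))
    return report


def drill_passed(report: dict) -> bool:
    """The drill passes only when the archive read cleanly and every list is empty."""
    return report["unreadable"] is None and not any(
        report[k] for k in ("missing", "corrupted", "unexpected"))


def corrupt_archive(archive: Path, marker: bytes) -> None:
    """Flip one byte inside a file's data block (constructed fault injection).
    Plain tar checksums only headers, so the archive still extracts without error."""
    data = bytearray(archive.read_bytes())
    idx = data.find(marker)
    if idx < 0:
        raise ValueError("marker not found in archive")
    data[idx] ^= 0x01
    archive.write_bytes(bytes(data))


def demo() -> dict:
    """Build a sample dataset, back it up three ways, run the drill on each."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "login-service"          # constructed sample data
        (src / "config").mkdir(parents=True)
        (src / "config" / "idp.yaml").write_text("issuer: example-placeholder\n")
        (src / "keys.json").write_text('{"kid": "placeholder-key-id"}\n')
        manifest = build_manifest(src)

        good = Path(work) / "good.tar"
        create_archive(src, good)
        results["good"] = restore_drill(good, manifest)

        partial = Path(work) / "partial.tar"        # job missed a path
        create_archive(src, partial, skip=("keys.json",))
        results["partial"] = restore_drill(partial, manifest)

        bitrot = Path(work) / "bitrot.tar"          # silent data corruption
        create_archive(src, bitrot)
        corrupt_archive(bitrot, b"placeholder-key-id")
        results["bitrot"] = restore_drill(bitrot, manifest)
    return results


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name:8s} {'PASS' if drill_passed(rep) else 'FAIL'} {json.dumps(rep)}")
```

The point of the third case is the one the GAO quote is about: a corrupted archive can extract without a single error, so "the restore job ran" is not evidence of integrity; only a manifest captured at backup time, stored separately from the archive, and compared after a real restore gives that assurance. A policy "established" on paper produces none of these reports; an implemented one produces them on a schedule.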
The recommendation for GSA to get its backup act together is the only one the GAO made in yesterday's report, but it's not the only problem that auditors have identified at Login.gov.
Despite being launched to verify the identities of US citizens accessing digital government services, Login.gov didn't comply with the National Institute of Standards and Technology's IAL2 identity proofing standards until October 2024. That gap forced multiple federal agencies to lean on third-party services, like ID.me and LexisNexis, for higher-assurance identity checks that Login.gov couldn't yet provide.
Between 2020 and 2023, federal agencies spent around $209 million on commercial identity proofing services because Login.gov didn't yet support key capabilities, according to the GAO.
In addition to those problems, the GAO also issued a report in October of last year on what Cruz Cain said were "issues such as cost uncertainty, not having real-time visibility into authentications, high failure rates, and lack of fraud controls, among others" that still contains two unresolved recommendations.
While the aforementioned identity proofing services have been implemented, the GAO said that GSA "has yet to fully address Login.gov's technical challenges and has not yet developed and documented a plan for lessons learned" identified in the October report.
Getting those problems fixed could be a job for some of the 18F staffers who helped develop the platform, but oops - they've all been fired. Hopefully the recently filled security engineering team doesn't get caught up in all those federal government layoffs, too. ®