From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Proving Your Identity on Federal Websites

Description: We talk about how federal agencies prove your identity when you use their online services, and what could be done to keep your information more secure.

Related GAO Work: GAO-19-288: Data Protection: Federal Agencies Need to Strengthen Online Identity Verification Processes.

Released: June 2019

[ Background Music ]

[ Nick Marinos: ] Federal agencies need to move quickly so that we can ensure that those that are applying for federal services are who they say they are.

[ Matt Oldham: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Matt Oldham. If you've ever applied for benefits or services from a federal agency online, there's a chance you've gone through a process called identity proofing. It's how the government verifies that you are who you say you are. I'm with Nick Marinos, an Information Technology and Cyber Security director at GAO. And he led a report that reviewed the federal government's identity proofing practices. Thanks for joining me, Nick.

[ Nick Marinos: ] Yeah, happy to be here.

[ Matt Oldham: ] So what's the state of these identity verification methods that federal websites use?

[ Nick Marinos: ] I guess you could say the state is kind of in flux at this point. We'll step back for a second and just think through kind of the world that we live in right now. Verifying one's identity relies on being able to confirm that the person sitting at a terminal or at their phone is actually who they say they are. And this is at a time where we're seeing an increasing amount of massive data breaches that are taking a lot of sensitive information and putting it out there in the wild.
And the reason that this is compelling with respect to identity verification is that federal agencies and others use what's called knowledge-based verification as one of the primary ways to verify one's identity. And what that really means is that you'll get a list of questions, and probably we've all experienced this at some point, applying for some kind of service online. We'll get a list of questions, multiple-choice, that'll ask us for some kind of personal information verifying that, again, we are who we say we are. So it could be about a mortgage. It could be past home addresses but something that the assumption is being made that only we might be the ones aware of.

[ Matt Oldham: ] I assume this isn't information that the government has at hand on their own. Do they go outside to help them prove people's identities?

[ Nick Marinos: ] Exactly. So these federal agencies are likely not managing these kind of identity proofing services themselves. They're contracting out to vendors and quite often going to credit reporting agencies, which makes sense because CRAs, credit reporting agencies, house a lot of information within an individual's credit file and so they use that information to provide this identity verification service.

[ Matt Oldham: ] Is there any group within the federal government that looks at this process that provides guidance on how federal agencies should go about this service?

[ Nick Marinos: ] Yeah. So the National Institute of Standards and Technology, NIST, is the authority not only on this topic but many others. So when you're talking about cybersecurity guidance or standards that a federal agency should follow, NIST is your shop there. And they've put out guidance that has talked about the fact that knowledge-based verification is just not a viable method for verifying one's identity. And so they have really encouraged agencies to move away from using these methods.
And what we saw with our work, we looked at a host of agencies, is that you know agencies are at different stages of trying to move towards other alternative ways of doing this. And some are using alternative methods. These could be things that we're familiar with like SMS, you know, text messages that send confirmation codes or even using, you know, traditional post offices, right, and sending a PIN through snail mail to an individual to then use that to verify that they are who they say they are. But we think that agencies could be doing more and do more quickly to move away from knowledge-based verification.

[ Background Music ]

[ Matt Oldham: ] So it sounds like NIST has released guidance strongly suggesting that federal agencies stop using knowledge-based verification. What are the risks involved if federal agencies take too long moving away from knowledge-based verification?

[ Nick Marinos: ] Well, the risk will continue to be there -- that someone could pick up information as a result of breaches and use it to mask themselves to be someone else. You know, and what we did find with the guidance, we think that more can be done there as well. And we've made recommendations to NIST to help clarify, what are some of those alternative methods? When we spoke to the federal agencies, some of the reasons that they had been challenged in moving away from knowledge-based verification is that they really didn't see viable paths for alternatives that worked within their particular constituency, if you will. So for example, one method is to use an SMS code, a text message. Well, if the general population of those applying don't have cell phones, then another alternative method could be used. You know, one thing to point out too, an alternative method that we have seen used is actually in-person verification. So providing a location that someone can go and say okay, I don't want to do this verification online.
I want to show up with some information, maybe it's a driver's license, birth certificate, and verify my identity in person.

[ Matt Oldham: ] So what do you believe is the bottom line of this report?

[ Nick Marinos: ] The reality is that the massive amounts of data breaches that have occurred have rendered the main method by which verification is being done, knowledge-based questions, ineffective. And federal agencies need to move quickly away from using that as a method so that we can ensure that those that are applying for federal services are who they say they are.

[ Matt Oldham: ] Nick Marinos led a GAO report reviewing federal agencies' practices to verify the identities of people using federal online services. Thank you for your time, Nick.

[ Nick Marinos: ] Absolutely. Thanks, Matt.

[ Background Music ]

[ Matt Oldham: ] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts.

[ Background Music ]

[ Matt Oldham: ] For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov.