So much of how we collect and share information in today’s world is done online. We get our news. We do our shopping and banking. We book appointments. And online access has even made it easier for us to apply for benefits and services within the federal government. But just how safe is our information out there in the federal cyber world?
In today’s WatchBlog, we look at our report on federal online verification processes. Read on and listen to our podcast with Nick Marinos, a director in our Information Technology & Cybersecurity team.
Verifying you are really you
When you apply online for benefits and services, many federal agencies rely on consumer reporting agencies to help verify your identity through a process called knowledge-based verification. This process usually involves answering a series of personal questions derived from information found in your credit files and is largely based on the assumption that only the true owner of the identity would know the answers. If you answer the questions correctly, your identity is considered verified.
For example, the Social Security Administration uses this technique to verify the identities of anyone seeking access to the “My Social Security” online service, which allows users to request a replacement Social Security or Medicare card, check the status of benefit applications, or request various other services.
However, data stolen in recent breaches, such as the 2017 Equifax data breach, has raised new questions about the safety of this practice. The risk is greater now that someone other than you may know the answers to questions about your personal credit history—leaving the door open for possible fraud and identify theft.
How the federal government is responding
This fraud risk prompted the National Institute of Standards and Technology to issue guidance in 2017 that prohibits federal agencies from using such knowledge-based verification process for sensitive applications. Alternative methods are available that offer stronger security, such as comparing a photo of an ID card captured on a cell phone to documentation on file.
However, these alternative methods can be limited by cost, convenience, and technological maturity. In addition, they may not be viable for everyone to use—for example, not all applicants may have cell phones to allow them to share their photo and verify their identity.
A closer look at federal identity proofing practices
We recently reviewed remote identify proofing practices for 6 agencies—all of which have major public-facing web applications that provide access to benefits or services.
We found that:
- The Internal Revenue Service and General Services Administration had eliminated knowledge-based verification and began using alternative methods.
- Veterans Affairs partially implemented an alternative method, but still relied on knowledge-based verification for some individuals.
- The Social Security Administration and the U.S. Postal Service intended to reduce or eliminate knowledge-based verification in the future, but didn’t yet have specific plans. The U.S. Postal Service has recently addressed our recommendation by implementing a remote identity verification solution for its Informed Delivery service that does not rely on knowledge-based verification.
- The Centers for Medicare and Medicaid Services had no plans to reduce or eliminate knowledge-based verification, citing high costs and challenges with implementing new practices.
Until these agencies take steps to eliminate their use of knowledge-based verification, however, the public that they serve may remain at increased risk of identity fraud. We made 6 recommendations, including that the National Institute of Standards and Technology provide guidance on implementing these alternative methods. The U.S. Postal Service has recently addressed one of our recommendations by implementing a remote identity verification solution for its Informed Delivery service that does not rely on knowledge-based verification.
Check out our report to learn more.
- Comments on GAO’s WatchBlog? Contact email@example.com.