Skip to main content

Identity Verification: GSA Needs to Address Fraud Threats and Technical Issues

GAO-26-109261 Published: Jul 15, 2026. Publicly Released: Jul 15, 2026.
Jump To:

Fast Facts

We testified on identity verification and the General Services Administration’s Login.gov platform.

Our testimony, given before the House Oversight Subcommittee on Government Operations, is based on:

Identity Verification: GSA Should Demonstrate Its Implementation of Polices for Testing Data Backups on Login.gov

Identity Verification: GSA Needs to Address NIST Guidance, Technical Issues, and Lessons Learned

Data Breaches: Range of Consumer Risks Highlights Limitations of Identity Theft Services

We also discuss recommendations we’ve made.

A photo of the U.S. Capitol building with the text, GAO Testimony to Congress

A photo of the U.S. Capitol building with the text, GAO Testimony to Congress

Skip to Highlights

Highlights

What GAO Found

The proliferation of cyberattacks on federal agencies and other organizations has led to an increased risk of stolen personally identifiable information (PII) being used to commit fraud. For example, malicious actors have used the information to fraudulently obtain government benefits and commit tax fraud, among other things. The Social Security Administration has reported that personal information of beneficiaries has been used to fraudulently redirect the beneficiary’s direct deposit benefits. Stolen PII also increases risks for financial fraud, such as fraudulent credit card applications. In this type of fraud, thieves use identifying data, such as Social Security numbers and driver’s license numbers, to open new financial accounts without a person’s knowledge. These types of attacks can result in financial loss and damage to the reputation of federal agencies and financial institutions.

To ensure that individuals accessing government services, benefits, and other resources are the individuals they claim to be, federal agencies use a variety of identity verification processes. To suppport these efforts, the General Services Adiministration (GSA) established Login.gov as a government-wide identity verification service. Login.gov uses a non-biometric, three-step process to verify an individual’s identity. In addition, to protect users’ PII, Login.gov uses security measures such as encryption, access restrictions, and monitoring capabilities.

GAO previously reported challenges in GSA’s implementation of Login.gov. These challenges involved:

  • ensuring that Login.gov data was backed up regularly to prevent data loss,
  • aligning Login.gov with federal digital identity guidelines to provide an appropriate level of assurance when verifying users’ identities,
  • resolving technical challenges reported by agencies using Login.gov, and
  • documenting and applying lessons learned from its Login.gov pilot programs.

To address these challenges, GAO made several recommendations in 2024 and 2025 to GSA. Since then, the agency has taken steps to implement all but one of these recommendations. For example, GSA took steps to ensure that Login.gov offers remote identity-proofing services that comply with federal digital identity guidelines. In addition, the agency provided evidence that it had begun testing processes for backing up Login.gov data. However, GSA still needs to take action to fully address one of GAO’s recommendations. Specifically, GSA has not established time frames with its partners for addressing agency-reported technical challenges. Without GSA-proposed actions and time frames for addressing the challenges, agencies will continue to experience technical issues with the system.

Protecting PII and preventing identity theft is critical, as the harms can range from lost funds to emotional distress and damage to the reputation of federal agencies. Fully implementing GAO’s remaining recommendation would help the federal government ensure PII is better protected and lessen the risk of identity theft. GAO will continue to monitor GSA’s efforts to address the recommendation.

Why GAO Did This Study

The vast amount of PII that federal agencies collect from individuals to verify their identity may be vulnerable to breaches, which can result in identity theft, fraud, and other harms. Accordingly, it is critical that federal agencies implement effective ways to verify the identity of individuals who access government websites to prevent fraud and protect PII.

To address this issue, GSA launched Login.gov in 2017 to provide federal agencies with a single sign-on system to verify the identity of individuals seeking access to government websites. In 2021, GSA allocated about $187 million in technology modernization funds to enhance Login.gov’s services, including strengthening its security and anti-fraud protections and improving ease of agency adoption.

This statement discusses (1) identity-related fraud threats and (2) Login.gov capabilities and the status of GSA efforts to address prior related GAO recommendations.

This statement is based primarily on GAO’s October 2024 (GAO-25-106640) and June 2025 (GAO-25-107000) reports on Login.gov’s identity proofing processes. This statement also includes updated information provided by GSA on efforts to address GAO’s recommendations.

For more information, contact Marisol Cruz Cain at CruzCainM@gao.gov.

Full Report

GAO Contacts

Marisol Cruz Cain
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

System loginPersonally identifiable informationFederal agenciesIdentity theftInformation securityAuthenticationIdentity verificationLessons learnedSocial security numbersMotor vehicle standards