The National Institute of Standards and Technology is being urged to offer more guidance on new ways of verifying the identities of people who apply for federal benefits online.
Commercial credit agencies have traditionally helped the government verify identities by asking personal questions from credit files, but the 2017 Equifax data breach has officials rethinking that process.
My Social Security uses knowledge-based verification before people can access their benefit status, replace Social Security or Medicare cards, or request services. But data stolen in the Equifax breach could be used to answer My Social Security’s personal questions.
Agencies could instead compare pictures of photo IDs submitted by mobile phone to documents on file, but not all people have a smartphone, according to a Government Accountability Office report released Friday.
In 2017, NIST effectively barred agencies from using knowledge-based verification for sensitive applications, but GAO said the guidance was insufficient to ensure they adopted alternatives.
Agencies have argued alternatives present cost, convenience, technological, and equity barriers.
Of six agencies reviewed, only the General Services Administration and the IRS had eliminated knowledge-based verification for Login.gov and Get Transcript services.
GAO found the Department of Veterans Affairs still uses such questions for certain people, while SSA and the U.S. Postal Service indicated they want to reduce use but don’t have any plans to do so.
The Centers for Medicare and Medicaid Services have no plans to switch to alternatives.
“[U]ntil these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” reads the report.
GAO wants NIST to provide additional direction on how to successfully implement other methods like in-person identity proofing or verification of mobile device possession using carrier records. The new guidance should broach the advantages and disadvantages of different technologies and make recommendations, according to the report.
NIST officials had no plans for additional guidance at the time of review, GAO said, but the Department of Commerce agreed with the recommendations on NIST’s behalf, as did SSA, USPS and VA. The Department of Health and Human Services disagreed on CMS’s behalf, arguing alternatives aren’t feasible for its clients, like those using HealthCare.gov.
“The alternatives to knowledge-based verification proposed by GAO in their report are not suitable for certain populations served by CMS as they would create undue burden, create barriers to accessing federal services, or may be cost prohibitive,” HHS said in its comments. “For example, in-person for rural populations is not viable due to travel distance.”
HHS added it would continue to monitor for “potential effective” alternatives.
The Office of Management and Budget did not comment on GAO’s recommendation that it require agencies to report their progress on identity-proofing processes outlined by NIST.