The Small Business Administration is using a boost from coronavirus response legislation to bring 16 legacy systems under the central authentication of login.gov, a move intended to make it easier for businesses to apply for and receive federal aid.
Login.gov was tasked with providing authentication and identity verification services to agencies that are allocating funding under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. That includes SBA’s Paycheck Protection Program, a loan initiative for small businesses, although in that instance only banks are using login.gov.
Login.gov is a single sign-on project, spearheaded by the 18F and the U.S. Digital Service teams, that allows users to log in to multiple government websites with the same email address and password combination.
The CARES Act provision allowed SBA to shorten its timeline for bringing 16 legacy systems under the central authentication of login.gov. Legacy systems with their own, separate modes of authentication can be an impediment to adopting login.gov. So instead of moving each system over to login.gov individually, SBA built a middle layer in-house called an “identity broker.”
As the single point of contact with login.gov, the identity broker allowed SBA to control how it integrated systems.
Anti-spoofing ‘liveness detection’
Technology Transformation Services is also vetting a “liveness detection” solution for login.gov, with plans for it to be fully certified under the National Institute of Standards and Technology’s Digital Identity Guidelines by the fall.
TTS has previously experimented with liveness detection, meaning algorithms used to catch attempts to spoof biometrics like fingerprints or facial images during login. But the last solution was pulled due to too many false matches.
The new solution is being certified through Kantara’s identity assurance framework.
Login.gov authenticates as many as half a million users a day across 24 agencies, including the Office of Personnel Management, U.S. Customs and Border Protection, and USDS itself.
Correction: May 22, 2020. An original version of this story incorrectly stated 18F is vetting liveness detection for login.gov. Technology Transformation Services is doing the experimentation.