Login.gov — Federal Digital Identity & Shared Authentication Platform
Login.gov is GSA's shared digital identity platform — the federal government's attempt to solve a problem that had been growing for two decades: Americans interacting with federal agencies online were required to create separate accounts for every agency, resulting in a fragmented, insecure landscape of 1,000+ individual username-password systems across the federal government. Launched in 2017 through a collaboration between USDS (U.S. Digital Service) and 18F, Login.gov has grown to 50 million accounts used by more than 40 federal agencies — including SSA (My Social Security), USCIS (immigration case status), USAJobs (federal job applications), CBP (Global Entry), TSA PreCheck, SBA (business loan applications), and IRS (Free File). The platform's ambition — one account, all federal services — sits at the intersection of digital modernization, privacy law, and an emerging political debate about whether consolidated federal identity could enable cross-agency data aggregation that current law prohibits.
Legal Authority
- 44 U.S.C. § 3554 — FISMA; requires federal agencies to implement information security programs protecting agency systems; includes identity management as a core security function; GSA Login.gov operates under FISMA requirements
- 44 U.S.C. § 3607 — OMB authority over federal information management; OMB M-19-17 established the Federal Identity, Credential, and Access Management (FICAM) architecture that Login.gov implements
- 5 U.S.C. § 552a — Privacy Act; governs Login.gov's handling of personally identifiable information collected during identity proofing; Login.gov published system of records notices under the Privacy Act for its credential and identity record systems
- 6 U.S.C. § 1523 — DHS cybersecurity standards; CISA's cybersecurity requirements apply to Login.gov's infrastructure
Key Mechanics
Login.gov is GSA's shared authentication platform — a single sign-on service that allows Americans to use one account and credential to access multiple federal government websites and services. Rather than each agency building its own identity verification system, agencies integrate with Login.gov's API; users create one Login.gov account and can use it across all participating agencies. Login.gov offers two authentication levels: (1) simple email/password + multi-factor authentication (for low-sensitivity applications) and (2) identity-proofed accounts that verify a user's identity by having them photograph a government-issued ID and undergo automated facial recognition comparison. The identity proofing process meets NIST SP 800-63-3 Identity Assurance Level 2 (IAL2) requirements. As of 2024, Login.gov serves over 70 agencies and 66 million accounts. The program faced controversy in 2023 when the GSA Inspector General found that Login.gov had billed agencies for IAL2 identity proofing services using an algorithm that did not actually meet the IAL2 standard — a potential fraud issue; GSA responded with a remediation plan. Login.gov uses SAML 2.0 and OpenID Connect protocols for agency integration; agencies integrate through a sandbox/production process reviewed by Login.gov's technical team.
How It Works
| Parameter | Value |
|---|---|
| Agency | GSA Technology Transformation Services (TTS); operated by Login.gov program office |
| Launched | 2017 (beta); 2018 (production) |
| Accounts | 50 million+ (as of 2025) |
| Agency partners | 40+ federal agencies; growing |
| Identity Assurance Levels | IAL1 (self-asserted), IAL2 (remote proofing), IAL3 (in-person) |
| Primary standard | NIST SP 800-63-3 (Digital Identity Guidelines) |
| Governing OMB policy | OMB M-19-17 (Enabling Mission Delivery through Improved Identity, Credential, and Access Management) |
| Revenue model | Cost-recovery; agencies pay per-authentication fee (~$1.85/IAL2 transaction) |
| Infrastructure | FedRAMP-authorized; hosted on AWS GovCloud |
The Identity Assurance Level Framework
Login.gov's identity assurance model follows NIST Special Publication 800-63-3 (Digital Identity Guidelines), which establishes three Identity Assurance Levels:
IAL1 — Self-Asserted: The user provides information (name, email, address) that is accepted at face value with no verification. Appropriate for services where the consequence of a wrong identity is low. Most Login.gov accounts are IAL1.
IAL2 — Remote Identity Proofing: The user must prove their identity remotely by submitting a government-issued photo ID (driver's license, passport) and completing a selfie or biometric comparison to verify the document belongs to them. Login.gov's IAL2 process uses a combination of document authentication and facial comparison technology. IAL2 is required for higher-stakes government services (SSA, USCIS, SBA loans) where the government needs confidence in who it is dealing with.
IAL3 — In-Person Proofing: Identity verified by a trained operator in person; requires physical presentation of identity documents. Login.gov offers a pathway to IAL3 through the U.S. Postal Service's network of post offices as in-person verification locations.
The Biometric Controversy (2022)
In 2022, a GSA Inspector General audit and congressional scrutiny revealed that Login.gov's implementation of IAL2 remote identity proofing had used facial recognition technology from a vendor (Daon, and previously ID.me-adjacent capabilities) in a manner that did not fully comply with NIST 800-63-3's requirements for equitable verification across demographic groups. Specifically:
- The audit found that the facial comparison failure rates were higher for darker-skinned users, raising equity concerns
- Congress directed GAO to review Login.gov's identity proofing compliance
- Login.gov subsequently moved to offer alternative verification pathways that do not rely solely on facial comparison — including document verification combined with trusted referee networks and in-person post office verification
The controversy highlighted broader questions about facial recognition in government identity systems: accuracy disparities by race and age, privacy implications of biometric data storage, and the appropriate role of commercial biometric vendors in government authentication.
OMB M-19-17 and the Shared Services Mandate
OMB Memorandum M-19-17 (Enabling Mission Delivery through Improved Identity, Credential, and Access Management, 2019) directed federal agencies to:
- Use shared identity services rather than building agency-specific solutions
- Meet NIST 800-63-3 standards
- Implement phishing-resistant multi-factor authentication for all federal employees and contractors
M-19-17 made Login.gov and ID.me (a private-sector identity verification company) the two primary options for agencies needing civilian-facing identity proofing. The IRS's 2022 attempt to shift Free File users to ID.me's facial recognition-required system generated a public backlash over biometric data collection, prompting IRS to switch to Login.gov instead.
Revenue Model and Sustainability
Login.gov operates on a cost-recovery model: agencies pay a per-authentication fee that is intended to cover the program's full operating costs. The IAL1 authentication fee is approximately $0.23 per sign-in; IAL2 identity proofing costs approximately $1.85 per proofed identity. However, the program has faced recurring sustainability challenges — the cost-per-transaction model creates budget uncertainty as agencies' usage volumes fluctuate, and the program required supplemental appropriations in its early years.
The GAO raised concerns in 2023 about Login.gov's long-term financial sustainability and the adequacy of its cost accounting — Login.gov had been receiving appropriations above its cost-recovery revenue in ways that may not be sustainable. GSA was directed to develop a more rigorous cost model.
DOGE and Identity Consolidation
In 2025, the DOGE initiative expressed interest in Login.gov as an infrastructure layer that could enable cross-agency data access — the idea being that a unified federal identity system could facilitate matching records across IRS, SSA, HHS, and other agency databases to identify fraud and eligibility inconsistencies.
Privacy advocates and statistical agencies raised two categories of concern:
-
Privacy Act limitations: The Privacy Act prohibits federal agencies from sharing individually identifiable records for purposes incompatible with their original collection purpose. Login.gov authentication records cannot legally be used as a hub for cross-agency data matching without specific statutory authorization.
-
CIPSEA implications: If Login.gov were used to link statistical agency data (BLS surveys, Census responses) to non-statistical administrative purposes, it would violate the CIPSEA prohibition on non-statistical use of confidentiality-pledged data.
No changes to Login.gov's architecture or data-sharing authorities were implemented in 2025, but the debate surfaced the latent tension between identity consolidation (efficiency) and data compartmentalization (privacy law compliance).
Login.gov vs. ID.me
ID.me is a private-sector identity verification company that has federal government contracts for identity proofing at VA, IRS, and other agencies. Unlike Login.gov (a government-operated shared service), ID.me is a commercial entity that retains user biometric data and identity documents. The contrast raises policy questions about whether the government should operate its own identity infrastructure or rely on commercial providers — and what data rights users have over biometric information shared with a private company acting as a government contractor.
How It Affects You
<!-- pria:personalize type="impact" -->If you are a citizen or consumer: If you have applied for federal benefits, checked immigration status, applied for a federal job, or accessed SSA's online portal, you may already have a Login.gov account. Creating a Login.gov account at login.gov is free. One account provides access to all partner agencies — you do not need separate usernames and passwords for each. For higher-stakes services requiring IAL2, you will need to complete an identity proofing step (document upload + selfie verification or post office visit).
If you are a business, researcher, or analyst: Businesses applying for SBA loans or small business certifications through Login.gov will need IAL2 identity proofing for the authorized signers. For government contractors, Login.gov is increasingly the access layer for federal procurement portals (SAM.gov integration in progress). The Login.gov developer documentation (developers.login.gov) provides OpenID Connect and SAML integration guides for agencies building Login.gov-authenticated applications.
If you work at a federal agency: OMB M-19-17 directs agencies to use shared identity services rather than building custom solutions. New citizen-facing digital services should integrate with Login.gov rather than creating agency-specific accounts. For workforce authentication (federal employees and contractors), HSPD-12 PIV cards remain the primary standard; Login.gov addresses civilian user-facing applications. Login.gov's FedRAMP authorization (Moderate impact level) means agency ATOs can inherit Login.gov's security controls rather than re-authorizing the identity layer independently.
If you are a journalist or policy analyst: The GAO reports on Login.gov (2022–2023) are the most detailed independent assessments of the program's performance, equity, and financial sustainability. The 2022 biometric controversy documentation — IG report, GAO report, congressional hearing transcripts — provides the factual record on facial recognition accuracy disparities. For the DOGE data access angle, the key legal question is whether consolidated federal identity could serve as a cross-agency data linkage mechanism and what statutory authorizations would be required.
<!-- /pria:personalize -->Recent Developments
- 2025 — DOGE interest in Login.gov as cross-agency data access infrastructure; Privacy Act and CIPSEA legal analysis concluded existing authorities do not permit use of Login.gov authentication records for data matching across agencies.
- 2024 — Login.gov expanded partner agency list; post office in-person identity proofing network grew to 18,000+ locations; work continued on in-person IAL3 pathway.
- 2023 — GAO report raised Login.gov financial sustainability concerns; GSA directed to develop rigorous cost accounting; NIST began 800-63-4 revision process (next generation digital identity standards).
- 2022 — IRS reversed course on requiring ID.me facial recognition for Free File access; switched to Login.gov; Login.gov reached 30M accounts; GSA IG report on IAL2 facial recognition compliance gaps published.
- 2021 — OMB M-21-04 updated zero-trust security requirements with implications for identity; Login.gov accelerated IAL2 rollout.
- 2019 — OMB M-19-17 directed agencies to use shared identity services; Login.gov designated as primary government identity service alongside ID.me.
- 2017 — Login.gov launched by USDS and 18F within GSA; first agency partners onboarded.