A performance audit of six U.S. government agencies found that four of them are still using knowledge-based questions to verify the identities of individuals applying for federal benefits or services, even though this practice is considered outdated and insecure, especially in light of the 2017 Equifax breach.
Knowledge-based verification questions are typically created by credit reporting agencies such as Equifax, and in theory, only legitimate users should know the answers to their questions. But in reality, criminals could use data stolen in the Equifax breach and similar incidents to successfully impersonate individuals and commit fraud, warns the Government Accountability Office (GAO), which conducted the review from November 2017 to May 2019 and publicly released a report on its findings earlier this week.
For this very reason, the Commerce Department's National Institute of Standards and Technology declared in 2017 that federal agencies should eliminate knowledge-based questions for sensitive applications and replace them with more secure, advanced methods of identification such as the remote inspection of digitally-imaged physical credentials and the examination of cell phone carrier records.
But according to GAO's report, the Department of Veterans Affairs (VA), Social Security Administration (SSA), United States Postal Service (USPS) and Centers for Medicare and Medicaid Services (CMS) all still use knowledge-based questions to verify the identity of at least some individuals who week federal benefits or services such as Social Security card replacements or Medicare cards.
Of those four offenders, the VA received partial credit for implementing "alternative methods for part of its identity proofing process." However, these methods exist only as a supplement to knowledge-based verification, the report states. The SSA and USPS have no such alternatives, but at least plan to reduce or eliminate knowledge-based verification in the future, GAO continues. CMS, meanwhile, has no intention of eliminating its use of knowledge-based questions.
The GAO report says some agency officials blame their lack of progress on high costs and implementation challenges.
On the other hand, the General Services Administration (GSA) and Internal Revenue Service (IRS) fully adopted alternate, secure remote identity proofing techniques for Login.gov and Get Transcript services, respectively. The GSA, for instance, asks users to provide an image of a government-issued ID card that can be validated through a third-party sources, and a phone number that is confirmed by conducting a third-party check as well as sending the user a text message containing a one-time PIN.
Additionally, the GAO report says that the current guidance offered by NIST and the Office of Management and Budget (OMB) is "not sufficient to ensure agencies are adopting" more secure, modern methods of identity proofing. For example, NIST's guidance "does not discuss the advantages and limitations of currently available technologies or make recommendations to agencies on which technologies should be adopted. Further, most of the agencies GAO reviewed reported that they were not able to implement the guidance because of limitations in available technologies for implementing alternative identify proofing methods."
Meanwhile, GAO notes that OMB has not issued guidance advising federal agencies to submit a report detailing their progress in implementing NIST's recommendations, even though the agency has the authority to do so.
"Until NIST provides additional guidance to help agencies move away from knowledge-based verification methods and OMB requires agencies to report on their progress, federal agencies will likely continue to struggle to strengthen their identify proofing processes," the report concludes.