Login.gov
Grade: F (Fail)
General Services Administration · 🇺🇸 United States
Technical details
App: Login.gov
Manufacturer: General Services Administration

⚠️ The bottom line

Login.gov told 50 federal agencies it met the government's own security standard. It didn't. Agencies paid IAL2 prices for IAL1 service — paying for Fort Knox security and getting a padlock. $187 million billed. The Inspector General called it a "material misrepresentation." The federal government defrauded itself. Login.gov was the good-guy alternative — no facial recognition, privacy-first, open source. Then the GSA added facial recognition anyway. And the Inspector General found they'd charged agencies $187 million while failing to meet the security standards they claimed to meet. The privacy alternative misrepresented its own capabilities for $187 million.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying: 2/4 MODERATE (Is someone spying on me?)
Data Sharing: 2/4 MODERATE (Who gets my data?)
Security: 2/4 MODERATE (Is it actually secure?)
Honesty: 0/4 N/A (Can I trust what they say?)
ACCEPTABLE Moderate concerns. Standard privacy hygiene applies.
3 contradictions (1 critical, 2 high, 0 medium); 3 sources
Findings by concern
Spying: 2/4 MODERATE, 1 finding
⚡ High: marketing vs regulatory
Login.gov was the good-guy alternative — no facial recognition, privacy-first, open source. Then the GSA added facial recognition anyway. And the Inspector General found they'd charged agencies $187 million while failing to meet the security standards they claimed to meet. The privacy alternative misrepresented its own capabilities for $187 million.

What they claim: Login.gov was built as a privacy-preserving alternative to commercial identity verification like ID.me

What we found: In 2023, the GSA began integrating facial recognition into Login.gov for identity proofing, contradicting its original privacy-first design philosophy. The GSA Inspector General found Login.gov had charged agencies $187 million for identity verification services while failing to meet NIST identity assurance standards. The IG called it a "material misrepresentation."

Data Sharing: 2/4 MODERATE, 1 finding
⚠️ Critical: marketing vs regulatory
Login.gov told 50 federal agencies it met the government's own security standard. It didn't. Agencies paid IAL2 prices for IAL1 service — paying for Fort Knox security and getting a padlock. $187 million billed. The Inspector General called it a "material misrepresentation." The federal government defrauded itself.

What they claim: Login.gov marketed to agencies as meeting NIST Identity Assurance Level 2 (IAL2) standards

What we found: The GSA Inspector General found Login.gov did not actually meet IAL2 standards despite telling agencies it did. The GSA had been billing agencies at IAL2 rates while delivering IAL1 verification — essentially charging for secure identity proofing while providing basic username/password authentication.

Security: 2/4 MODERATE, 1 finding
⚡ High: privacy policy vs third-party research
One login for the IRS, Social Security, VA, student loans, and 46 other agencies. Convenient — until someone breaches it. The OPM hack already proved what happens when the government centralises identity: 21.5 million records stolen, including fingerprints. Login.gov is building the same single point of failure, just bigger.

What they claim: Login.gov describes strong data protection with encryption and minimal data retention

What we found: Login.gov serves as a single sign-on for 50+ federal agencies, creating a centralised identity target. Security researchers have warned that a single breach of Login.gov could compromise access to tax records (IRS), social security benefits (SSA), veteran services (VA), and student loans (ED) simultaneously. The OPM hack of 2015, which exposed 21.5 million federal employee records, demonstrated the catastrophic risk of centralised government identity systems.

Sources