Login.gov employs multiple tools and a dedicated anti-fraud team to prevent and combat fraud. This article covers the fraud controls available through the Login.gov identity verification and authentication services and how partners can collaborate on fraud prevention.
Overview
The U.S. Government is continuously targeted by threat actors who steal identities, claim fraudulent benefits, and harm individuals. Login.gov provides security and fraud prevention that balances risk, user experience, and access.
Login.gov’s anti-fraud platform uses multiple vendor checks with overlapping functionality. If a vendor is temporarily disabled, transactions seamlessly route to alternate vendors with no disruption to users or partners.
Key Fraud Prevention Capabilities
Identity Document Validation
Login.gov validates the authenticity of user-provided identification documents (outlined here). Checks include comparing the document’s security features against the issuing agency’s standards, and verifying document data against authoritative sources.
Identity Resolution
Login.gov compares user-submitted identity attributes (name, date of birth, address, etc.) against existing public records to determine whether the information matches an existing person. This helps detect potential synthetic or stolen identities.
One-to-One Facial Match with Liveness Detection
Login.gov’s enhanced identity verification service (IAL2) includes a one-to-one facial matching step. Users take a photo of their face, which is compared against the photo on their identity document. The system also checks for signs of facial recognition bypass methods such as photographs or masks.
Phone Confirmation
Login.gov verifies that the phone number provided by the user matches identity records and that the user has possession of the device. Checks include whether the identity attributes match the phone plan, the length of time the number has been registered, and whether the number was recently ported.
RISC API
The RISC API is a data connection that allows Login.gov and partners to securely exchange security event data, including results of manual fraud review, user suspension, and user reinstatement. The RISC API does not transmit user PII.
Partners can integrate the RISC API to:
- Receive notifications when a user’s account is suspended or reinstated
- Send fraud signals back to Login.gov (e.g., when a verified user is later found to be fraudulent)
The RISC API follows the OpenID Shared Signals and Events Framework. Partners integrate it by following the instructions at developers.login.gov/security-events.
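A partner-side handler for the suspension and reinstatement notifications described above, added here as an example; it is not taken from Login.gov's documentation or code. It assumes the Security Event Token's signature has already been verified against the issuer's published keys, that suspension and reinstatement arrive as the OpenID RISC Profile `account-disabled` and `account-enabled` event types, and it uses constructed issuer, audience and subject values.

```python
import time
# Event-type URIs from the OpenID RISC Profile. Treating them as the
# "suspended" and "reinstated" notifications is this example's assumption.
ACCOUNT_DISABLED = "https://schemas.openid.net/secevent/risc/event-type/account-disabled"
ACCOUNT_ENABLED = "https://schemas.openid.net/secevent/risc/event-type/account-enabled"
ISSUER = "https://idp.example.test/"            # constructed placeholder
AUDIENCE = "https://partner.example.test/risc"  # constructed placeholder

class SetReceiver:
    """Applies already signature-verified SET claims to local account state."""
    def __init__(self, max_age=3600):
        self.max_age = max_age
        self.seen_jti = set()   # duplicate / replay protection
        self.suspended = set()  # opaque subject ids blocked locally

    def handle(self, claims, now=None):
        now = time.time() if now is None else now
        if claims.get("iss") != ISSUER:
            return "rejected: issuer"
        aud = claims.get("aud")
        if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
            return "rejected: audience"
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or abs(now - iat) > self.max_age:
            return "rejected: stale"
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            return "ignored: missing or repeated jti"
        self.seen_jti.add(jti)
        results = []
        for event_type, body in claims.get("events", {}).items():
            sub = (body.get("subject") or {}).get("sub")
            if not sub:
                results.append("skipped: no subject")
            elif event_type == ACCOUNT_DISABLED:
                self.suspended.add(sub)  # caller ends sessions, blocks sign-in
                results.append("suspended")
            elif event_type == ACCOUNT_ENABLED:
                self.suspended.discard(sub)
                results.append("reinstated")
            else:
                results.append("logged: unhandled")
        return ", ".join(results) or "ignored: no events"

def sample_claims(event_type, jti, iat):
    """Constructed SET payload with an opaque subject id and no PII."""
    return {"iss": ISSUER, "aud": AUDIENCE, "iat": iat, "jti": jti,
            "events": {event_type: {"subject": {
                "subject_type": "iss-sub", "iss": ISSUER, "sub": "uuid-0001"}}}}
```

The issuer, audience, freshness and `jti` checks run before any state change, so a misdirected, stale or redelivered event cannot suspend or reinstate an account locally.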
RISC API: Sending Signals to Login.gov
Partners can share fraud signals with Login.gov only through the RISC API integration. There is no mechanism to share signals via the Partner Portal dashboard without this integration.
RISC API: Recommendations
The RISC API shares security events but does not include specific action recommendations. The approach Login.gov recommends may depend on the event type and the partner’s risk profile.
Frequently Asked Questions
Why does Login.gov need fraud controls?
Government programs are a target for identity-based fraud schemes including identity theft, synthetic identity fraud, and account takeover attempts. Fraud controls are necessary to scale the platform securely. Login.gov adheres to NIST 800-63-4 Digital Identity Guidelines, holds a FedRAMP Moderate Authority to Operate, and leverages rigorous security controls.
Are fraud controls optional for partners?
No. Since Login.gov is a shared service with one account per user across agencies, fraud controls must be applied across the entire program to be effective. Any identity verification provider is inherently a fraud prevention service.
Are fraud controls optional for users?
No. Login.gov’s Rules of Use outline the terms users agree to when creating an identity-verified account. Users who do not accept these terms cannot create an identity-verified account.
How do fraud controls affect the user experience?
The user experience is not impacted unless an individual is flagged by the system. Flagged users can contact Login.gov’s 24/7 support team, and redress pathways are available for most cases.
Does Login.gov share fraud reports with partners?
Partners who integrate the RISC API will receive automated security event notifications. Other types of reporting are provided.
Future Capabilities
Login.gov is constantly evaluating capabilities to improve our fraud program, some of which we outline on our public roadmap.