Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Login.gov identity proofing and fraud prevention: what changes for public sector teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A $37.4 million GSA contract was awarded to support Login.gov’s next-generation remote unsupervised identity proofing, aiming to improve verification accuracy, reduce fraud, and preserve privacy across government services, according to Incode. The signal for practitioners is that digital identity assurance is moving toward higher-friction controls that must still scale.

NHIMG editorial — based on content published by Incode covering the Login.gov identity proofing contract: Diamond Capture Associates and Incode awarded a $37.4 million GSA contract

Questions worth separating out

Q: How should organisations set identity proofing standards for high-risk access?

A: Start by defining the assurance level required for each use case, then require evidence that matches the sensitivity of the decision.

Q: Why do digital identity verification programmes need fraud controls as well as accuracy metrics?

A: A system can be accurate in normal conditions and still be weak against synthetic identities, deepfakes, or replay attacks.

Q: What breaks when identity evidence is retained too broadly?

A: Broad retention expands the attack surface and increases privacy risk, especially when biometric or documentary evidence is stored beyond the period needed for verification or audit.

Practitioner guidance

  • Define assurance tiers for remote proofing Separate low-risk access paths from high-risk transactions so that stronger identity proofing is only required where fraud impact justifies it.
  • Minimise identity evidence retention Store only the evidence required for audit, dispute resolution, and regulatory obligations, and shorten retention windows for biometric and document artifacts.
  • Link proofing outcomes to IAM lifecycle controls Make sure account recovery, step-up verification, and privileged access assignment all depend on the same verified identity state.

What's in the full analysis

Incode's full article covers the operational detail this post intentionally leaves for the source:

  • Implementation context for Login.gov’s next-generation identity proofing programme and the government service scope it supports.
  • The specific privacy-first architecture considerations behind remote unsupervised verification and how they map to federal use cases.
  • How the contract relates to identity verification, fraud prevention, and large-scale public-sector rollout decisions.
  • The vendor’s own positioning on biometric accuracy, fairness, and service usability in government environments.

👉 Read Incode’s article on the Login.gov contract and next-generation identity proofing →

Login.gov identity proofing and fraud prevention: what changes for public sector teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Digital identity verification is now a fraud-control discipline, not just an onboarding step. Public-sector proofing programmes are being asked to prove both who the user is and whether the evidence presented is trustworthy under attack. That shifts the governance burden onto assurance design, exception handling, and post-verification account controls. Practitioners should treat proofing policy as part of security architecture, not a standalone business process.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when identity proofing fails and a false account is created?

A: Accountability usually spans the service owner, the identity governance team, and any third-party proofing provider involved in evidence handling. The practical question is whether the organisation defined assurance thresholds, escalation paths, and audit evidence before rollout. Governance should assign ownership for both verification quality and downstream account recovery.

👉 Read our full editorial: Incode's Login.gov contract shows why digital identity verification is tightening



   
ReplyQuote
Share: