Comment by toomuchtodo
10 months ago
I can confirm first hand experience states will be onboarded (since 2021 [1]). I would strongly encourage you to advocate within your state for them to partner with Login.gov for government service delivery identity services. There is no reason states should be relying on Okta, Auth0, or ID.me when Login.gov is available and they are offering these partnership opportunities.
Login.gov could also be made available to private businesses, but requires Congressional action to do so (allowing OMB to publish a circular or a memo that would allow GSA to sell Login.gov services to business customers) [2].
[1] https://web.archive.org/web/20220218215902/https://gcn.com/c...
[2] https://beeckcenter.georgetown.edu/wp-content/uploads/2021/1...
That would be pretty cool. Especially if they nail scoping tightly. Classic example: you want to buy alcohol online and need to verify your age. Instead of clicking “yes I’m old enough” (zero validation) or uploading a photo of your drivers license (way too much info), login with your digital ID.
The e-commerce site asks hey is this person (1) a resident of region X and (2) at least Y years old? The e-commerce site is responsible for knowing what ages to check for what regions. ID service is responsible for validating the facts you want to share. You get the age controlled service and no third parties get more info than they need. Better.
How would you address concerns from privacy advocates and small-government folks about this expanding federal control into states’ business?
It's a great question, and top of mind (as I considered applying for the open Deputy Director role running Login.gov that recently opened up, and prepared accordingly).
Privacy must always be a first class citizen as it relates to digital identity solutions, and any compromise must be as minimal as possible. Trust alone is not enough, the stakes are too high, and the history of breaches and data loss (both public and private) speak for themselves. I would argue that Login.gov, GSA, and the federal government aren't attempting to control state business, but are acting in service of it. They are a vendor, and if states and local govermnet choose to implement in a manner that allows for pluggability (in order to prevent vendor lock in to Login.gov), that would be reasonable (encouraged even). Login.gov should be chosen because it is the best solution, not the default solution because of .gov. If states and local governments wish to fallback or opt to other solution providers who meet digital identity regulations, they should be able to do so. It is above all, a partnership, not a power hierarchy.
I would also say that governance and transparency are non negotiable, and should be enumerated both contractually and in statute. What Login.gov stores, how long it stores it, how data privacy and security are addressed should be documented and attested to. And most importantly, Login.gov should not have the ability to deny service once onboarded without exceptional cause (codified in statute). It should be treated like a utility: inexpensive, reliable, trustworthy, to the point you forget it even exists. It should Just Work.
I think there's a reasonable case that identity is a 'natural monopoly'.
If we end up with multiple pluggable third parties, what happens when they disagree? There's inevitably going to be data sync issues, and the risk of having an "extra" ID provider lying around that contains bad data, or is simply compromised at the authentication level, is enormous.
So we really want to pick one standard. Given that, a federally backed service has the least hostile incentive structure:
* It would be subject to very strict rules about universal service. I suspect there are going to be private players, and even some more reactionary states, who might try to sabotage industries by denying them identity data. (We see this in payments already, where a lot of firms really don't want to go near porn and guns)
* It doesn't have any reason to look for auxillary revenue. Having it store more data than necessary, or sell it to third parties, becomes politically radioactive rather than good business.
NYS is fucking obsessed with rolling its own everything. It has its own shitty equivalent to login.gov sso that's buggy as hell and even can cause you to duplicate accounts with no deduping possible. They recently launched their own mobile driver license app instead of just integrating with Android or apple wallet. Given the state of other IT projects, it's most definitely political kickbacks to companies like Infosys.