Learn about login.gov

Contents

Overview
Accounts and authentication
Identity proofing
Development operations and compliance
Privacy
Integration and working together
Metrics and analytics
Fraud detection
Customer service
Accessibility

Overview

With one login.gov account, users can securely sign in to multiple government agencies online. login.gov is a FedRAMP approved authentication and identity proofing platform that makes online interactions with the U.S. government simple, efficient and intuitive. login.gov empowers people to feel safe signing into government websites and accessing federal services online with a single, privacy-protected account. We enable agencies managing federal benefits, services, and applications to make their offerings easier and more secure. We save agencies time and money by offering a shared solution for remote identity proofing that is secure and recommended by the Government Accountability Office.

Why login.gov

login.gov offers the public a single, secure, and private access to online federal services, eliminating the need to remember passwords for multiple systems. It also reduces costs of developing or buying duplicative authentication and proofing solutions for agencies, so they can focus on their mission. The more agencies that adopt login.gov, the more taxpayers save. Through login.gov agencies can provide a more consistent customer experience by reducing duplicate accounts and encouraging a 21st Century IDEA compliant experience.

login.gov’s offerings

login.gov offers secure two-factor authentication with widely available as well as unphishable methods. This service provides users with secure access to digital services at over 17 different government agencies with a single set of credentials. For you, this means leveraging the best security defined by NIST 800-63 Identity Assurance Level 1 and Authentication Assurance Level 2, and FedRAMP Moderate, while complying with the 21st Century IDEA Act in an easy-to-use experience.

login.gov identity verification builds on the security of our authentication service and provides a remote proofing experience using an individual’s state-issued ID rather than knowledge-based verification. Our remote proofing implementation complies with NIST’s IAL2. login.gov verified accounts (IAL2/AAL2) allow applications to access verified attributes about a user, such as a phone number and a social security number, while maintaining user privacy by requiring the user’s consent and password to decrypt the data.

login.gov’s opportunity

Nobody likes managing dozens of accounts, along with remembering passwords, resetting passwords, reactivating their inactive accounts, and more. It’s frustrating, cumbersome, and insecure. Our vision is to create a single trusted account for the public to access all U.S. government digital services. For agencies, login.gov eliminates the burden and cost of creating and maintaining authentication and identity proofing systems and of keeping up with evolving standards and technologies.

Authentication

We want to offer secure and modern authentication to the entire US public. Federal agencies and the public benefit from login.gov because…

  • it provides the highest security that meets both FedRAMP and NIST identity standards,
  • it saves taxpayer funds by centralizing login as a shared government service,
  • and it provides a world-class customer experience for the public.

We are also keeping ahead of evolving security threats by leading industry in adopting emerging authentication security methods such as WebAuthn and building a product to encourage more secure methods. See how our multi-factor methods compare:

[multi-factor methods comparison]

Identity proofing

We provide an online remote identity proofing platform that allows agencies to verify that their users are who they say they are from the convenience of their own home. We have worked with some of the most recognizable brands in the Identity, Credential, and Access Management (ICAM) space to bring one solution to the federal government. login.gov meets NIST’s Identity Assurance Level 2, making it a great fit for applications that need to feel confident about their users.

Primary benefits of using login.gov

For the public:

  • One account for every federal government service they interact with
  • A secure and private authentication experience with opt-in user consent
  • An intuitive, delightful, and well designed user experience
  • The convenience of identity verification from home
  • Simple tools to manage and update their account
  • Descriptive help content, and a staffed contact center for user support

For your agency:

  • Reduced user support issues and troubleshooting
  • High availability and uptime
  • Secure two-factor authentication (2FA) backed by a FedRAMP Moderate ATO
  • Reduced costs through economies of scale across government
  • Enhanced fraud detection and monitoring
  • A platform that stays up to date with current authentication and identity policies, technologies, and standards, without additional effort required from your agency

Our team

login.gov is an offering of the General Services Administration, an agency of the U.S. federal government. The program is run by the Technology Transformation Services, a group that leads the digital transformation of federal government by helping agencies build, buy, and share technology that allows them to provide more accessible, efficient, and effective products and services for the American people.

Our agency partners and users

login.gov is used by over 60 applications at 17 agencies including Cabinet level agencies such as the Department of Defense, Department of Homeland Security, Department of Energy, and the Department of Transportation. Over 17 million people have signed up to use login.gov, across all applications.

Support for state and local governments and tribes

login.gov hopes to support state and local governments with their authentication and identity needs. At this time, we are working internally to align policies to permit these engagements.

Using login.gov with mobile apps

login.gov is a native web application that is mobile friendly and responsive that users can access from mobile devices and tablets. login.gov’s usability is regularly tested on mobile devices. login.gov can be integrated with native mobile applications as well.

Accounts and authentication

Account creation

Anyone with a valid email address and second factor can create a login.gov basic authentication account (IAL1/AAL2). Only U.S. citizens with a valid driver’s license can currently create a verified account (IAL2/AAL2). See our help content for more about the account creation process.

Supported multi-factor authentication (MFA) methods

Supported MFA options include:

  • Phone: Get a security code via text message (SMS) or phone call
  • Authentication application: Set up an authentication application on your mobile device or computer to get a security code without providing a phone number
  • Security key: Use a hardware security key
  • Government employee and contractor IDs: Use your PIV/CAC card
  • Backup Codes: Receive a pre-generated list of security codes to use when signing in
  • Web Authentication (WebAuthn): Use your device’s biometric hardware (e.g. fingerprint reader) or FIDO security keys

PIV/CAC support for government employees and contractors

We currently support PIV/CAC as a second factor and passwordless authentication using a PIV/CAC.

Password requirements and expiration

login.gov requires passwords with a minimum of 12 characters and actively screens for and prohibits the use of more than 30k weak passwords, including those with repeating letters, popular words, or patterns that have been exposed in a security breach. Our password strength meter aligns with the NIST 800-63 guidelines for passwords. All login.gov users are required to use two-factor authentication at sign-in. We’ve also conducted usability tests to ensure that users are not overburdened by the requirements. We follow NIST’s most recent guidelines for password security and do not automatically rotate or expire passwords after a time period or account inactivity.
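The screening rules described above (a 12-character minimum, a weak/breached password list, and rejection of repeated characters, popular words, and keyboard patterns), written out as an added illustration; this is not login.gov’s code, and the blocklist entries, popular-word list, and thresholds are constructed for the example.

```python
"""Password screening in the style the page describes.
Added illustration, not login.gov's code. The weak-password sample, the
popular-word list and the run/sequence thresholds are constructed here."""
import hashlib
import re

MIN_LENGTH = 12  # minimum length stated on the page

# Constructed stand-in for the weak/breached password list. A real deployment
# loads the full list (the page mentions more than 30k entries); storing and
# comparing SHA-1 digests avoids keeping plaintext passwords around.
_WEAK_SAMPLE = ["password1234", "correcthorsebattery", "letmein12345", "qwertyuiop12"]
WEAK_DIGESTS = {hashlib.sha1(p.encode()).hexdigest() for p in _WEAK_SAMPLE}

# Popular words: rejected when they make up the bulk of the password.
POPULAR_WORDS = ["password", "login", "welcome", "admin", "government"]

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_repeating_run(pw: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_keyboard_or_sequence(pw: str, length: int = 5) -> bool:
    """True if the password contains a keyboard-row or alphabetic run of `length`,
    in either direction."""
    lower = pw.lower()
    for row in KEYBOARD_ROWS + ["abcdefghijklmnopqrstuvwxyz"]:
        for i in range(len(row) - length + 1):
            chunk = row[i:i + length]
            if chunk in lower or chunk[::-1] in lower:
                return True
    return False


def check_password(pw: str) -> tuple:
    """Return (accepted, reason). Checks run in order; the first failure wins.
    There is deliberately no expiry or rotation rule, matching NIST 800-63B."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if hashlib.sha1(pw.encode()).hexdigest() in WEAK_DIGESTS:
        return False, "appears in the weak/breached password list"
    if has_repeating_run(pw):
        return False, "contains a run of repeated characters"
    if has_keyboard_or_sequence(pw):
        return False, "contains a keyboard or alphabetic sequence"
    # Popular-word check: strip digits/symbols, then see whether one
    # dictionary word accounts for most of what is left.
    letters = re.sub(r"[^a-z]", "", pw.lower())
    for word in POPULAR_WORDS:
        if word in letters and len(word) >= 0.6 * len(letters):
            return False, f"built around the popular word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["short1!", "password1234", "Password!2024", "pumpkin-lantern-orbit-42"]:
        print(candidate, "->", check_password(candidate))
```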

Accounts for foreign citizens or non-SSN holders

Anyone can create a login.gov basic authentication account (IAL1/AAL2) with an email address and second factor such as a phone number. Identity verification accounts (IAL2/AAL2) currently require a Social Security Number (SSN) to meet the NIST requirements of a government identification number.

Authorization

At this time, login.gov supports authentication and identity proofing capabilities. We encourage agencies to take the lead on determining the best strategy for their role management and authorization. Our industry partners can help develop or provide existing solutions that can address your authorization needs. We’d be happy to schedule a conversation to help you understand successful use cases to identify solutions that meet your agency’s needs.

Disabling accounts

login.gov has default security measures that can lock a user out. Your application or agency access policies may provide further restrictions on the privileges a user may possess. We do not delete accounts due to inactivity and we don’t disable accounts on behalf of the agency unless the user has attempted security breaches.

How we define unique accounts

login.gov determines uniqueness by email address: an email address cannot be used for multiple accounts. Attributes can be updated and managed after the user has created their account. login.gov issues a unique UUID per user per agency to prevent inappropriate data sharing across agencies.

Account creation for minors

Registration of minors is a business decision to be made by your agency. Anyone with an email address and a phone number can create a login.gov basic authentication account (IAL1/AAL2). For our identity verification accounts (IAL2/AAL2), we require a valid form of state-issued ID and a financial/utility account and address of record (a phone number connected with the user’s name via a telco check). Most minors do not have these forms of identification, which would preclude them from obtaining a verified IAL2 account.

User attribute bundle sent to agencies

Please see our developer documentation for the attributes an application can receive based on the identity assurance level.

User account recovery

Our most up-to-date account recovery documentation is available on our help site: How do I sign in if I don’t have my authentication methods?

Identity proofing

What is remote identity proofing

NIST defines identity proofing as “The process by which a [credentialing service provider] collects, validates, and verifies information about a person.” This is the process login.gov uses to verify that you are who you say you are. While many agencies can validate an individual’s identity through an in-person proofing experience, we developed an online application that allows individuals to have their identities verified from their smartphone or computer.

How we proof an identity

We offer two levels of identity assurance within our platform. For our login.gov basic authentication accounts (IAL1/AAL2), we rely on the user having access to an email address and a secure multi-factor method such as a phone or PIV/CAC.

For identity verified accounts at the NIST 800-63 IAL2 level, we ask users to upload a photograph of their state-issued ID and we verify that information against Department of Motor Vehicles (DMV) records. As a fallback we can also leverage address verification by mail. Users must also provide their phone numbers and SSN, which are validated against their known phone bill for accuracy.

To improve proofing coverage, we plan on expanding our use of data sources to include government data sources not available through traditional commercial data sources as we are a trusted federal entity. Likewise, we plan on integrating with in-person proofing services offered by the USPS.

Death check

At elevation to IAL2, a death check is performed against the asserted SSN.

We do not offer knowledge-based verification

As the recent GAO report on protecting online identity verification points out, knowledge-based authentication is vulnerable because personal data available from previous data-breaches “could be used fraudulently to respond to knowledge-based verification questions.” Moreover, NIST guidance “effectively prohibits agencies from using knowledge-based verification for sensitive applications.” Our methods rely on verifying identities using government issued ID cards rather than pure knowledge of personal identification.

Development operations and compliance

Our FedRAMP Moderate Authority to Operate (ATO)

login.gov has a FedRAMP Moderate ATO issued by the U.S. General Services Administration. Our SSP/Control Implementation Survey/Customer Responsibility Matrix is available through the FedRAMP marketplace.

FISMA rating for login.gov

We currently have a FISMA moderate rating and our roadmap includes a pursuit of FISMA high over the long term.

Staying in sync with NIST guidelines as they evolve

login.gov is working closely with NIST to stay current on the latest guidelines, recommendations, and best practices. We have enhanced our platform as the SP 800-63 Digital Identity Guidelines have been updated and published, an example of this being the transition from “Level of Assurance” (LOA) to the new “Identity Assurance Level” (IAL) and “Authentication Assurance Level” (AAL). This is a very important benefit of login.gov as we remove the agency burden of compliance with these standards, so you can focus on your specific mission and those you serve.

New features delivery

As a user-centered agile development team, we bring new features and usability improvements online every sprint. We will inform you of these changes in our bi-weekly email, which includes high-level release notes. We also maintain a robust roadmap and would be happy to go over that roadmap with you to see how login.gov can meet your needs.

We develop the platform using open-source agile practices in a cloud-based environment. We have multiple lightweight scrum teams performing incremental delivery and continuous user research. We are also engaging with industry partners and leaders in the identity, security, privacy and usability space to ensure login.gov meets the evolving needs of agencies and the public.

Availability and uptime

As an authentication system and gateway to your applications, we strive for high availability and uptime. See our status page for live statistics, incident reports, and subscribe to updates.

login.gov is built in a scalable way and will be load tested continually to ensure that it can handle daily usage and peaks as the service grows. We expect to load test to a minimum of 200% load while also doing stress testing to find and resolve bottlenecks well before the service’s production load hits that level.

Cloud-based hosting

login.gov is hosted in Amazon Web Services East/West (AWS E/W) and is highly available. We plan to migrate to GovCloud when it supports AWS Key Management Service, which is used to monitor our per user encryption and is not currently available in GovCloud. Per our FedRAMP Moderate ATO, our risk assessment takes into account our use of AWS E/W.

Privacy

Privacy Impact Assessment (PIA)

We can provide you with our Privacy Impact Assessment upon request. View our published System of Records Notice.

Sharing identity data between applications

login.gov stores the absolute minimum of data as a general principle. login.gov does not store any agency application data except for identifiers, which are different for each agency. For account linking across applications, we are examining how to securely link a user’s ID with their consent.

Personally Identifiable Information (PII) protection

See how login.gov keeps personal information private.

Paperwork Reduction Act

OMB’s interpretation of the Paperwork Reduction Act (PRA) does not consider “items collected to create user accounts or profiles for agency websites” subject to the PRA.

Integration and working together

Partnering with us

To get started, reach out to our team using this form. It asks for some basic information about your agency team, program, and applications you’d like to integrate with login.gov. We’ll work with you to understand and capture your needs and requirements at a high level. We will then jointly decide whether login.gov makes sense for your particular business and use cases. If we decide to move forward, the next step is to sign an interagency agreement, or join an existing one with your agency. We’ll then test your integrations and finally, plan for launch.

Our sandbox environment

We have a sandbox environment available to try out your integrations. The identity provider (IdP) hosted here is nearly identical to that in production.

Launching your application

There are a number of parallel steps to an integration. Establishing a new interagency agreement will take two to four weeks, which can occur concurrently with the technical integration of your application. We generally advise two to three weeks for your team to test and integrate with login.gov. Once testing is complete, login.gov will launch your application within two weeks.

Interagency Agreements 101

login.gov is a cost-recoverable federal service, which means we must, by law, charge other agencies for our work. Our partnership and financial engagement will be governed by an Interagency Agreement (IAA).

The bulk of an IAA is split into two Department of the Treasury forms:

  • General Terms and Conditions, also known as the 7600A. The 7600A form is mostly boilerplate information about your agency and a broad outline of the nature of the relationship between our agencies.
  • Order Requirements and Funding Information, also known as the 7600B. The 7600B lays out the specifics of what login.gov and your agency will do during this relationship and has more specific information like financial billing codes, cost, and a Statement of Work.
  • Each project will only have one 7600A form between login.gov and your agency, but there may be multiple 7600B forms, depending on the scope and duration of the project.

Communicating platform updates

The login.gov partnerships team will communicate the current base functionality of login.gov before agencies adopt. As an agile operation, login.gov will improve the platform with each and every sprint. We communicate changes in a bi-weekly email, and you will be able to preview upcoming changes in our sandbox.

We expect to work closely with partner agencies and their users to understand agency and user needs, so we can prioritize features and functionality that help improve the overall platform for our customers. We will work with agency partners to recruit users in their organizations that we can interview and conduct usability tests with.

We also provide a Slack channel for agency partners to communicate with our team.

Pricing

login.gov prices its service using a tiered-pricing model based on user volume that saves you money. There is a fixed price for each tier, with lower per user rates at higher volume tiers, resulting in bulk savings. Our tier pricing is dependent on whether your users are using identity proofing (IAL2/AAL2) or just authentication (IAL1/AAL2) services. User volume is calculated at the application level.

Billing

Estimated user volume, which determines the pricing tier, will be determined when a new agency comes onto the platform and once per year thereafter. GSA will generate and submit invoices to each agency based on the actual user volume in the final quarter of the billing cycle as referenced in block 27 in the 7600B. Actual volume is measured as the aggregate total number of users present in the applications for an agency at the time of invoicing, which is at the conclusion of the period of performance (PoP). A conservative estimate of user volume is used during the remainder of the billing cycle.

User attribute update notifications

We offer push notifications to partner applications of user attribute updates using the Web Push Protocol. See our developer documentation for details.

Messaging available to communicate to your users

We are developing an agency integration user-experience guide to help you communicate to your users how to use your application while authenticating with login.gov.

Migrating existing users

We strongly recommend that all applications notify their users of migration to login.gov. We recommend that applications use just-in-time provisioning (creating the login.gov user when they log back in) for linking user accounts when migrating. Once a user creates an account with login.gov, your application should then link the user to their old information. You may want to include a screen that asks for their specific consent to the migration, if your application requires it.
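The just-in-time linking flow described above, as an added example that is not login.gov’s or any agency’s code. It assumes the application receives a stable per-agency login.gov UUID and the user’s confirmed email on each sign-in; the account store, record names and sample accounts are constructed.

```python
"""Just-in-time account linking during a migration to login.gov.
Added illustration, not login.gov's or an agency's code. Assumes each
sign-in delivers a stable login.gov UUID plus the user's confirmed email;
the store and sample records below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LegacyAccount:
    account_id: str
    email: str
    login_gov_uuid: Optional[str] = None  # set once the account is linked


@dataclass
class Outcome:
    action: str  # "already_linked", "consent_required", "linked" or "created"
    account_id: str


class AccountStore:
    """Minimal in-memory stand-in for the application's user table."""

    def __init__(self, accounts):
        self._by_id = {a.account_id: a for a in accounts}

    def find_by_uuid(self, uuid: str) -> Optional[LegacyAccount]:
        return next((a for a in self._by_id.values() if a.login_gov_uuid == uuid), None)

    def find_unlinked_by_email(self, email: str) -> Optional[LegacyAccount]:
        # Only accounts not yet bound to a UUID are candidates: an account that is
        # already linked to a different UUID must never be silently re-bound.
        return next((a for a in self._by_id.values()
                     if a.email.lower() == email.lower() and a.login_gov_uuid is None), None)

    def create(self, email: str, uuid: str) -> LegacyAccount:
        new = LegacyAccount(f"new-{len(self._by_id) + 1}", email, uuid)
        self._by_id[new.account_id] = new
        return new


def provision_on_login(store: AccountStore, uuid: str, email: str,
                       consent_given: bool) -> Outcome:
    """Resolve an incoming login.gov sign-in to an application account.

    Order of checks: an existing link wins; otherwise an unlinked legacy account
    with the same email is offered for linking, but only completed once the user
    has consented (the page suggests a consent screen); otherwise a new account
    is created so the user is never blocked."""
    existing = store.find_by_uuid(uuid)
    if existing is not None:
        return Outcome("already_linked", existing.account_id)
    legacy = store.find_unlinked_by_email(email)
    if legacy is None:
        return Outcome("created", store.create(email, uuid).account_id)
    if not consent_given:
        # Application shows its consent screen, then calls again with consent.
        return Outcome("consent_required", legacy.account_id)
    legacy.login_gov_uuid = uuid
    return Outcome("linked", legacy.account_id)


if __name__ == "__main__":
    # Constructed sample: one unlinked legacy user, one already migrated.
    store = AccountStore([LegacyAccount("legacy-1", "ana@example.gov"),
                          LegacyAccount("legacy-2", "bo@example.gov", "uuid-bo")])
    print(provision_on_login(store, "uuid-ana", "ana@example.gov", consent_given=False))
    print(provision_on_login(store, "uuid-ana", "Ana@example.gov", consent_given=True))
```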

Metrics and analytics

Business intelligence available for partners

We provide an annual statement that includes your usage, and we are updating our partner experience to provide regular reports. We will also allow agencies to request special analysis of data to discover unique insights for their specific agency. We’re investing in more reporting capabilities for integrated applications.

Metrics captured by our system

We capture over a hundred different user events over the course of a user transaction, in addition to security and infrastructure monitoring. This allows us to develop a variety of calculated metrics like 2FA method rates, user adoption rates, and conversion rates within our platform.

Fraud detection

Fraud detection and communication to agencies

login.gov works to have a shared risk model for our threat detection and prevention. We monitor, throttle, and block suspicious traffic. Our primary strength is in fraud prevention. We allow authentication by unphishable methods through PIV/CAC and WebAuthn and are improving the user experience to encourage users to configure these secure methods. We encourage our partners to identify behaviors that may warrant additional authorization policies for events occurring within their application.

Sharing fraudulent events across agencies

By sharing data across our experiences between login.gov and agency partners, we will be able to spot fraudulent activity much more easily than we could independently from only one system. We encourage your team to notify us of fraudulent or suspicious events so that we can address the activity and, if needed, notify the Department of Homeland Security.

Customer service

Customer service to users

login.gov provides customer support for our end-users through our contact center services. Our live agents answer telephone calls and emails in English, Spanish, and French (through a translation service) 8am-8pm Monday through Friday, excluding federal holidays. Most inquiries are received from the login.gov email form. Our contact center staff provides a phone number to users upon escalation of an issue. We work with agency partner help desks to help them understand how to provide comprehensive support.

Any needed services outside these hours are on a case by case basis depending on partner needs.

login.gov agents CAN:

  • Verify the steps users need to sign in successfully
  • Leverage login.gov’s FAQs to browse most common topics and questions
  • Verify which website/application the caller is trying to access
  • Provide referral information about the application that the user is trying to access
  • Provide screen shots of the login.gov application to help users navigate the login.gov screens

login.gov agents CANNOT:

  • Provide advice or answer questions about other agencies’ applications or procedures
  • Reset a user’s login.gov account
  • Create or delete a user’s login.gov account
  • Provide advice about how to navigate non-login.gov applications
  • Verify that an account has been created or deleted
  • Make changes to a user’s login.gov account
  • Change a user’s email or phone number
  • Shorten or waive the 24 hour “cooling off” period for account deletion

Accessibility

Usability

Our approach is to continuously iterate on login.gov based on what we learn from ongoing research and usability studies. We have recently started publishing our research.

Accessibility standards/compliance for Section 508

We follow all accessibility standards and we comply with Section 508. You can find 18F’s accessibility checklist, and learn more about the tools we use to ensure all our products and services are Section 508 compliant.