Policy & Practice | Fall 2023

Landscape Research: Authentication and Identity Proofing The DBN recently produced a report and an open data set that catalogs digital authentication and identity verification practices in initial appli cations for SNAP, TANF, WIC, MAGI Medicaid, child care, and UI, across every state and territory, representing a total of 158 different applications. 2 A data-sharing partnership with Code for America facilitated the develop ment of these datasets, and supported work on their Benefits Enrollment Field Guide. 5 Through this work we learned a great deal about the land scape of online benefits applications, including the following highlights: Combined and standalone appli cations: In many states, SNAP, WIC, TANF, Medicaid, and child care are included on combined applications that allow users to apply for more than one benefit program at a time. Some states also have multiple appli cations for the same programs (e.g., SNAP/TANF in Mississippi or SNAP/ TANF/Medicaid in California), or offer simplified, stand-alone SNAP applications in addition to combined applications (e.g., kynect in Kentucky, or North Carolina’s ePASS). UI is not currently integrated with other program applications, but may share the same authentication services (e.g., UtahID, a state SSO which is used for the state’s unemployment insurance application and the state’s combined SNAP, TANF, Medicaid, and child care application). Authentication: A majority of applications (75%) across programs require applicants to log in or create an account to start an application. Of the 143 applications that require or allow account creation, either to start an application or later in the process, 93 of those account registra tion processes require users to include an email address. Requirements to include an email address during account registration are particularly important in some programs, like SNAP. Of the 39 SNAP applications that require accounts to start an application, 14 state application flows appear to require users to enter an email address, although some of these

Figure 1: Is an Email Address Required to Create an Account?

states have other online applications for SNAP that do not require users to create an account or provide an email address. The U.S. Department of Agriculture’s Food and Nutrition Service (FNS) has previously stated that applications for SNAP cannot require users to submit an email address, since doing so creates an additional condition of eligibility. 6 A total of 117 applications (81%) that have a log-in requirement or option also offer some kind of authentication security measures such as multifactor authentication or email validation links. These may help ensure accounts are secure, but depending on how such measures are deployed, they may also create additional steps or barriers for applicants and beneficia ries attempting to create or return to an account. Single sign-on: Currently 31 applications are using single sign-on options (SSOs) that enable applicants to use the same login for other gov ernment services in the state. SSOs are a growing service in many states, and some SSOs may be deployed with minimal program-specific consider ations and may also include identity verification. Identity verification in initial applications: Around a third of appli cations require or prompt some type of active identity proofing steps as part of an online application process. Identity proofing requirements are most common in UI online applica tions. Just over half of UI applications require some type of active identity

proofing steps to apply. Among other programs, identity proofing require ments or prompts were most common for applications that allow users to apply for MAGI Medicaid, with 46 percent of applications that include MAGI Medicaid requiring or prompting identity proofing steps. For UI, we found evidence that 22 labor agencies were using biometrics for identity proofing. We did not find evidence that biometrics are currently being used for identity proofing in any other safety net programs. When identity proofing prompts or requirements are included in online SNAP, TANF, WIC, MAGI Medicaid, or child care applications, they appear to use knowledge-based verification (KBV). The methods being used for identity proofing shape security and access. KBV questions—sometimes also referred to as remote identity proofing or RIDP—can create obstacles for people with limited credit history, as well as immigrant parents applying for services on behalf of their children. 7 Additionally, because of data breaches, answers to these types of ques tions, which include questions about cars owned, previous loans, or past addresses, may not actually be secret. The National Institute of Standards (NIST) has previously outlined limits on the use of KBV questions for identity proofing. In 2019, the U.S. Government Accountability Office also issued guidance recommending that several federal agencies discontinue

See Research Corner on page 44

13

Fall 2023 Policy & Practice