Last December’s Executive Order on Transforming Federal Customer Experience called on federal agencies to reinvent their service delivery “in a manner that people of all abilities can navigate.” Though it’s still early in the process for many agencies, those looking for inspiration should look no further than the Department of Veterans Affairs (VA) as a leader in customer service.
The VA.gov website was launched in 2016 to merge more than 500 scattered services into a single cohesive portal. Not only was the consolidation itself an enormous undertaking, but the portal allowed access to critical information such as healthcare, education, disability benefits, and service records, all of which needed to be secured.
As a result, the VA needed to adhere to the security requirements outlined in the Digital Identity Guidelines from the National Institute of Standards and Technology (NIST) (800-63-2 LOA3, now superseded by NIST 800-63-3). The guidelines require robust identity proofing and multi-factor authentication (MFA) to verify users’ identities.
The VA also needed to deal with the millions of existing accounts that used DS Logon and MyHealtheVet, as neither option met the NIST LOA3 or IAL2/AAL2 standards. Their ideal solution would allow veterans to use their existing credentials created through these two services at the new site. Finally, the new login process had to be simple enough that the entire user base, including older or unhoused veterans, would be able to access their information.
Simplifying the login process was essential for another reason. Despite the large cache of records the VA encompasses, many veterans find themselves unable to verify their identities and access the VA’s online services. A large hurdle, such as a lack of a stable address or credit history, or a seemingly trivial complication, like an international phone number, can serve as a barrier to proving a veteran’s identity. In these cases, they are forced to go to a VA field office to verify their identity in person. Depending on the circumstances, this can be inconvenient for many, and impossible for some. To truly serve all of their users, VA.gov needed a way to eliminate these roadblocks and provide a truly accessible online experience.
To create a new login solution that addressed all of these needs and ensured equity in access, the VA partnered with ID.me. Users can now log into the VA.gov portal using either their existing credentials or new credentials created through ID.me. The VA chose to implement a risk-based authentication protocol to give veterans options. Upon first login, veterans are prompted to create an LOA1 account with the option to secure their account by enrolling in MFA. If they need to perform a high-risk transaction, such as claiming a benefit or changing a beneficiary, veterans will be prompted to enroll in MFA (if they haven’t done so already) and then verify their identity at LOA3, or at IAL2/AAL2 if they verify through a supervised remote flow.
VA.gov’s new login process for veterans made the VA a leader in digital identity security and customer experience. It was the first federal agency to support supervised remote identity proofing via online video chat while meeting NIST standards for IAL2/AAL2. The VA also supports FIDO U2F tokens, which are a proven defense against remote account takeover. As a result, veterans are offered a safe online experience as well as a convenient one.
To learn more about how the Department of Veterans Affairs created a more secure, customer-friendly digital portal on VA.gov, read the case study here.