
Most users w/.gov email addresses can't have PIV cards and shouldn't be prompted to add one #10420

Open
h-m-f-t opened this issue Apr 12, 2024 · 2 comments


h-m-f-t commented Apr 12, 2024

Steps to reproduce the issue (please be as specific as possible)

  1. Sign in with a Login.gov account using a .gov (or .mil) email address that doesn't have a PIV/CAC card associated as a second factor
  2. Be prompted to add a PIV/CAC

Expected behavior

Only users who sign in with a .gov email address from an agency capable of issuing a PIV should be prompted to add it.

Actual behavior

In #10282, a new interstitial was added post-password-auth to nudge users with .gov (and .mil) email addresses to add their PIV card. Users are redirected to https://secure.login.gov/login/piv_cac_recommended.

Issue

While the initiative is to be applauded, the implementation presumes that all users with .gov emails can get or obtain a PIV, which is inaccurate. Federal employees in the legislative and judicial branches generally can't obtain a PIV, and by domain count, .gov is 85%+ non-federal.

Under the current logic, people with .gov email addresses from cities and states will be asked to add their PIV card. Most users with .gov email addresses can't have PIV cards and shouldn't be prompted to add one.

Login could consider only prompting users whose email address (or rather, their email address's second-level domain) matches a domain where Domain type == Federal - Executive. However, additional investigation would be warranted to confirm that scope is accurate.

[Screenshot 2024-04-12 at 10:45:43 AM]
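One way to implement the domain-type check proposed above, written here as an added example in Ruby (it is not Login.gov's own code). It assumes the "Domain name" and "Domain type" column names of CISA's public .gov domain list and runs against a constructed sample table; only .gov addresses are evaluated, since .mil domains are not in that list.

```ruby
require "csv"
require "set"

# Constructed sample rows in the column layout of CISA's .gov domain list
# (assumption: "Domain name" and "Domain type" headers; other columns are illustrative).
SAMPLE_DOMAIN_LIST = <<~CSV
  Domain name,Domain type,Agency,Organization
  GSA.GOV,Federal - Executive,General Services Administration,GSA
  HOUSE.GOV,Federal - Legislative,U.S. House of Representatives,U.S. House
  USCOURTS.GOV,Federal - Judicial,Administrative Office of the U.S. Courts,AOUSC
  NYC.GOV,City,Non-Federal Agency,City of New York
  TEXAS.GOV,State,Non-Federal Agency,State of Texas
CSV

# Only executive-branch agencies are assumed able to issue a PIV, per the proposal.
PIV_ELIGIBLE_DOMAIN_TYPES = ["Federal - Executive"].freeze

# Build the set of registrable .gov domains whose Domain type is PIV-eligible.
# Domain names in the list are upper-cased, so normalise to lowercase.
def load_piv_eligible_domains(csv_text)
  CSV.parse(csv_text, headers: true).each_with_object(Set.new) do |row, eligible|
    type = row["Domain type"]&.strip
    eligible << row["Domain name"].strip.downcase if PIV_ELIGIBLE_DOMAIN_TYPES.include?(type)
  end
end

# Second-level .gov domain of an email address (mail.gsa.gov -> gsa.gov),
# or nil when the address is malformed or not under .gov.
def registrable_gov_domain(email)
  host = email.to_s.split("@", 2)[1]
  return nil if host.nil? || host.empty?
  labels = host.strip.downcase.split(".")
  return nil unless labels.length >= 2 && labels.last == "gov"
  labels.last(2).join(".")
end

# Decide whether the post-password PIV/CAC interstitial should be shown.
# Addresses outside the eligible set (city, state, legislative, judicial,
# or non-.gov) are never prompted.
def recommend_piv?(email, eligible_domains)
  domain = registrable_gov_domain(email)
  !domain.nil? && eligible_domains.include?(domain)
end
```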
aduth (Member) commented Apr 12, 2024

Hi @h-m-f-t , thanks for your feedback on this new feature! I think you raise a valid point, and at the very least I feel that the content should more accurately reflect that the user may not necessarily have a PIV. I'd also be interested to explore the domain-matching idea you mentioned with the CISA domain list for federal domains.

I'll plan to bring this feedback to our team, and will follow-up with any updates.

In the meantime, it's currently a one-time, optional prompt, so it will not be shown to a user again once they opt to skip the recommendation.

h-m-f-t (Author) commented Apr 12, 2024

Awesome, thanks @aduth! We're happy to help over here on the .gov side.
