Hi @h-m-f-t, thanks for your feedback on this new feature! I think you raise a valid point, and at the very least I feel that the content should more accurately reflect that the user may not necessarily have a PIV. I'd also be interested to explore the domain-matching idea you mentioned with the CISA domain list for federal domains.
I'll plan to bring this feedback to our team, and will follow up with any updates.
In the meantime, it's currently a one-time, optional prompt, so it will not be shown to a user again once they opt to skip the recommendation.
Steps to reproduce the issue (please be as specific as possible)
Expected behavior
Only users who sign in with a .gov email address from an agency capable of issuing a PIV should be prompted to add it.
Actual behavior
In #10282, a new interstitial was added post-password-auth to nudge users with .gov (and .mil) email addresses to add their PIV card. Users are redirected to https://secure.login.gov/login/piv_cac_recommended.
Issue
While the initiative is to be applauded, the implementation presumes that all users with .gov emails can get or obtain a PIV, which is inaccurate. Federal employees in the legislative and judicial branches generally can't obtain a PIV, and by domain count, .gov is 85%+ non-federal.
Under the current logic, people with .gov email addresses from cities and states will be asked to add their PIV card. Most users with .gov email addresses can't have PIV cards and shouldn't be prompted to add one.
Login could consider only prompting users whose email address (or rather, their email address's second-level domain) matches a domain where Domain type == Federal - Executive. However, additional investigation would be warranted to confirm that scope is accurate.
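The domain-type matching proposed in the issue could look like the following. This is an added example, not Login.gov's code. The `Domain name` column, the sample rows, the method names, and leaving `.mil` addresses prompted as they are today are all assumptions; only `Domain type` and `Federal - Executive` come from the issue.

```ruby
require "csv"
require "set"

# Constructed sample shaped like a .gov domain list export. The "Domain name"
# column and every row are assumptions made for this illustration.
SAMPLE_DOMAIN_LIST = <<~CSV
  Domain name,Domain type
  EXEC-AGENCY-EXAMPLE.GOV,Federal - Executive
  courts-example.gov,Federal - Judicial
  congress-example.gov,Federal - Legislative
  cityofexample.gov,City
CSV

PIV_ELIGIBLE_TYPE = "Federal - Executive"

# Collect the lowercased domains whose type is exactly the eligible one.
def piv_eligible_domains(csv_text)
  eligible = Set.new
  CSV.parse(csv_text, headers: true).each do |row|
    next unless row["Domain type"].to_s.strip == PIV_ELIGIBLE_TYPE
    eligible << row["Domain name"].to_s.strip.downcase
  end
  eligible
end

# Reduce an email address to its second-level domain (last two DNS labels),
# so user@mail.agency.gov is matched as agency.gov. Returns nil if malformed.
def second_level_domain(email)
  local, _, host = email.to_s.strip.downcase.rpartition("@")
  return nil if local.empty? || host.empty?
  labels = host.chomp(".").split(".")
  return nil if labels.length < 2 || labels.any?(&:empty?)
  labels.last(2).join(".")
end

# Hypothetical replacement for a "prompt every .gov/.mil address" check.
def recommend_piv_cac?(email, eligible)
  sld = second_level_domain(email)
  return false if sld.nil?
  # Assumption: .mil stays prompted as today; the issue only discusses .gov.
  return true if sld.end_with?(".mil")
  # Exact set lookup, not a suffix or substring test on the raw address.
  eligible.include?(sld)
end
```

The exact-match lookup on the last two labels means an address such as `x@exec-agency-example.gov.example.com` is never treated as a federal executive domain.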