GSA-TTS / isdc-lacr-tracker

Artifacts related to the ISDC LACR Tracker
0 stars 0 forks source link

POAM: Authenticate with PIV/CAC card via login.gov #18

Open mogul opened 11 months ago

mogul commented 11 months ago

In order to eliminate the need to manage credentials (and address a POAM), users should authenticate with the system using their login.gov account and a PIV/CAC card.

Additional context

This POAM was noted as a Low on September 26th, 2023. Low findings must be resolved within 180 days. So we expect this capability will be in place no later than March 26th, 2024.


Here we're referring specifically to the additional requirement to verify that a PIV card was used during authentication. In particular, see the "Authentication Assurance (AAL) Values" section in the login.gov SAML docs; I'm highlighting the relevant item in red in the screencap below: image

We've been told that other agencies also want to be able to require the use of a PIV/CAC card during authentication in their eCase applications, and that we were not alone in requesting that feature be added to eCase.

mogul commented 8 months ago

This is stalled pending a contract action, so the date it will be satisfied is presently indeterminate.