mogul
commented
7 months ago This is stalled pending a contract action, so the date it will be satisfied is presently indeterminate.
Open mogul opened 11 months ago
mogul
commented
7 months ago This is stalled pending a contract action, so the date it will be satisfied is presently indeterminate.
In order to eliminate the need to manage credentials (and address a POAM), users should authenticate with the system using their login.gov account and a PIV/CAC card.
Additional context
This POAM was noted as a Low on September 26th, 2023. Low findings must be resolved within 180 days. So we expect this capability will be in place no later than March 26th, 2024.
Here we're referring specifically to the additional requirement to verify that a PIV card was used during authentication. In particular, see the "Authentication Assurance (AAL) Values" section in the login.gov SAML docs; I'm highlighting the relevant item in red in the screencap below:
We've been told that other agencies also want to be able to require the use of a PIV/CAC card during authentication in their eCase applications, and that we were not alone in requesting that feature be added to eCase.