search

HHS / simpler-grants-gov

https://simpler.grants.gov
Other
46 stars 13 forks source link

Spike: research verification level needs with HHS stakeholders #2802

Open mxk0 opened 1 week ago

mxk0 commented 1 week ago

Summary

From @chouinar in Slack:

A broad login.gov question - what “level” of verification does a user require in login.gov? They have a few (under “Type of Service Level”). For example, the most basic one is just email/pass/MFA. This is what the legacy grants system uses. The level we require affects what information we can get back about a user. At this level, we would not have a users first/last name.

First name / last name are not at the lowest level: https://developers.login.gov/attributes/ - the user has to have gone through some amount of verification so they would have even entered those values.

Acceptance criteria

chouinar commented 1 week ago

Organizing some notes for discussion that are more detailed than the initial message I had in Slack copied above.

User attributes: https://developers.login.gov/attributes/

Notably first/last name require verification which the lowest level doesn't give (we tested this, you can make a login.gov account without ever entering your name).

The types of service levels are on https://developers.login.gov/oidc/authorization/#service_level - but will copy them below. The legacy system uses a deprecated approach for this, but the docs say the "auth-only" (first one below) is the equivalent.

urn:acr.login.gov:auth-only

Requires basic identity assurance: email address, password, and at least one MFA method. No identity verification.

Meets either NIST 800-63-3 AAL1 or AAL2 standard (depending on agency integration configuration)

urn:acr.login.gov:verified

Requires that the user has gone through basic identity verification without facial matching.

Does not meet NIST 800-63-3 IAL2 standard.

urn:acr.login.gov:verified-facial-match-required

Requires identity verification with facial match for all users. Even if a user has been previously verified without facial matching, they will be required to go through verification with facial match.

Meets NIST 800-63-3 IAL2 standard.

urn:acr.login.gov:verified-facial-match-preferred

Requires identity verification. Users with no previous identity verification will be required to go through a facial match. Users with previous identity verification will use that data, even if it was done without facial match.

Authentications for users who verify with facial matching will meet NIST 800-63-3 IAL2 standard. Authentication for users who do not do facial matching will not meet NIST 800-63-3 IAL2 standard.