USDAForestService / USFS-timber-permitting

The focal point for an 18F/TTS project with the United States Forest Service on timber permitting

ID verification: As a user, I need a way to verify my identity before I buy a permit so that I can enter into a legal agreement with the USFS and so that my permit is enforceable #168

Closed csstarling closed 3 years ago

csstarling commented 4 years ago

Background

This story replaces #110 and is related to #109 around folks entering required information. Currently, ID and signature are "required" to verify ID in-office, and if ID verification remains required.

Link to trade offs docs

Acceptance criteria

Tasks

Definition of done

csstarling commented 4 years ago

ID verification: options and tradeoffs

Option 1 (preferred): Self-reported ID confirmation, which provides lower evidence of identity

⃞ By checking this box, I verify that I am [name] at [address].

Pros: Streamlined user experience, no dependency on Login.gov for MVP launch, simplifies and speeds path to production for the MVP, many districts were gathering ID info over the phone without doing a visual check/verifying that the ID matched the person on the phone and we didn’t hear of any issues.

Cons: Relies on users to self-report ID confirmation at the point of sale, which may hinder enforcement since there will be less certainty that the person who purchased the permit is the person who actually agreed to abide by permit conditions (however, people who falsely confirm their identity would be violating 18 U.S. Code § 1001); people who don’t have a government issued ID number who might be barred from purchasing an in-office permit could potentially purchase a permit online (we can validate data format for an “ID” form field, but there’d be no check whether the ID number is valid).

Option 2: Login.gov, which provides strong evidence of a permittee’s identity, before folks can proceed with the transaction

Pros: ID proofing using government issued ID; users could log in and have their info pre-populated on the permit form, rather than having to enter it every time; single sign-on experience for eventual scaling to additional permit types and adding features on the roadmap for later releases (e.g., enforcing household limits, letting users see past purchase information, etc.).

Cons: Potentially onerous account creation process for users, additional Login.gov licensing cost, need to modify existing agreement could delay pilot launch beyond the early target of end of Sept. Login.gov does not provide ID number information, so users would still be required to input their ID number. (https://developers.login.gov/attributes/)

Open questions:

  1. What is the minimum info that can be printed on the permit in order to make it enforceable? What information do LEOs use in enforcement? Revisit notes from LEO interviews and discuss w/ pilot forest LEOs. Is name and transaction info (permit number, date purchased) enough? Do we need an address?
  2. Can we email users their own government issued ID # (sensitive PII)? GSA privacy officer’s opinion is that we can, as long as we appropriately disclose to users how their info will be used and what information will be passed on via email. Need to confirm w/ USFS privacy officer--ultimately, it’s their call. If we want to pursue this path, there are implications for the design of the “accept conditions” page.
  3. What is the level of effort to having permittee data requirements changed in the handbook if needed?
  4. To what extent do we need to coordinate with BLM on this?

csstarling commented 4 years ago

@aQuib , @mtlaney Please add your tasks. cc @carlsonem

mgwalker commented 4 years ago

It might be preferable to have the user type their name rather than a checkbox. Depending on how "enforceable" the signature is meant to be, a typed name is considered a legally valid signature (federally, I'm like 95% sure; some states have also opted in, but I don't think that matters here) but I'm not sure if a checkbox does too.

MelissaBraxton commented 3 years ago

Curious where things stand on this? @bboddiger and @csstarling Has there been a decision on whether to go with Login.gov for members of the public to do ID verification?

bboddiger commented 3 years ago

Was this the one that is blocked until engineering, design, security folks all come to an agreement? Shadat was going to write up a short paper to explain this one I believe, correct?

Or is this one that just covered verification, which is not offered as part of current login.gov agreement? There are a few issues that read very similar to me, not sure if I’m mixing them up.

MelissaBraxton commented 3 years ago

It's a good Q! This is very focused on whether members of the public can use a lightweight ID confirmation, rather than going with the cumbersome Login.gov ID verification for the MVP. I'm also interested in the write up, since I'm uncertain on the rationale for requiring login.gov in the MVP, and whether it would preclude this option. @smahmudFS and @JonathanLerner54 - Can you weigh in please?

mgwalker commented 3 years ago

It's definitely not just you, Beth! I am also a little confused about how/whether we're going to use Login. I know there's an ATO concern here since it's in the OF SSP (I think that's right? @smahmudFS please correct).

IF we are not going to do ID verification AND Login.gov is in the current SSP, I would be interested in figuring out what are the ATO implications of just not using Login.gov for the pilot at all. If we need to write a justification or something, that seems like the easier path than using Login.gov for authentication "just because." It makes sense to me that without ID verification, there's no user or FS value in authentication at all, so if we can skip it by writing up a paragraph or two, that seems reasonable.

carlsonem commented 3 years ago

@bboddiger did we officially conclude on how we will do ID verification?

MelissaBraxton commented 3 years ago

@smahmudFS - Thanks so much for sharing the write up! It's really helpful to have it all laid out--and the write up is nice to look at too!

There are some fundamental differences between what's laid out in the doc and what has been discussed for firewood that maybe we can clear up pretty quickly.

  1. There has been no talk of removing Login.gov from Open Forest. In my view, it absolutely should remain in use without any changes in how it's implemented for the special uses permitting module--so I think we are on the same page there! Adding login.gov to the work you all have started on firewood permitting would likely require more code changes.

  2. The use case for special uses (which does and should continue to use Login.gov to authenticate users) is very different than for firewood. Firewood is analogous to Christmas tree permit sales. Public users will not access any data in the system. Once the permit is issued, that's it -- very different than special uses where people are logging in and out and viewing info they and USFS provided. Login.gov was not required for Christmas tree purchases, so I'm curious about why it says that "the current architecture requires" it. Can you say more about that?

  3. The need is to aid law enforcement in one time ID verification (not authentication), so that law enforcement can check that the person holding the permit out in the forest is the person who purchased the permit online.

  4. WRT to potential impacts 3 and 5, It's true that the system would need a SORN in order to be able to store these data, which is why we'd suggested not storing it and not giving the public access to it.

What do you think @bboddiger?

bboddiger commented 3 years ago

Attaching write-up from eng/security regarding login.gov use: https://app.zenhub.com/files/214296595/af65909d-217d-46de-b7ac-52bbb59728e0/download

carlsonem commented 3 years ago

@bboddiger @zchaudhry is there any additional information you need to make a decision if we are using login.gov as part of the MVP? Let me know if we need a meeting of the minds (not mine :) ) so we can move this part of the application forward. Thanks!

bboddiger commented 3 years ago

The one question that needs to be answered is whether or not this will affect the ATO. Is there someone who can give a thumbs up or down on that? That is the one thing we cannot affect—I don’t feel comfortable accepting it as a risk without knowing for sure, or even what sort of odds we’re facing.

MelissaBraxton commented 3 years ago

@smahmudFS and @mwreiss - Can you confirm that we are on the same page wrt to not touching how login.gov is currently implemented in Login.gov for firewood permitting? I'm still not following how building out the firewood permitting module in the same vein as we did Christmas trees would jeopardize the ATO. Maybe the doc you shared during the engineering sync today would help, @smahmudFS?

carlsonem commented 3 years ago

OBE by issue #110