[Epic] Login.gov account creation and sign in

[natalia-fitzgerald]

Milestone: Authentication

The shared data filing platform will be used by filers of small business lending (SBL) and mortgage lending (HMDA) data to centrally manage their account (user profile, financial institution details, login through Login,gov, etc.).

Epic: Login.gov account creation and sign in

The fist step in accessing the shared data filing platform will be to create an account and sign in with Login.gov. A user must sign in with their financial institution email address. Once the filer is signed in and has completed their user profile they will be directed to the SBL or HMDA filing apps to file their data.

Tasks

• [X] Make a list of the relevant user stories for this page
• [X] Document images of the Login.gov account creation and sign in
• [x] Identify UI/UX tasks related to setting up the platform to use Login.gov
• [ ] Determine what is customizable within Login.gov (content, imagery) https://developers.login.gov/design-guidelines/
• [ ] Determine what customization we would like to add
• [ ] Update mock-ups to reflect this customization
• [x] Identify tasks for user testing (to validate the process works as expected, clarity of pre-login content to set users up for success, users able to successfully complete important tasks)
• [ ] Reviewed by team for input & feedback
• [x] User testing conducted (limited ability to make changes, but let's validate the process works as we expect)

Decisions

The following list reflects the output of team discussions and decisions:

• Users of the CFPB shared data filing platform must sign in to Login.gov with their financial institution email address and not a personal email address.
• If a user signs in with a personal email address (that is on our list of personal email domains) it will trigger an alert stating that personal email domains are not supported
  • Build an explicit deny list of personal email domains (gmail.com, yahoo.com, hotmail.com, etc.) to tell users up-front that we don't support non-financial institution email addresses
  • In this scenario if the email domain is in our deny list they would reach a page with an alert asking the user to go back to Login.gov and login with their financial institution email address.
• The user profile email address will auto-populate within our system and is pulled in from the address the user used to sign in to Login.gov.
  • We are able to setup Keycloak so that whenever the user logs in, it will always be sync'ed with the email the user used to sign in to Login.gov.

User stories

• [x] https://github.com/cfpb/sbl-project/issues/64
• [x] https://github.com/cfpb/sbl-project/issues/65
• [x] https://github.com/cfpb/sbl-project/issues/74
• [x] https://github.com/cfpb/sbl-project/issues/75
• Check to make sure login.gov friendly account name is "Small Business Lending Data Submission Platform"

Technical requirements

• User management API
  • Reads data from and writes data back to Keycloak

Content requirements

• [ ] Add here

User testing

Task ideation

• Login.gov landing page Is this what you expected to see? (Is it clear that this is a service that enables cfpb to provide secure sign in?)

Current designs (MVP)

Updated: 2/16/2024

Sign in with Login.gov

When the user clicks "Sign in with Login.gov" they will be directed to the Login.gov landing page. There they will enter their email address and password and click the sign in button. This will take them to the CFPB shared platform home (authenticated) page.

CFPB shared platform (unauthenticated)	Login.gov landing page

Create an account with Login.gov

When the user clicks "Create an account with Login.gov" they will be directed to the Login.gov landing page. The account creation process is 7 screens and includes email confirmation, creating a password, setting up an authentication method, adding an authentication app, and continuing to the CFPB website.

CFPB shared platform (unauthenticated)	Login.gov landing page

Login.gov screens

1. Sign in / Create an account
2. Create your account
3. Confirm your email
4. Create a strong password
5. Authentication method setup
6. Add an authentication app
7. You've added your first authentication method
8. Continue to the CFPB

1. Sign in / Create an account	2. Create your account

3. Confirm your email	4. Create a strong password

5. Authentication method setup	6. Add an authentication app

7. You've added your first authentication method	8. Continue to the CFPB

Your account

A user's email address will auto populate within the CFPB shared filing platform in the "Complete your user profile" page and the "Request changes to your user profile" pages. If a user wishes to make a change to the email address they use to sign in to Login.gov or add a new email address they will do so within Login.gov at https://secure.login.gov/account. Changes to email addresses will be handled in Login.gov and not in the CFPB shared filing platform.

Your account

[natalia-fitzgerald]

Login.gov screens

Sign in with Login.gov

When the user clicks "Sign in with Login.gov" they will be directed to the Login.gov landing page. There they will enter their email address and password and click the sign in button. This will take them to the CFPB shared platform home (authenticated) page.

CFPB shared platform (unauthenticated)	Login.gov landing page

Create an account with Login.gov

When the user clicks "Create an account with Login.gov" they will be directed to the Login.gov landing page. The account creation process is 7 screens and includes email confirmation, creating a password, setting up an authentication method, adding an authentication app, and continuing to the CFPB website.

CFPB shared platform (unauthenticated)	Login.gov landing page

Login.gov screens

1. Sign in / Create an account
2. Create your account
3. Confirm your email
4. Create a strong password
5. Authentication method setup
6. Add an authentication app
7. You've added your first authentication method
8. Continue to the CFPB

1. Sign in / Create an account	2. Create your account

3. Confirm your email	4. Create a strong password

5. Authentication method setup	6. Add an authentication app

7. You've added your first authentication method	8. Continue to the CFPB

Your account

A user's email address will auto populate within the CFPB shared filing platform in the "Complete your user profile" page and the "Request changes to your user profile" pages. If a user wishes to make a change to the email address they use to sign in to Login.gov or add a new email address they will do so within Login.gov at https://secure.login.gov/account. Changes to email addresses will be handled in Login.gov and not in the CFPB shared filing platform.

Your account

[hkeeler]

Todos:

1. Add logo to Login.gov
2. Add custom text content to Login.gov
3. Q: Co-branding with FFIEC?

[natalia-fitzgerald]

@hkeeler @kristenshaw4 - I have updated the images here: https://github.com/cfpb/sbl-project/issues/9. Let me know if you would like me to make additional updates.

[natalia-fitzgerald]

@dan-padgett @angelcardoz We did not discuss this in backlog grooming but we should define what we would like to prioritize for MVP.

The following are two customizations we could make for MVP:

• [ ] Add the CFPB logo to Login.gov
• [ ] Add custom text content to Login.gov

Who would be in charge of making these customization? FEWD? BEWD?

[dan-padgett]

@natalia-fitzgerald The images for this epic already have the CFPB logo--are those just mockups or has the logo already been added? And similarly for the custom text--are the places where "CFPB" shows up already a part of the Login.gov flow, or would those be the custom text that we're considering?

[natalia-fitzgerald]

@dan-padgett I mocked-up the images in the epic so we still need to actually do this work in Login.gov (add logo and text). What I included in the mock-up are the custom text that we're considering.

[natalia-fitzgerald]

Next steps:

• [x] Write user stories for remaining stories
• [x] Create the GitHub issues (Story issues)
• [x] @angelcardoz will review stories and make any adjustments
• [ ] In terms of who will be responsible for the Login.gov customizations @lchen-2101 was mentioned in the call but we should confirm this with the team.

These are the items we need to write the stories for (mocked up above):

• [x] Add CFPB logo to Login.gov
• [x] Add custom CFPB text content to Login.gov

The goal is to establish trust and a sense of security for the user as they navigate an external system and provide personal information

[natalia-fitzgerald]

@angelcardoz Can you review the 3 remaining user stories and determine whether we should create story issues for them?

"As a filer, I want to be able to go to a website and log in to my existing account, so I can access the filing system."

This one may point to the way that we connect the app to Login.gov. It could also make sense at the unauthenticated page step.

"As a filer, I want to be able to create a Login.gov account and assign my own password, so that I can start the registration and filing process with minimal hurdles."

This user story may not be needed since it's an internal Login.gov process that we don't control or need to build (in other words I don't think there's technical work to be done).

"As a filer, I would like to access the CFPB's filing platform with my Login.gov credentials, so that I can trust that my information is secure."

I'm not sure what tasks would come out of this one other than the decision we've already made to use Login.gov?

• @lchen-2101 @sthomas93 for awareness

[angelcardoz]

@angelcardoz Can you review the 3 remaining user stories and determine whether we should create story issues for them?

"As a filer, I want to be able to go to a website and log in to my existing account, so I can access the filing system."

This one may point to the way that we connect the app to Login.gov. It could also make sense at the unauthenticated page step.

"As a filer, I want to be able to create a Login.gov account and assign my own password, so that I can start the registration and filing process with minimal hurdles."

This user story may not be needed since it's an internal Login.gov process that we don't control or need to build (in other words I don't think there's technical work to be done).

"As a filer, I would like to access the CFPB's filing platform with my Login.gov credentials, so that I can trust that my information is secure."

I'm not sure what tasks would come out of this one other than the decision we've already made to use Login.gov?

• @lchen-2101 @sthomas93 for awareness

@natalia-fitzgerald

Reviewed the three stories. The first story already exists (Story #3) in epic #7, so I removed from this epic.

I created the second (Story #74) and third (Story #5) for consistency and thoroughness, added to this epic, and checked them off as there are no additional action items needed. I also deleted the old reference.

[dan-padgett]

@angelcardoz checking off the user testing item here since we covered this step of the process during the focus group