department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Proofing Agents have PIV (IAL3 credential) and will present it during authentication, so don't need to be Login.gov verified #81167

Closed mateoclarke closed 5 months ago

mateoclarke commented 6 months ago

USE CASE As a VA employee who is using their PIV to authenticate to the proofing agent app, I don't need to undergo identity verification because I have already presented my PIV (which required IAL3 identity verification to obtain).

CONTEXT When we implemented the PIV card login for Proofing Agents (PR here), we erred on the stricter side and required their accounts to be verified with Login.gov.

Here is a Loom video that demonstrates the extra steps involved in that process: https://www.loom.com/share/98995077b30d41db9ef4b2ce54a63ba4

After chatting with Porta, he recommended that this is too much extra admin burden since they will be forced to log in with their PIV, which we can verify was issued by the VA and essentially confirm their ID has been proofed within the VA just through their possession of a VA PIV. Issuing a PIV requires VA to obtain and store fingerprints (a biometric), which is an IAL3 level of assurance. Further, when authenticating with a PIV, after entering the PIN, there is a cryptographic validation that the cert on the PIV is still active, representing the highest level of authentication (AAL3) on par with a security key. So for purposes of our pilot where proofing agents have to present their PIV to authenticate, we don't need them to do identity verification.

In order to roll this back, we need to update the ACR values passed as params to the IdP.

Currently they are set to: <acr_values>http://idmanagement.gov/ns/assurance/ial/2+http://idmanagement.gov/ns/assurance/aal/2?phishing_resistant=true</acr_values>

In effect, we need to downgrade our request params from IAL2 to IAL1:

mateoclarke commented 6 months ago

I'm pretty sure this is the code that needs to be changed: https://github.com/department-of-veterans-affairs/va-in-person-identity-proofing/blob/main/nextjs-app/app/src/pages/proofing/index.tsx/#L23-L25

porta-antiporta commented 6 months ago

@mateoclarke I updated the description with additional context. Though I think the ACR values that need to be passed are: http://idmanagement.gov/ns/assurance/ial/1 and http://idmanagement.gov/ns/assurance/aal/2?hspd12=true.

http://idmanagement.gov/ns/assurance/aal/2?phishing_resistant=true allows the use of security keys in addition to PIV which is not sufficient for our needs. We need PIV (so that we can extract identity information from the x509 certificate).
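A configuration check for the ACR change discussed in this thread, as an added example that is not part of the original issue or the va-in-person-identity-proofing code. The function and type names are hypothetical; the rules encode only what the comments above state (IAL1 instead of IAL2, and `hspd12=true` instead of `phishing_resistant=true` so that only PIV is accepted).

```typescript
// Added example: hypothetical helpers, not the project's own code.
const IAL_PREFIX = "http://idmanagement.gov/ns/assurance/ial/";
const AAL_PREFIX = "http://idmanagement.gov/ns/assurance/aal/";

interface AcrPolicy {
  ial: number | null;
  aal: number | null;
  pivRequired: boolean;        // aal value carries hspd12=true
  phishingResistant: boolean;  // aal value carries phishing_resistant=true
}

// acr_values is a space-separated list; inside a query string the space
// shows up as '+', which is how the current value is written in the issue.
function parseAcrValues(acrValues: string): AcrPolicy {
  const policy: AcrPolicy = { ial: null, aal: null, pivRequired: false, phishingResistant: false };
  for (const value of acrValues.split(/[ +]+/).filter(Boolean)) {
    if (value.indexOf(IAL_PREFIX) === 0) {
      policy.ial = Number(value.slice(IAL_PREFIX.length));
    } else if (value.indexOf(AAL_PREFIX) === 0) {
      const [level, query = ""] = value.slice(AAL_PREFIX.length).split("?");
      const flags = query.split("&");
      policy.aal = Number(level);
      policy.pivRequired = flags.indexOf("hspd12=true") !== -1;
      policy.phishingResistant = flags.indexOf("phishing_resistant=true") !== -1;
    }
  }
  return policy;
}

// Returns the reasons a requested ACR set does not match the pilot's intent:
// no Login.gov identity verification step, and PIV as the only authenticator.
function checkProofingAgentAcr(acrValues: string): string[] {
  const p = parseAcrValues(acrValues);
  const problems: string[] = [];
  if (p.ial === null) {
    problems.push("no IAL value requested");
  } else if (p.ial !== 1) {
    problems.push(`IAL${p.ial} requested: agents would still be sent through identity verification`);
  }
  if (p.aal === null) {
    problems.push("no AAL value requested");
  } else if (!p.pivRequired) {
    problems.push("hspd12=true missing: security keys would be accepted in addition to PIV");
  }
  return problems;
}
```

Running `checkProofingAgentAcr` in a unit test or at startup catches a later edit that reintroduces `phishing_resistant=true`, which would leave the app without the x509 certificate it reads identity information from.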