August 6, 2021
NOT-OD-21-040 - Required Use of Two-Factor Authentication Using Login.Gov for eRA's External Modules in 2021
NATIONAL INSTITUTES OF HEALTH (NIH)
The deadline and approach for requiring two-factor authentication (also known as multi-factor authentication) to increase security when accessing eRA modules (eRA Commons, Commons Mobile, ASSIST, Internet Assisted Review) are changing. NIH is providing more time to make the transition. Instead of requiring all users to transition to Login.gov by a fixed deadline of September 15, 2021, eRA will begin a phased approach on September 15, 2021 for enforcing the two-factor authentication requirement for the NIH recipient community, as described below. In this phased approach to enforcement, all scientific account holders should take action now, while administrative account holders will be required to move to two-factor authentication in early calendar year 2022.
NIH is also implementing an additional option to securely log in to eRA systems using InCommon Federated accounts (when organizations participate in the InCommon Federation and authenticate their own users). Beginning September 15, 2021, users will also have the option to use an InCommon Federated account, but only if their institution supports NIH’s two-factor authentication standards and the user has it enabled for their InCommon Federated account. Use of InCommon Federated accounts without two-factor authentication will no longer be permitted.
When two-factor authentication becomes required for a user, according to the timeline below, they will now be able to use Login.gov and/or an InCommon Federated account that supports NIH’s two-factor authentication standards. Note that eRA cannot yet support two-factor authentication for users that have more than one eRA account; specific guidance for users with multiple accounts is provided below.
Background
To make eRA user accounts more secure with two-factor authentication, eRA implemented the capability to use Login.gov instead of an eRA account username and password to access eRA modules (eRA Commons, Commons Mobile, ASSIST, Internet Assisted Review). Login.gov enhances the security of sensitive information that is stored in eRA systems by providing two-factor authentication and allows users to sign into various government agency systems with a single set of credentials. Login.gov is also an option for accessing Grants.gov, the System for Award Management (sam.gov), MyNCBI (see login tips), SciENcv, and MyBibliography.
The required use of Login.gov has been phased in for reviewers since December 2020. As reviewers are assigned to review meetings, their accounts are immediately transitioned to require the use of Login.gov.
In December 2020, NIH announced that eRA users were required to transition to the use of a two-factor authentication service provider, specifically Login.gov, by September 15, 2021. However, to ensure a smooth transition and to respond to feedback from users, the timeline for implementing the two-factor authentication requirement is being adjusted to phase in the requirement for most users and introduce another supported two-factor authentication service to support InCommon Federated institutions.
Adjusted Timeline and Approach
Starting on September 15, 2021, eRA will begin a phased approach for requiring the use of two-factor authentication for user accounts. The new timing of enforcing the requirement depends on the type of user account and a new triggering event.
The Type of User Account:
The Triggering Event:
Forty-five days after this triggering event, these users will not be able to access eRA systems until they set up and use a two-factor authentication service provider - Login.gov and/or an InCommon Federated account (that supports NIH’s two-factor authentication standards).
eRA will send reminder messages during the 45-day period to individual users who are required to transition to the new two-factor authentication requirement.
Exceptions to the Adjusted Timeline and Approach
For reviewers:
For non-NIH eRA partner agency applicants/recipients:
Users Who Only Have a Scientific Account
Users who have a scientific account should start using two-factor authentication now to access eRA systems before they are required to transition. They may use Login.gov and/or an InCommon Federated account (only if their organization supports NIH’s two-factor authentication standards and they have it enabled for their InCommon Federated account).
Users Who Only Have One or More Administrative Accounts
NIH is exempting administrative account holders from the requirement to use two-factor authentication until early 2022, when eRA will implement support for users with multiple accounts, but we encourage administrators with only a single eRA administrative account to start using two-factor authentication now to access eRA systems. They may use Login.gov and/or an InCommon Federated account (only if their organization supports NIH’s two-factor authentication standards and they have it enabled for their InCommon Federated account).
As eRA cannot yet support the association of multiple eRA accounts to a single two-factor authentication account (via Login.gov or InCommon Federation), administrators with multiple eRA administrative accounts may not yet transition their accounts.
Users With Both a Scientific and Administrative Account
Users with both a scientific account and an administrative account should start using two-factor authentication for their scientific account now but delay switching their administrative account until eRA has implemented support for users with multiple eRA accounts in early 2022.
If a user has already transitioned their administrative account to use two-factor authentication, but not their scientific account, they should request that the eRA Service Desk remove the two-factor authentication account association (Login.gov and/or InCommon Federation) from their eRA administrative account and add it to their scientific account. This should be done before their scientific account is required to transition.
InCommon Federated Users
For those who currently use an InCommon Federated account to login to eRA systems, their organization(s) will need to strengthen the security of their federated account authentication processes to support NIH's two-factor authentication (also known as multi-factor authentication) standards, so that federated users are able to continue to use those accounts to log in. If an organization's authentication is in compliance with NIH's two-factor authentication standards by September 15, 2021, its users can continue to use federated accounts that support two-factor authentication. If not, those users will be required to switch to Login.gov to access eRA systems once they are required to transition to two-factor authentication according to the transition timeline stated above. The NIH is collaborating with the InCommon Federation, the organization that coordinates federated authentication across universities/institutions, on this effort.
Note that InCommon Federated users who have already transitioned to use Login.gov can also use their InCommon Federated account once their organization’s federated account authentication process supports the NIH’s two-factor authentication standards. Users can setup and use both Login.gov and InCommon Federated accounts (that support NIH’s two-factor authentication standards) with an eRA user account.
Federated accounts, currently limited to scientific accounts, will be opened up to administrative accounts effective September 15, 2021. However, if a user has more than one administrative account, they should delay switching those administrative accounts until eRA has implemented support for users with multiple eRA accounts, which will be in place in early 2022.
Passphrase to Replace Password
While eRA’s external users are required to start using two-factor authentication, they will still need to maintain their eRA Commons username and password for the time being and will still receive eRA reminder notifications to change their password. The NIH is moving from passwords to passphrases — a set of random words or a sentence at least 15 characters long — effective the end of 2021. eRA users will need to change their passphrase only once a year (as opposed to the current NIH requirement that passwords be changed every 120 days).
Resources
Creating a Login.gov account and associating it with your eRA account is a simple, one-time, three-step process that should only take a few minutes. See step-by-step instructions, FAQs, video tutorials and more at the Access eRA Modules via Login.gov webpage.
For further information about using an InCommon Federated account see the Access eRA Modules Via an InCommon Federated Account webpage.
eRA Service Desk
Submit a web ticket: https://grants.nih.gov/support/index.html
Toll-free: 1-866-504-9552
Phone: 301-402-7469