Two-Factor Authentication: Access eRA Modules via Login.gov


To make eRA user accounts more secure with two-factor authentication (also known as multi-factor authentication), eRA is offering its users two ways to comply:

  • use Login.gov
  • and/or use an InCommon Federated account that supports NIH’s two-factor authentication standards* (beginning September 15, 2021)

These two options should be used instead of an eRA account username and password to access eRA modules (eRA Commons, Commons Mobile, ASSIST, and Internet Assisted Review), per the adjusted timeline below.

Using Login.gov enhances the security of sensitive information that is stored in eRA modules by providing two-factor authentication. Login.gov also allows users to sign into various government agency systems with a single set of credentials. Login.gov is also an option for accessing Grants.gov, the System for Award Management (SAM.gov), as well as MyNCBI, SciENcv, and MyBibliography.

Beginning September 15, 2021, users will have the option to use an InCommon Federated account (when organizations participate in the InCommon Federation and authenticate their own users) only if their organization supports NIH’s two-factor authentication standards and the user has it enabled for their InCommon Federated account. Use of InCommon Federated accounts without two-factor authentication will no longer be permitted, and those users will be required to switch to Login.gov to access eRA modules once they are required to transition to two-factor authentication according to the transition timeline stated below. (For further information, see Access eRA Modules via Federated Accounts.)

When two-factor authentication becomes required for a user, according to the timeline below, they will now be able to use Login.gov and/or an InCommon Federated account that supports NIH’s two-factor authentication standards. Note that eRA cannot yet support two-factor authentication for users that have more than one eRA account; specific guidance for users with multiple accounts is provided below.

Adjusted Timeline

A deadline of September 15, 2021 had initially been set to require users of eRA Commons, Commons Mobile, ASSIST and IAR to use Login.gov, instead of their eRA Commons account username and password, to access those modules.

To ensure a smooth transition and based on feedback from users, NIH is providing more time to make this transition than previously announced. Instead of requiring all users to transition to Login.gov by September 15, 2021, eRA will begin a phased approach beginning on that date for enforcing the two-factor authentication requirement for the NIH recipient community as described below.

This phased approach will apply to everyone — all scientific account holders should take action now, while administrative account holders will be required to move to two-factor authentication in early 2022.

The new timing for enforcing the requirement depends on the type of user account and a new triggering event.

The Type of User Account:

This phased approach pertains to all scientific account holders but excludes administrative accounts until early 2022.

The Triggering Event:

All PIs and key personnel associated with an application or Research Performance Progress Report (RPPR) will be required to transition to the use of two-factor authentication 45 days after the submission of their competing grant application (Type 1 or 2) or their RPPR.

Starting 45 days after this triggering event, these users will not be able to access eRA modules until they set up and use a two-factor authentication service provider: Login.gov and/or an InCommon Federated account (that supports NIH’s two-factor authentication standards).

Exceptions to the Adjusted Timeline and Approach

For reviewers

The transition for reviewers (those with an IAR role) is ongoing and unchanged. Reviewers will continue to be required to use two-factor authentication as soon as they are enabled for a review meeting. However, reviewers will have the new option to use an InCommon Federated account (only if their organization supports NIH’s two-factor authentication standards and they have it enabled on their InCommon Federated account) and/or Login.gov.

For eRA partner agency applicants/recipients

The updated plan applies only to NIH applicants/recipients; while eRA partner agency users are encouraged to move to two-factor authentication, they are not required to at this time (except for reviewers whose transition is ongoing; or applicants/recipients who apply to NIH or have an NIH grant). eRA partner agency users have the option to use a Login.gov and/or an InCommon Federated account (only if their organization supports NIH’s two-factor authentication standards and they have it enabled for their InCommon Federated account).

For users who only have a scientific account

  • Users who have a scientific account (principal investigator, etc.) should start using two-factor authentication now to access eRA modules before they are required to transition. They may use Login.gov and/or an InCommon Federated account (only if their institution supports NIH’s two-factor authentication standards and they have it enabled for their InCommon Federated account).

For users who have only one or more administrative accounts

  • NIH is exempting administrative account holders from the requirement to use two-factor authentication until early 2022, when eRA will implement support for users with multiple accounts.

However, we encourage administrators [signing officials (SOs), administrative officials (AOs), etc.] with only a single eRA account to start using two-factor authentication now to access eRA modules. They may use Login.gov and/or an InCommon Federated account (only if the users’ organization supports NIH’s two-factor authentication standards and the users have it enabled for their InCommon Federated account).

Administrators with multiple eRA accounts should not yet transition their accounts.

For users with both a scientific and administrative account

  • Users with both a scientific account and an administrative account (for instance, a principal investigator and a signing official) should start using two-factor authentication for their scientific account now.

They should wait to switch their administrative account until eRA has implemented support for users with multiple eRA accounts in early 2022.

If a user has already transitioned their administrative account to use two-factor authentication, but not their scientific account, they should ask the eRA Service Desk to remove the two-factor authentication account association (Login.gov and/or InCommon Federation) from their eRA administrative account and have it added to their scientific account. This should be done before their scientific account is required to transition.

InCommon Federated Users

For those who currently use an InCommon Federated account to log in to eRA modules, their participating organization(s) will need to strengthen the security of their federated account authentication processes to support NIH's two-factor authentication (also known as multi-factor authentication) standards, so that federated users are able to continue to use those accounts to log in.

If an organization's authentication is in compliance with NIH's two-factor authentication standards by September 15, 2021, its users can continue to use federated accounts that support two-factor authentication; if not, those users will be required to switch to Login.gov to access eRA modules once they are required to transition to two-factor authentication according to the transition timeline stated above.

The NIH is collaborating with the InCommon Federation, the organization that coordinates federated authentication across organizations, on this effort. 

Note that InCommon Federated users who have already transitioned to Login.gov can also use their InCommon Federated account once their organization’s federated account authentication process supports the NIH’s two-factor authentication standards. Users can set up and use both Login.gov and InCommon Federated accounts (that comply with NIH’s two-factor authentication standards) with an eRA user account.

Federated accounts, currently limited to scientific accounts, will be opened up to administrative accounts effective September 15, 2021. However, if a user has more than one administrative account, they should hold off on switching those administrative accounts until eRA has implemented support for users with multiple eRA accounts, which will be in place in early 2022.

For further information, please see the Access eRA Modules Via an InCommon Federated Account webpage.

Initial Setup at Login.gov

It is a simple, one-time, three-step process to associate your Login.gov account with your eRA Commons account.

Here are the detailed steps and screenshots for the initial setup at Login.gov: 2FA flyer

Note: We have used eRA Commons as an example below.

IMPORTANT: Before starting the process:

  1. Make sure your eRA account is active and you know your account password. If you need to reset your eRA account password, please do so first by using the Forgot Password/Unlock Account? link on the main Commons home screen.

  2. Start the process by going to the eRA Commons home screen and clicking the LOGIN.GOV option.

  3. Make sure you are not using old eRA system bookmarks as that may interfere with the Login.gov process.

Here are the system URLs for:

  1. eRA Commons: https://public.era.nih.gov/commons/

  2. ASSIST: https://public.era.nih.gov/assist/

  3. IAR: https://public.era.nih.gov/iar

  4. Commons Mobile: http://m.era.nih.gov/cmb

Log-in Options for eRA's Modules

| Module | Two-factor authentication via Login.gov | eRA Credentials | PIV/CAC Card* | Federated** |
|---|---|---|---|---|
| eRA Commons | Yes | Yes | Yes | Yes |
| Commons Mobile | Yes | Yes | | |
| IAR (via eRA Commons) | Yes | Yes | Yes | Yes |
| ASSIST | Yes | Yes | | |

*Users accessing eRA modules are being transitioned to require two-factor authentication. Once a user’s account is transitioned, they are no longer permitted to use eRA account credentials (username/password) to log in and must use either Login.gov or an InCommon Federated account that supports NIH’s two-factor authentication standards.

**When organizations authenticate their own users. Only available to users who have not yet transitioned to the required use of Login.gov. See note below about InCommon Federation support of 2FA.

eRA account credential maintenance will continue, at least for now, but will be much easier. Even though we are requiring the use of two-factor authentication, you will still need to maintain your eRA Commons username and password for the time being and will get reminders to renew those annually. But there is good news: NIH is moving from passwords to passphrases — a set of random words or a sentence at least 15 characters long — effective the end of 2021. A major plus of this move is that you will need to change your passphrase only once a year (as opposed to the current NIH policy that passwords need to be changed every 120 days).