Two-Factor Authentication: Access eRA Modules via an InCommon Federated Account

Background

eRA is expanding support for users to securely log in to eRA modules using InCommon Federated accounts (when organizations participate in the InCommon Federation and authenticate their own users).  Currently, eRA supports only a limited number of organizations that participate in the InCommon Federation by allowing users to log in to eRA modules using their organization’s account credentials (username/password).

Beginning September 15, 2021, eRA will be opening up the ability for all organizations that participate in the InCommon Federation to authenticate their own users to access eRA modules.  However, beginning on this date, two-factor authentication (also known as multi-factor authentication) will also be required.  This means that users will now have the option to use an InCommon Federated account only if their organization supports NIH’s two-factor authentication standards and the user has it enabled for their InCommon Federated Account. 

Use of InCommon Federated accounts without two-factor authentication will no longer be permitted.

The NIH is collaborating with the InCommon Federation, the organization that coordinates federated authentication across universities/institutions, on this effort.

How do Users Log In Using an InCommon Federated Account?

On eRA modules, users will see an option to log in using their InCommon Federated account: Login with Federated Account.  The user can open a dropdown menu that displays all supported InCommon Federation organizations.  When an organization is selected, the user is taken to that organization’s sign-in site to log in with their organization’s credentials (username and password).  Once the organization has authenticated the user, the user is redirected back to eRA Commons and automatically logged in (see steps).

Note: Federated accounts, currently limited to scientific accounts, will be opened up to administrative accounts effective September 15, 2021. However, if you have more than one administrative account, wait to switch any of your administrative accounts; eRA is working on a solution to support users with multiple eRA accounts, which should be available in early 2022.

Timeline

Two-Factor Authentication Required for InCommon Federated Accounts beginning September 15, 2021

With NIH implementing new security procedures to require two-factor authentication, these InCommon Federated accounts need to match that higher level of security too.

  • For those who currently use an InCommon Federated account to log in to eRA modules, their organization(s) will need to strengthen the security of their federated account authentication processes to support NIH's two-factor authentication standards, so that federated users are able to continue to use those accounts to log in.
  • If an organization's authentication is in compliance with NIH's two-factor authentication standards by September 15, 2021, its users can continue to use federated accounts that support two-factor authentication; if not, those users will be required to switch to Login.gov to access eRA external modules once they are required to transition to two-factor authentication according to eRA’s transition timeline.

Note that InCommon Federated users who have already transitioned to use Login.gov can also use their InCommon Federated account once their organization’s federated account authentication process meets NIH’s two-factor authentication standards. Users can set up and use both Login.gov and InCommon Federated accounts (that support NIH’s two-factor authentication standards) with an eRA user account.

The NIH is collaborating with the InCommon Federation to implement support for the two-factor authentication requirements by September 15, 2021.  However, it will be dependent upon each organization that participates in the InCommon Federation to implement the necessary support and to express that via its federated login system.

What happens on September 15, 2021?

Effective September 15, 2021, users who arrive on the eRA Commons home screen will see a lengthy list of over 3,000 organizations in the Federated Account login droplist.  This droplist will now include all organizations that participate in the InCommon Federation. Not to worry, there will be a type-ahead feature so navigating the list will be easy.

Note that an organization appearing in the list does not mean it supports NIH’s two-factor authentication standards. When a user selects their organization from the droplist, they will still be taken to their organization’s sign-in site to log in with their organization’s credentials.  However, the organization must support NIH’s two-factor authentication standards, and you must have two-factor authentication set up and enabled for your organization account.

Once you log in and are authenticated via your organization, you will be redirected back to eRA Commons, where eRA will verify that your organization account is compliant with NIH’s two-factor authentication standards.  If it is compliant, you will automatically be logged into eRA Commons.  If it is not compliant, you will be presented with a message informing you that your InCommon Federated account cannot be used, and you will be required to use Login.gov if your eRA account has transitioned to require the use of two-factor authentication.

The message:

Login to NIH modules requires multi-factor authentication (MFA). Either your institution does not support multi-factor authentication, or your institution has not enabled your account for multi-factor authentication. Please contact your local IT department at <Organization’s contact information> to inquire about the ability to support multi-factor authentication for your account. If multi-factor authentication is not available through your institution, you may also register for and use an account from Login.gov.

For more information about your institution's support contact, please refer to: <Organization’s website link>
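The check that happens after the redirect can be sketched as follows. This is an added example, not eRA's code: it assumes the organization signals two-factor authentication through the SAML `AuthnContextClassRef` using the REFEDS MFA profile URI, and the function names and the constructed sample assertions are hypothetical.

```python
import xml.etree.ElementTree as ET

# Assumption: MFA is signalled in the SAML AuthnContextClassRef with the REFEDS
# MFA profile URI; the page itself only refers to "NIH's two-factor standards".
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def authn_context_classes(assertion_xml):
    """List the AuthnContextClassRef values of an assertion.

    The caller must already have verified the assertion's signature, issuer,
    audience and validity window; an unsigned claim of MFA proves nothing.
    """
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(ref.text or "").strip() for ref in root.findall(path, NS)]


def login_decision(assertion_xml, account_transitioned):
    """Apply the flow on this page: MFA asserted -> log in, otherwise refuse."""
    # Exact match only: a missing statement or a look-alike URI fails closed.
    if REFEDS_MFA in authn_context_classes(assertion_xml):
        return {"federated_login": True, "alternatives": []}
    alternatives = ["Login.gov"]
    if not account_transitioned:
        # Username/password is still allowed until the account is transitioned.
        alternatives.append("eRA account credentials")
    return {"federated_login": False, "alternatives": alternatives}


def sample_assertion(class_ref):
    """Constructed, unsigned test assertion (hypothetical helper)."""
    statement = "" if class_ref is None else (
        "<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>"
        f"{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement>")
    return f'<saml:Assertion xmlns:saml="{NS["saml"]}">{statement}</saml:Assertion>'


if __name__ == "__main__":
    for ref in (REFEDS_MFA, PASSWORD_ONLY, None, REFEDS_MFA + "/x"):
        print(ref, login_decision(sample_assertion(ref), account_transitioned=True))
```

A refused federated login corresponds to the message shown above; the `alternatives` list reflects which log-in options remain for that account.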

What Can Users Do?

With the goal of encouraging more organizations to move to InCommon Federated accounts that are compliant with NIH’s two-factor authentication standards, we are continuing to ask you to take action on two items:
 

  1. Check if your InCommon Federated account meets NIH and InCommon Federation’s two-factor authentication standards via this compliance website. If your Federated account passes the check, it is good news. You can continue using your InCommon Federated account instead of moving to Login.gov after your eRA account is transitioned to require two-factor authentication.
  2. If your InCommon Federated account does not pass the check, then we recommend you contact your organization’s administrators (the IT administrators who manage authentication) and encourage them to implement support for NIH’s two-factor authentication standards so you can continue using your InCommon Federated account. If the administrators have any technical questions, they can reach out to the InCommon Federation at help@incommon.org.

Resources

Help 

 

 

Log-in Options for eRA's Modules 

| Module | Login.gov | eRA Account* | InCommon Federated Account** |
|---|---|---|---|
| eRA Commons | Yes | Yes | Yes |
| Commons Mobile | Yes | Yes | |
| IAR (via eRA Commons) | Yes | Yes | Yes |
| ASSIST | Yes | Yes | Yes |

*Users accessing eRA modules are being transitioned to require two-factor authentication.  Once a user’s account is transitioned, they are no longer permitted to use eRA Account credentials (username/password) to log in and must use either Login.gov or an InCommon Federated account that supports NIH’s two-factor authentication standards.

**When participating organizations authenticate their own users.  Effective September 15, 2021, InCommon Federated authentication requires support of NIH’s two-factor authentication standards.