Releases: 18F/identity-idp

RC 118

10 Sep 20:56
2020-09-10T204434
19ebc9c

Improvements/Changes

  • Update doc auth welcome step to include selfie instructions #4151
  • Display success alert if ID submission is successful #4165
  • React document capture form should always show Continue/Submit as enabled #4125
  • Show error message if Acuant SDK capture reports failure #4122
  • Localize document capture (Acuant) label texts #4143
  • Add the document capture step to the hybrid flow #4153
  • Invalidate password in response to RISC notification #4155
  • Pass "Attention" results that have Bar code tests #4159

Accessibility

Bug Fixes Users Might Notice

  • Users can confirm an email while logged into a different account #4170

Behind the scenes changes users probably won't notice

  • Update doc auth funnel queries to account for piv/cac steps/dropoffs #4168
  • Upgrade Acuant SDK to 11.3.2 or newer #4128
  • Refactor doc auth from response to be a hash #4135
  • Ignore service providers missing IAA start and end dates for IAA Billing Report #4167

RC 117

27 Aug 19:24
df6696c

Improvements/Changes

  • Show service provider application name instead of agency name on service provider handoff page (LG-3172) (#4056)
  • Return x509 attributes in SAML responses if service provider is configured to include them and user presents PIV/CAC (LG-3186) (#4080)
  • Change email display name (Resolves #3791) (#4058)
  • Update supported RISC events (LG-3326) (#4106)

Accessibility

  • Change "Take a selfie" to "Take a photo of yourself" (LG-3265) (#4047)

Bug Fixes Users Might Notice

  • Handle malformed parameters when verifying email addresses (LG-3287) (#4054)
  • Do not always make newly added phones the default (LG-3173) (#4076)

Behind the scenes changes users probably won't notice

  • Do not allow reset disavowal without an associated account (#4085)
  • Remove empty KeyName from SAML response (LG-3312) (#4091)
  • Create JSON feed for billing report by IAA (LG-3101) (#4042)
  • Do not create identity records when SAML auth is not completed (LG-3281) (#4121)
  • Many updates in preparation for liveness document capture support

RC 116

13 Aug 20:19
2020-08-13T165832
277b009

Improvements/Changes

  • Create a more streamlined doc auth flow on mobile and desktop; works even if Javascript is enabled (LG-3191) (#3994)
  • Allow user to return to Service Provider if they reach a fail to proof page (LG-3264) (#4023)
  • A more fluid experience for capturing a selfie using react-based technology particularly if an error occurs (LG-3091/LG-3094) (#4009)
  • Allow language translation in liveness flow for French and Spanish (LG-3237) (#3997)
  • Clearer error message during doc auth flow (LG-3052) (#4025)
  • Require auth cert for HSPD12 compliant PIV/CAC authentications (LG-3167) (#4005)
  • Allow SAML clients to request AAL3 authn context (LG-3099) (#4019)
  • Use one UUID per user for agencies that have multiple SPs when reporting RISC events (#3987)

Accessibility

  • Adjust text, headers and other page elements to be more accessible (LG-3221) (#4000)

Bug Fixes Users Might Notice

  • Added retry in the case of Acuant API failures 404, 438, and 439 (LG-3258) (#4038)
  • Fix IAL2 counts for SAML for all reports that include counts (LG-3282) (#4041)

Behind the scenes changes users probably won't notice

  • Add dashboard logout URI to redirect_uris (LG-3050) (#3991)
  • React internationalization string element interpolation (LG-3237) (#3997)
  • Log acuant result code, if billable (LG-2495) (#4001)
  • Update gems to the new typhoeus-less versions and minor updates (LG-3177) (#3998)
  • Redo proofing cost migrations as strong migrations (#4004)
  • Make sure to log GetResults cost inside of SelfieStep (#4007)
  • Update Ruby version for 2.6.6 compatibility (#4022)
  • Log face match results to events.log (LG-2495) (#4018)
  • Merge logic for dealing with AAL3 and PIV/CAC requirement (#4014)
  • Remove domain from precompiled assets, works better with CDN (#4027)

RC 115

29 Jul 21:33
2020-07-29T210034
f6cd1c3

Improvements/Changes

  • Allow users to return to the service provider website if they fail to proof with a state ID (#3943)
  • Users will have an easier time capturing their image with a full screen view rather than a small window #3942
  • Remove "cancel" link for Delete Account SMS (LG-3076)

Bug Fixes Users Might Notice

  • Fixed PIV/CAC authorization for AAL3 (#3982)
  • Fixed a bug that didn't allow IAL2 SAML users to complete the liveness verification (#3959)
  • Document Capture with Acuant SDK shuts down camera session when successful so users can move forward in the process and no longer be stuck (#3958)
  • Removed 60 second timeout on liveness. Users have more time to capture their image. (#3941)
  • Removed non-AAL3 options for two-factor authentication (like SMS) at sign in when AAL3 proofing is required. Users can only use two-factor authentication methods that meet AAL3 proofing requirements (PIV/CAC and security key). #3951

Behind the scenes changes users probably won't notice

  • Remove redundant user_id index on email_addresses table #3966
  • Make React available in IDP #3903
  • Create localization utilities for React components #3909
  • Make SAML easier - Exempt NameIDPolicy in SAML AuthnRequest #3912

RC 114

15 Jul 23:51
2020-07-15T234847

Improvements/Changes

  • To protect a user's information, PII is hidden on the 'my account page' after a period of inactivity until the user signs in with their authentication method LG-3028 (#3862)
  • Mobile 'terms of service' were added to the phone setup page so the user is aware of what rules apply when opting in to receive SMS (#3887)
  • Fixed grammar in new registration page LG-3171 (#3895)
  • Removed 'cancel' link from the email a user receives when attempting to delete their account LG-3077 (#3906)

Bug Fixes Users Might Notice

  • Fixed broken link in the SMS a user receives when they request to upload photos of their ID via SMS LG-3154 (#3876)
  • Changed the size of the heading (add missing closing tag) on the page a user sees after requesting 'send me a link' to upload documents (#3886)
  • Fixed Acuant errors that caused users to time out while submitting photos of their ID or selfie (stopped using Typhoeus #3889 and whitelisted link_sent #3898)

Behind the scenes changes users probably won't notice

  • Set the issuer in a cookie LG-3105 (#3872)
  • Remove slim files that were already converted to ERB (#3879)
  • Convert the account reset slim files to ERB (#3880)
  • Convert the doc auth slim files to ERB (#3881)
  • Convert layout slim files to ERB (#3882)
  • identity-monitor smoke tests in the IDP repo LG-3170 (#3884)
  • Add a view for the combined document capture step LG-3022 (#3892)
  • Add CircleCI job to run staging smoke tests (#3888)
  • Update check_for_pending_migrations to error in every env (not just prod) (#3893)

RC 113

30 Jun 22:15
2020-06-30T210806
49165ad

Improvements/Changes

  • Changed the wording on our button for uploading a selfie to "re-upload photo" (#3404)
  • Clarified email text for users who try to reset a password using an unconfirmed email address (#3865) (#3861)
  • Improvements to the Acuant liveness detection and proofing (#3866)
  • Replaced 'deal_id' with 'app_id' to service_providers and service provider reports (LG-3114 LG-3115) (#3854)
  • Enable voice calls for Jordan so users with Jordan phone numbers can use voice to receive one-time-passwords while we work on getting a Jordan sender ID (#3859)

Code cleanup

  • Isolated the logic around what is an IAL level request in an IalContext (LG-3106) (#3855)
  • Use dot formatter in RSpec to make it easier for developers to scroll down to failed specs
  • Clean up nginx config files that are out-of-date, unused, and misleading (#3868)

Bug Fixes Users Might Notice

  • Restore email confirmation link to "Confirm email address" (LG-2940) (#3870)

Behind the scenes bug fixes users probably won't notice

  • Fix vulnerable package in RubyGems by upgrading the vulnerable dependencies to a fixed version (#3847)
  • Update Redis so that some of the security patches apply more cleanly (#3857)
  • Remove out-of-date encryption doc that is no-longer needed (#3867)

RC 112.1

18 Jun 21:37
2020-06-18T213636
b5a0a56

Patch release to include #3851 (backwards compatibility for ServiceProviderRequest keys)

RC 112

18 Jun 16:34
2020-06-18T163206
1f43945

Improvements/Changes

  • The content on our "delete your account" screens is clearer and easier to follow. See screenshots, below (#3780)

[Screenshots: Delete your account 1, Delete your account 2, Delete your account 3]

Accessibility

  • Decorative images are hidden from screen readers to prevent confusion and redundancy for users. This is an accessibility best practice we're excited to incorporate. (#3824)
  • Show/hide buttons create bugs for some users. The QR code is now always visible on the "add authenticator app" page and the alt text was updated. (#3843, #3844)

Bug Fixes Users Might Notice

  • IAL2: Users can re-verify to take a selfie when visiting a SP. Previously we would just pass a user without a selfie to the service provider. (#3804)
  • Unconfirmed email addresses: Users who don't confirm an email address, can re-add the email at a later time. (Also released as patch release in RC 111.1 #3821)
  • Copy changes to make sure our language is clear and concise. Examples include updates to the "re-enter your password" screen (#3818) and PIV/CAC copy (#3827).
  • Liveness: Fixed the handoff between a computer and mobile (#3834) as well as a loading issue with the selfie page. (#3836)
  • Fixed a bug in the HTML of the "how you know this is a government website" banner at top of home page

Behind-the-Scenes Changes Users Might Not Notice

  • Updated vulnerable code libraries (#3796)

  • Support for multi-region KMS, allows us to keep login.gov up and working with encrypted data if one Amazon Web Services region goes down (#3812, #3816)

  • Fix tests to use separate Chrome driver which fixes unreliable behavior in our test suite (#3826)

  • Removed unused ID scanning code (#3825)

  • Update calls to AAMVA to check driver's license data to retry automatically on failure. This should reduce errors for users attempting to proof (#3831)

  • Fixed the returning of nonce values in OpenID Connect API when there are multiple login attempts (released as patch release RC 111.3) (#3832)

  • Allow service providers to request signing in with AAL3 level (requires a PIV/CAC or WebAuthn token) (#3835, #3840, #3839)

  • Clean up test logging output for parallel tests (#3841)

  • Store test service provider ID in a parallel-friendly way (#3842)

RC 111.1

16 Jun 19:32
2020-06-08T215345
5437db6

Patch release to include #3821, fixes a bug with adding emails to accounts after the links have expired

RC 111

04 Jun 12:45
2020-06-04T124436

Improvements/Changes

  • Partnership Dashboard: Users with .gov and .mil email addresses can create accounts without reaching out to the partnership team.
  • Tracking success rates: Tracking proofing success rates by service provider helps us better understand
  • Better fraud analysis: We'll retain data from deleted accounts rather than purging. We can perform fraud and forensic analysis to make Login safer for all users. Additionally, we improved our audit log to track who made changes to providers. The additional tracking helps us identify who performed any malicious behavior and when it took place.
  • More options for Pinpoint failures: If an SMS fails to send for one Pinpoint environment, we can try again with another one.
  • Quickly solve user SMS issues: More specific tracking lets us send user SMS issues to Pinpoint so it can be debugged, leading to faster bug fixes for our users.
  • DMDC: Users can verify their identity using a CAC.

Bug fixes your users might notice

  • We hid the "remove key" link for keys that cannot be removed to avoid any confusion.

Behind the scenes bug fixes that improve the product, but users probably won't notice

  • We cleaned up our error reports and fixed a 500 error (server error) that occurred when an authorization request referred to an issuer for a nonexistent service provider.
  • Fixed a 500 error (server error) that occurred when a user attempted to proof with a CAC.