Releases: 18F/identity-idp
RC 110.4
RC 110
Improvements/Changes
- Phishing prevention: A new banner on Login lets users know they are on a legitimate government website (now on secure.login.gov and login.gov). We help users better identify phishing sites when we teach them how to spot legitimate government sites. (LG-2939) (#3751)
- Deleting Accounts: Users are now required to enter a password to delete their account. This helps prevent accidental deletions. (LG-2964) (#3775)
- Upload logos on the partner dashboard: Upload logos via the partner dashboard rather than emailing or slacking our team. Your changes will be reflected immediately in applications on the sandbox. dashboard.int.identitysandbox.gov
Accessibility
We changed aspects of our design and alternative (alt) text to better serve users who use screen readers. While users who don't use screen readers won't notice much of a difference, these are significant changes for those who do. Here are a few examples:
- The GSA logo is read correctly by text screen readers. (LG-2983) (#3763)
- Design changes to the footer. (LG-2989) (#3768)
- Screen reader captures email validation error messages. (LG-2996) (#3773)
Bug fixes your users might notice
- The "remember this browser" link on the sign in page is aligned with the rest of the text
- Bad actors (like hackers) can no longer abuse the OTP (one-time password) feature to block or prevent a user from signing in with their phone. (#2388)
- We fixed an error in our SAML metadata by removing the SingleLogOutService. Now our data validates properly. (#3734) https://secure.login.gov/api/saml/metadata2020
Behind-the-scenes bug fixes that improve the product but that users probably won't notice
- The service provider table now includes IAA information and is trackable by deal_id. (#3756)
- Add spec to make sure that re-proofing costs behave as expected (#3754)
- fix bundler config to work (#3759)
- Add deal and IAA information to service_providers table (LG-2865) (#3756)
- Add a missing return statement when an Acuant SDK file is not permitted (#3765)
- Remove load testing scripts (#3764)
- Fix typo in method name (#3766)
- fix: package.json to reduce vulnerabilities (#3757)
- Remove the Acuant SDK from the desktop flow (#3767) (Staging only)
- Don't truncate the return to SP link (#3770)
- Bring back i18n keys removed in #3767 (#3776)
RC 109
Released 5/7/2020
Improvements/Changes
- Unconfirmed Email Addresses: If a user adds a new email address, but doesn't confirm it within 24 hours, they won't see that email address on their account page. (LG-1899)
- Proofing Limit and Billing: We'll let you know before you go over your proofing limit so you can stay within budget. (LG-2570)
- Reproofing (IAL2): You can request to have your users verify their identity again if you want the most updated information. Keep in mind you'll be billed as if this was a new user. (LG-2677)
- State and Nonce: For OIDC (OpenID Connect), we support a shorter character length for the state and nonce fields. Middleware vendors, like Ping, can now integrate with login.gov. (LG-2856)
Fixes
- Users who select "sign in with government ID" and add their PIV card to their account no longer receive an error message. (LG-2730)
- In rare cases, users attempt to add a phone number and then select cancel. Previously, the user would be signed out. Now, they are redirected back to their account page.
Coming Soon
- Acuant SDK is going live. Users are given better guidance on how to take photos of their ID — decreasing the number of failures for proofing.
- We're still testing aspects of the Acuant SDK flow. We fixed a few bugs to make sure users can use mobile and different web browsers (like Safari).
RC 108
Coming soon
- We are continuously improving our identity verification process flow (IAL2). Accurately capturing a user’s information from any document they upload (like a driver’s license) eases user frustrations, decreases error messages and leads to a higher success rate of completing the IAL2 process.
  - With this new flow, users can snap a photo with their cell phone instead of using a desktop scanner or needing other image files on hand, making it a less cumbersome process.
  - If users get stuck, they can try again or revert to the old flow.
- We're making our partner dashboards more efficient and self-sustaining. Soon, you'll be able to configure applications in the sandbox environment with as little intervention from our team as possible. Partners will be able to:
  - Upload your logos directly from the dashboard
  - Add your own teammates
  - Create your own team if you have a federal email address
Bug Fixes
- Fixed: “Reset password” emails only go to a user’s confirmed email addresses.
- Fixed: Errors for users who use accessibility tools. We’ve upgraded our aXe software to catch more bugs and improve their experience.
- Fixed (IAL2): Odd formatting when a user receives the “link to upload documents” by SMS/Text.
RC 107.1
RC 107
Features
- Drop SSN uniqueness requirement, allow multiple accounts to have the same SSN (#3634, LG-2599)
- Partners can create teams and invite members in the Partner Dashboard
Bugs and Enhancements
- OpenID Connect: allow state and nonce values to be 22 characters (down from 32) (#3684, LG-2856)
- Update IP Geolocation database (used for guessing location of users for things like sign-in notification emails)
- Various bug fixes and enhancements
RC 106
Features
- LG-2674: Revoke Consent (#3644)
- LG-2727: Add "forget all browsers" functionality (#3625)
- LG-2618 Allow strict AAL2 SPs to opt out of default remember device (#3635)
Bugs and Enhancements
- Bump user_agent_parser from 2.5.2 to 2.6.0 (#3620)
- Update Acuant client to send correct JSON headers (#3628)
- Fix flaky spec (#3630)
- LG-2745 Add ial to auth tracking for mixed (IAL1+IAL2) SPs (#3634)
- LG-2811 Drop 2nd MFA requirement (#3643)
- Rename analytics event names to match rest of feature (#3636)
- LG-2801 Allow USPS proofing to be disabled without errors (#3638)
- Update Ruby version (#3641)
- Switch fields to use type="tel" (#3642)
- LG-2822 Add polling to hybrid flow continue step (#3646)
- Update the knapsack report (#3652)
- Upgrade yarn dependencies (#3650)
- Remove CloudHSM code (#3651)
RC 105
Features
- LG-1611: SP's can optionally request signed auth response message (#3597)
- LG-2672: verified_at attribute (freshness value) (#3602)
- LG-2675: Re-prompt for consent to share with SPs after a year (#3609)
Bugs and Enhancements
- Bump nokogiri from 1.10.5 to 1.10.8 (#3595)
- Bump puma from 4.3.1 to 4.3.3 (#3606)
- LG-2025 Move service_service_provider_requests to redis part 3 (#3587)
- LG-2294 Update webauthn gem (#3601)
- LG-2713 IAL2 flow with no SP (#3603)
- LG-2596: Better webauthn Windows support (#3604)
- Docker image and Compose stack refactoring
- LG-2587 IAL2 SP User Quota Tracking (#3592)
- LG-2735 Fix cost tracking for sms and voice underreporting (#3608)
- removed fake banner from staging (#3613)
- LG-2733 Fiscal active users report by SP (#3612)
- LG-2734 aXe Audit
- Update handoff page Continue button to "Agree and continue" (#3619) …
RC 104
Bugs and Enhancements
- Docker-compose (#3586)
- Docker-compose 2 (#3584)
- LG-2556: openid connect spec refactor (#3583)
- LG-2025 Move service_service_provider_requests to redis part 2 (#3582)
- LG-2564 LG-2565 IALMAX for SAML and OIDC (#3574)
- LG-2622 Fix CAC error when attempting to proof (#3591)
- LG-2623 Better logging for PIV/CAC errors (#3590)
- LG-2506 Record user opted remember device preference (#3571)
- LG-2532 Switch to cleave.js for field formatting (#3594)
- LG-2532 fix weird ssn field behavior (#3598)
RC 103
Features
- Recommend more secure MFA methods (#3542)
- LG-2392 Add rate limit screen for doc auth image upload (#3543, #3581)
- LG-2041: Authorization confirmation page (#3525)
- LG-2388 Make recover fail a proper error screen (#3553)
- LG-2386 Shorten Email Header (#3570)
Bugs and Enhancements
- Update the release checklist (#3557)
- Make the SP cost specs proper feature specs (#3559)
- Fix PIV/CAC setup page (#3555)
- Log the telephony responses (#3558)
- Add the PIV/CAC service URL directly to the CSP in local dev (#3560)
- Remove typo in authenticator setup screen (#3561)
- LG-2041: logs event on authentication confirmation (#3562)
- Specify the redirect URI in the request to the PKI server (#3565)
- LG-2025 Move ServiceProviderRequest to Redis (#3554)
- Redirect users who visit authentication confirmation unauthenticated (#3569)
- Copy in agencies.yml from identity-idp-config repo (#3564)
- Mark RemoteSettings specs as pending (#3576)
- Remove Webmock.allow_net_connect! (#3577)
- LG-1727: Update copy for deleting phone (#3578)
- LG-1898: Stop truncating long emails (#3579)
RC 102
2020-02-04T175045 2020-02-04T175045 release