
Releases: 18F/identity-idp

RC 75 and RC 76

29 Jan 17:39

Features

  • PIV/CAC available as a second factor, allowed by the domain of the registered email address. The full list of domains is in https://github.com/18F/identity-idp/blob/master/config/application.yml.example (under the piv_cac_email_domains: key) (#2710)

Bugs and Enhancements

  • Backup code page visual polish (#2706)
  • Don't tell users to contact us on 2FA key use (#2708)
  • Remove legacy attribute and session encryptor (#2711)
  • Set PKCE or JWT mode per SP for OpenID Connect (#2716)
  • Reset remember me on piv/cac change (#2717)
  • Change rubocop rules for commas in multiline method calls (#2721)
  • Update gems (#2722)
  • Remove webpack dev server (#2725)
  • Cleanup webpack output on setup (#2726)

SP Updates

RC 74

10 Jan 20:27
2019-01-07T154258

Features

  • Add list of recovery codes as a 2FA option during account creation (turned off in production) (#2691)

Bugs and Enhancements

  • Allow piv/cac based on email (turned off in production) (#2710)
  • Enable AES attribute encryption by default (#2705)
  • Update email templates (#2703)
  • Switch to using pry as the default rails console (#2553)
  • Rate limit logins (#2699)
  • Update npm packages (#2698)
  • Simulate Acuant for document-based proofing (#2704)
  • Remove selfie matching from document authentication flow (#2688)

SP Updates

  • Add DOL Foreign Labor Gateway (#2696, #2707)
  • Configure omniauth redirect URL for the dashboard (#2689)

RC 73

20 Dec 15:30
2018-12-20T151709
  • Password Strength Meter UI Fix: There was a misconfiguration of the password strength meter and the password character length. With this fix, the password strength meter will not turn green unless a user enters a strong password that is at least 12 characters long.
  • Implemented Field Limits: Implemented text field limits for all user facing fields in both the user experience and backend.
  • New login.gov status page: login.gov has a new status page at https://logingov.statuspage.io/. This is currently experimental; we plan to use it for rapid notification of incidents and to publish system performance and error metrics.

RC 71

26 Nov 16:38

Features

  • Alert a user on personal key sign in #2630
  • Add user event when removing phone number #2649
  • Do not present FIDO auth option if browser does not support FIDO #2642 #2651
  • Display timestamps in the local timezone #2654
  • Alert users when personal key is regenerated #2660
  • Add a phone / multi-phone #2662

Bugs and Enhancements

  • Update typography scale to match spec #2611
  • Stub twilio when testing personal key as mfa #2644
  • Add security key SVG to setup page #2647
  • Return 400 error for invalid String params #2648
  • Update account reset final delete screen design #2652
  • Update gems with bummr #2653
  • Create password screen allows less than 12 characters #2657

RC 70

13 Nov 14:46
2018-11-08T143617

Features

  • Alert a user on personal key sign in #2630
  • Require MFA after 12 hours for IAL2 and AAL2 #2638, #2639

Bugs and Enhancements

  • Alert a user on personal key sign in #2630
  • Confirm before removing a security key #2617
  • Capture statistics on use of remember me feature #2633
  • Create events for webauthn key management #2635
  • Create event for personal key as 2FA #2634
  • Fix SAML NameFormat to comply with the SAML 2.0 standard #2624
  • Convert email_address to plural #2628
  • Fix loop with detect webauthn in Safari #2640
  • Fix sms bug with analytics endpoint #2631
  • Expand 2nd MFA options for piv/cac #2637
  • Convert color variables to 6 digit hex #2636
  • Guard against nil email in password validator #2629
  • Namespace platform authenticator params in analytics controller #2622

RC 69

25 Oct 14:11
2018-10-25T140842

Features

  • Add a warning to the personal key page about phishing #2610

Bugs and Enhancements

  • Don’t increment IdV attempt count when errors occur #2607
  • Stop blocking account creations for email addresses on a large set of domains #2603
  • Enhanced monitoring of IdV errors #2614
  • Rollback changes to reset password that caused issues on iOS 12 #2608
  • Associate remember me revocation with user model instead of relying on phone timestamps #2605
  • Allow form submit with enter key on webauthn nickname form #2604
  • Track analytics on users using platform authenticators #2609
  • Update webauthn library #2602
  • Clean up text and content issues #2615 #2613
  • Code cleanup and hygiene #2594

New Service Providers and updates to existing ones

  • Add SEC Rule 19D-1 #2620
  • Add OPM secure portal #2619

RC 68

11 Oct 14:33
5c67b41
2018-10-11T141509

2018-10-11T141509 release

RC 66 - Patch 1

13 Sep 17:30
1f15cc9

Features

  • List/delete webauthn configurations for a user #2494
  • Allow a user to add a new webauthn configuration #2490
  • Create WebAuthn Configurations Table #2461

Bugs and Enhancements

  • Don't show recovery code before IdV flow #2485
  • Revert removal of #2351 (redirect uri validation) #2498
  • Update Reek from 4.8.1 to 5.0.2 #2499
  • Revert changes to `find_with_email` #2497
  • Update gems with bummr #2493
  • Add timeout to Twilio API calls #2491
  • Fix tests using users with phones #2496
  • Ensure rack-timeout is properly configured #2488
  • Set up a TOTP user for local development #2483
  • Remove unused personal_key method #2481
  • Allow full exception logs for users without phone #2479
  • Refactor AccountReset::DeleteAccountController #2450
  • Catch no method error in formatted phone #2477
  • Fix failure screens throwing 500 error with failure_to_proof_url #2473
  • Take into account nil user in SmsLoginOptionPolicy #2472
  • Make user_access_key_overrides fasterer #2458
  • Remove dup webauthn_configurations index creation #2469
  • Add nil phone_configuration to anonymous user #2467
  • Run bundle install in devops repo when releasing #2468
  • Int: Fix Idv::Proofer vendor initialization #2465
  • Fix Idv::Proofer vendor initialization #2463
  • Return blank for nil phone numbers #2521

New Service Providers and updates to existing ones

  • Add HUD to the service providers in production #2495
  • Add CBP I-94 SP #2487
  • Add Railroad Retirement Board Branding #2482

RC 65 - Patch 1

30 Aug 14:29
2018-08-30T142720
4c45627

Bugs and Enhancements

  • Update LOA3 "failure to proof" screens #2454
  • Redirect piv/cac errors to cleanup url #2380
  • Add spinner when requesting piv/cac cert from user #2258
  • Piv/cac available based on email domain #2429
  • Track additional IdV analytics #2431
  • Use 2-letter phone country code for analytics #2442
  • Refactor and fix account reset requests #2444
  • Allow sign in via remember me after idling #2438
  • Display fake banner in lower environments #2418
  • Prevent calling unsupported countries #2423
  • Fix already authenticated users redirecting to account page #2426
  • Fix border radius on Account boxes #2427
  • Add client-side Crockford Base32 encoding helper #2417

New Service Providers and updates to existing ones

  • Add RRB LOA3 SP to Production #2457
  • Adds in the logo for the Small Business Administration #2393
  • Add a new redirect_uri for logout with the CBP ROAM SP #2435
  • Update redirect_uri list for OIDC Sinatra developer demo app #2433
  • Add a logout redirect uri for the Trusted Traveler Program SP #2446

RC 64

14 Aug 14:13
2018-08-14T140838

Features

  • Failure to proof URL for service providers at LOA3 #2389

Bugs and Enhancements

  • Stop preview images from PRs showing in internal Slack channels #2422
  • Update dependencies #2420
  • Add script to give IDP access to CloudHSM keys #2235
  • Add a task to copy user phone numbers into a new table to eventually allow multiple phones per user #2415
  • Fix a bug where session timeout prevented user from ending at SP #2390
  • Stop storing unnecessary OIDC request data in the session #2412
  • Track errors when the user is nil in analytics #2407
  • Fix bug where users without a phone number were asked to use an auth app to confirm their phone during IdV #2389
  • Add account reset health checker #2387
  • Change release script to stop recycling unused servers #2349

New Service Providers and updates to existing ones

  • Add a redirect URI for DOE #2416