RESEARCH: Test workflow if user locked out of login.gov #148

Open
3 tasks done
exalate-issue-sync bot opened this issue Nov 13, 2024 · 8 comments

exalate-issue-sync bot commented Nov 13, 2024

Task: Test the workflow and figure out what happens when a user is locked out of their login.gov account.

  • User is locked out of the email they use with http://login.gov

    • [Login.gov](http://login.gov/) will let user add a new email to their account and then delete the old email, assuming they can still login with their current authentication method (or if email is the authentication method, there is a second one defined)
      • (Note that if you only have one authentication method defined, http://Login.gov may prompt you to create another one.)
    
    • If you then log in with this new email, you will have the same access to your FECFile account as you had with the previous email
    • Resource: [Change the email address associated with your account | Login.gov](https://login.gov/help/manage-your-account/change-your-email-address/)
    • Our login.gov requires one authentication method to be set (email does not count) and encourages two. Authentication methods are described here: https://www.login.gov/help/get-started/authentication-methods/
      * Face or touch unlock
      • Authentication application
      • Security Key
      • Text message or Phone call
      • Backup Codes
      • PIV or CAC for federal government employees and military
  • User has new phone number for 2FA

    • Login.gov will let user add a new number to their account and then delete the old number, assuming they can still login with their current authentication method (or if phone number is the authentication method, there is a second one defined)
      • Note that if you only have one authentication method defined, http://Login.gov will prompt you to create one.
    • Resource: [Change the phone number associated with your account | Login.gov](https://login.gov/help/manage-your-account/change-your-phone-number/)
  • New login.gov account (locked out of 2FA)

    • On login.gov if you are locked out, you have to delete your login.gov and create a new one as described here: https://login.gov/help/trouble-signing-in/issues-with-authentication-methods/
      image-20241223-180016.png

      • If you select ‘deleting your account’ then there will be two ‘Are you sure’ prompts.
        image-20241223-185027.png
        image-20241223-185059.png
        * This second prompt describes the delete process. It mentions that ‘deleting will remove any agency applications you have linked to your account and you will need to restore each connection.’ and also says you have to return in 24 hours to continue the deletion after you have received the initial confirmation email (and text, if you had defined your phone number and still have access to that number (though, if you did still have access, that number is also available for MFA and you probably didn’t need to delete after all)).
        * The email (and/or text) gives you option to log in anytime before the 24 hours if you remember your authentication. If you try to log in anytime before the 24 hour confirmation, then you will see this:
        image-20241223-190049.png
        * Then, when you receive the follow-up email in 24 hours, it gives you one additional opportunity to log in with your authentication or you can confirm the deletion at that time. There are actually two more prompts before confirming the deletion.
    • If the user creates a new http://login.gov account with the same email
      * After that, the user can create a new [login.gov](http://login.gov/) with their original email address
      
      • Expected/desired system behavior: FECFile recognizes them as the “old” user and they still have access to committee accounts

      • Actual behavior: User gets new UUID and does not have access to committee accounts. They would need to be re-added. (Note that the “old” user email is still listed on the committee account).
        * This behavior is confirmed. The user is still listed as a user for that committee, but the login process shows that the user does not have any committees.

      • Follow-up needed: Create ticket to ensure that if [login.gov](http://login.gov/) authenticates the user as the “same user”, FECFile should also recognize this user and they should recover access to accounts.
        * Same email new UUID (can we have the system check new UUID/email against existing emails, and update user with new UUID in our system?). Note: How can this go wrong?

        • Different email same UUID (confirm this is still working once above is implemented)
    • If the user creates a new http://login.gov account with a different email
      * Expected/desired behavior: They should be able to create a new http://login.gov account, and another user on the committee can add them to their existing committee accounts so they can regain access.

      • They will need to be added to committee account with their new http://login.gov account email.
  • Other scenarios?

    • When a user is deleted/disabled, then they are re-added, what does that look like? Do they get the same access?
      • See above results
    • Make sure that changing your email still lets you access your FECFile account
      * Confirmed. If you change your email in your login.gov account (or add a new one to your account) and then login using that email, you can still access your account.
      • Confirmed that if you change your email address in your login.gov account, the email in the user table for the committee will also change
    • Confirm that http://login.gov makes you set a 2FA - Yes they do, https://www.login.gov/help/get-started/authentication-methods/
      * For Production, can we make them have two methods?
      * If you only have one authentication method defined, login.gov will prompt you to add at least one more.
      * Check with devs - there may be a login.gov admin setting for production. There is NOT for sandbox.
    • Can you have two login.gov accounts with same email?
      * No. When adding an email address, login.gov sends an email to the address being added. If it is a unique email address, then the email is a confirmation. If the email address is used on another account, login.gov will flag that in the email it sends.
      1000008929.jpg
      • (DEVS) If there are two UUIDs, one with old email and one with new email, what is behavior for updating the UUID in FECFILE?
    • (Other) Add E2E tests, automated testing if possible
    • Reach out to http://login.gov for information on account lock out from their perspective (this may need to wait until Production)
  • Useful links


Notes from [11/21/23 requirements session](https://docs.google.com/document/d/1sgO6PIJT9BDCpUoMkt8hV7ZBdCRFljetKlU_N-yQgJs/edit?usp=drive_link): Locked out of FECfile Online

  • User is a valid http://login.gov user but doesn't have committee access (committee exists)
    • User has not been granted committee access for existing committee - someone already within the committee will need to grant them access
  • User is a valid http://login.gov user but is no longer a FECfile Online user (removed from data/users table)
    • We don't want to completely delete user records. Users can be added to different committees, and this also leaves us open to block them in the future if needed.
  • User is unable to authenticate through http://login.gov
    • User forgot their password - account recovery is through http://login.gov
    • User no longer has email access to the email they used to set up http://login.gov   - They can create a new http://login.gov account, FECfile Online recognizes them as a new user, someone has to give them access to the committee account again
  • The entire committee account is locked out and they need to recover their account
    • Assumption: We have no "super user" or administrative user interface to manage roles across the application.
    • Decision for January alpha release:
      * Each committee account must have a backup person, and we can move forward without finalizing the workflow/process of if they are all locked out
      • If all backups lose access and users still can't get in, too bad, must start again. FEC does not want to accept the risk of giving the wrong person access. This may have a political cost, and still needs to be decided on by FEC.
        * Mitigation: Users will be strongly encouraged to backup data with exports, and we will have import/export functionality in the future so it is relatively easy for them to "start again"
        • For committee IDs, we would need to keep the same committee ID and determine what that looks like
    • Future discussions needed (for post-January):
      * Backup codes as an option - this is one of the options in your login.gov account when you set up authentication
      • Finalizing workflow/policy details for being completely locked out

See full ticket and images here: FECFILE-1780


akhorsand commented: [~accountid:712020:3243085d-540a-4657-ad08-d891487882d0] can you look into these scenarios a bit and figure out how we can test this?


gregg.moreland commented: [~accountid:61b0b42cd5986c006a9e1c94] I have added a lot of detail here based on my research of [login.gov](http://login.gov). In my current setup, I can use either the authenticator or my phone (text or voice). If I lose the phone but can still use my authenticator on another device, I can get in. I can change my phone number in [login.gov](http://login.gov) if necessary. If all is lost, I have to delete my [login.gov](http://login.gov) account and it takes 24 hours before I can add another one with that email address, but I should then be able to get back in my committees since I have the same email. If I am locked out of my email, I can define a new email address for my [login.gov](http://login.gov). In that situation, I would need to have someone else add me back to my committee(s) with my new email.


Laura Beaufort commented: In scenario 3, I’m curious if FECFile recognizes the newly created [login.gov](http://login.gov) account with the same email address as before as the same user or treats the user as a different one, and how that impacts FECFile committee account access/creation.


Sasha Dresden commented: I needed to do scenario 3 because I lost access to my authentication app and didn’t have any backups. (I definitely have backups now!) But to answer your question, [~accountid:5b92c509d0b4022bdc51bdf4] No, it does not recognize you as the same user. After deleting my account and recreating it with [login.gov](http://login.gov), when I went to https://dev.fecfile.fec.gov/ and signed in, I needed to create a profile and was not associated with any committees.


gregg.moreland commented: Thank you [~accountid:627ebeb2236090006f61d37d] for that explanation. I honestly was unsure how it would work, but knowing what little I know of the backend code, I can understand why it works that way. So, even with a new [login.gov](http://login.gov) account using the same email as before, they would still need someone to re-add them to their committee(s).


exalate-issue-sync bot commented Dec 9, 2024

Laura Beaufort commented: I'm also curious if the system allows the "new" user to create a new/second fecfile account for a committee that already has a fecfile account.

Another route to this workflow could be:

  • Email1 used to create committee account
  • Committee amends Form 1 to show Email2 as committee email
  • Email2 used to create “duplicate” committee account


gregg.moreland commented: [~accountid:712020:2a1493e5-adee-45bd-b27e-868a5c8d3f62] For the situation where the user deletes their [login.gov](http://login.gov) account (then waits 24 hours) and then comes back with the same email address, there is a note in the research notes to create a ticket to ensure that if [login.gov](http://login.gov/) authenticates the user as the “same user”, FECFile should also recognize this user and they should recover access to accounts.

Is this a difficult thing to do? I will be creating a ticket to address this. What do I need to account for or note in that ticket?


Laura Beaufort commented: 3 Scenarios we need to address:

  1. [Login.gov](http://Login.gov) UUID changes, email stays the same
  2. email changes, [login.gov](http://login.gov) UUID stays the same
  3. Both email and [login.gov](http://login.gov) UUID change

Possible solutions
Scenario 1: Possibly update system with new UUID when logging in, matching on email. System should recognize user as the same
Scenario 2: Update membership table with new email to keep system consistent
Scenario 3: Require 2 system administrators. Possible to do this with 2 email addresses/login.gov accounts for one person. Not an ironclad solution.

“Starting over” with an empty account might be an option to explore in extreme situations. I believe FEC has a requirement to provide software to committees - would a lockout prevent that from happening? We probably need a “break glass” scenario.
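
An added example, not part of the thread and not FECFile's code: a sketch of the login-time reconciliation the three scenarios above describe, including the "two UUIDs" conflict and the "How can this go wrong?" case for rebinding on email. The `User` fields, the outcome strings and the `email_verified` input are assumptions made for illustration.

```python
# Added example: constructed in-memory records; field names are hypothetical,
# not FECFile's schema.
from dataclasses import dataclass, field


@dataclass
class User:
    uuid: str                  # login.gov subject identifier
    email: str
    committees: set = field(default_factory=set)
    previous_uuids: list = field(default_factory=list)


def _norm(email):
    return email.strip().lower()


def reconcile_login(users, uuid, email, email_verified):
    """Return (outcome, user) for one login; `users` is a list of User."""
    email = _norm(email)
    by_uuid = next((u for u in users if u.uuid == uuid), None)
    by_email = next((u for u in users if _norm(u.email) == email), None)

    if by_uuid is not None:
        if by_email is not None and by_email is not by_uuid:
            # Two records claim this login (the "two UUIDs" question): no merge.
            return "conflict", None
        if _norm(by_uuid.email) != email:
            by_uuid.email = email          # Scenario 2: same UUID, new email
            return "email_updated", by_uuid
        return "matched", by_uuid

    if by_email is not None:
        # Scenario 1: same email, new UUID. Rebinding hands over committee
        # access on the strength of the email alone, so require a verified
        # address and keep the old UUID for audit.
        if not email_verified:
            return "rejected_unverified_email", None
        by_email.previous_uuids.append(by_email.uuid)
        by_email.uuid = uuid
        return "uuid_rebound", by_email

    # Scenario 3: nothing matches; a committee member must re-add this user.
    new_user = User(uuid=uuid, email=email)
    users.append(new_user)
    return "new_user", new_user
```

The `uuid_rebound` branch is the one that changes the trust model: whoever controls the mailbox at the time of the new login inherits the old user's committee access, so it is the branch to log and review.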
