W2FA?! Two-factor authentication on the way to eRA Common

Earlier this month I attended the NIH Regional Seminar, a meeting focused on grants administration and related policy. As I usually do at meetings, I tweeted—and a short tweet prompted an immediate and frustrated response:

A little background for the uninitiated: “electronic research administration” or eRA Commons is a portal that supports several aspects of NIH grants administration. Principal investigators (PIs), grants administrators, and others need accounts to enter profile information, enter data for NIH grant applications and reporting, and track the status of applications.

It’s been around a while and comes with a particular set of quirks and bugs/features. You have to reset your password every 120 days. The password has atypical restrictions, like you can’t end with numbers. You can’t recycle a password for 8 years. When you’re updating your personal profile, you can’t save and leave the page until all the required fields are filled and errors have been resolved.

During an eRA Commons workshop, staff revealed that, in the not too distant future, eRA Commons login will go through two-factor authentication (2FA). 2FA adds in another layer of security to establish that you are indeed the user whose name and password you entered.

When I mentioned this on Twitter, there was much wailing and gnashing of teeth. PIs were resoundingly against 2FA. Great, one more thing to make the login process harder. Isn’t resetting their password every login enough? 2FA is such a pain. Who really wants to hack into their account and view their grant scores/statements? It’s going to create problems for sponsored programs helping with submissions. And more generalized, Aaaargh whyyyyyyyy?

Why 2FA?

First we need to recall that NIH is a federal agency and thus subject to a whole lot of federal regulations, rules, plans, and guidances. Maybe the protestations are right; maybe no one cares to hack into eRA Commons and 2FA is overkill. Nonetheless NIH has to address priorities and requirements to modernize systems and enhance cybersecurity. So on the surface, this is about NIH complying with federal requirements.

But let’s dig a little deeper. Why might external stakeholders want a little more security on eRA Commons? That portal provides access to several different NIH systems: ASSIST (creating, editing, and submitting applications), RPPR (progress reporting), xTrain (managing training grant appointments and terminations), Internet Assisted Review (critiquing and scoring applications as a reviewer)… In short, eRA Commons provides access to a lot of confidential information.

Of course that’s for just a select few applications and awards, right? People were primarily thinking of eRA Commons through their own lens, what they see in a scientific role (e.g., as a PI). But other people are engaged in grant applications. Most critically, PIs can’t just submit an application on their own. An authorized organizational representative (AOR)/signing official (SO) “has institutional authority to legally bind the institution in grants administration matters.” They are cleared to provide signatory approval of submissions, and you can’t submit a grant without them. The SO is typically in the sponsored programs office (and there should be more than one). Within eRA Commons, an SO has access to every NIH grant application across the organization. The SO can not only submit but also reject grant applications. They can create, update, and delete eRA Commons accounts for almost every individual at their institution and manage other people’s eRA Commons access. Maybe hacking a PI’s eRA Commons account provides a low return, but the implications of accessing an SO’s account carry much more weight.

What about implementation?

Some pushback in my stream was about how 2FA would be done and how administrative support would access applications to input information for PIs.

NIH isn’t building a new system for 2FA from scratch. It will leverage the existing login.gov system, which is already in use for Trusted Traveler Programs, USAJOBS, and SAM. Folks at eRA Commons will begin piloting with a subset of users next year and develop the interface with user input.

login.gov enables multiple methods for 2FA—text, phone, authentication app, security key, backup codes. One concern that popped up in my feed was access while traveling abroad, and a pre-generated list of backup codes could address cases where text or phone aren’t readily available.
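Two of the methods listed above, the authentication app and the backup codes, are easy to show concretely. The following is an added example, not code from the original post and not login.gov’s implementation; it uses the standard time-based one-time password algorithm (RFC 6238 over RFC 4226 HOTP) that authenticator apps implement, plus a single-use backup-code store that keeps only salted hashes. The 30-second window, 6-digit length and ±1-window clock tolerance are assumptions matching common authenticator defaults, and the sample secret is the RFC test-vector key, not a real one.

```python
"""Added example: how an authenticator app code and a pre-generated backup
code each satisfy the second factor. Standard library only."""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30     # seconds per time window (assumed common default)
TOTP_DIGITS = 6    # code length shown by the app (assumed common default)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).
    `at` is a Unix timestamp in seconds."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int, skew: int = 1) -> bool:
    """Accept the code for the current window and up to `skew` adjacent
    windows, which tolerates small clock drift on the phone.
    Comparison is constant-time so timing does not leak which digits match."""
    counter = at // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-skew, skew + 1))


class BackupCodes:
    """Pre-generated single-use codes for when the phone is unreachable
    (e.g. while traveling). The user sees the plaintext list once; the
    server keeps only salted SHA-256 hashes, so a leaked table is not a
    list of usable codes."""

    def __init__(self, count: int = 10) -> None:
        self._salt = secrets.token_bytes(16)
        self.plain = [secrets.token_hex(4) for _ in range(count)]  # show once
        self._hashes = {self._hash(c) for c in self.plain}

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode()).digest()

    def redeem(self, code: str) -> bool:
        """Consume a code. Returns False for unknown or already-used codes."""
        digest = self._hash(code.strip().lower())
        if digest in self._hashes:
            self._hashes.remove(digest)   # single use: never accepted twice
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


def second_factor_ok(secret: bytes, codes: BackupCodes, submitted: str, at: int) -> bool:
    """Either a live authenticator code or an unused backup code passes."""
    return verify_totp(secret, submitted, at) or codes.redeem(submitted)


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test-vector secret (not a real key).
    secret = b"12345678901234567890"
    now = 59
    print("app code at t=59:", totp(secret, now))          # 287082 per RFC 6238
    codes = BackupCodes()
    print("backup codes (shown once):", codes.plain)
    print("backup code accepted:", codes.redeem(codes.plain[0]))
    print("same code again:", codes.redeem(codes.plain[0]))  # False, single use
```

The two stores behave differently on purpose: the TOTP secret is a long-lived shared key and must be kept confidential on the server, while backup codes are consumed on use and stored only as hashes, which is why a printed list in a wallet is a reasonable travel fallback rather than a copy of the account password.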

Some people raised the issue of how 2FA would interfere with enabling others to access someone’s eRA Commons account. Indeed it will. And frankly I think that’s part of the point. As far as NIH is concerned, you shouldn’t be sharing your login credentials with others, even trusted individuals you want working on your application or reports. User credentials are assumed to represent accountability to said user for actions. “I didn’t do <x>!” isn’t a defense when you contact the helpdesk and they see that your account did indeed do <x>.

That doesn’t mean that PIs are left to handle grants administration activities on their own. The PI and/or SO can delegate other eRA Commons roles to individuals within the organization, granting them access to edit RPPRs, initiate applications, administer training grants, etc. There are certain activities that can only be executed by specified roles. Only the SO or an ASSIST Access Manager (designated by the SO) can manage access to applications, which means contacting your sponsored programs office to add anyone other than the PI and the person who initiated the application. Only the PI can route RPPRs to the SO, creating a stage of accountability for the PI in the reporting process. The advantage of delegations is that you can manage the level of access. It’s not all or nothing. Plus you don’t have to worry about one person changing your password and disrupting your (and maybe others’) access.

I’m not expecting people to embrace 2FA lovingly. I’ve dealt with it on different systems and experienced hassles and headaches it can produce. But perhaps a little context and knowledge about eRA Commons can promote some understanding, and maybe even grudging acceptance, of what’s to come. Either way, 2FA is on its way.


Valuation of Personal Lives

Postdoc pay is a perennial discussion. Last week, the topic popped into my Twitter feed once again with a question related to using family costs to justify a higher stipend.

It should be noted that there were a couple of bad (and IMO bad faith) takes in replies to this and/or an earlier related tweet. (PSA: If you find yourself about to dictate the incompatibility of being a good postdoc and a good parent, you should probably step away from Twitter.)

There’s a clear point about the tension between postdoc pay standards and what it costs to raise a family, especially in high cost-of-living locales. This is a longstanding discussion in the research community. This was emphasized in many of the replies. Even those who suggested that a one-off salary bump wasn’t the way to solve the issue acknowledged the very real challenges that postdocs with families face.

I am not faculty and have no plans to be, but from my perspective, the precedent is problematic. First, it could disrupt trust and satisfaction among others who didn’t try to negotiate a higher salary or did but with no effect. Second, it creates an environment where, maybe even subconsciously, a PI is factoring a postdoc’s family status into costs when they hire in the future.

But there was another thing simmering in the back of my mind, which someone else brought up:

Pay should be based on the job you’re hired to do and (at least to a degree) prior experience and qualifications. (At least that’s the aim, even though that’s not how it plays out entirely today.)

But the issue for me isn’t just about establishing different pay scales for different work. It’s about the reason for doing so.

There’s this embedded expectation that single or married but childless postdocs can “get by” on less than those with kids. Perhaps for the majorities in each category that’s true. But as Liz Wayne pointed out, postdocs can have significant care/family or related costs beyond kids. Some may have chronic illnesses with associated healthcare costs. They might be helping to care for a spouse or parent with an illness or disability. They might be trying to provide financial support for other family members. And circumstances change over time too.

I’m deeply uncomfortable with the idea that anyone should have to disclose information from their personal lives to justify their pay. (Note: No one suggested this specifically, but in my view, it’s an extension of the premise. Also this is not a criticism of the hypothetical candidate.)

Can you imagine needing to tell a prospective boss, “Sorry, I’m going to need a higher stipend so I can afford medical care for <condition x>”? Or going to a current boss and saying, “Um, I need a raise so I can afford to leave my abusive partner”? First of all, no one should have to disclose that sort of information to their supervisor unless they want to. Second, who wants to be making those valuations of what life events and circumstances “justify” more money—and which don’t?

No doubt the struggle for postdocs with children is real. But they’re not the only ones facing financial challenges. Creating a two-tiered system based on familial status isn’t the way to solve those issues though.


Lost in Data

I like data. I tend to put a lot of stock in it. For scientists, data* is a key part of our lives and work. Data is how we learn, which enables us to progress.

But we have to acknowledge something very important about data. Data does not materialize out of a vacuum. It doesn’t just appear on a computer drive somewhere. It’s gathered, processed, and analyzed.

Even when elements are automated, along the way humans designed the automation. They made decisions about which things to measure, how and when and where to measure them, which data points and metadata to record or retain, how to categorize or cluster data or deal with outliers…

These are human activities, meaning there are opportunities for our biases and agendas to influence the processes. Many strive to minimize the effects of bias, applying methods and strategies to design the questions, data collection processes, and analyses to get to an accurate answer in an appropriate and ethical way. They acknowledge the limitations of their approaches and data too. It can take great awareness and care to avoid biasing data.

But decisions about data collection and analysis can be driven by partisanship and chauvinism**. You don’t have to change data to manipulate it. You can modify it in the way you collect and analyze it.

The easiest is to just stop collecting the data—or never collect it in the first place. You can’t report what you don’t measure. It can make for an incredibly useful stall tactic. We need data to know if an issue is persistent and widespread, “worthy” of investing precious time and dollars. Of course getting that data will take time and dollars.

A perhaps more sly way is to have a system in place but make the data difficult to report. You can point to “data” and proclaim, See, no problem here! But the absence of reporting, especially for large organizations, doesn’t translate to the absence of incidents.

Another approach is to change how you collect, categorize, or analyze the data. You influence who’s represented and in what way. You shift a subset of data from one grouping to another. You modify the algorithm.

Without calling attention to it, you make changes (relative to how predecessors did it) to “close” the pesky gaps that groups have rallied around and worked to change. Look at the progress! Nothing more to worry about. Those groups still saying it’s an issue—well, they’re obsessed, fanatics.

I’ve been reading Susan Faludi’s Backlash: The Undeclared War Against American Women, which looks at the backlash against women’s gains and feminism through the 1980s. I’ve been struck in the latter half of the book (which focuses on backlash as seen in politics, popular psychology, women at work, and reproductive rights) by how data was used to push back against (legitimate) claims of persisting disparities. Much of this was driven by federal offices under the control of Reagan appointees, combined with budget cuts, reducing the data collected, failing to process cases/claims (which can become points of data), or changing the way data was categorized or analyzed. I can’t help but wonder how much of this is happening now.

Today, as a society, we’ve become more engrossed in data. We collect more data perhaps than ever before. Too often I see the sentiment that data is somehow “pure”, untouched by human dispositions. Critical information and trends can be lost in the data, and we may be none the wiser if we don’t engage critically with the data, processes, and agendas that generated it.

* Yes, technically data is plural (unless talking about Data, the android). I’m intentionally using singular verbs as I’m referring to data as a single concept, not a collection of data points here.

** Chauvinism used here in its broader meaning of “undue partiality or attachment to a group or place to which one belongs or has belonged.”


#januwordy: Authentic

Authentic. It’s a word that permeates the public life of social media. Newbies are advised to “be authentic.” Some established account holders talk about the imperative to be their “authentic selves.” But what does that mean?

Authenticity generally implies a certain level of openness and transparency. It’s the feeling that you have a good sense about the person from the words and actions that you see. To borrow another cliche, it’s “being true to yourself.”

But what does that look like in a world where we put parts of our lives on display for acquaintances and strangers around the world? In spheres where engagement is measured in clicks and likes? There’s an underlying suggestion that authenticity will bring followers and connections, perhaps even attention and opportunities, maybe even financial gain one day.

Here I stumble. Do we really want authenticity? Or do we want performances of “authenticity”? #humble #blessed

I can’t help but wonder about the many factors that contribute to our interpretations of authenticity.

How much of our expectations are driven by gendered, racial, ethnic, age, religious, and other stereotypes? She cares too much about money and power. He poses too hard as a feminist. She doesn’t post about this topic enough. They talk about that thing too much.

How much of our read of authenticity is about seeing trauma or pain? Certainly talking about struggles can be valuable, letting other people know they’re not alone and creating an opening for support from a virtual community. But there are pieces that many of us keep to small private circles, maybe even just to ourselves, at least for a while. That was true before the internet and remains true now. Failing to broadcast our anguish doesn’t make a person any less authentic, and may in fact be more so for a given individual.

True authenticity takes many forms, no matter which ‘verse we’re moving in. Some forms will resonate with us, as individuals, more clearly than others. And perhaps it’s worth a few moments of self-reflection to examine the ones that do and don’t.


Furloughed Forgotten

We’ve hit Day 28 of the partial Federal shutdown.

The moment the shutdown began, the media started talking about the 800,000 Federal employees who would be affected—either required to work or not allowed to work, both anticipating their next paychecks wouldn’t arrive on time (and they didn’t).

But in addition to those Federal employees whose lives have been disrupted, contractors are getting hit by the furlough as well. They garner an occasional mention in the news stories about government shutdowns.

But broadly there’s limited awareness of the roles of contractors and how they’re affected by the shutdown. You see this in comments in the vein of, It sucks that feds aren’t getting paid right now, but they’ll get paid later.

Yes, Congress has already passed the bill to guarantee federal employees backpay. That does little to alleviate the financial and emotional tolls of today.

But that bill also does nothing for those who are contractors. In shutdowns past, many contractors have just had to take a loss. Their employers don’t get paid for the time, so often neither do the individual contractors. (In some locales, their employers can mandate use of PTO to cover compensation, but it depends on state and local laws—and that of course has other consequences.) This week Senator Tina Smith introduced a bill to get contractors backpay (at least for low-wage workers arguably hit hardest by the shutdown).

A lot of folks who aren’t US citizens or permanent residents work for the federal government—generally as contractors due to requirements for federal employment. They face another stressor in times of shutdown—visa status. Some employers continue paying their foreign workers in the US to continue fulfilling the visa requirements, money the firm hasn’t in the past been able to recoup. If the firm can’t afford/won’t cover the wages and the shutdown drags on another month, then many contractors’ visas will be out of status (unless they find employment elsewhere).

Federal contractors include a wide range of positions. Many of them are low-wage workers. The shutdown is devastating a lot of people’s lives. All because of a presidential tantrum and a submissive/cooperative GOP leadership.

Some thoughts on the short shutdown in 2018 remain largely relevant today:
