W2FA?! Two-factor authentication on the way to eRA Common

Earlier this month I attended the NIH Regional Seminar, a meeting focused on grants administration and related policy. As I usually do at meetings, I tweeted—and a short tweet prompted an immediate and frustrated response:

A little background for the uninitiated: “electronic research administration” or eRA Commons is a portal that supports several aspects of NIH grants adminstration. Principal investigators (PIs), grants administrators, and others need accounts to enter profile information, enter data for NIH grant applications and reporting, and track status of applications.

It’s been around a while and comes with a particular set of quirks and bugs/features. You have to reset your password every 120 days. The password has atypical restrictions, like you can’t end with numbers. You can’t recycle a password for 8 years. When you’re updating your personal profile, you can’t save and leave the page until all the required fields are filled and errors have been resolved.

During an eRA Commons workshop, staff revealed that, in the not too distant future, eRA Commons login will go through two-factor authentication (2FA). 2FA adds in another layer of security to establish that you are indeed the user whose name and password you entered.

When I mentioned this on Twitter, there was much wailing and gnashing of teeth. PIs were resoundingly against 2FA. Great, one more thing to make the login process harder. Isn’t resetting their password every login enough? 2FA is such a pain. Who really wants to hack into their account and view their grant scores/statements? It’s going to create problems for sponsored programs helping with submissions. And more generalized, Aaaargh whyyyyyyyy?

Why 2FA?

First we need to recall that NIH is a federal agency and thus subject to a whole lot of federal regulations, rules, plans, and guidances.  Maybe protestations are right; maybe no one cares to hack into eRA Commons and 2FA is overkill. Nonetheless NIH has to address priorities and requirements to modernize systems and enhance cybersecurity. So on the surface, this is about NIH complying with federal requirements.

But let’s dig a little deeper. Why might external stakeholders want a little more security on eRA Commons? That portal provides access to several different NIH systems: ASSIST (creating, editing, and submitting applications), RPPR (progress reporting), xTrain (managing training grant appointments and terminations), Internet Assisted Review (critiquing and scoring applications as a reviewer)… In short, eRA Commons provides access to a lot of confidential information.

Of course that’s for just a select few applications and awards, right? People were primarily thinking of eRA Commons through their lens, what they see in a scientific role (e.g., as a PI). But other people are engaged in grant applications. Most critically, PIs can’t just submit an application on their own. An authorized organizational respresentative (AOR)/signing official (SO) “has institutional authority to legally bind the institution in grants administration matters.” They are cleared to provide signatory approval of submissions, and you can’t submit a grant without them. The SO is typically in the sponsored programs office (and there should be more than one). Within eRA Commons, an SO has access to every NIH grant application across the organization. The SO can not only submit but also reject grant applications. They can create, updated, and delete eRA Commons accounts for almost every individual at their institution and manage other people’s eRA Commons access. Maybe hacking a PI’s eRA Commons account provides a low return, but the implications of accessing an SO’s account carry much more weight.

What about implementation?

Some pushback in my stream was about how 2FA would be done and how administrative support would access applications to input information for PIs.

NIH isn’t building a new system for 2FA from scratch. It will leverage the existing login.gov system, which is already in use for Trusted Traveler Programs, USAJOBS, and SAM. Folks at eRA Commons will begin piloting with a subset of users next year and develop the interface with user input.

login.gov enables multiple methods for 2FA—text, phone, authentication app, security key, backup codes. One concern that popped up in my feed was access while traveling abroad, and a pre-generated list of backup codes could address cases where text or phone aren’t readily available.

Some people raised the issue of how 2FA would interfere with enabling others to access someone’s eRA Commons account. Indeed it will. And frankly I think that’s part of the point. As far as NIH is concerned, you shouldn’t be sharing your login credentials with others, even trusted individuals you want working on your application or reports. User credentials are assumed to represent accountability to said user for actions. “I didn’t do <x>!” isn’t a defense when you contact the helpdesk and they see that your account did indeed do <x>.

That doesn’t mean that PIs are left to handle grants administration activities on their own. The PI and/or SO can delegate other eRA Commons roles  to individuals within your organization, granting them access to edit RPPRs, initiate applications, administer training grants, etc. There are certain activities that can only be executed by specified roles. Only the SO or an ASSIST Access Manager (designated by the SO) can manage access to applications, which means contacting your sponsored programs office to add anyone other than PI and the person who initiated the application. Only the PI can route RPPRs to the SO, creating a stage of accountability for the PI in the reporting process. The advantage of delegations is that you can manage the level of access. It’s not all or nothing. Plus you don’t have to worry about one person changing your password and disrupting your (and maybe others’) access.

I’m not expecting people to embrace 2FA lovingly. I’ve dealt with it on different systems and experienced hassles and headaches it can produce. But perhaps a little context and knowledge about eRA Commons can promote some understanding, and maybe even grudging acceptance, of what’s to come. Either way, 2FA is on its way.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s