
identity-idp's Introduction

Login.gov Identity Provider (IdP)

Login.gov is the public's one account for government. Use one account and password for secure, private access to participating government agencies.

This repository contains the core code base and documentation for the identity management system powering secure.login.gov.

This file is auto-generated. Run make README.md to regenerate its contents.

Getting Started

Refer to the Local Development documentation to learn how to set up your environment for local development.

Guides

  • The Contributing Guide includes basic guidelines around pull requests, commit messages, and the code review process.
  • The Login.gov Handbook describes organizational practices, including process runbooks and team structures.

Documentation

identity-idp's People

Contributors

achapm, aduth, allthesignals, amirbey, amoose, brendansudol, dawei-nava, dependabot[bot], el-mapache, hursey013, jessieay, jgrevich, jgsmith-usds, jmax-gsa, jmdembe, jmhooper, matthinz, mdiarra3, mitchellhenke, monfresh, orenyk, pkarman, sbc100, solipet, soniaconnolly, stevegsa, svalexander, thatspaceguy, theabrad, zachmargolis


identity-idp's Issues

Accommodate pub/priv idp_cert material stored in envvars

Heyo! Currently, key material is generated locally and deployed to a prod(ish) server as a file on the filesystem.

I was hoping to suggest two changes relating to this:

  1. Allow key material to be stored in envvars.
  2. Allow for a config key suffix of _BASE64 for better handling these config keys.

As for why we'd even base64 encode in this specific case (the key material), I prefer that just because it renders more clearly as one line in .env file in the heroku config output.

This begs another question (2): whether it might make sense to formally use a suffix for config keys that are base64 encoded. This would help the app know how to handle them more generally, and would also hint the validator on what needs to be checked (See #913)

Happy to make this issue only about (1), since this might be conflating things ;)

timeout prompt makes app forget current state

Steps to reproduce the issue

  • Create new account. Start here: https://secure.login.gov/sign_up/enter_email
  • Get paper key.
  • Get prompted to enter your paper key.
  • Do nothing, let some time pass.
  • Get "are you still there?" prompt with timer.
  • Click Okay or "yes I'm still here".

Expected behavior

Timer prompt disappears, "enter your paper key" prompt reappears.

Actual behavior

"enter your paper key" prompt is gone, I'm looking at the profile page.

Environment

  • Windows 10 Version 1607 (OS Build 14393.1066) (64-bit)
  • Firefox 55.0a1 (2017-04-22) (64-bit)
  • 2017-05-04 @ 11:40 CDT

Email as part of two-factor authentication

Steps to reproduce the issue (please be as specific as possible)

I am a government employee working in a facility that does not allow me to have access to my cellphone. Is there a reason that email in addition to text/phone was not included as part of the two-factor login process? Although that wonderful key code works, it is incredibly unwieldy in practice to check on application statuses in USAJOBS.GOV (the site I need to use at work). All of my security training is telling me to not write that code down on paper somewhere; it's like writing your password on a sticky note. And it shouldn't be saved on my computer either. To compound the issue, it changes to something else the next time I login.

Expected behavior

I login with my username and password
it gives me the option to use my email on record to confirm

Actual behavior

I login with my username and password
it only gives me the option of using my cellphone or a one time password that must be written down and changes every time I login.

My cellphone is simply not available to me for my entire workday.

Thanks for considering my issue. If this is the wrong project, I will promptly remove this.

Unable to log in to existing account on Trusted Traveler Program page

Steps to reproduce the issue (please be as specific as possible)

  1. Start from https://ttp.cbp.dhs.gov/
  2. Click "Log In" or "Get Started" -> "Consent and Continue", this redirects to https://secure.login.gov/sign_up/start
  3. Click "Sign in" since I already have an account
  4. Enter email address and password, click Next
  5. Enter OTP (using Google Authenticator), click Submit

Expected behavior

Redirect back to https://ttp.cbp.dhs.gov/ with a signed in account

Actual behavior

Window appears with "Session: Your session is no longer active. Please log in again."
Screenshot: https://photos.app.goo.gl/RQoiF3YeB4d5tehw9

Extra details

  • Working a few weeks ago, when I created a new login.gov account, but didn't proceed with the application
  • I can successfully login to other login.gov sites such as https://secure.login.gov/account
  • Never used a GOES id
  • Tried multiple times yesterday and today, from many different browsers:
    • Chrome 68.0.3440.106 (64-bit)
    • IE 11.431.16299
    • Firefox 49.0.2
  • OS: Windows 10
  • Sample date/time of access: 2018-08-28 22:38 PDT
  • Other Internet mention of this issue: flyertalk.com

This is preventing me from applying for Global Entry. Let me know if you need me to capture any other debugging info. Thanks for taking a look!

Unable to Check Status of Global Entry Application and Interview - Applied and Paid for Prior to 10/1/17

I am unable to manage my application through your new website. It is not allowing me to see anything related to the application and frankly the website crashes and cycles me through the log in and authentication via authentication code several times over before even getting into the limited account screen that I can see.

Please advise how I am supposed to get to my application and scheduled interview.

Thanks

Bug report: text entry on personal key verification page

Copying over this bug from @romnempire at GSA-TTS/identity-site#241 -

I recently made a login.gov account on chrome stable for android 8.1 on a nexus 5x using the gboard as keyboard

Within the account creation flow, once I had been issued a personal key, I was prompted to verify I had saved the key elsewhere by retyping it. I was unable to do so, encountering the same bug multiple times.

I would type several characters, and after a variable number (from 5-10), the field would blank and no characters would show. Backspacing would not work, in this situation, and it would actually add characters. It seemed like if I pressed backspace, it would put the prior state of the field into the field but not remove the future state. (like AABA + C => AABAC + Backspace => AABAAABAC), but I didn’t mess with it enough to verify that.

Eventually I tried copying and pasting the personal key. This worked.

Consider more resilient forms of recovery code

I suspect this is probably waaaay out of scope, but just because it won't do much good sitting in my own brain:

For more resiliency, might be interesting down the road to actually offer to [postal] mail a recovery code to a "friend or family member who keeps well-maintained records". I imagine it might involve entering a simple, low-entropy password. This could be used in combination with the mailed recovery code, in order to log in if someone loses their phone and files.

This is perhaps much more interesting to me personally, as I'm interested in decentralized identity systems. I'd like to think this might be the seed of a way to make these more resilient in a world where there might be zero official recourse in drastic circumstances (eg. losing phone in boating accident, files in a house fire, or neighborhood in a tsunami, and things like that...!).

Look into flickering spec in registrations_controller_spec.rb

This spec failed intermittently on Travis:

Users::RegistrationsController user updates profile with invalid email and existing mobile 
displays error about invalid email

Failure/Error: expect(SmsSenderOtpJob).to_not have_been_enqueued.with(global_id(user))

expected to not enqueue a SmsSenderOtpJob with 
[#<RSpec::ActiveJob::Matchers::GlobalID:0x0000000eac50e0 @expected=#<User id: 11], 

but enqueued a SmsSenderOtpJob with [{"_aj_globalid"=>"gid://upaya/User/11"}]
# ./spec/controllers/users/registrations_controller_spec.rb:526

GSA source code inventory inclusion

(I work in GSA IT, Office of the CTO. I am submitting this as part of our work to ensure GSA complies with the new Federal Source Code Policy.)

GSA needs to create an inventory of all agency source code, whether open source or closed source. The inventory we create will appear on Code.gov. The inventory will contain basic information about each source code repository, but will not include the source code itself. Please read the implementation guide and use it to submit this repository to the inventory by December 5.

Basically, please do one of the following, the details of which are described in the implementation guide:

Please ensure that every source code repository under the umbrella of this project (e.g., ckanext-geodatagov) contains its own code inventory metadata file.

Let me know if you would like me to open a PR with an example .codeinventory.yml file.

Please let me know if you have any questions.

Thanks!



How to create database when running from docker?

install.txt

Steps to reproduce the issue (please be as specific as possible)

On OSX Sierra:

git clone ..., followed by bin/setup --docker

Expected behavior

App visible on localhost:3000

Actual behavior

FATAL: database "upaya_development" does not exist

[FEATURE]: Add attributes for various geographic districts

Down the road, I imagine service providers might want to know the political districts (city/state districts, etc.) that a verified address falls under, without needing access to the full address. For example, if a site wants to mediate interactions between citizen and state representatives, login.gov just needs to relay enough info so that the site can verify that a user is a citizen of the state.

This information corresponds to the "Division" object in the OpenCivicData (OCD) standard.

It would be great if, during verification, the exact address could be resolved to these divisions at the city/state/federal level, and attributes could be added for each.

I haven't used this API, but if Google is a sufficiently reliable source, they offer an endpoint that will return OCD divisions by address:
https://developers.google.com/civic-information/docs/v2/representatives/representativeInfoByAddress


cc: @datamade

Problems with browsers at login creation

I tried to login into login.gov using Firefox (ver 52.3.0) and could not get past the create a login screen for the login name and password (the site would not progress to the next screen, but instead would stay stuck on the same login creation screen)

I then tried to login using IE (ver 11.0.9600) and had success in getting past the login and password creation screens. The program then prompted me to verify my account by sending me an email or a text to my phone. I entered my mobile phone number and got the verification code as expected. BUT the login.gov website had another thing in mind. Instead of progressing to a login verification code text entry screen, the site reported a TIME-OUT warning stating "For your security, we clear what you entered if you don't move to a new page within 8 minutes." I DID NOT delay for more than 8 minutes. The delay was more like 20 seconds.

Note, the login.gov site seems to respond better to IE or maybe another browser, but not so well with Firefox.

request to use HSM for each hash of user passwords

Going by the login spec here: https://github.com/18F/identity-idp/blob/master/docs/encryption-and-key-rotation.md

And the code here: https://github.com/18F/identity-idp/blob/master/app/services/user_access_key.rb

Many aspects of this make no sense to me... IF this is actually what you are doing...

hash(user, password) {
  salt = CS-PRNG(160bit)
  s = scrypt(salt, password)
  z1 = s[0:32]
  z2 = s[32:64]

  R = CS-PRNG(256bit)
  d = HSM(R) XOR ( pad_right(z1, 0x00, 32 bytes))
  cek = SHA256(z2 || d)
  hash = SHA256(cek)
  save_record(user, d, salt, hash)
}

First and foremost, if the HSM operation is to have any meaning, it needs to be in the critical path for encrypting / decrypting data and possibly also calculating the password hash. If you don't need to go through the HSM to perform a decrypt or a hash validation, then obviously the HSM isn't actually securing anything! All it becomes is a source of entropy into the key derivation, but that's more likely to harm than help.

From the specification;

"It is important to note that the HSM factor strengthens the model in a way different than the other two factors, which rely on keeping them secret. Because the HSM is tied to a physical object, brute force attacks on our database would need to happen in proximity to the HSM, i.e., within our AWS environment, which greatly reduces the attack surface. A bad actor with a copy of the database cannot apply their own computing power to brute force cracking of passwords."

But to be clear, if you have 'd', 'salt', and 'hash', you can brute force attack passwords as;

s = scrypt(salt, password)
h = SHA256(SHA256(s[32:64] || d))
h =? hash

Now, if you were not storing 'd' in the user record, you might think to store what you call 'R' in the user record. Then you would have to go through the HSM as part of each login to derive the correct 'd' and 'cek' which is how it's supposed to work.

But even that design is still not good enough. You don't want to allow an attacker to pull 'R' from your database, send it through the HSM just once, and then be able to start brute forcing the password forever from there on out. If you're going to pay for an HSM, and if you're going to call it for each password verification, then you better make sure an attacker is also required to call the HSM for each attempt they make at cracking a password. Which means you send your password hash (or something derived from it) through the HSM, not just a random 'R'!
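An added example (not code from the post or from identity-idp) that turns the post's argument into a check a reviewer can run: it counts how many HSM calls a password verification needs under the scheme as the post reads it, and under the post's suggestion of sending a password-derived value through the HSM. FakeHsm (HMAC-SHA256 under a hidden key), the scrypt cost, and all method names are assumptions made for the illustration.

```ruby
require "openssl"
require "digest"
require "securerandom"

# Stand-in for the HSM (assumption: HMAC-SHA256 models "HSM(x)"; the page does
# not say what the real HSM computes). The key never leaves the object, and
# every call is counted so we can see whether verification depends on it.
class FakeHsm
  attr_reader :calls

  def initialize
    @key = SecureRandom.random_bytes(32)
    @calls = 0
  end

  def transform(input)
    @calls += 1
    OpenSSL::HMAC.digest("SHA256", @key, input)
  end
end

def stretch(password, salt)
  # N is kept small so the demo runs quickly; it is not a recommended cost.
  OpenSSL::KDF.scrypt(password, salt: salt, N: 2**10, r: 8, p: 1, length: 64)
end

def sha256(data)
  Digest::SHA256.digest(data)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Scheme as the post reads it: d, salt and hash are stored, R is not.
def enroll_as_described(hsm, password)
  salt = SecureRandom.random_bytes(20)   # 160-bit salt
  s = stretch(password, salt)
  z1, z2 = s[0, 32], s[32, 32]           # z1 is already 32 bytes, so no padding
  r = SecureRandom.random_bytes(32)      # 256-bit R
  d = xor_bytes(hsm.transform(r), z1)
  { salt: salt, d: d, hash: sha256(sha256(z2 + d)) }
end

# Everything needed to check a password is in the stored record.
def verify_as_described(_hsm, record, password)
  z2 = stretch(password, record[:salt])[32, 32]
  secure_eq(sha256(sha256(z2 + record[:d])), record[:hash])
end

# The post's suggestion: a value derived from the password goes through the
# HSM, so the stored record cannot be checked without it.
def enroll_hsm_in_path(hsm, password)
  salt = SecureRandom.random_bytes(20)
  { salt: salt, hash: sha256(hsm.transform(stretch(password, salt))) }
end

def verify_hsm_in_path(hsm, record, password)
  s = stretch(password, record[:salt])
  secure_eq(sha256(hsm.transform(s)), record[:hash])
end

# Enroll once, then verify the right password and a wrong one, and report how
# many HSM calls those two verifications needed. Passwords are constructed
# sample values.
def hsm_calls_for_two_verifies(enroll, verify)
  hsm = FakeHsm.new
  record = send(enroll, hsm, "correct horse")
  before = hsm.calls
  accepted = send(verify, hsm, record, "correct horse")
  rejected = !send(verify, hsm, record, "wrong guess")
  { accepted: accepted, rejected: rejected, hsm_calls: hsm.calls - before }
end

if __FILE__ == $PROGRAM_NAME
  p hsm_calls_for_two_verifies(:enroll_as_described, :verify_as_described)
  p hsm_calls_for_two_verifies(:enroll_hsm_in_path, :verify_hsm_in_path)
end
```

A design review can use the same counter idea against the real key-derivation code: if verification succeeds with the HSM client stubbed out, the HSM is not in the critical path.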

Can't log into website after verifying phone number

Steps to reproduce the issue (please be as specific as possible)

  1. Create a new account on login.gov
  2. Verify email
  3. You will be asked to enter a phone number. Enter a phone number and wait for verification text
  4. You will be reprompted to login after receiving verification code.

Expected behavior

User is able to log into website

Actual behavior

This error message:

screen shot 2017-10-02 at 9 54 52 am

When submitting a bug report, it's helpful to include any details that may be
necessary to reproduce the bug, including:

  • Operating system: OS X
  • Web browser and version: Version 61.0.3163.100
  • Date, specific time and time zone when issue was found: 9:57am, October 2, 2017

No localized text for password change event

Steps to reproduce the issue (please be as specific as possible)

  1. Change your password on login.gov
  2. Visit your login.gov account page

Expected behavior

Account history shows text indicating I changed my password.

Actual behavior

Account history shows "translation missing: en.event_types.password_changed".

image

Creating an account error at showing password

Steps to reproduce the issue (please be as specific as possible)

I entered my email address, then received confirmation email (confirmed), then proceeded to create a password website, then I click on the checkbox to 'show my password 2 times' after this I proceeded to next step, and received an error message 'oopss something went wrong'

Expected behavior

To continue to another application.

Actual behavior

I got returned to the main login screen and cannot login or create new account, I get returned to the main screen every time. I might have to delete cookies to continue.
When submitting a bug report, it's helpful to include any details that may be
necessary to reproduce the bug, including:

  • Operating system Windows 7
  • Web browser: Version 61.0.3163.100 (Official Build) (64-bit)
  • Date, specific time and time zone when issue was found: 10:00 AM 10/2/17
  • URLs visited: https://secure.login.gov/

Docker compose environment not finding DB

Steps to reproduce the issue (please be as specific as possible)

./bin/setup --docker

Expected behavior

web service running on port 3000

Actual behavior

When docker-compose is spinning up the containers, I get this error message:

[...snipped part above that is working...]
Status: Downloaded newer image for postgres:latest
Creating identityidp_redis_1 ...
Creating identityidp_db_1 ...
Creating identityidp_db_1
Creating identityidp_redis_1 ... done
Dropped database 'upaya_development'
could not connect to server: Connection refused
        Is the server running on host "localhost" (127.0.0.1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Network is unreachable
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?
Couldn't drop database 'upaya_development'
rake aborted!
PG::ConnectionBad: could not connect to server: Connection refused
        Is the server running on host "localhost" (127.0.0.1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Network is unreachable
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?

Operating system (Windows 7, Mac OS X Yosemite 10.10.5, etc.)

CentOS7
Docker version 18.01.0-ce, build 03596f5
docker-compose version 1.17.0, build ac53b73

Issue with amoose/simple_form

I tried to bundle install, and am getting the following error:

Fetching https://github.com/amoose/simple_form.git
error: object 0b19ab36fd8bb641c20610e6b8ea11c7eb480057: zeroPaddedFilemode: contains zero-padded file modes
fatal: Error in object
fatal: index-pack failed

I think there's something wrong with that repo; I've tried to clone it standalone, but get the same error.

Depfu Error: We need access to a private dependency

Hello,

We've tried to activate your repository on Depfu and got permission errors when running Bundler. That most likely means you have dependencies in your Gemfile that refer to private Github repos.

In order to fix the issue, please give our Github App access to all private Github repos used in your Gemfile. You can do that the same way you activated this repo in the first place:

https://github.com/apps/depfu/installations/new

Once we have access, everything should start automatically.

If you think that this is a mistake

Please let us know by sending an email to [email protected].


This is an automated issue by Depfu. You're getting it because someone configured Depfu to automatically update dependencies on this project.

Question on create_account.py

Hi! Before opening a new issue, please make sure it has not already been
reported.

Once you are sure the issue is valid, please fill out the details below.

Thanks!

Steps to reproduce the issue (please be as specific as possible)

Please forgive me for creating an Issue, but I've been pulling my hair out trying to test another rest service that is strictly TLS 1.2 (and may be a consideration for this IdP).

When using Locust to test another rest service that is strictly TLS 1.2, I experience a high error rate (Locust Empty Response). Has this been encountered using locust to test this service, when this service is limited to TLS 1.2 on the web servers?

@konklone I have additional information to share, but, related to a service in a closed repo.

Thanks in advance!

Unable to proceed past account settings page...

Hi,

I had already submitted an application through the previous GOES website. I've created a login.gov account but I keep encountering problems logging in. Once I do manage to login, I only see the account settings page (where I get to choose my email address / phone number) and there is no place to view my existing application / interview schedule.

Kind regards,

Mandeep

There is a never-ending cycle for users trying to verify their account by either text message or phone call.

Hi there. I am an approved TSA Pre-check member, and I was trying to check on my account. I received a note from Delta that my name is not matching how it is listed in my known account, and I was trying to verify this. I experienced the following issues when trying to login to view my information. I have still not been able to login to verify my information, see below for exact steps I took.

I completed the following CYCLE 1 6 times before I was provided the 2-factor authentication screen (CYCLE 2). I was only able to get to this screen twice. CYCLE 2 occurred 3 times.

CYCLE 1:
I enter my username (email address) / password on the login screen.
I am directed to https://secure.login.gov/phone_setup to provide my phone number and select if I would prefer to receive a text message or a phone call.
I select Send Security Code and am redirected back to the login screen. I receive the security code, but have no place to enter it.

CYCLE 2:
I enter my username (email address) / password on the login screen.
I am directed to https://secure.login.gov/phone_setup to provide my phone number and select if I would prefer to receive a text message or a phone call.
I select Send Security Code and am redirected to the 2 factor screen: https://secure.login.gov/login/two_factor/sms
I never receive the security code, and am logged out due to time issues.

OS: Mac OS X Version 10.11.6
Browser: Chrome Version 61.0.3163.100
Date/Time: 10/2/17 at 10:30AM EST
URLs:
https://secure.login.gov/
https://secure.login.gov/phone_setup
https://secure.login.gov/login/two_factor/sms

Unable to authenticate or change password

Steps to reproduce the issue (please be as specific as possible)

Attempting to login to https://ttp.cbp.dhs.gov
Click [Log In] > Consent > Sign in

The system asks for Email address.
The old site https://goes-app.cbp.dhs.gov/ requires a User ID.

Attempt to use email address associated to the User ID and enter password.
Try resetting password. Use the reset process.

Expected behavior

Expect to log in successfully or receive email to reset password.

Actual behavior

Password fails.
No email is received to reset password. Sent email from another account and received test emails. The process is not sending the password reset link.

[Support] Briefest of brief production environment setup docs

I know that you guys are definitely not interested in supporting others running your code, but I was wondering whether you might have any quick pointers on what envvars and services must run on prod environment. (In particular, I'm trying to get it running on heroku, but that's not so much important.)

Right now, these were my assumptions:

  • Created heroku env with
  • Created a Procfile.production without the mail process.
  • Create a .env.production with:
    • RAILS_ENV=production
    • smtp_settings for sendgrid
  • Run via heroku local -f Procfile.production -e .env.production

This is what I get (the URL shows that I was running rack, but same experience when running default webrick rails server):

screenshot of 500 error

Not able to create account/login

Steps to reproduce the issue (please be as specific as possible)

I registered my email: [email protected], it sent a text and I entered it, but it will go back to login and say "oops something is wrong". It keeps cycling. Please help.

Expected behavior

Actual behavior

When submitting a bug report, it's helpful to include any details that may be
necessary to reproduce the bug, including:

  • Operating system: Mac OS
  • Web browser and version: Safari
  • Date, specific time and time zone when issue was found: 10/2/17 11:50am
  • URLs visited: https://secure.login.gov

SMS failure

SMS OTP is not coming through. Logs are not showing any error. Investigate.

README could use updating

While onboarding, I've been following the directions on getting this app going in the README. I found a few things that could use some updating:

  1. I seemed to need to start redis and postgres separately, rather than together, as shown.

  2. I needed to install rvm/rbenv, the proper ruby, and npm, and maybe the bundler gem to get the setup script to work. I think it would be good to at least mention this.

  3. It would be good to have some documentation about why there are two different methods for running the app (docker vs local machine). If it were me, I'd choose one and get everybody using that so that we would have less moving parts to support/document, but I don't know the background here.

Setup scripts don't create upaya_test database

The setup script command doesn't seem to work:

run 'bin/rake db:environment:set RAILS_ENV=test db:reset'
$ rake db:environment:set RAILS_ENV=test db:reset
+ bundle exec rake db:environment:set RAILS_ENV=test db:reset
warning: parser/current is loading parser/ruby23, which recognizes
warning: 2.3.3-compliant syntax, but you are running 2.3.5.
warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
rake aborted!
ActiveRecord::NoDatabaseError: FATAL:  database "upaya_test" does not exist
/Users/andrewbrody/.rbenv/versions/2.3/bin/bundle:22:in `load'
/Users/andrewbrody/.rbenv/versions/2.3/bin/bundle:22:in `<main>'
PG::ConnectionBad: FATAL:  database "upaya_test" does not exist
/Users/andrewbrody/.rbenv/versions/2.3/bin/bundle:22:in `load'
/Users/andrewbrody/.rbenv/versions/2.3/bin/bundle:22:in `<main>'
Tasks: TOP => db:environment:set
(See full trace by running task with --trace)

Running without the db:environment:set seems to work?

$ rake RAILS_ENV=test db:reset
+ bundle exec rake RAILS_ENV=test db:reset
warning: parser/current is loading parser/ruby23, which recognizes
warning: 2.3.3-compliant syntax, but you are running 2.3.5.
warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
Dropped database 'upaya_test'
Created database 'upaya_test'
-- enable_extension("plpgsql")
   -> 0.0469s
-- create_table("app_settings", {:force=>:cascade})
   -> 0.0475s
-- create_table("authorizations", {:force=>:cascade})
   -> 0.0379s
-- create_table("events", {:force=>:cascade})
   -> 0.0249s
-- create_table("identities", {:force=>:cascade})
   -> 0.0575s
-- create_table("otp_requests_trackers", {:force=>:cascade})
   -> 0.0296s
-- create_table("profiles", {:force=>:cascade})
   -> 0.0542s
-- create_table("service_provider_requests", {:force=>:cascade})
   -> 0.0211s
-- create_table("service_providers", {:force=>:cascade})
   -> 0.0278s
-- create_table("users", {:force=>:cascade})
   -> 0.0710s
-- create_table("usps_confirmation_codes", {:force=>:cascade})
   -> 0.0204s
-- create_table("usps_confirmations", {:force=>:cascade})
   -> 0.0103s
-- add_foreign_key("events", "users")
   -> 0.0100s

server tokens off for secure.login.gov

Let's turn off server tokens for secure.login.gov

Following headers are being emitted:

X-Powered-By: Phusion Passenger
Server: nginx + Phusion Passenger

server tokens off in nginx/conf is a place to start

Not able to login - received txt, but never given chance to enter it.

Went through the new setup, received a txt with code, but was taken to a login screen. (NEVER provided a screen to enter code)
Now, when I try to login, I get a message "Oops, something went wrong. Please sign in again." . What is that?
Please instruct on how to get past this. My email is now already registered, but can't login.

Checkboxes should use Fieldset and Legend on "contact" page

Path

/contact

Expected behavior

Checkboxes should be programmatically linked to instructions for screen readers

Actual behavior

Checkboxes lack context

Checkboxes should use Fieldset and legend.

“I want to…” and the two checkboxes should be in a fieldset, with “I want to…” being the legend.

login_gov_-_contact_us

Migrate 2FA to new phone UX change: button maybe needs renamed?

Steps to reproduce the issue (please be as specific as possible)

Go to your settings page with the hopes of migrating your 2FA authentication app to a new phone.

Expected behavior

Have a way that's readily understandable to do that.

Actual behavior

See a "Disable" button and, when clicking that, getting put into a flow that does help "set up" 2FA as if it was your first time. Confusing and hidden! The button probably needs to be renamed to "Update"?

'make setup' fails when cloning repository '[email protected]:18F/identity-equifax-api-client-gem.git'

Steps to reproduce the issue (please be as specific as possible)

  1. Check out repository at https://github.com/18F/identity-idp
  2. Ensure prerequisites are installed, per the README.md.
  3. Run 'make setup' per the README.md.

Expected behavior

The command produces no errors.

Actual behavior

The command fails when attempting to clone the repository [email protected]:18F/identity-equifax-api-client-gem.git. I'm assuming this is because the repository is private, but it may just be a repository that does not exist in my parallel universe.

A log can be found here: https://gist.github.com/rhencke/0c1addda5c5c5342f92adbd48461cfb8

One-time security code repeatedly sent

Steps to reproduce the issue (please be as specific as possible)

None. The one-time security code when creating an account can only be reproduced if I create another account.

Expected behavior

I expect to receive only one SMS with the one-time security code.

Actual behavior

I receive an SMS with the one-time security code for creating my account every five minutes or so, despite the fact that I have used the code and created my account.
Just now, 8/22/17 7:54am CT, was the last time I received the SMS that keeps repeating. It's been coming repeatedly since I created the account earlier today.
