Releases: 18F/identity-idp

RC 84

21 May 20:52

Features

Service Provider Updates

  • Rename app to "myCBP" (#2932)
  • Add FMCSA help text (#2934)
  • Update return_to_sp_url for FMCSA (#2959)

Bugs and Enhancements

  • Replace the chromedriver gem with the webdriver gem (#2931)
  • Remove roles from users (#2939)
  • Update account delete report timeout (#2958)

RC 83

09 May 13:17
2019-05-09T131444
6a86845

Features

  • Remove the welcome page and refine the sign-in page to make the sign-in and registration flows clearer (#2907)
  • Add images to the front and back upload screens in docauth to help users understand which side of the document to upload (#2917, #2923)
  • Add text to the docauth error page that tells users how to take better pictures of documents (#2918)

Service Provider Updates

  • Promote admin.move.mil to production (#2910)
  • Add the configuration for DOT Delphi eInvoicing (#2913)
  • Add the configuration for USGS ScienceBase Login (#2920)

Bugs and Enhancements

  • Fix the wording in the new device sign in notifications to make it more clear that the location is derived from the IP address (#2924)
  • Improve the checklist that is used for doing releases (#2912)
  • Fix ACR param validation issue with the example SPs in local dev (#2915)
  • Add a script for tracking the age of open pull requests for internal metrics (#2916)
  • Fix intermittent 500 that would occur after cancelling docauth and signing back in (#2921)
  • Remove the cancel link from the WebAuthn success screen since there is nothing for the user to cancel there (#2922)
  • Use the Google Analytics tracking cookie instead of depending on form submissions to submit events to GA on the backend (#2905)
  • Upgrade dependencies (#2927)
  • Add messages for problems connecting with vendors in doc auth (#2925)

RC 81

15 Apr 17:00
2019-04-15T165758
5e498a0

Features

  • Add remember device to TOTP and WebAuthn (#2850, #2853, #2859, #2862, #2865, #2873)
  • Add support for Georgia state IDs 🍑 (#2863)
  • Add ability to use a text file to test DocAuth in lower environments (#2869, #2875)
  • Ask for confirmation before deleting and regenerating backup codes (#2877)

SP Updates

  • Add a logo for NPS (#2852)
  • Update config for apprenticeship.gov (#2856)

Bugs and Enhancements

  • Increase the performance of the test suite (#2844)
  • Speed up a query for event disavowal by token (#2855)
  • Add a flash message for success after verification with DocAuth (#2849)
  • Fix an issue where errors during DocAuth were not correctly reported to the user (#2860)
  • Refine Google Analytics reporting (#2835, #2868, #2881)
  • Use secure compare in recurring job invocation API calls (#2864)
  • Show new device sign in timestamps in Eastern Time (#2874)
  • Make phone the preferred MFA method for sign in over backup codes (#2878)

RC 80

26 Mar 18:36
6de4f19

Features

SP Updates

  • Adds HHS XMS logo to sp-logos (#2843)

Bugs and Enhancements

  • Updates OpenID Connect ExpressJS sample app (#2808)
  • Fix the OIDC token form code validation (#2810)
  • Use render_not_found helper in events controller (#2811)
  • Tear down scaffolding for migrating to sessions w/ KMS contexts (#2790)
  • Stop saving in user factory traits (#2817)
  • Stop using pkey generator in user factory (#2816)
  • Reduce capybara wait time (#2818)
  • Silence Puma in test environment (#2820)
  • Silence output from CloudHSMKeySharer spec (#2822)
  • Don't use knapsack when running locally (#2821)
  • Silence zonebie (#2824)
  • Disable bullet in unit tests (#2825)
  • Fix name collision in doc auth / doc capture shared examples (#2827)
  • Use 18f logo for service provider session decorator test (#2826)
  • Upgrade shoulda_matchers (#2823)
  • Upgrade gems and npm packages (#2828)
  • Regenerate knapsack report (#2829)
  • Fix issue where the back button prevents confirming the personal key (#2834)
  • Fix issue with twilio mocks in pkey verification controller (#2841)
  • Remove saml.crt from the app (#2796)
  • Clean up service providers list and add some docs (#2839)
  • Fix doc auth 500 error on invalid phone exception from Twilio (#2846)

RC 79

12 Mar 17:08

Features

  • Alert users via email when their account is used to log in on a new device (#2781)
  • Added usdoj.gov domain to the list of email domains we support (#2797)
  • Added identity proofing from a computer with document capture from a mobile phone (#2792)
  • Enabled configuration for multiple SAML endpoints (#2730)

SP Updates

  • Updated USAID prod certificate (#2801)

Bugs and Enhancements

  • Added Yarn to list of dependencies that must be installed (#2794)
  • Upgrade gems and npm packages (#2803)
  • Added missing event names for backup codes (#2802)
  • Fixed 500 errors on doc auth when no phone used for 2fa (#2800)
  • Added encryption contexts to session KMS events (#2787)
  • Design edits for LG-881 (#2769)
  • Create Event objects in controller instead of forms / services (#2798)
  • Sunsetted SAML SLO (#2795)
  • Dropped password metrics table (#2754)
  • Removed scaffolding to migrate to 2L-KMS (#2760)

RC 78

26 Feb 15:40
2019-02-26T153922
acfc985

Features

  • Allow users to select from MFA phones when proofing (#2724)
  • Ability to edit address or ssn in proofing flow (#2764)
  • Make it easier to reset passwords and notify large groups of users whose password may have been compromised outside login.gov (#2757)
  • Allow users whose letters are returned to sender to retry proofing with a new address (#2775)

Bugs and Enhancements

  • Remove unused code for measuring aggregate password strengths (#2752)
  • Start tracking context in KMS encryption calls (#2734)
  • Migrate to 2L-KMS for encrypting passwords (#2735)
  • Fix bug where users were redirected to account page after PIV/CAC login (#2759)
  • Remove SSN discovery oracle (#2776)
  • Fix 500 errors that occurred during docauth flow (#2756)
  • Fix 500 errors that occurred on device history page (#2770, #2773 & #2774)

RC 77

26 Feb 15:09
2019-02-26T150624
d8dc819

Feature Updates:

  • Document Authentication (the ability to capture a photo of a state identity document and confirm the ID is valid). We have deployed to the integration test environment as we finalize the Authority to Operate (ATO) update. We would be excited to receive feedback from you on this new feature. (#2741)
  • Display the devices and locations a user has authenticated with in account history (#2720)

Enhancement Updates: Improving code hygiene

  • Use upstream session store (#2740)
  • Update gems and npm packages (#2739)
  • Use factories in device tracking tests (#2738)
  • Fix copy/paste issue with cert in setup script (#2737)
  • Use cloudHSM helpers in OIDC specs (#2736)

RC 75 and RC 76

29 Jan 17:39

Features

  • PIV/CAC available as a second factor, allowed by the domain of the registered email address. Full list available at https://github.com/18F/identity-idp/blob/master/config/application.yml.example (in the piv_cac_email_domains: section) (#2710)

Bugs and Enhancements

  • Backup code page visual polish (#2706)
  • Don't tell users to contact us on 2FA key use (#2708)
  • Remove legacy attribute and session encryptor (#2711)
  • Set PKCE or JWT mode per SP for OpenID Connect (#2716)
  • Reset remember me on piv/cac change (#2717)
  • Change rubocop rules for commas in multiline method calls (#2721)
  • Update gems (#2722)
  • Remove webpack dev server (#2725)
  • Cleanup webpack output on setup (#2726)

SP Updates

RC 74

10 Jan 20:27
2019-01-07T154258

Features

  • Add list of recovery codes as a 2FA option during account creation (turned off in production) (#2691)

Bugs and Enhancements

  • Allow piv/cac based on email (turned off in production) (#2710)
  • Enable AES attribute encryption by default (#2705)
  • Update email templates (#2703)
  • Switch to using pry as the default rails console (#2553)
  • Rate limit logins (#2699)
  • Update npm packages (#2698)
  • Simulate Acuant for document-based proofing (#2704)
  • Remove selfie matching from document authentication flow (#2688)

SP Updates

  • Add DOL Foreign Labor Gateway (#2696, #2707)
  • Configure omniauth redirect URL for the dashboard (#2689)

RC 73

20 Dec 15:30
2018-12-20T151709
  • Password Strength Meter UI Fix: There was a misconfiguration of the password strength meter and the password character length. With this fix, the password strength meter will not turn green unless a user enters a strong password that is at least 12 characters long.
  • Implemented Field Limits: Implemented text field limits for all user facing fields in both the user experience and backend.
  • New login.gov status page: login.gov has a new status page at https://logingov.statuspage.io/. This is currently experimental and we plan to use it for rapid notification of incidents, and to publish system performance and error metrics.