Releases: 18F/identity-idp

RC 70

13 Nov 14:46
2018-11-08T143617

Features

  • Alert a user on personal key sign in #2630
  • Require MFA after 12 hours for IAL2 and AAL2 #2638, #2639

Bugs and Enhancements

  • Alert a user on personal key sign in #2630
  • Confirm before removing a security key #2617
  • Capture statistics on use of remember me feature #2633
  • Create events for webauthn key management #2635
  • Create event for personal key as 2FA #2634
  • Fix SAML NameFormat to comply with the SAML 2.0 standard #2624
  • Convert email_address to plural #2628
  • Fix loop with detect webauthn in Safari #2640
  • Fix sms bug with analytics endpoint #2631
  • Expand 2nd MFA options for piv/cac #2637
  • Convert color variables to 6 digit hex #2636
  • Guard against nil email in password validator #2629
  • Namespace platform authenticator params in analytics controller #2622

RC 69

25 Oct 14:11
2018-10-25T140842

Features

  • Add a warning to the personal key page about phishing #2610

Bugs and Enhancements

  • Don’t increment IdV attempt count when errors occur #2607
  • Stop blocking account creations for email addresses on a large set of domains #2603
  • Enhanced monitoring of IdV errors #2614
  • Rollback changes to reset password that caused issues on iOS 12 #2608
  • Associate remember me revocation with user model instead of relying on phone timestamps #2605
  • Allow form submit with enter key on webauthn nickname form #2604
  • Track analytics on users using platform authenticators #2609
  • Update webauthn library #2602
  • Clean up text and content issues #2615 #2613
  • Code cleanup and hygiene #2594

New Service Providers and updates to existing ones

  • Add SEC Rule 19D-1 #2620
  • Add OPM secure portal #2619

RC 68

11 Oct 14:33
5c67b41
2018-10-11T141509

2018-10-11T141509 release

RC 66 - Patch 1

13 Sep 17:30
1f15cc9

Features

  • List/delete webauthn configurations for a user #2494
  • Allow a user to add a new webauthn configuration #2490
  • Create WebAuthn Configurations Table #2461

Bugs and Enhancements

  • Don't show recovery code before IdV flow #2485
  • Revert removal of #2351 (redirect uri validation) #2498
  • Update Reek from 4.8.1 to 5.0.2 #2499
  • Revert changes to `find_with_email` #2497
  • Update gems with bummr #2493
  • Add timeout to Twilio API calls #2491
  • Fix tests using users with phones #2496
  • Ensure rack-timeout is properly configured #2488
  • Set up a TOTP user for local development #2483
  • Remove unused personal_key method #2481
  • Allow full exception logs for users without phone #2479
  • Refactor AccountReset::DeleteAccountController #2450
  • Catch no method error in formatted phone #2477
  • Fix failure screens throwing 500 error with failure_to_proof_url #2473
  • Take into account nil user in SmsLoginOptionPolicy #2472
  • Make user_access_key_overrides fasterer #2458
  • Remove dup webauthn_configurations index creation #2469
  • Add nil phone_configuration to anonymous user #2467
  • Run bundle install in devops repo when releasing #2468
  • Int: Fix Idv::Proofer vendor initialization #2465
  • Fix Idv::Proofer vendor initialization #2463
  • Return blank for nil phone numbers #2521

New Service Providers and updates to existing ones

  • Add HUD to the service providers in production #2495
  • Add CBP I-94 SP #2487
  • Add Railroad Retirement Board Branding #2482

RC65 patch 1

30 Aug 14:29
2018-08-30T142720
4c45627

Bugs and Enhancements

  • Update LOA3 "failure to proof" screens #2454
  • Redirect piv/cac errors to cleanup url #2380
  • Add spinner when requesting piv/cac cert from user #2258
  • Piv/cac available based on email domain #2429
  • Track additional IdV analytics #2431
  • Use 2-letter phone country code for analytics #2442
  • Refactor and fix account reset requests #2444
  • Allow sign in via remember me after idling #2438
  • Display fake banner in lower environments #2418
  • Prevent calling unsupported countries #2423
  • Fix already authenticated users redirecting to account page #2426
  • Fix border radius on Account boxes #2427
  • Add client-side Crockford Base32 encoding helper #2417

New Service Providers and updates to existing ones

  • Add RRB LOA3 SP to Production #2457
  • Adds in the logo for the Small Business Administration #2393
  • Add a new redirect_uri for logout with the CBP ROAM SP #2435
  • Update redirect_uri list for OIDC Sinatra developer demo app #2433
  • Add a logout redirect uri for the Trusted Traveler Program SP #2446

RC 64

14 Aug 14:13
2018-08-14T140838

Features

  • Failure to proof URL for service providers at LOA3 #2389

Bugs and Enhancements

  • Fix preview images from PRs from showing in internal Slack channels #2422
  • Update dependencies #2420
  • Add script to give IDP access to CloudHSM keys #2235
  • Add a task to copy user phone numbers into a new table to eventually allow multiple phones per user #2415
  • Fix a bug where session timeout prevented user from ending at SP #2390
  • Stop storing unnecessary OIDC request data in the session #2412
  • Track errors when the user is nil in analytics #2407
  • Fix bug where users without a phone number were asked to use auth app to confirm phone during IdV #2389
  • Add account reset health checker #2387
  • Change release script to stop recycling unused servers #2349

New Service Providers and updates to existing ones

  • Add a redirect URI for DOE #2416

RC 63

07 Aug 17:58
84ff4a1

Features

  • Add Connected Applications to Account Management #2376
  • Write 2L KMS encrypted sessions #2373
  • Add script to email compromised users #2340

Bugs and Enhancements

  • Add phone configurations table #2361
  • Fix OIDC Sinatra SP redirect uri for int and dev #2391
  • Refactor SP redirect URI validation #2351
  • Use different text in SMS for login vs verify phone number #2342
  • Fix confusing placeholder phone number #2359
  • Update PR template and contribution guidelines #2315
  • Add console output suppression spec helper #2383
  • Remove stray SAML test file #2382
  • Add logstash.conf.example and update README #2378
  • Production Error: ERROR: duplicate key (email) #2379
  • Ran make normalize_yaml on PR 2358 #2377
  • Update USAJOBS / TTP instructions on create account #2358
  • Update gems with bummr #2371
  • Clean up localizations #2333
  • Create an AWS lambda function for delayed notifications with account reset #2310
  • Fix 500 errors on bad personal key. Match host on redirect URIs #2362
  • Fix phone validation logic to prevent toggling disable #2357
  • User can't create account because their email is "invalid" #2360
  • Display a message to the user when an account reset link is expired #2331
  • Ignore saml_*.txt files generated by tests #2352
  • Adjust response code for SMS reply #2325
  • Fix 500 errors on bad personal key and invalid otp_delivery_preference in path. Add specs. #2346
  • Match host on redirect URIs #2347
  • Add SMS opt-out reply job spec #2343
  • Create an AWS lambda function to upload USPS verification to GPO #2332
  • Ignore the old password columns on the user model #2330
  • Hardcode session encryption cost for migration #2395
  • Catch sending too much to kms #2411
  • Use 32 byte salts for passwords #2372

New Service Providers and updates to existing ones

  • Add Forest Service ePermits to the production service providers #2339

RC 62

18 Jul 14:38
2018-07-17T200931
0df0bc5

Bugs and Enhancements

  • Cancelling account deletion now notifies both email and sms #2320
  • 2FA selection at sign in has been cleaned up #2317
  • Attribute encryption rake task logs errors and continues #2322
  • The IdP supports serving assets from the Cloudfront CDN #2321
  • Invalid user params won’t raise errors #2324
  • Adjust checkbox spacing on OTP verification screen #2316
  • Remove stray TODO comment #2312
  • Handle Twilio errors more gracefully #2308
  • Only send one SMS for account reset delayed notification #2309
  • Redesign IDV verification OTP delivery method screen #2302
  • Fix typo on account reset page #2306
  • Make programmable SMS countries configurable #2298
  • Make the call to action full width on mobile for some pages #2291
  • Fix attribute_encryption_key_queue in example application configuration #2294
  • Allow Code Climate to analyze spec folder #2292
  • Fix USPS uploader spec #2296
  • Remove TODO comments from codebase #2295
  • Remove CSRF protection from SendNotificationsController #2290
  • Remove CSRF protection from account reset delayed notifications endpoint #2289
  • Fix Voice OTP bug in previous release #2287
  • Define locale argument for VoiceOtpSenderJob #2284
  • Add SMS opt-out messaging #2276

New Service Providers and updates to existing ones

  • Add a new redirect uri to DOT portal SP #2327
  • Allow users of NGA and EOP SPs to use piv/cac as a second factor #2323
  • Add tsp.move.mil SP #2319

RC 61

05 Jul 14:58
144e2fe

Features

  • Use GPO instead of Equifax for address verification #2267, #2272
  • Delayed account reset requests #2274
  • Use Twilio/Auth Verify service to send international SMS #2275, #2280

Bugs and Enhancements

  • Fix 500 errors #2269
  • Allow SMS to be sent to Zambian and Liberian phone numbers #2256
  • Clarify and simplify personal keys instructions #2266

New Service Providers and updates to existing ones

  • MyCBP #2282
  • Update USAID logo #2278
  • Add piv/cac subject to attributes for move.mil #2263

Code maintenance

RC 60

07 Aug 17:27
fa08c35

Features

  • Add PIV/CAC as a two factor authentication option #2234, #2237, #2244, #2250, #2253
  • Allow dynamic service provider updates in production #2227
  • Log ‘Password Changed’ event #2233
  • Log ‘Personal Key Changed’ event #2217
  • Offer all two factor authentication options during account creation #2099
  • Increased the Reauthentication Timeout window from 2 to 5 minutes

Bugs and Enhancements

  • Fix bug in enter phone number screen #2255
  • Remove already initialized constant #2252
  • Hide nonce from html #2236
  • Upgrade Ruby from 2.3.5 to 2.5.1 #1997
  • Improve request tracing #2245
  • Add help text for SAM users on account creation screen #2230
  • Update dependencies #2175, #2228
  • Send ‘password reset link’ to confirmed email address #2182
  • Prevent ‘password reset tokens’ from leaking to 3rd party sites #2214
  • Fix validation bug on personal key screen #2215
  • Fix rate limiting issues #2216, #2222

New Service Providers and updates to existing ones