← Back to News List

Adjusted Timeline for Two-Factor Authentication

·       Adjusted Timeline for Requiring Two-Factor Authentication to Access eRA Modules Using Login.Gov or InCommon Federated Accounts

·        Notice Number: NOT-OD-21-172

·        https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-172.html

Purpose

The deadline and approach to requiring two-factor authentication (also known as multi-factor authentication) to increase the security when accessing eRA modules (eRA Commons, Commons Mobile, ASSIST, Internet Assisted Review) are changing. NIH is providing more time to make the transition. Instead of requiring all users to transition to Login.gov by a fixed deadline of September 15, eRA will begin a phased approach beginning September 15,2021 for enforcing the two-factor authentication requirement for the NIH recipient community as described below. In this phased approach to enforcement, all scientific account holders should take action now, while administrative account holders will be required to move to two-factor authentication in early calendar year 2022.

NIH is also implementing an additional option to securely login to eRA systems using InCommon Federated accounts (when organizations participate in the InCommon Federation and authenticate their own users). Beginning September 15, 2021, users will also now have the option to use an InCommon Federated account only if their institution supports NIH’s two-factor authentication standards and the user has it enabled for their InCommon Federated Account. Use of InCommon Federated accounts without two-factor authentication will no longer be permitted.

When two-factor authentication becomes required for a user, according to the timeline below, they will now be able to use Login.gov and/or an InCommon Federated account that supports NIH’s two-factor authentication standards. Note that eRA cannot yet support two-factor authentication for users that have more than one eRA account; specific guidance for users with multiple accounts is provided below.

Adjusted Timeline and Approach

Starting on September 15, 2021, eRA will begin a phased approach for requiring the use of two-factor authentication for user accounts. The new timing of enforcing the requirement depends on the type of user account and a new triggering event.

The Type of User Account:

This phased approach pertains to all scientific account holders but excludes administrative accounts until early 2022 (also see eRA Commons User Roles)

The Triggering Event:

All PIs and key personnel associated with an application or Research Performance Progress Report (RPPR) will be required to transition to the use of two-factor authentication 45 days after the submission of their competing grant application (Type 1 or 2) or their RPPR.

Forty-five days after this triggering event, these users will not be able to access eRA systems until they set up and use a two-factor authentication service provider - Login.gov and/or an InCommon Federated account (that supports NIH’s two-factor authentication standards).

eRA will send reminder messages during the 45-day period to individual users who are required to transition to the new two-factor authentication requirement.

To access full notice, please click link below:

https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-172.html

Please contact the Office of Sponsored Programs if you have any questions.

Posted: August 12, 2021, 3:41 PM