Join InCommon
Sidewalks connecting together in the center of a campus.

The National Institutes of Health: Multi-factor Authentication Requirement

June 8, 2021

This is the second in a series of emails regarding new login requirements from the National Institutes of Health (NIH). Effective September 15 eRA will require you:

  1. To provide a small set of identifying information (Research and Scholarship attributes), which are detailed below
  2. To perform multi-factor authentication (MFA) for those using eRA
  3. To communicate the use of MFA using the REFEDS MFA profile

This email focuses on the multi-factor authentication requirement. The first email in this series covered the Research and Scholarship requirement and is available in this blog post.

What is NIH Doing?

NIH is introducing a new login service gateway to streamline external access to NIH resources. Your researchers, faculty, and staff who interact with NIH will see this change when accessing the electronic Research Administration (eRA), NIH’s research administration portal for Principal Investigators and grant administrators. NIH has signaled that other applications and services will likely make similar changes in the future. 

What are the requirements for MFA?

eRA will require multi-factor authentication as of September 15, including the use of a standard syntax (SAML assertion) for communicating that MFA has occurred. By using that standard syntax, an identity provider is saying that:

  1. Authentication of the current user used a combination of at least two of four distinct factors (something you know, something you have, something you are, something you do).
  2. The factors used are independent; that is, access to one factor does not by itself grant access to other factors.
  3. The combination of factors mitigates single-factor-only risks (such as phishing, offline cracking, online guessing, and theft of a single factor)

NIH also requires the identity provider to use the international standard REFEDS MFA Profile to signal that MFA was used. This means communicating a specific assertion in SAML (Security Assertion Markup Language): the AuthnContextClassRef: https://refeds.org/profile/mfa.

What are the benefits of doing this?

  1. Your faculty, researchers, and scientists will enjoy the benefits of single sign-on with any NIH service in the InCommon Federation, as well as those from other federal agencies, non-profits, and many other collaboration services. This is what federation was made for. 
  2. You will provide a superior user experience for your faculty and staff.
  3. Doing the work now positions your institution for the future, when NIH adds these requirements to other services and other research organizations follow suit.
  4. Providing federated login means you are in a better position to troubleshoot any problems your users have, again making for a better experience.

What are the Other NIH Requirements?

The three NIH requirements are: 

  1. Adopt the REFEDS Research and Scholarship Entity Category (R&S) (or release the appropriate information bilaterally)
  2. As noted here, adopt the REFEDS MFA profile – Signal your assurance of strong authentication (MFA)
  3. Adopt the REFEDS Assurance Framework to signal information about identity proofing for the person logging in.

A future email will provide the details for the assurance requirement.

Available Resources

A number of resources provide additional information:

Please contact help@incommon.org with any questions about R&S or the NIH requirements in general.