

ELVIS: Upcoming Changes to User Authentication

Angela Sargent
Posts: 2857


3/28/2024
We don't usually have big announcements like this, but I wanted to take a moment to let you all know about some upcoming features and changes that will affect user authentication. So, again, I apologize for the lengthy e-mail, but I want this transition to be as smooth as possible.


It is our understanding that grid cards, as they are currently implemented, will no longer be a CJIS-compliant method of advanced authentication (AA) / multi-factor authentication (MFA).

We want to keep ELVIS completely free, and in order to keep offering a free AA solution, we are in the process of testing a One-Time Password (OTP) feature that will be offered at no cost to agencies. This will eventually replace Grid Cards by e-mailing users a one-time, six-digit code with a 5-minute expiration that must be verified each time a user signs in. Many of you are already familiar with this method used by banks and other secure websites.

Ref CJIS 5.6.2.1.3 (One-time Passwords)

This will satisfy the out-of-band advanced authentication requirement. ELVIS is a stand-alone web application hosted outside of your agency's internal environment with its own user account and password, which is the first factor of authentication. Because the One-Time Password (OTP) is sent to a separate e-mail system ("out of band") that the user must also authenticate to (which, ideally, has a different password and is behind its own two-factor authentication), this is Out-Of-Band. Moving to OTP will also eliminate the need to replace lost/expired grid cards, and once we've verified its stability, it will entirely replace Grid Cards.

While this feature has not been pushed to the live environment, if you need to go ahead and add the e-mail address the code will come from to your existing filters, it's the same one that's already being used to send new user activation links (donotreply@elvisflorida.org). If users have been getting their new account activation links, you shouldn't have any issue getting a one-time password.

I don't have a concrete timeframe for phasing out Grid Cards completely, but it will be relatively soon. There won't be anything that you need to do to transition to OTPs, but you should let your users know to expect this change if you are not intending to switch to our existing Duo integration or the new Entra Single Sign-On (SSO) method (see below). I'll be working with a couple of agencies, and once we're sure the OTP system is stable and working as expected, we'll be disabling the Grid Card system and moving any users currently on Grid Cards to OTP.

We do not have any plans to offer built-in OTP through text-messages (because sending text messages costs us per message) or push notifications (we do not have a mobile app or any plans to make one). However, ELVIS already integrates with Duo, which supports both Push Notifications and SMS messaging for a subscription fee. We have no business partnership with Duo, but we integrate with their system. If you'd like to look into SMS or Push notifications, you can visit duo.com for more information.

If you have any questions or concerns about the upcoming OTP feature or Grid Cards, please let us know. As always, we value agency feedback in everything we design.

Next..

We are also testing the new Duo Universal Interface (v4). Since we have already supported Duo for years, this is a fairly minor upgrade, but it will be coming soon as well. So far in our testing, this change is purely cosmetic to the users and will have NO impact on agencies that already use Duo integration. However, it will allow Duo admins additional configuration options.

And lastly...

Ref CJIS 5.6.4 (Assertions)

Many, many of you have requested integration with Microsoft's Azure Active Directory (AAD)/Entra Single Sign On (SSO), and we're pleased to announce that ELVIS is currently beta-testing a new SSO feature using Microsoft Entra (as a side-effect, this feature will also support other SAML-enabled Identity Providers, not just Entra). This feature is absolutely OPTIONAL. Agencies that already leverage Microsoft AAD/Entra will be able to take advantage of this, but it is NOT REQUIRED to use ELVIS.

When this feature is rolled out, in order for your agency's ELVIS users to take advantage of it, a new application will have to be created within your Microsoft Entra dashboard and several settings will need to be copied from there into ELVIS. We can help you through this process, and it only has to be done once for your agency. Once set up, all of your agency's ELVIS accounts will be able to attempt signing in through Entra SSO (you will have control of which users are allowed through your Entra Dashboard).

Single Sign-On (SSO) Notes:
1) Just as it has always been, ELVIS user accounts MUST be created in ELVIS by a Group Leader BEFORE Entra SSO will work. Users will NOT be allowed to create or self-register their own ELVIS accounts through Entra SSO, so Group Leaders will still be required to create user accounts in ELVIS before SSO will function.

2) Further, at this time, user roles inside ELVIS are still managed through the ELVIS interface. The SSO functionality is ONLY to satisfy authentication requirements and simplify the sign-on process. User management (creating accounts, disabling accounts, managing roles) is still done through the ELVIS interface. Disabling a user's account in Microsoft Entra will prevent them from using SSO, but it will NOT disable their account in ELVIS.

3) When using SSO, it is expected that agencies WILL REQUIRE two-factor authentication through their SSO provider (i.e. Microsoft Entra). Because ELVIS is reaching out to Entra to verify a user has met authentication requirements, it will not prompt for an additional two-factor requirement.

4) A user may be allowed to use two authentication paths (i.e. SSO or Username/Password + OTP) as a backup in case SSO fails for any reason. However, the agency may also choose to only allow one method: SSO, OTP, or Duo. This is configurable per-user.

5) We support over 280 law enforcement agencies within the boundaries of the State of Florida. This means we handle that many unique SSO/Two-Factor configurations, and because we have no idea what agency a user is attempting to sign in to until they give us their e-mail address, users will ALWAYS be required to enter at least their e-mail address (even for SSO) so that we can look up the correct login path to send them down. Further, and this bit is more technical, but a user's e-mail address must be configured as the primary identifier returned by Entra SSO (it doesn't have to be the user's Microsoft login, but it must be returned by Entra -- this is configurable in the Entra Dashboard), and it MUST match the e-mail address that the user entered or the user will not be allowed to sign in to ELVIS.



I'm sorry for such a long and technical e-mail, but I wanted to make sure everyone knew what was coming!

None of these features have been released yet. Currently, I'm looking at publishing these changes during the first week of April and working with a few agencies at a time to verify that the Microsoft Entra integration and OTP are working as expected.
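The two mechanical rules the post describes are the e-mailed six-digit code with a 5-minute expiration that is verified at every sign-in, and SSO note 5's requirement that the e-mail returned by Entra match the one the user typed. The following Python is an added example written to illustrate those rules; it is not ELVIS's code and not from the post. It assumes an in-memory store keyed by e-mail, a hypothetical `OtpService` class, and a five-attempt cap that the post does not state; actual delivery of the code by e-mail is left out.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

OTP_TTL_SECONDS = 5 * 60   # the 5-minute expiration described in the post
OTP_DIGITS = 6             # six-digit code as described in the post
MAX_ATTEMPTS = 5           # assumed cap; the post does not state one


@dataclass
class PendingOtp:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issue and verify e-mailed one-time codes (hypothetical, not ELVIS's code)."""

    def __init__(self, now=time.time):
        self._now = now                     # injectable clock for testing
        self._pending: dict = {}            # one outstanding code per e-mail

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # A salted hash keeps the plaintext code out of storage. Six digits are
        # still only a million possibilities, so the attempt cap below carries
        # the real protection against guessing.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, email: str) -> str:
        # secrets, not random: the code must be unpredictable
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[email.strip().lower()] = PendingOtp(
            code_hash=self._hash(code, salt),
            salt=salt,
            expires_at=self._now() + OTP_TTL_SECONDS,
        )
        return code  # returned here only so the caller can e-mail it; never log it

    def verify(self, email: str, submitted: str) -> Tuple[bool, str]:
        key = email.strip().lower()
        entry = self._pending.get(key)
        if entry is None:
            return False, "no code outstanding"
        if self._now() > entry.expires_at:
            del self._pending[key]
            return False, "expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[key]
            return False, "too many attempts"
        # constant-time comparison of the hashes
        if hmac.compare_digest(self._hash(submitted, entry.salt), entry.code_hash):
            del self._pending[key]          # single use: a code is consumed on success
            return True, "ok"
        return False, "mismatch"


def sso_identity_matches(entered_email: str, asserted_email: Optional[str]) -> bool:
    """SSO note 5: the e-mail the user typed to select their login path must
    equal the identifier the Identity Provider returns; otherwise deny sign-in."""
    if not asserted_email:
        return False
    return entered_email.strip().lower() == asserted_email.strip().lower()


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("user@example.org")     # constructed sample user
    print(svc.verify("user@example.org", code))   # (True, 'ok')
    print(svc.verify("user@example.org", code))   # (False, 'no code outstanding')
    print(sso_identity_matches("User@Agency.gov", "user@agency.gov"))  # True
```

The e-mail key is normalized the same way in `issue`, `verify` and `sso_identity_matches`, since the post says the typed address is what selects the login path and what the Entra-returned identifier is compared against; a stray capital letter or space should not turn into a failed login or, worse, a mismatched account.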