cc'd to [email protected], y'all could probably stick a bug reporting SOP somewhere.

I recently made a login.gov account on chrome stable for android 8.1 on a nexus 5x using the gboard as keyboard

Within the account creation flow, once I had been issued a personal key, I was prompted to verify I had saved the key elsewhere by retyping it. I was unable to do so, encountering the same bug multiple times.

I would type several characters, and after a variable number (from 5-10), the field would blank and no characters would show. Backspacing would not work, in this situation, and it would actually add characters. It seemed like if I pressed backspace, it would put the prior state of the field into the field but not remove the future state. (like AABA + C => AABAC + Backspace => AABAAABAC), but I didn’t mess with it enough to verify that.

Eventually I tried copying and pasting the personal key. This worked.

Right now https://www.login.gov/contact/ says:

Let's emphasize our public bug bounty -- https://hackerone.com/tts -- as the primary reporting point for security issues.

[email protected] isn't sufficiently high-signal for us to rely on it for public vuln reports, so I think we should remove it from the page and just rely on linking to the 18F VDP (which itself links to [email protected] for email) as the method.

Demo site only. The scrolling sidenav on the privacy and security continues scrolling into the footer. Expected behavior is for the sidenav to stop scrolling at the top border of the footer. See attached screencap.

If a person comes to the public site to create an account, an easy to spot call to action would be really helpful. A common pattern is either a unique link or button labeled "Create an account" or "Sign up" on the landing page. A direct link to the create account page cuts the extra load of looking for this option under manage account and then finding the new account link towards the bottom of a sign in page.

This issue was automatically created by Allstar.

Security Policy Violation
Dismiss stale reviews not configured for branch main
Signed commits required, but not enabled for branch: main

Issued created by GSA-TTS Allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

The USAJobs.gov profile page (https://www.usajobs.gov/Applicant/Profile/Contact) links to two Login.gov URLs that were renamed in August 2019: https://login.gov/help/changing-settings/how-do-i-change-my-email-address/ & https://login.gov/help/changing-settings/how-do-i-change-my-password/ . These URLs now return 404 errors.

The renaming of these pages took place in 1c0f49e .

While the broken links are technically on USAJobs.gov & not login.gov, it's best practice to redirect old URLs to new URLs when renaming pages - otherwise external parties linking to pages can lead users to a 404, like what happened here.

Request:

• Redirect https://login.gov/help/changing-settings/how-do-i-change-my-email-address/ (old link, now dead) to https://login.gov/help/changing-settings/change-my-email-address/
• Redirect https://login.gov/help/changing-settings/how-do-i-change-my-password/ (old link, now dead) to https://login.gov/help/changing-settings/change-my-password/
• Review logs for other renamed pages that are causing 404 errors from external links & redirect the old URLs to the new URLs.

The design and writing on login.gov are awesome, especially given the complexity of the underlying material!

Wondering though if we couldn't make this even more plain-language. Received a few comments around referring to people as "users" (h/t to @srhhnry, others).

For example, at https://login.gov/security/, consider if:

login.gov encrypts the personal information of each user separately, using a unique value generated from each user’s password. Our encryption method works like a safe deposit box in a bank vault. Only the user has the key. Only the user can open the box to reveal the contents. Only the user knows the password, and only the user can decrypt their information.

...was re-written as...

login.gov encrypts personal information using a unique value generated from a password.

Our encryption method works like a safe deposit box in a bank vault. Only the person who has the password can generate the key. Only that person can open the box to reveal the contents. Only that person knows the password, and they are the only person who can decrypt their personal information.

or...

login.gov encrypts your information using a unique value generated from your password.

Our encryption method works like a safe deposit box in a bank vault. Only you have the password that can generate the key. Only you can open the box to reveal the contents. Only you know the password, and you are the only person who can decrypt your information.

I know login.gov has to serve multiple audiences, and we might want to focus right now on agency integrators primarily, in which case I can see why the original word choice was used. IMHO, focusing on either alternative above works perfectly well for both use cases. At the end of the day, I think agency integrators can more easily read from the perspective of the public than the other way around.

Congrats again on the launch!

Instances where login.gov should uppercase on the homepage

login.gov offers the public secure and private online access to participating government programs. With one login.gov account, users can sign in to multiple government agencies. Our goal is to make managing federal benefits, services and applications easier and more secure.

login.gov handles software development, security operations, and customer support.

login.gov works with the private sector and nonprofits to identify and implement best practices and new standards.

login.gov builds on groundwork laid by the National Institute of Standards and Technology, the Cybersecurity National Action Plan, and the Federal Acquisition Service.

CircleCI is sunsetting on 9/1, at which point 1.0 builds will presumably stop. More info here:

https://circleci.com/sunset1-0/

1. Visit https://developers.login.gov/support/
2. Hover over the expandable content links.
3. See that there are link icons that show up in the lower left:

Chrome 107.0.5304.87, macOS Monterey 12.6

This Q&A is confusing w/out examples IMO, at first I thoght I had to dl a login.gov specific authenticator app: https://www.login.gov/help/signing-in/what-is-an-authenticator-app/