EXTERNAL USERS
- How can existing external users link their Web Application Access (WAA) account with their Login.gov account to access agency applications?
- How do new external users get a Login.gov account and gain access to agency community applications?
- Do all EPA Employeees/Contractors need to register with Login.gov?
- How can external users verify if their Web Application Access (WAA) account is linked with the Login.gov account?
- Will this new process affect EPA Employeees/Contractors?
GENERAL INFORMATION
- What is EPA Gateway?
- What is Login.gov?
- How does this authentication process work?
- Why are we using Login.gov for authentication to external applications?
- What is an Identity Assurance Level (IAL)?
1.1. How can existing external users link their Web Application Access (WAA) account with their Login.gov account to access agency applications?
Existing external users must first register with Login.gov using the same email address associated with their WAA account. Then, sign into an EPA application using the newly registered Login.gov account. This will seamlessly link their WAA account and transfer all associated applications automatically to their Login.gov account.
1.2. How do new external users get a Login.gov account and gain access to agency community applications?
New external users can go to Login.gov or the EPA Gateway website and create a Login.gov account. Using the newly registered Login.gov account, sign in to https://waa.epa.gov and submit an access request to a community application. Upon EPA application sponsor approval, their account will be established, and access to the requested community application will be granted.
1.3. Do all EPA Employeees/Contractors need to register with Login.gov?
Login.gov registration is primarily for external users. However, EPA Employeees/Contractors that access web applications externally on non-GFE computers (no PIV reader available) will also need to register their EPA email address (last.first@epa.gov) with Login.gov.
1.4. How can external users verify if their Web Application Access (WAA) account is linked with the Login.gov account?
External users can sign into https://waa.epa.gov and click on the User Profile from the menu. The Login.gov image should be displayed above their profile information, which indicates that the accounts have been successfully linked. Any changes the user profile must be made via Login.gov.
1.5. Will this new process affect EPA Employeees/Contractors?
EPA Employeees/Contractors will continue to authenticate via Single Sign-On or EPASS Badge. Alternatively, they can also use their Login.gov account if they have one.
2.1. What is EPA Gateway?
The EPA Gateway is the external facing portal for user access to participating agency applications. External users will enter the Gateway and select their login method. Depending on their authenticated identity level, as determined by Login.gov, the Gateway's IdP proxy will determine which applications the customer will have access to.
2.2. What is Login.gov?
Login.gov is a government-wide shared solution that offers the public secure and private online access to participating government programs. Users can securely sign into multiple government agencies with one User ID and password.
Login.gov will authenticate and verify identities of individuals who seek benefits or services from federal agencies. Rather than requiring individuals to have a separate login process to access each federal agency's electronic system, GSA has created a platform and process that allows individuals to access information or request services from any of the different federal agencies that have opted to use Login.gov services.
The platform will leverage personal information to provide authentication and identity verification to partner agencies, as well as data and resources associated with the user's account. Based on a successful user login and identity verification, the partner agency will grant access to the user.
2.3. How does this authentication process work?
To facilitate access, information must be collected to authenticate an individual's identity at the requisite identity assurance level (IAL) for the purpose of obtaining a credential or electronically authorizing access to an EPA application or service.
Users will be authenticated with identity verification at the level requested by the agency for accessing specific services and records. When a user attempts to access an agency service or record, the individual will be directed to Login.gov. Users will be notified through the application interface what the system is used for, and how it will use their Personally Identifiable Information (PII). Users will have to authorize any use of their information before proceeding. EPA does not collect PII, as part of this process. The information requested by the system and asserted back to the agency will be only what is necessary to establish access at the appropriate assurance levels.
2.4. Why are we using Login.gov for authentication to external applications?
Using Login.gov for our external applications improves the agency's security posture and complies with the following Federal and Agency policies and guidance:
- Executive Order 13681, Improving the Security of Consumer Financial Transactions
- M-19-17, Enabling Mission Delivery through Improved Identity, Credential, and Access Management
- CIO 2120-P-07.2, EPA Information Security - Identification and Authentication Procedure
- Federal Information Security Modernization Act of 2014
2.5. What is an Identity Assurance Level (IAL)?
An IAL is a category that conveys the degree of confidence that the applicant's claimed identity is their real identity. There are 3 IAL levels:
- IAL1: There is no requirement to link the applicant to a specific real-life identity.
- IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.
- IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained representative of the CSP.