If you’ve logged into the System for Award Management (SAM) at all in the past 14 months, you know that it’s a bit more challenging to log in than it used to be. This is for your own protection, but all these extra layers of security can seem pretty daunting, especially if you aren’t comfortable working with computers. I’m going to try to explain what the extra steps are all about, and hopefully teach you a thing or two about the various authentication methods available to you.
A little over a year ago, the U.S. General Services Administration implemented a new login process for SAM. After June 29, 2018, everyone was required to log into SAM through login.gov, a federal website that gives the public secure and private online access to participating government programs. With one login.gov account, users can sign into the websites of multiple government agencies. login.gov uses two-factor authentication and requires stronger passwords that meet National Institute of Standards of Technology requirements for secure validation and verification.
As the name implies, two-factor authentication (sometimes called 2FA), requires two different methods to sign into an account. Usually this means entering a memorized password (the first “factor”) and a unique code sent to a device that you own (the second “factor”). Requiring two methods makes breaking into your account much harder.
When GSA began using login.gov for SAM, users only had to set up one authentication method in addition to their password. A personal key (a 16-character secret code) was also generated for all users, and users were instructed to print out the personal key and keep it in a safe place in case they ever lost access to their authentication method. Since then, the login.gov team has discovered that personal keys have not worked well for users, so they have begun retiring them as a form of two-factor authentication, and users are now required to set up two two-factor authentication methods when you create a login.gov account.
Here are the choices you have for authentication methods in login.gov:
- Text message (SMS)
- Phone call
- Authentication application
- Security key
- PIV/CAC card
- Backup codes
I’ll cover each of these in more detail below.
Text message (SMS)
This is the first choice for most of my clients, and for good reason. 96% of Americans own a cell phone of some kind, and even the most ancient cell phones can receive text messages. If you choose this authentication method, a six-digit code will be sent to you via text message after you enter your email address and password. You have ten minutes to enter that code on login.gov to authenticate before the code expires.
It’s worth noting that security experts aren’t in love with SMS-based two-factor authentication because someone could steal your phone number or intercept your text messages.
This is another authentication method that doesn’t require a lot of explanation. Instead of receiving a six-digit code via text message, you will receive a phone call. When you answer, an automated agent will speak the six-digit code to you. You have ten minutes to enter that code on login.gov to authenticate before the code expires.
If you have already used SMS as your first authentication method and you want to use the phone call as your second authentication method, keep in mind that it must be a different phone number. Since most people don’t carry two cell phones, this is likely to be a landline. If you are going to use a landline for one of your authentication methods, make sure you think about where you are likely to be when you need to access SAM. If, for example, you set up your login.gov account from your company office, but you come into your local PTAC office for help registering or updating your company’s SAM registration, you won’t be where you need to be to accept the automated call. Usually this obstacle can be overcome by having an employee or partner answer the phone and relay the code to you.
Using an automated phone call for your 2FA has some of the same security concerns as using text messaging, as phone numbers can be stolen.
A more secure option than receiving security codes by text or phone call is to use an authentication app to generate security codes. To use this option, you will need to have a smartphone or an internet-connected tablet or computer on which you can install an authentication app. This method may seem intimidating if you’ve never used an authentication app before, but it’s really pretty simple.
Here are some of the more popular authentication applications:
- Android: 1Password, Authy, Google Authenticator, LastPass Authenticator, Microsoft Authenticator
- iOS: 1Password, Authy, Google Authenticator, LastPass, Microsoft Authenticator
- Windows: 1Password, Authy, Microsoft Authenticator, OTP Manager
- MacOS: 1Password, Authy, OTP Manager
- Web browser extensions: Authy
After downloading one of these applications to your device, you will need to set it up to work with login.gov. To do that, you will need to either enter a key provided by login.gov into your app or scan a QR code displayed on login.gov with the app and the camera on your phone or tablet. This will associate your authentication app with your account.
The next time you log into login.gov, you will be prompted to enter a code from your app after you enter your email address and password. You will open your authentication app, look at the code for login.gov, and enter it on login.gov. These codes expire quickly, so you must act fast. Keep that in mind if you are trying to log into SAM from your tablet or smartphone and hoping to use the authentication app on the same device. Some of the apps do allow you to copy the code to your clipboard so you can easily paste it into login.gov, but if you aren’t very adept at switching quickly between applications on your device, this may still present a challenge.
A security key is an authentication device that strengthens account security when used in addition to a password when signing in. Using a security key is better than receiving codes via phone call or text message because these codes can be phished or intercepted. When you use a security key to sign in, the key will check to make sure you are on the official login.gov website.
A security key is usually a piece of physical hardware, like a USB, that you can carry on your keychain. You can also use supporting software, such as a web browser extension or other services. When choosing a security key, look for compatibility with the FIDO standard. Here are two of the most popular and affordable security keys:
To add your security key to login.gov, select “security key” as your authentication method. You will be prompted to create a nickname for your security key. Next you will be prompted to plug it into an open USB port on your computer to link it. Once that’s done, all you do for future logins is plug your security key into the USB port when prompted.
If you don’t know what a Personal Identity Verification (PIV) card is, you probably don’t have one. A PIV card is a “smart” card, about the size of a credit card, that enables federal employees and contractors to gain physical access to buildings and controlled spaces. It is also used to control access to various federal information systems. The Common Access Card (CAC) is what the Department of Defense calls their PIV card.
If you are not a federal employee and you do not have a current contract that requires you to have a PIV/CAC card, you cannot get one, so you would not be able to use this authentication method.
If you have a PIV/CAC card, you will need a card reader and middleware that works with your computer to use this authentication method with login.gov. If you have a PIV/CAC card that you use for physical access, but you have not yet set it up for online access, go to the GSA’s “Getting Started” page at idmanagement.gov to learn how to do this.
Backup codes are not very safe because they can easily be lost or stolen. If you choose this option, login.gov will generate ten codes that you can download, print, copy or write down. Every time you log into login.gov, you will have to enter one of these codes (after entering your email address and password). After you use the 10th code, you will be given a new set of backup codes to save and use.
If you don’t have access to any of the other authentication methods, you can use only backup codes, but this is not recommended. If you ever lose your backup codes, you will not be able to sign in to your account.
Which methods to use
If you don’t have a PIV or CAC card, the two strongest authentication methods are the security key and authentication application. If you don’t want to spend any money on hardware, or you don’t own a smartphone, the phone call and text message are satisfactory alternatives. Backup codes should be used as a last resort.
If you have questions about any of this, or want assistance getting registered at login.gov, please contact your nearest Montana PTAC office.
Portions of this post were taken from the help pages at login.gov.