


NIH to Begin Requiring Multifactor Authentication




February 17, 2021

The National Institutes of Health is moving to require multi-factor authentication (MFA) or two-factor authentication (2FA) for all or most of its services (for our purposes, we’ll lump those together and use MFA). This is significant for any campus or research organization with faculty, researchers, or scientists who interact with NIH.

NIH has set a September 15, 2021, deadline for all users of eRA (electronic Research Administration) modules to use MFA. You can take action now to make it easier for your NIH researchers to use their campus/organization credentials to log into eRA modules.

Here are the two important takeaways for those who operate InCommon identity providers.

  • NIH needs the attributes that are part of the Research & Scholarship (R&S) bundle. If you don’t support R&S, you should do so. This allows your researchers to seamlessly access the services they need.
  • Adopt the REFEDS MFA profile for credentials of those who interact with NIH and configure your federated login system to convey that fact.
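
One way for an IdP operator to confirm both items on a decoded test assertion, as an added example that is not part of the original announcement and is not InCommon or NIH code. The authentication context URI and attribute OIDs are taken from the REFEDS MFA Profile and the R&S entity category rather than from this page; the assertion is a constructed sample, eduPersonPrincipalName is assumed to be the shared user identifier, and signature validation is out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"
OID = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "sn": "urn:oid:2.5.4.4",
}

# Constructed sample assertion (signature, subject and conditions omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>researcher@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>researcher@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return a list of problems; an empty list means both requirements are met."""
    root = ET.fromstring(xml_text)
    problems = []
    refs = [e.text.strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS) if e.text]
    if REFEDS_MFA not in refs:
        problems.append("AuthnContextClassRef does not assert REFEDS MFA")
    # Only attributes with at least one non-empty value count as released.
    released = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if any((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)):
            released.add(attr.get("Name"))
    for name in ("eduPersonPrincipalName", "mail"):
        if OID[name] not in released:
            problems.append("missing " + name)
    # R&S accepts displayName, or givenName together with sn.
    has_name = OID["displayName"] in released or {OID["givenName"], OID["sn"]} <= released
    if not has_name:
        problems.append("missing person name (displayName or givenName+sn)")
    return problems
```

The constructed sample releases givenName without sn, so the check reports the person-name gap even though MFA is asserted.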

NIH is working with InCommon to help campuses and research organizations understand the need to support R&S and implement MFA. NIH and eRA will continue to support federated credentials until the deadline, when MFA will need to be implemented and conveyed via the IdP. 

NIH has also indicated that some of its services will begin to require some level of identity proofing for credentials used to access those services. Which services, when this will be required, and what specific identity proofing levels will be needed are all still taking shape. InCommon is working with colleagues at NIH to understand the situation and provide appropriate guidance to InCommon Participants. Please stay tuned for those updates.