LG-12636: Show recommended PIV option for .gov/.mil email

app/components/tag_component.rb

@@ -0,0 +1,24 @@
+class TagComponent < BaseComponent
+  attr_reader :big, :informative, :tag_options
+  alias_method :big?, :big
+  alias_method :informative?, :informative
+
+  def initialize(big: false, informative: false, **tag_options)
+    @big = big
+    @informative = informative
+    @tag_options = tag_options
+  end
+
+  def css_class
+    classes = ['usa-tag', *tag_options[:class]]
+    classes << 'usa-tag--big' if big?
+    classes << 'usa-tag--informative' if informative?
+    classes
+  end
+
+  def call
+    content_tag(:span, content, **tag_options, class: css_class)
+  end
+
+  private :big, :informative
+end

app/controllers/users/two_factor_authentication_setup_controller.rb

@@ -11,7 +11,10 @@ class TwoFactorAuthenticationSetupController < ApplicationController
     def index
       two_factor_options_form
       @presenter = two_factor_options_presenter
-      analytics.user_registration_2fa_setup_visit(enabled_mfa_methods_count:)
+      analytics.user_registration_2fa_setup_visit(
+        enabled_mfa_methods_count:,
+        gov_or_mil_email: gov_or_mil_email?,
+      )
     end
 
     def create
@@ -42,6 +45,10 @@ def two_factor_options_form
 
     private
 
+    def gov_or_mil_email?
+      current_user.confirmed_email_addresses.any?(&:gov_or_mil?)
+    end
+
     def mfa_context
       @mfa_context ||= MfaContext.new(current_user)
     end

app/models/email_address.rb

@@ -31,6 +31,10 @@ def confirmation_period_expired?
     Time.zone.now > expiration_time
   end
 
+  def gov_or_mil?
+    email.end_with?('.gov', '.mil')
+  end
+
   class << self
     def find_with_email(email)
       return nil if !email.is_a?(String) || email.empty?

app/presenters/two_factor_authentication/set_up_auth_app_selection_presenter.rb

@@ -15,5 +15,9 @@ def label
     def info
       t('two_factor_authentication.two_factor_choice_options.auth_app_info')
     end
+
+    def phishing_resistant?
+      false
+    end
   end
 end

app/presenters/two_factor_authentication/set_up_backup_code_selection_presenter.rb

@@ -12,6 +12,10 @@ def info
       t('two_factor_authentication.two_factor_choice_options.backup_code_info')
     end
 
+    def phishing_resistant?
+      false
+    end
+
     def single_configuration_only?
       true
     end

app/presenters/two_factor_authentication/set_up_phone_selection_presenter.rb

@@ -12,6 +12,15 @@ def info
       t('two_factor_authentication.two_factor_choice_options.phone_info')
     end
 
+    def phishing_resistant?
+      false
+    end
+
+    def visible?
+      return false if IdentityConfig.store.hide_phone_mfa_signup
+      super
+    end
+
     def mfa_configuration_count
       user.phone_configurations.count
     end

app/presenters/two_factor_authentication/set_up_piv_cac_selection_presenter.rb

@@ -12,6 +12,18 @@ def info
       t('two_factor_authentication.two_factor_choice_options.piv_cac_info')
     end
 
+    def phishing_resistant?
+      true
+    end
+
+    def recommended?
+      user.confirmed_email_addresses.any?(&:gov_or_mil?)
+    end
+
+    def desktop_only?
+      true
+    end
+
     def single_configuration_only?
       true
     end

app/presenters/two_factor_authentication/set_up_selection_presenter.rb

@@ -2,10 +2,20 @@ module TwoFactorAuthentication
   class SetUpSelectionPresenter
     include ActionView::Helpers::TranslationHelper
 
-    attr_reader :user
+    attr_reader :user, :piv_cac_required, :phishing_resistant_required, :user_agent
+    alias_method :piv_cac_required?, :piv_cac_required
+    alias_method :phishing_resistant_required?, :phishing_resistant_required
 
-    def initialize(user:)
+    def initialize(
+      user:,
+      piv_cac_required: false,
+      phishing_resistant_required: false,
+      user_agent: nil
+    )
       @user = user
+      @piv_cac_required = piv_cac_required
+      @phishing_resistant_required = phishing_resistant_required
+      @user_agent = user_agent
     end
 
     def render_in(view_context, &block)
@@ -24,6 +34,10 @@ def info
       raise NotImplementedError
     end
 
+    def phishing_resistant?
+      raise NotImplementedError
+    end
+
     def mfa_added_label
       if single_configuration_only?
         ''
@@ -32,6 +46,26 @@ def mfa_added_label
       end
     end
 
+    def visible?
+      if piv_cac_required?
+        type == :piv_cac
+      elsif phishing_resistant_required?
+        phishing_resistant?
+      elsif desktop_only?
+        !browser.mobile?
+      else
+        true
+      end
+    end
+
+    def recommended?
+      false
+    end
+
+    def desktop_only?
+      false
+    end
+
     def single_configuration_only?
       false
     end
@@ -55,5 +89,13 @@ def mfa_configuration_description
     def disabled?
       single_configuration_only? && mfa_configuration_count > 0
     end
+
+    private :piv_cac_required, :phishing_resistant_required
+
+    private
+
+    def browser
+      @browser ||= BrowserCache.parse(user_agent)
+    end
   end
 end

app/presenters/two_factor_authentication/set_up_webauthn_platform_selection_presenter.rb

@@ -1,10 +1,5 @@
 module TwoFactorAuthentication
   class SetUpWebauthnPlatformSelectionPresenter < SetUpSelectionPresenter
-    def initialize(user:, configuration: nil)
-      @user = user
-      @configuration = configuration
-    end
-
     def type
       :webauthn_platform
     end
@@ -32,6 +27,10 @@ def info
       )
     end
 
+    def phishing_resistant?
+      true
+    end
+
     def single_configuration_only?
       true
     end

app/presenters/two_factor_authentication/set_up_webauthn_selection_presenter.rb

@@ -16,6 +16,10 @@ def info
       t('two_factor_authentication.two_factor_choice_options.webauthn_info')
     end
 
+    def phishing_resistant?
+      true
+    end
+
     def mfa_configuration_count
       user.webauthn_configurations.where(platform_authenticator: [false, nil]).count
     end

app/presenters/two_factor_options_presenter.rb

@@ -1,7 +1,12 @@
 class TwoFactorOptionsPresenter
   include ActionView::Helpers::TranslationHelper
 
-  attr_reader :user, :after_mfa_setup_path, :return_to_sp_cancel_path
+  attr_reader :user,
+              :after_mfa_setup_path,
+              :return_to_sp_cancel_path,
+              :phishing_resistant_required,
+              :piv_cac_required,
+              :user_agent
 
   delegate :two_factor_enabled?, to: :mfa_policy
 
@@ -24,21 +29,22 @@ def initialize(
   end
 
   def options
-    webauthn_platform_option + totp_option + phone_options +
-      backup_code_option + webauthn_option + piv_cac_option
+    all_options_sorted.select(&:visible?)
   end
 
-  # Array of possible options selected by the user to display on the
-  # add additional MFA page
-  def all_user_selected_options
+  def all_options_sorted
     [
-      TwoFactorAuthentication::SetUpWebauthnPlatformSelectionPresenter.new(user: user),
-      TwoFactorAuthentication::SetUpAuthAppSelectionPresenter.new(user: user),
-      TwoFactorAuthentication::SetUpPhoneSelectionPresenter.new(user: user),
-      TwoFactorAuthentication::SetUpBackupCodeSelectionPresenter.new(user: user),
-      TwoFactorAuthentication::SetUpWebauthnSelectionPresenter.new(user: user),
-      TwoFactorAuthentication::SetUpPivCacSelectionPresenter.new(user: user),
-    ]
+      TwoFactorAuthentication::SetUpWebauthnPlatformSelectionPresenter,
+      TwoFactorAuthentication::SetUpAuthAppSelectionPresenter,
+      TwoFactorAuthentication::SetUpPhoneSelectionPresenter,
+      TwoFactorAuthentication::SetUpBackupCodeSelectionPresenter,
+      TwoFactorAuthentication::SetUpWebauthnSelectionPresenter,
+      TwoFactorAuthentication::SetUpPivCacSelectionPresenter,
+    ].map do |klass|
+      klass.new(user:, piv_cac_required:, phishing_resistant_required:, user_agent:)
+    end.
+      partition(&:recommended?).
+      flatten
   end
 
   def icon
@@ -97,43 +103,6 @@ def skip_label
 
   private
 
-  def piv_cac_option
-    return [] unless current_device_is_desktop?
-    [TwoFactorAuthentication::SetUpPivCacSelectionPresenter.new(user: user)]
-  end
-
-  def webauthn_option
-    return [] if piv_cac_required?
-    [TwoFactorAuthentication::SetUpWebauthnSelectionPresenter.new(user: user)]
-  end
-
-  def webauthn_platform_option
-    return [] if piv_cac_required?
-    [TwoFactorAuthentication::SetUpWebauthnPlatformSelectionPresenter.new(user: user)]
-  end
-
-  def phone_options
-    if piv_cac_required? || phishing_resistant_only? || IdentityConfig.store.hide_phone_mfa_signup
-      return []
-    else
-      [TwoFactorAuthentication::SetUpPhoneSelectionPresenter.new(user: user)]
-    end
-  end
-
-  def totp_option
-    return [] if piv_cac_required? || phishing_resistant_only?
-    [TwoFactorAuthentication::SetUpAuthAppSelectionPresenter.new(user: user)]
-  end
-
-  def backup_code_option
-    return [] if piv_cac_required? || phishing_resistant_only?
-    [TwoFactorAuthentication::SetUpBackupCodeSelectionPresenter.new(user: user)]
-  end
-
-  def current_device_is_desktop?
-    !BrowserCache.parse(@user_agent).mobile?
-  end
-
   def piv_cac_required?
     @piv_cac_required
   end

app/services/analytics_events.rb

@@ -4744,10 +4744,16 @@ def user_registration_2fa_setup(
 
   # Tracks when user visits MFA selection page
   # @param [Integer] enabled_mfa_methods_count Number of MFAs associated with user at time of visit
-  def user_registration_2fa_setup_visit(enabled_mfa_methods_count:, **extra)
+  # @param [Boolean] gov_or_mil_email Whether registered user has government email
+  def user_registration_2fa_setup_visit(
+    enabled_mfa_methods_count:,
+    gov_or_mil_email:,
+    **extra
+  )
     track_event(
       'User Registration: 2FA Setup visited',
       enabled_mfa_methods_count:,
+      gov_or_mil_email:,
       **extra,
     )
   end

app/views/partials/multi_factor_authentication/_mfa_selection.html.erb

@@ -30,6 +30,13 @@
     <% end %>
     <span id="two_factor_options_form_selection_info_<%= option.type %>" aria-hidden="true" class="usa-checkbox__label-description">
       <%= option.info %>
+      <% if option.recommended? %>
+        <br />
+        <%= render TagComponent.new(
+              informative: true,
+              class: 'margin-top-1',
+            ).with_content(t('two_factor_authentication.recommended')) %>
+      <% end %>
     </span>
   </div>
 <% end %>

app/views/users/two_factor_authentication_setup/index.html.erb

@@ -22,7 +22,7 @@
   </h2>
 
   <%= render IconListComponent.new(icon: :check_circle, color: :success) do |c| %>
-    <% @presenter.all_user_selected_options.each do |option| %>
+    <% @presenter.all_options_sorted.each do |option| %>
       <% if option.mfa_configuration_count > 0 %>
         <% c.with_item do %>
           <%= option.label %> <%= option.mfa_added_label %>

config/locales/two_factor_authentication/en.yml

@@ -155,6 +155,7 @@ en:
       google_policy_link: Privacy Policy
       google_tos_link: Terms of Service
       login_tos_link: Mobile Terms of Use
+    recommended: Recommended
     totp_header_text: Enter your authentication app code
     two_factor_aal3_choice: Additional authentication required
     two_factor_aal3_choice_intro: This app requires a higher level of security. You

config/locales/two_factor_authentication/es.yml

@@ -162,6 +162,7 @@ es:
       google_policy_link: aplican la política de privacidad
       google_tos_link: las condiciones de servicio
       login_tos_link: las condiciones de uso
+    recommended: Recomendado
     totp_header_text: Ingrese su código de la app de autenticación
     two_factor_aal3_choice: Se requiere autenticación adicional
     two_factor_aal3_choice_intro: Esta aplicación requiere un mayor nivel de

config/locales/two_factor_authentication/fr.yml

@@ -171,6 +171,7 @@ fr:
       google_policy_link: règles de confidentialité
       google_tos_link: conditions de service
       login_tos_link: conditions d’utilisation
+    recommended: Recommandation
     totp_header_text: Entrez votre code d’application d’authentification
     two_factor_aal3_choice: Authentification supplémentaire requise
     two_factor_aal3_choice_intro: Cette application nécessite un niveau de sécurité