Credential Lifecycle Guide: Difference between revisions
(→About) |
|||
Line 17: | Line 17: | ||
* Other login methods (potentially for reissuance). | * Other login methods (potentially for reissuance). | ||
* Reporting loss (potentially trigger revocation). | * Reporting loss (potentially trigger revocation). | ||
** CSP must have clear and readily available instructions for user's that lose their authenticators. | |||
===Reissuance=== | ===Reissuance=== | ||
* Replace credential | * Replace credential |
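Review bot: the added sub-bullet writes "user's" where the plural "users" is meant ("instructions for users that lose their authenticators"). Nesting it under "Reporting loss" fits, but since the same section already lists revocation and, directly below, reissuance, consider saying that the instructions should lead the user to those two steps so a reader reporting a loss knows what happens next.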
Revision as of 19:01, 10 April 2019
Introduction
- Lifecycle management for authenticators.
- FIDO specifics as appropriate.
Issuance
Address initial issuance.
Enrollment
- Credential issuance happens as final part of identity proofing process.
- Authenticator is bound at this time.
Redundancy
- Should issue multiple and back-up credentials.
Add-on
- Allow user to add new authenticators of equal or lesser strength than the authenticator used for current session; useful for generating back-up credentials.
Use Cases
Lost Authenticator
- Other login methods (potentially for reissuance).
- Reporting loss (potentially trigger revocation).
- CSP must have clear and readily available instructions for users that lose their authenticators.
Reissuance
- Replace credential.
- In-person
- Necessitate new enrollment?
- Viable via redundant credentials.
Expiration
- Trigger reissuance before expiration.
- Credential no longer valid.
Revocation
- Mark credential as no longer valid.
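As an added illustration that is not part of the wiki page, the following Python models the rules listed above: the Add-on strength constraint, revocation on a reported loss, the pre-expiration reissuance trigger, and the redundancy goal. The strength ordering, the 30-day reissuance window and the scenario in demo() are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Assumed strength ordering (constructed for this example): higher = stronger.
STRENGTH = {"password": 1, "otp": 2, "fido_security_key": 3}
REISSUE_WINDOW = timedelta(days=30)  # assumed lead time before expiration


@dataclass
class Credential:
    kind: str
    expires: date
    revoked: bool = False
    def valid_on(self, today: date) -> bool:
        # Revocation and expiration both make the credential no longer valid.
        return not self.revoked and today < self.expires


@dataclass
class Subscriber:
    credentials: list = field(default_factory=list)
    def add_on(self, session_kind: str, new_kind: str, expires: date) -> Credential:
        # Add-on rule: new authenticator strength <= strength of the session authenticator.
        if STRENGTH[new_kind] > STRENGTH[session_kind]:
            raise PermissionError(f"{session_kind} session may not enroll {new_kind}")
        cred = Credential(new_kind, expires)
        self.credentials.append(cred)
        return cred
    def revoke(self, cred: Credential) -> None:
        cred.revoked = True  # e.g. the subscriber reported the authenticator lost
    def valid_credentials(self, today: date) -> list:
        return [c for c in self.credentials if c.valid_on(today)]
    def needs_reissuance(self, today: date) -> list:
        # Still valid, but close enough to expiry that reissuance should start now.
        return [c for c in self.valid_credentials(today) if c.expires - today <= REISSUE_WINDOW]
    def has_redundancy(self, today: date) -> bool:
        # Redundancy: losing one authenticator should leave a valid back-up.
        return len(self.valid_credentials(today)) >= 2


def demo(today: date = date(2019, 4, 10)) -> dict:
    # Constructed scenario: an OTP-authenticated session enrolls a weaker back-up.
    s = Subscriber()
    s.add_on("otp", "otp", today + timedelta(days=365))
    backup = s.add_on("otp", "password", today + timedelta(days=20))
    try:  # a stronger FIDO key cannot be bootstrapped from this session
        s.add_on("otp", "fido_security_key", today + timedelta(days=365))
        escalated = True
    except PermissionError:
        escalated = False
    due = [c.kind for c in s.needs_reissuance(today)]  # back-up expires in 20 days
    s.revoke(backup)  # back-up reported lost
    return {"escalated": escalated, "due": due, "redundant": s.has_redundancy(today)}
```

Running demo() shows the weak back-up flagged for reissuance before it expires, and the subscriber left without redundancy once it is revoked.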