Credential Lifecycle Guide: Difference between revisions

From NIEF Wiki
Lines changed in this revision (Use Cases > Lost Authenticator, around line 15); items that appear on only one side of the diff:
* Other login methods (potentially for reissuance).
* Reporting loss (potentially trigger revocation).
* CSP may revoke existing authenticator.
Revision as of 19:17, 10 April 2019

Introduction

  • Lifecycle management for authenticators.
  • FIDO specifics as appropriate.

Issuance

Address initial issuance.

Enrollment

  • Credential issuance happens as final part of identity proofing process.
  • Authenticator is bound at this time.

Redundancy

  • Should issue multiple and back-up credentials.

Add-on

  • Allow user to add new authenticators of equal or lesser strength than the authenticator used for current session; useful for generating back-up credentials.

Use Cases

Lost Authenticator

  • Reporting loss.
    • CSP must have clear and readily available instructions for users that lose their authenticators.
    • CSP may revoke the existing authenticator.
    • Initiate reissuance via backup authenticator (if possible).

Reissuance

  • Replace the credential.
  • In-person.
  • Necessitate new enrollment?
  • Viable via redundant credentials.

Expiration

  • Trigger reissuance before expiration.
  • Credential no longer valid after expiration.

Revocation

  • Mark credential as no longer valid.
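The outline above describes the whole lifecycle as a set of rules (bind at the end of identity proofing, add-on only at equal or lesser strength than the session authenticator, loss report revokes and reissues via a backup, reissue before expiration, revocation marks the credential invalid). The following Python model is an added example, not code from the NIEF wiki or any NIEF project; the strength ordering (PASSWORD < OTP < FIDO), the one-year lifetime, the 30-day renewal window and the identifiers are constructed assumptions. It covers both the Add-on rule and the Lost Authenticator, Expiration and Revocation use cases in one place.

```python
# Added example (not from the NIEF wiki page): a minimal model of the
# authenticator lifecycle outlined above. Strength levels, lifetimes and
# identifiers are constructed assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict, List, Optional


class Strength(IntEnum):
    """Assumed ordering of authenticator strength (constructed for the example)."""
    PASSWORD = 1
    OTP = 2
    FIDO = 3


@dataclass
class Authenticator:
    auth_id: str
    strength: Strength
    expires_at: datetime
    revoked: bool = False
    revoked_reason: Optional[str] = None

    def is_valid(self, now: datetime) -> bool:
        # Revocation and expiration both make the credential unusable.
        return not self.revoked and now < self.expires_at


@dataclass
class Subject:
    identity_proofed: bool
    authenticators: Dict[str, Authenticator] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)


class CredentialServiceProvider:
    """Assumed policy: one-year credentials, reissuance window of 30 days."""

    def __init__(self, lifetime: timedelta = timedelta(days=365),
                 renewal_window: timedelta = timedelta(days=30)) -> None:
        self.lifetime = lifetime
        self.renewal_window = renewal_window

    def _issue(self, subject: Subject, auth_id: str, strength: Strength, now: datetime) -> Authenticator:
        auth = Authenticator(auth_id, strength, now + self.lifetime)
        subject.authenticators[auth_id] = auth
        subject.events.append(f"issued {auth_id}")
        return auth

    def enroll(self, subject: Subject, auth_id: str, strength: Strength, now: datetime) -> Authenticator:
        # Issuance is the final step of identity proofing; the authenticator is bound here.
        if not subject.identity_proofed:
            raise PermissionError("identity proofing must complete before issuance")
        return self._issue(subject, auth_id, strength, now)

    def add_on(self, subject: Subject, session_auth_id: str, new_auth_id: str,
               strength: Strength, now: datetime) -> Authenticator:
        # A new authenticator may not be stronger than the one that authenticated this session.
        session = subject.authenticators.get(session_auth_id)
        if session is None or not session.is_valid(now):
            raise PermissionError("current session authenticator is not valid")
        if strength > session.strength:
            raise PermissionError("add-on authenticator exceeds session strength")
        return self._issue(subject, new_auth_id, strength, now)

    def revoke(self, subject: Subject, auth_id: str, reason: str) -> None:
        # Revocation simply marks the credential as no longer valid.
        auth = subject.authenticators[auth_id]
        auth.revoked = True
        auth.revoked_reason = reason
        subject.events.append(f"revoked {auth_id}: {reason}")

    def report_loss(self, subject: Subject, lost_auth_id: str, backup_auth_id: str,
                    now: datetime) -> Optional[Authenticator]:
        # A loss report revokes the lost authenticator and, when a valid backup exists,
        # reissues through it; otherwise a new enrollment is required.
        lost = subject.authenticators[lost_auth_id]
        self.revoke(subject, lost_auth_id, "reported lost")
        backup = subject.authenticators.get(backup_auth_id)
        if backup is None or not backup.is_valid(now):
            subject.events.append("no valid backup: new enrollment required")
            return None
        # Assumption: reissuance restores the lost credential's strength (a stricter
        # policy could apply the add-on rule and cap it at the backup's strength).
        return self._issue(subject, f"{lost_auth_id}-reissued", lost.strength, now)

    def due_for_reissuance(self, subject: Subject, now: datetime) -> List[str]:
        # Credentials inside the renewal window should be reissued before they lapse.
        return [a.auth_id for a in subject.authenticators.values()
                if a.is_valid(now) and a.expires_at - now <= self.renewal_window]

    def valid_authenticators(self, subject: Subject, now: datetime) -> List[str]:
        return [a.auth_id for a in subject.authenticators.values() if a.is_valid(now)]


def demo() -> dict:
    """Walk one constructed subject through the lifecycle and return the observable results."""
    csp = CredentialServiceProvider()
    t0 = datetime(2019, 4, 10, tzinfo=timezone.utc)
    alice = Subject(identity_proofed=True)
    csp.enroll(alice, "fido-primary", Strength.FIDO, t0)
    csp.add_on(alice, "fido-primary", "otp-backup", Strength.OTP, t0)  # redundancy
    try:  # escalation attempt: OTP session may not mint a FIDO authenticator
        csp.add_on(alice, "otp-backup", "fido-escalated", Strength.FIDO, t0)
        escalation_blocked = False
    except PermissionError:
        escalation_blocked = True
    t_loss = t0 + timedelta(days=10)
    reissued = csp.report_loss(alice, "fido-primary", "otp-backup", t_loss)
    return {
        "escalation_blocked": escalation_blocked,
        "reissued_id": reissued.auth_id if reissued else None,
        "valid_after_loss": sorted(csp.valid_authenticators(alice, t_loss)),
        "due_for_reissuance": sorted(csp.due_for_reissuance(alice, t0 + timedelta(days=340))),
        "events": alice.events,
    }


if __name__ == "__main__":
    print(demo())
```

In `demo()` the OTP backup issued as an add-on cannot be used to obtain a FIDO authenticator, the loss report leaves the subject with the backup plus a reissued primary, and only the older backup falls inside the renewal window at day 340, so it is the one flagged for reissuance before it expires.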