Credential Lifecycle Guide
Latest revision as of 20:29, 10 April 2019
Introduction
- Lifecycle management for authenticators.
- FIDO specifics as appropriate.
Issuance
Address initial issuance.
Enrollment
- Credential issuance happens as the final step of the identity proofing process.
- The authenticator is bound to the proofed identity (the account) at this time.
Redundancy
- Issue multiple authenticators, including back-ups, at enrollment so that the loss of one does not force a new enrollment.
Add-on
- Allow the user to add new authenticators of equal or lesser strength than the authenticator used for the current session; an authenticator added this way can never be stronger than the session that authorized it. Useful for generating back-up credentials.
Use Cases
Lost Authenticator
- Reporting loss
  - The CSP must have clear and readily available instructions for users who lose their authenticators.
- The CSP may revoke the lost authenticator.
- Initiate reissuance via a backup authenticator (if one of sufficient strength exists).
Reissuance
- Replace the credential
  - Near expiration time, a credential may be reissued (for example, a password change).
  - For FIDO, reissuance is likely not an issue: FIDO credentials would not carry expiration times, and a backup authenticator is likely not strong enough to authorize direct enrollment of a replacement.
- In-person
  - Depending on the availability of multiple authenticators, reissuance may require an in-person process.
- Necessitate new enrollment?
  - Without multiple authenticators, reissuance may necessitate a new enrollment (a new online identity / account).
- Viable via redundant credentials
  - In some cases (particularly for lower-strength authenticators), an authenticator can be reissued over a channel established with another authenticator.
Expiration
- Trigger reissuance before expiration.
- After expiration the credential is no longer valid.
- FIDO credentials are likely not configured to have an expiration.
  - The underlying account (online identity) may have expiration rules independent of the authenticator's expiration rules, though.
  - Does DI3 have expiration rules? Does inactivity lead to automatically disabled accounts?
Revocation
- Mark credential as no longer valid.
- For FIDO/ThumbSignIn this is done within the ThumbSignIn control panel.
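The rules in the Add-on, Lost Authenticator, Reissuance, Expiration and Revocation sections above, modelled as an added Python example. This is not material from the page and not ThumbSignIn or FIDO code. The strength ordering in STRENGTH, the function names, the 14-day reissuance window and the outcome labels are assumptions for illustration; the account and authenticators in demo() are constructed sample data.

```python
"""Toy model of the lifecycle rules above: issuance after proofing, add-on
strength checks, lost-authenticator handling, expiration and revocation.
Hypothetical names and policy values; not ThumbSignIn or FIDO code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed strength ordering (hypothetical): higher is stronger.
STRENGTH = {"password": 1, "otp": 2, "fido": 3}

class LifecycleError(Exception):
    pass

@dataclass
class Authenticator:
    id: str
    kind: str                         # key into STRENGTH
    expires: Optional[datetime]       # None: never expires (typical for FIDO)
    revoked: bool = False

    def valid(self, now: datetime) -> bool:
        return not self.revoked and (self.expires is None or now < self.expires)

@dataclass
class Account:
    subject: str
    identity_proofed: bool = False
    authenticators: list = field(default_factory=list)

    def active(self, now: datetime) -> list:
        return [a for a in self.authenticators if a.valid(now)]

def enroll(account: Account, authn: Authenticator) -> None:
    """Issuance: bind the first authenticator only once identity proofing is done."""
    if not account.identity_proofed:
        raise LifecycleError("identity proofing must complete before issuance")
    account.authenticators.append(authn)

def add_on(account: Account, session: Authenticator, new: Authenticator, now: datetime) -> None:
    """Add-on: the current session may add authenticators of equal or lesser strength only."""
    if session not in account.authenticators or not session.valid(now):
        raise LifecycleError("session authenticator is not a valid credential on this account")
    if STRENGTH[new.kind] > STRENGTH[session.kind]:
        raise LifecycleError(f"a {session.kind} session cannot enroll a {new.kind} authenticator")
    account.authenticators.append(new)

def revoke(account: Account, authn_id: str) -> None:
    """Revocation: mark the credential as no longer valid (kept on the account for audit)."""
    for a in account.authenticators:
        if a.id == authn_id:
            a.revoked = True
            return
    raise LifecycleError(f"unknown authenticator {authn_id}")

def report_lost(account: Account, lost_id: str, replacement: Authenticator, now: datetime) -> str:
    """Lost authenticator: revoke it, then try to reissue via the strongest remaining backup.
    Returns 'reissued', 'in-person' (backup too weak) or 'new-enrollment' (no backup left)."""
    revoke(account, lost_id)
    backups = account.active(now)
    if not backups:
        return "new-enrollment"
    strongest = max(backups, key=lambda a: STRENGTH[a.kind])
    try:
        add_on(account, strongest, replacement, now)
    except LifecycleError:
        return "in-person"
    return "reissued"

def due_for_reissuance(account: Account, now: datetime, window: timedelta = timedelta(days=14)) -> list:
    """Expiration: ids of active credentials that should trigger reissuance before they expire."""
    return [a.id for a in account.active(now)
            if a.expires is not None and a.expires - now <= window]

def demo() -> dict:
    """Walk one constructed account through the lifecycle."""
    now = datetime(2019, 4, 10, tzinfo=timezone.utc)
    acct = Account("alice", identity_proofed=True)
    key = Authenticator("key-1", "fido", expires=None)
    pw = Authenticator("pw-1", "password", expires=now + timedelta(days=10))
    enroll(acct, key)
    add_on(acct, key, pw, now)            # a FIDO session may add a weaker password backup
    out = {}
    try:                                  # a password session may not enroll a FIDO key
        add_on(acct, pw, Authenticator("key-2", "fido", None), now)
        out["escalate"] = "allowed"
    except LifecycleError:
        out["escalate"] = "denied"
    out["due"] = due_for_reissuance(acct, now)                       # password expires inside the window
    out["lost_key"] = report_lost(acct, "key-1", Authenticator("key-3", "fido", None), now)
    out["key_valid"] = key.valid(now)                                 # revoked by report_lost
    out["lost_pw"] = report_lost(acct, "pw-1", Authenticator("pw-2", "password", None), now)
    return out
```

The two outcomes worth noticing are the ones the Reissuance section predicts: a FIDO session can add a weaker password backup, but that password session cannot later enroll a replacement FIDO key, so losing the only FIDO authenticator ends in an in-person process, and losing the last remaining authenticator leaves nothing to reissue from, which is the new-enrollment case.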